Initial commit

2026-02-02 00:45:17 +01:00
commit b9d97a76f0
8 changed files with 865 additions and 0 deletions

68
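--- a/README.debian13
+++ b/README.debian13
@@ -0,0 +1,68 @@
+# ---------------------------------------------------------------------------------------
+#
+# Early decrypt partition using systemd-cryptsetup - after upgrade Debian 12 -> Debia 13
+#
+# ---------------------------------------------------------------------------------------
+RAW_PARTITION=/dev/md5
+CRYPT_PARTITION=data
+KEY_FILE=/etc/cryptsetup-keys.d/data.key
+# 1) cryptsetup-initramfs entfernen
+# =================================
+#
+# (cryptsetup selbst bleibt installiert!)
+#
+apt purge cryptsetup-initramfs
+# update-initramfs -u -k all sollte nun durchlaufen
+#
+update-initramfs -u -k all
+# 2) Sicherstellen, dass systemd die crypttab Einträge überhaupt verarbeitet
+# ===========================================================================
+#
+# In Debian wurde systemd-cryptsetup als eigenes Paket aufgeteilt; wenn das fehlt,
+# werden nicht-root LUKS-Volumes aus /etc/crypttab u.U. nicht automatisch geöffnet.
+#
+# Also:
+#
+# apt install systemd-cryptsetup
+#
+apt install systemd-cryptsetup
+# 3) /etc/crypttab anpassen (kein initramfs mehr)
+# ===============================================
+#
+# data UUID=a7e3afb8-f257-4e99-b37a-fdc579ec9e96 /etc/cryptsetup-keys.d/data.key luks,nofail
+#
+cat <<EOF >> /etc/crypttab
+# <target name> <source device> <key file> <options>
+${CRYPT_PARTITION} UUID=a$(blkid -s UUID -o value ${RAW_PARTITION}) ${KEY_FILE} luks,nofail
+EOF
+# 4) /etc/fstab
+# =============
+#
+# /dev/mapper/data /data ext4 defaults,nofail,x-systemd.device-timeout=30 0 2
+#
+cat <<EOF >> /etc/fstab
+# /dev/mapper/${CRYPT_PARTITION} (LUKS device ${RAW_PARTITION})
+/dev/mapper/${CRYPT_PARTITION} /data ext4 efaults,nofail,x-systemd.device-timeout=30 0 2
+EOF
+systemctl daemon-reload
+# 5) RAID (md5) muss beim Boot assembliert werden
+#
+apt install --reinstall mdadm
+update-initramfs -u -k all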
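Review bot: The generated /etc/crypttab line carries a stray literal `a` in front of the UUID (`UUID=a$(blkid ...)`), so systemd-cryptsetup will look for a device that does not exist, and the appended fstab line spells the option `efaults`, so even a successful unlock would fail to mount; with `nofail` on both entries neither error stops the boot, they just silently leave /data absent. The two lines should read `${CRYPT_PARTITION} UUID=$(blkid -s UUID -o value "${RAW_PARTITION}") ${KEY_FILE} luks,nofail` and `/dev/mapper/${CRYPT_PARTITION} /data ext4 defaults,nofail,x-systemd.device-timeout=30 0 2`. The key file under /etc/cryptsetup-keys.d/ is the only credential this recipe configures for the volume and it lives on the root filesystem, so the data volume is only as confidential as root itself (encrypted root or otherwise trusted host); the recipe should at least include `chmod 0400 "${KEY_FILE}"` (and `chmod 0700 /etc/cryptsetup-keys.d`) before the first unlock. Step 1 purges cryptsetup-initramfs, which is only safe when no LUKS volume is needed to reach root; a one-line caveat saying so would prevent this being copied onto a machine with an encrypted root.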

62
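--- a/create_crypted_disk.sh
+++ b/create_crypted_disk.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+_BACKUP_DEVICE_NAME=backup
+_LABEL=BACKUP_OPP_03
+_KEY_FILE=/crypt/home/.keys/zapata.key
+echo ""
+# - Encrypt Disk with given keyfile
+# -
+echo ""
+echo "Encrypt Disk with given keyfile"
+cryptsetup luksFormat /dev/sde1 $_KEY_FILE
+# - Add Key with Passphrase
+# -
+echo ""
+echo "Add Key (Passphrase) using existent key (keyfile: $_KEY_FILE)"
+cryptsetup luksAddKey -d $_KEY_FILE /dev/sde1
+# - Open encrypted device
+# -
+echo ""
+echo "Open encrypted device"
+cryptsetup luksOpen /dev/sde1 $_BACKUP_DEVICE_NAME --key-file $_KEY_FILE
+# - Create Filesystem on crypted device
+# -
+echo ""
+echo "Create ext4 Filesystem on crypted device \"$_BACKUP_DEVICE_NAME\""
+mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/$_BACKUP_DEVICE_NAME
+echo ""
+echo "Simple sync.."
+sync
+# - Label crypted device
+# -
+echo ""
+echo "Label crypted device \"$_BACKUP_DEVICE_NAME\". Label: $_LABEL"
+tune2fs -L $_LABEL /dev/mapper/$_BACKUP_DEVICE_NAME
+# - Set maximal mount count on crypted device
+# -
+echo ""
+echo "Set maximal mount count on crypted device"
+tune2fs -c 21 /dev/mapper/$_BACKUP_DEVICE_NAME
+# - List settings of crypted device
+# -
+echo ""
+echo "List settings of crypted device \"_BACKUP_DEVICE_NAME\""
+tune2fs -l /dev/mapper/$_BACKUP_DEVICE_NAME
+# - Close crypted device
+# -
+echo ""
+echo "Close crypted device \"$_BACKUP_DEVICE_NAME\""
+cryptsetup luksClose $_BACKUP_DEVICE_NAME
+echo ""
+exit 0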
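Review bot: The target device is hard-coded as `/dev/sde1` in three places while every other parameter is a variable, and nothing stops the script when a step fails: without `set -e`, a failing `luksFormat` (wrong device, unreadable key file, user answering no to the confirmation) is followed by `luksAddKey`, `luksOpen` and `mkfs.ext4` anyway, and `mkfs.ext4` will format whatever `/dev/mapper/backup` currently points at if a mapping of that name already exists from an earlier run. Take the device from `$1`, verify the key file is readable before touching the disk, enable strict mode so the sequence aborts at the first error, and quote the expansions while doing so. The echo `List settings of crypted device "_BACKUP_DEVICE_NAME"` is missing its `$`. Since the passphrase added by `luksAddKey` is the only slot that does not depend on the key file, a header comment should say that it is the recovery path if `/crypt/home/.keys/zapata.key` is lost.
```shell
#!/usr/bin/env bash
set -euo pipefail
_DEVICE=${1:?usage: create_crypted_disk.sh /dev/sdXN}
_BACKUP_DEVICE_NAME=backup
_LABEL=BACKUP_OPP_03
_KEY_FILE=/crypt/home/.keys/zapata.key
[ -r "$_KEY_FILE" ] || { echo "key file $_KEY_FILE is not readable" >&2; exit 1; }
# … unchanged: echo banners …
cryptsetup luksFormat "$_DEVICE" "$_KEY_FILE"
cryptsetup luksAddKey -d "$_KEY_FILE" "$_DEVICE"
cryptsetup luksOpen "$_DEVICE" "$_BACKUP_DEVICE_NAME" --key-file "$_KEY_FILE"
# … unchanged: mkfs.ext4, tune2fs, luksClose …
```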

203
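--- a/cryptodevice.txt
+++ b/cryptodevice.txt
@@ -0,0 +1,203 @@
+## - urls
+## -
+http://wiki.ubuntuusers.de/System_verschl%C3%BCsseln
+http://de.gentoo-wiki.com/DM-Crypt
+## --------------------------------------------------------- ##
+## - In welchem Slot befindet sich der Key mit Passwort... - ##
+## --------------------------------------------------------- ##
+# - bsp.: cryptsetup --verbose open --test-passphrase /dev/sda5
+# -
+cryptsetup --verbose open --test-passphrase <device>
+## ------------------------------------------------------------- #
+## - - #
+## - cryptodevice einrichten - #
+## - - #
+## ------------------------------------------------------------- #
+## -------------------------- ##
+## - Cryptodevice erstellen - ##
+## -------------------------- ##
+## -
+cryptsetup luksFormat <device i.e. "/dev/sda1">
+## - oder
+cryptsetup -c aes-lrw-benbi -y -s 384 luksFormat <device>
+#
+#cryptsetup -c aes-xts-plain -y -s 512 luksFormat <device>
+cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y <device>
+## - cryptodevice erstellen mit password im keyfile
+## -
+## - keyfile (1024 bit groß) erstellen
+head -c1024 /dev/urandom > <keyfile i.e. "/etc/.key/hostname.key">
+## - crytodevice erstellen
+cryptsetup -c aes-lrw-benbi -s 384 luksFormat <device> <keyfile>
+# - oder (etwas neuer)
+#cryptsetup -c aes-xts-plain -s 512 luksFormat <device> <keyfile>
+cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat <device> <keyfile>
+## - cryptodevice mit einem abgeleiteten Schlüssel eines bestehenden LUKS
+## - device erstellen
+## -
+## - /lib/cryptsetup/scripts/decrypt_derived <Name_des_Ursprungsgeräts> | cryptsetup -c aes-xts-plain -s 512 luksFormat <Gerät>
+## - wobei mit <Name des Ursprungsgeräts> ist im Folgenden der Mapper-Name
+## - gemeint ist, der unter /dev/mapper/ angezeigt wird - z.Bsp. root
+## -
+/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda3
+## ------------------------ ##
+## - Cryptodevice oeffnen - ##
+## ------------------------ ##
+## -
+cryptsetup luksOpen <device> <cryptodevice i.e. "data">
+## - bzw. mit keyfileangabe
+cryptsetup luksOpen <device> <cryptodevice i.e. "data"> --key-file <keyfile>
+## - dateisystem erstellen
+## -
+## - Die "-m" Option reserviert soviel Prozent (hier: 0 Prozent) des Speichers
+## - für den Superuser. Vergisst man die Option anzugeben, werden standardmäßig 5%
+## - des Speicherplatzers für den Superuser reserviert.
+## -
+#mkfs.ext4 -m0 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/<cryptodevice>
+mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/<cryptodevice>
+## - neue crytopartition mounten
+## -
+mount /dev/mapper/<cryptodevice> <mountpoint i.e. "/data">
+## - öffnen eines mit einem abgeleiteten Schlüssel erstellten
+## - LUKS Devices
+## -
+## - /lib/cryptsetup/scripts/decrypt_derived <Name Des Ursprungsgeräts> | cryptsetup luksOpen <Gerät> <Name>
+/lib/cryptsetup/scripts/decrypt_derived root | cryptsetup luksOpen /dev/sda3 data
+## ----------------- ##
+## - /etc/crypttab - ##
+## ----------------- ##
+## -
+## - Paswortgeschütztes Device
+#<Name> UUID=<UUID> none <options>
+root UUID=9d323be6-7aad-4813-a0d2-8db4947c48d9 none luks
+## -
+## - Keyfile gechütztes Device
+#<Name> UUID=<UUID> <key file> <options
+home UUID=866d09f2-1b18-a00a-8d45-b2407260864c /etc/.key/luna.key luks,aes-xts-plain
+## -
+## - mit abgeleitetem Schlüssel erstelltes Device
+#<Name> UUID=<UUID> <Ursprungsgeräts> luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+data UUID=5f106e59-829f-4186-95b7-a0c84bb0adbd root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+## - Hinweis!
+## - die UUID eines Gerätedevice kann mittels "blkid" ermittelt werden
+## -
+blkid /dev/sda2
+## - Neuere Versionen von cryptsetup können die UUID auch selbst ermitteln:
+## -
+cryptsetup luksUUID /dev/sdxY
+## - Luks ermöglicht, mit verschiedenen Schlüsseln auf die
+## - Partition zuzugreifen. Folgender Befehl fügst einen
+## - weiteren hinzu:
+## - ein passwort hinzufügen
+## -
+cryptsetup luksAddKey /dev/$DEVICE
+## -
+## - ein passwort hinzufügen falls eine schlüsseldatei benutzt wird
+## -
+cryptsetup luksAddKey -d /pfad/zur/datei /dev/$DEVICE
+## -
+## - ein passwort hinzufügen falls eine abgeleiteter Schlüssel benutzt wird
+## -
+mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram
+/lib/cryptsetup/scripts/decrypt_derived <Ursprungsgerät z.Bsp. root> > /mnt/ram/tmp.key
+cryptsetup luksAddKey -d /mnt/ram/tmp.key /dev/$DEVICE
+umount /mnt/ram && rmdir /mnt/ram
+## -
+## - einen abgeleiteten Schlüssel hinzufügen, falls ein Passwort benutzt wurde
+## -
+mkdir /mnt/ram && mount -t ramfs -o size=1m ramfs /mnt/ram && chmod 600 /mnt/ram
+/lib/cryptsetup/scripts/decrypt_derived <Ursprungsgerät z.Bsp. root> > /mnt/ram/tmp.key
+cryptsetup luksAddKey /dev/$DEVICE /mnt/ram/tmp.key
+umount /mnt/ram && rmdir /mnt/ram
+## -
+## - eine Schlüsseldatei hinzufügen
+## -
+cryptsetup luksAddKey /dev/$DEVICE <keydatei>
+## -
+## - eine Schlüsseldatei hinzufügen falls eine schlüsseldatei benutzt wird
+## -
+cryptsetup luksAddKey -d /pfad/zur/datei /dev/$DEVICE <keydatei>
+## - Analog dazu kann mit luksKillSlot ein Schlüssel wieder entfernen.
+## -
+cryptsetup luksKillSlot <cryptodevice> <SlotNr>
+## - Täglicher Gebrauch
+## - ==================
+* Trage deine Cryptopartition in /etc/crypttab ein, bspw:
+# <target device> <source device> <key file> <options>
+$CRYPTODEVICE /dev/$DEVICE none luks,check=ext2,retry=5
+# oder
+<cryptodevice> <device> none luks,retry=1,cipher=aes-lrw-benbi
+<cryptodevice> <device> <keykile> luks,cipher=aes-lrw-benbi
+* Trage in /etc/fstab das Device (/dev/mapper/$CRYPTODEVICE $MOUNT)
+mit deinen Dateisystemoptionen ein:
+/dev/mapper/$CRYPTDEVICE $MOUNT auto defaults 0 0
+* /etc/init.d/cryptdisks kümmert sich nun um die Initialisierung beim Booten.
+Bei Falscheingabe, wirst du mehrmals (siehe retry in der /etc/crypttab)
+erneut gefragt. Falls es weiterhin fehlschlägt, wird der Bootvorgang
+ohne mounten fortgesetzt.
+* Luks ermöglicht es dir, mit verschiedenen Schlüsseln auf die Partition
+zuzugreifen. Mit folgendem Befehl fügst du einen weiteren hinzu:
+cryptsetup luksAddKey /dev/$DEVICE
+Dazu musst du das Passwort eines schon vorhandenen Schlüssels eingeben. Analog
+dazu kannst du mit luksDelKey ein Schlüssel wieder entfernen.
+Paranoia
+========
+Mit dmsetup info lassen sich benutzte devicemappings anzeigen.
+Taucht hier ein Teil als ACTIVE auf, so hat jedermensch darauf
+Zugriff (auch wenn es nicht gemountet ist, könnte - wer die
+nötigen Rechte hat - das Teil ohne passendes Cryptokennwort
+mounten) - es ist in diesem Zustand quasi entschlüsselt!
+Deswegen immer nach dem unmounten, das mapping entfernen
+(sonst gibt's (erfahrene Beamte vorausgesetzt) evtl. Stress bei
+der Hausdurchsuchung):
+umount $MOUNT
+cryptsetup luksClose $CRYPTODEVICE
+Du kannst alle mappings gleichzeitig entfernen mit:
+dmsetup remove_all
+! Denk dran: cryptsetup luksClose niemals nicht vergessen oder aber
+Stecker ziehen (bzw. den Rechner herunterfahren) ;) !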

163
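--- a/mount_crypt
+++ b/mount_crypt
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+## - Partition: data
+## -
+part_name=data
+crypt_partition="/dev/mapper/$part_name"
+raw_partition=< i.e. /dev/vda3 or /dev/sda3 ..>
+mount_point=<your mount point>
+start_samba=false
+start_kvm=false
+start_mysql=false
+start_apache=false
+start_vservers=true
+vservers="<vserver1, vserver2,..>"
+echo -e "\n\033[1;34m"
+/sbin/cryptsetup luksOpen $raw_partition $part_name > /dev/null 2>&1
+echo -e "\033[0m"
+if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then
+declare -i mount_count=`tune2fs -l $crypt_partition | grep "Mount count" | cut -d ":" -f 2`
+declare -i max_mount_count=`tune2fs -l $crypt_partition | grep "Maximum mount count" | cut -d ":" -f 2`
+if [ $max_mount_count -gt 0 ];then
+if [ $mount_count -ge $max_mount_count ]; then
+echo ""
+echo -e "\tMaximal mount count of $max_mount_count was reached."
+echo -e "\tSo a filecheck on \"$crypt_partition\" will be initiated.."
+echo -e "\t\033[1;33m\E[5mPlease wait. This may take some time..\033[00m"
+echo ""
+e2fsck -p $crypt_partition > /dev/null
+if [ $? -gt -0 ]; then
+echo -e "\n\t[\033[1;31mERROR\033[0m] filecheck on $crypt_partition failed.\n"
+fi
+tune2fs -C 0 $crypt_partition > /dev/null
+fi
+fi
+fi
+if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then
+echo -n -e "\tMounting crypto-partition \"$part_name\"..\t"
+/bin/mount $crypt_partition $mount_point > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [\033[40m\033[1;31m failed \033[0m]"
+else
+echo -e " [\033[1;32m done \033[0m]"
+fi
+else
+echo -e "\t\033[1;33mPartition \"$part_name\" already mounted..\033[0m"
+fi
+if $start_vservers ; then
+if [ -n "$vservers" ]; then
+echo ""
+for _vserver in $vservers ; do
+echo -n -e "\tStarting VServer \"$_vserver\".."
+vserver $_vserver start > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e "\t [\033[40m\033[1;31m failed \033[0m]"
+else
+echo -e "\t [\033[1;32m done \033[0m]"
+fi
+done
+echo ""
+fi
+fi
+if $start_mysql ; then
+if ps ax | grep /usr/sbin/mysqld | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then
+## - Stopping Mysql..
+## -
+echo -n -e "\n\tStopping MySQL Server..\t\t"
+/etc/init.d/mysql stop > /dev/null
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+## - Starting Mysql..
+## -
+echo -n -e "\n\tStarting MySQL Server..\t\t"
+/etc/init.d/mysql start > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+if $start_apache ; then
+if ps ax | grep /usr/sbin/apache2 | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then
+## - Stopping Apache Webserver..
+## -
+echo -n -e "\n\tStopping Apache Weberver..\t"
+/etc/init.d/apache2 stop > /dev/null
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+## - Starting Apache..
+## -
+echo -n -e "\n\tStarting Apache Webserver..\t"
+/etc/init.d/apache2 start > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+if $start_samba ; then
+## - Starting Samba..
+## -
+if ps ax | grep nmbd | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then
+/etc/init.d/samba stop > /dev/null
+killall smbd > /dev/null 2>&1
+killall nmbd > /dev/null 2>&1
+fi
+echo -n -e "\n\tStarting Samba Fileserver..\t\t"
+/etc/init.d/samba start > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+if $start_kvm ; then
+## - Starting libvirt-bin (also starts virtual boxes)
+## -
+echo -n -e "\n\tStarting libvirt-bin..\t\t\t"
+/etc/init.d/libvirt-bin start > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi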
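Review bot: The `luksOpen` at the top discards both its output and its exit status (`> /dev/null 2>&1`, no check), so a wrong passphrase or a missing device is never reported and the script carries on to `tune2fs` and `mount` against a mapper node that does not exist, printing only a generic "failed". Check it explicitly: `cryptsetup luksOpen "$raw_partition" "$part_name" || { echo "unlocking $part_name failed" >&2; exit 1; }`. The fsck branch misreads e2fsck's status: `if [ $? -gt -0 ]` reports ERROR for exit codes 1 and 2, which e2fsck documents as "errors corrected"; `if [ $? -ge 4 ]` matches the genuine failure codes. The `df | grep "$crypt_partition"` mount test is a substring match (`/dev/mapper/data` also matches `/dev/mapper/data2`); `findmnt -rn "$crypt_partition"` or `mountpoint -q "$mount_point"` is exact. The MySQL and Apache branches stop and restart those services whenever `smbd` is running because the `|| ps ax | grep smbd` clause was copied from the Samba block, which looks unintended.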

54
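--- a/mount_cryptroot
+++ b/mount_cryptroot
@@ -0,0 +1,54 @@
+#!/bin/sh
+# This script generates two scripts in the initramfs output,
+# /root/mount_cryptroot.sh and /root/.profile
+ALLOW_SHELL=0
+# Set this to 1 before running update-initramfs if you want
+# to allow authorized users to type Ctrl-C to drop to a
+# root shell (useful for debugging, potential for abuse.)
+#
+# (Note that even with ALLOW_SHELL=0 it may still be possible
+# to achieve a root shell.)
+#
+if [ -z ${DESTDIR} ]; then
+exit
+fi
+SCRIPT="${DESTDIR}/root/mount_cryptroot.sh"
+cat > "${SCRIPT}" << 'EOF'
+#!/bin/sh
+CMD=
+while [ -z "$CMD" -o -z "`pidof askpass plymouth`" ]; do
+CMD=`ps -o args | grep cryptsetup | grep -i open | grep -v grep`
+sleep 0.1
+done
+while [ -n "`pidof askpass plymouth`" ]; do
+$CMD && kill -9 `pidof askpass plymouth` && echo "Success"
+done
+EOF
+chmod +x "${SCRIPT}"
+# Run mount_cryptroot by default and close the login session afterwards
+# If ALLOW_SHELL is set to 1, you can press Ctrl-C to get to an interactive prompt
+cat > "${DESTDIR}/root/.profile" << EOF
+ctrl_c_exit() {
+exit 1
+}
+ctrl_c_shell() {
+# Ctrl-C during .profile appears to mangle terminal settings
+reset
+}
+if [ "$ALLOW_SHELL" == "1" ]; then
+echo "Unlocking rootfs... Type Ctrl-C for a shell."
+trap ctrl_c_shell INT
+else
+echo "Unlocking rootfs..."
+trap ctrl_c_exit INT
+fi
+/root/mount_cryptroot.sh && exit 1 || echo "Run ./mount_cryptroot.sh to try unlocking again"
+trap INT
+EOF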
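Review bot: `ALLOW_SHELL=0` is not enforced on the failure path: the generated `.profile` ends with `/root/mount_cryptroot.sh && exit 1 || echo "Run ./mount_cryptroot.sh to try unlocking again"` followed by `trap INT`, so whenever the unlock script returns non-zero the login shell simply continues and the SSH user lands in an interactive root shell inside the initramfs regardless of the setting — this is the concrete case behind the "it may still be possible to achieve a root shell" comment, and it should be stated there. Gate the fall-through too, e.g. replace the last two heredoc lines with `/root/mount_cryptroot.sh && exit 1`, `[ "$ALLOW_SHELL" = "1" ] || exit 1` and then the existing `echo`/`trap INT`, so only the explicitly allowed configuration ever reaches a prompt. `[ "$ALLOW_SHELL" == "1" ]` is a bashism under `#!/bin/sh`; busybox ash tolerates it, but `=` is the portable form. Two smaller points: `$CMD` re-executes a command line scraped from `ps` through unquoted word-splitting, so any cryptsetup argument containing spaces would break it, and unlike `unlock_cryptkey_via_ssh.sh` this hook has no `prereqs` case, so it presumably runs its body in both hook phases — confirm that is intended. The file is committed without the executable bit while the other hooks have it; as far as I know initramfs-tools skips non-executable hooks, so this one may silently do nothing.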

120
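--- a/remote_decrypt.txt
+++ b/remote_decrypt.txt
@@ -0,0 +1,120 @@
+## - IP definitions in initramfs overwrites /etc/network/interfaces
+## -
+## - Add the following line to your interface definition
+## -
+## - pre-up ip addr flush dev eth0
+Luks remote decrypt
+===================
+## Install packages busybox and dropbear
+## -
+## - Notice:
+## - If package busybox-static is already installed, tha is sufficient.
+## - Install only package dropbear in that case.
+## -
+#apt-get install dropbear busybox
+apt-get install dropbear
+## - For security reason and if no needed, remove keys from root directory in
+## - initramfs (/etc/initramfs-tools/root/.ssh)
+## -
+rm /etc/initramfs-tools/root/.ssh/id_*
+## - Empty /etc/initramfs-tools/root/.ssh/authorized_keys
+## -
+> /etc/initramfs-tools/root/.ssh/authorized_keys
+## - Add your public key, you wish to early connect, to authorized_keys file
+## - /etc/initramfs-tools/root/.ssh/authorized_keys
+## -
+vim /etc/initramfs-tools/root/.ssh/authorized_keys
+## - Create initramfs script for unlocking the key
+## -
+cat << END > /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh
+#!/bin/sh
+PREREQ="dropbear"
+prereqs() {
+echo "\$PREREQ"
+}
+case "\$1" in
+prereqs)
+prereqs
+exit 0
+;;
+esac
+. "\$CONFDIR/initramfs.conf"
+#. /usr/share/initramfs-tools/hook-functions
+if [ "\$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then
+# fix for dropbear in Ubuntu 12.04 x86_64
+[ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "\$DESTDIR/lib/"
+mkdir -m 755 -p "\$DESTDIR/lib/unlock"
+##### /bin/unlock
+cat > "\${DESTDIR}/bin/unlock" <<EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot ; then
+for n in cryptroot "plymouth ask-for-pass" cryptsetup ; do
+p=\\\$(ps w | grep "\\\$n" | awk '\\\$5 != "grep" {print \\\$1}')
+[ -n "\\\$p" ] && kill \\\$p
+done
+exit 0
+fi
+exit 1
+EOF
+##### EOF /bin/unlock
+##### /lib/unlock/plymouth
+cat > "\$DESTDIR/lib/unlock/plymouth" <<-EOF
+#!/bin/sh
+[ "\\\$1" == "--ping" ] && exit 1
+exec /bin/plymouth "\\\$@"
+EOF
+##### EOF /lib/unlock/plymouth
+chmod 755 "\$DESTDIR/bin/unlock"
+chmod 755 "\$DESTDIR/lib/unlock/plymouth"
+# enable password login
+[ -n "\$SSHUSERPASS" ] &&
+touch "\$DESTDIR/etc/shadow" && chmod 640 "\$DESTDIR/etc/shadow" &&
+getent shadow "\$SSHUSERPASS" | sed -n "s/^\$SSHUSERPASS:/root:/p" /etc/shadow >> "\$DESTDIR/etc/shadow"
+sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "\$DESTDIR/etc/passwd"
+fi
+END
+chmod 755 /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh
+## - Make changes persistent to initramfs
+## -
+update-initramfs -u -k all
+## - Now you can connect to dropbear shell with your added key, for example
+## -
+## - Connect:
+## - ssh -i ~/.ssh/dropbear/id_rsa_initram -o UserKnownHostsFile=.ssh/dropbear/known_hosts root@192.168.63.90
+## -
+## - Enter your passphrase:
+## - Enter passphrase for key '/home/chris/.ssh/dropbear/id_rsa_initram': ******************
+## -
+## - Unlock key, type:
+## - unlock
+## -
+## - Enter pasphrase for cryptodevice
+## - Enter passphrase:
+## -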

139
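--- a/umount_crypt
+++ b/umount_crypt
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+### BEGIN INIT INFO
+# Provides: umount_crypt
+# Required-Start: $remote_fs $syslog $network postfix
+# Required-Stop: $remote_fs $syslog $network postfix
+# Default-Start:
+# Default-Stop: 0 1 6
+# Short-Description: Unmounting crypto device(s)
+### END INIT INFO
+## ---
+## - add with:
+## - update-rc.d umount_crypt stop 01 0 1 6 .
+## ---
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+## - Partition: data
+## -
+part_name=<choose a name i.e data>
+crypt_partition="/dev/mapper/$part_name"
+raw_partition=< i.e. /dev/vda3 or /dev/sda3 ..>
+mount_point=<your mount point i.e /data>
+stop_samba=false
+stop_kvm=false
+stop_mysql=false
+stop_apache=false
+stop_vservers=true
+if $stop_vservers ; then
+if [ -n $vservers ];then
+echo ""
+vservers=`vserver-stat | grep -E "^[0-9]{2,}" | awk '{print$8}'`
+for _vserver in $vservers ; do
+echo -n -e "\tStopping VServer \"$_vserver\".."
+vserver $_vserver stop > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e "\t[ \033[1;31mfailed\033[0m ]"
+else
+echo -e "\t[ \033[1;32mdone\033[0m ]"
+fi
+done
+echo ""
+fi
+fi
+if $stop_apache ; then
+if ps ax | grep /usr/sbin/apache2 | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then
+## - Stopping Apache Webserver..
+## -
+echo -n -e "\n\tStopping Apache Weberver..\t"
+/etc/init.d/apache2 stop > /dev/null
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+fi
+if $stop_mysql ; then
+if ps ax | grep /usr/sbin/mysqld | grep -v grep > /dev/null 2>&1 || ps ax | grep smbd | grep -v grep > /dev/null 2>&1 ; then
+## - Stopping Mysql..
+## -
+echo -n -e "\n\tStopping MySQL Server..\t\t"
+/etc/init.d/mysql stop > /dev/null
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+fi
+if $stop_kvm ; then
+## - Stopping KVM's
+## -
+echo -n -e "\n\tStopping Virtual Boxes..\t\t"
+/etc/init.d/kvm_shutdown_guests stop > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+echo -n -e "\n\tStopping libvirt-bin..\t\t\t"
+/etc/init.d/libvirt-bin stop > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+if $stop_samba ; then
+## - Stopping Samba-Server
+## -
+echo -n -e "\n\tStopping Samba Fileserver..\t\t"
+/etc/init.d/samba stop > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+if ! df | grep "$crypt_partition" > /dev/null 2>&1 ;then
+echo -e "\n\t\033[1;33mPartition \"$part_name\" is NOT mounted..\033[0m"
+else
+echo -n -e "\n\tUnmounting Partition $mount_point..\t\t"
+/bin/umount $crypt_partition > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]"
+else
+echo -e " [ \033[1;32mdone\033[0m ]"
+fi
+echo -n -e "\tDecrypting $part_name..\t\t\t"
+cryptsetup luksClose $part_name > /dev/null 2>&1
+if [ $? -ne 0 ] ; then
+echo -e " [ \033[1;31mfailed\033[0m ]\n"
+else
+echo -e " [ \033[1;32mdone\033[0m ]\n"
+fi
+fi
+echo ""
+exit 0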
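Review bot: A failed `umount` does not stop the teardown: the script prints "failed", then runs `cryptsetup luksClose` anyway (which will also fail on a still-mounted mapping), and still finishes with `exit 0` — so at shutdown the volume can be left open with its plaintext reachable through `/dev/mapper/$part_name`, which is exactly the state the "Paranoia" section of cryptodevice.txt warns about, and no non-zero status ever surfaces it. Stop instead of proceeding: `/bin/umount "$crypt_partition" || { echo "umount of $mount_point failed; $part_name left open" >&2; exit 1; }`, and make the final `exit` reflect whether `luksClose` succeeded. The vserver guard `if [ -n $vservers ]` tests a variable that is only assigned on the following line, and unquoted `[ -n ]` with an empty argument is always true, so the check does nothing. As in `mount_crypt`, the `df | grep` mount test is a substring match and the Apache/MySQL branches are also triggered by a running `smbd`, which looks like a copy-paste leftover. The status text `Decrypting $part_name..` is misleading — `luksClose` removes the mapping, i.e. it locks the volume.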

56
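--- a/unlock_cryptkey_via_ssh.sh
+++ b/unlock_cryptkey_via_ssh.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+PREREQ="dropbear"
+prereqs() {
+echo "$PREREQ"
+}
+case "$1" in
+prereqs)
+prereqs
+exit 0
+;;
+esac
+. "$CONFDIR/initramfs.conf"
+#. /usr/share/initramfs-tools/hook-functions
+if [ "$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then
+# fix for dropbear in Ubuntu 12.04 x86_64
+[ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "$DESTDIR/lib/"
+mkdir -m 755 -p "$DESTDIR/lib/unlock"
+##### /bin/unlock
+cat > "${DESTDIR}/bin/unlock" <<EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot ; then
+for n in cryptroot "plymouth ask-for-pass" cryptsetup ; do
+p=\$(ps w | grep "\$n" | awk '\$5 != "grep" {print \$1}')
+[ -n "\$p" ] && kill \$p
+done
+exit 0
+fi
+exit 1
+EOF
+##### EOF /bin/unlock
+##### /lib/unlock/plymouth
+cat > "$DESTDIR/lib/unlock/plymouth" <<-EOF
+#!/bin/sh
+[ "\$1" == "--ping" ] && exit 1
+exec /bin/plymouth "\$@"
+EOF
+##### EOF /lib/unlock/plymouth
+chmod 755 "$DESTDIR/bin/unlock"
+chmod 755 "$DESTDIR/lib/unlock/plymouth"
+# enable password login
+[ -n "$SSHUSERPASS" ] &&
+touch "$DESTDIR/etc/shadow" && chmod 640 "$DESTDIR/etc/shadow" &&
+getent shadow "$SSHUSERPASS" | sed -n "s/^$SSHUSERPASS:/root:/p" /etc/shadow >> "$DESTDIR/etc/shadow"
+sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "$DESTDIR/etc/passwd"
+fi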
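Review bot: When `SSHUSERPASS` is set, the block under `# enable password login` copies that user's password hash into the initramfs `/etc/shadow` as root's entry, enabling password authentication to the early-boot dropbear; the initramfs image lives on the normally unencrypted /boot, so anyone who can read the image gets the hash for offline cracking, and whoever cracks it can unlock the root volume remotely. Prefer leaving `SSHUSERPASS` unset and relying solely on the key in `authorized_keys`; if password login is really required, the hook should document that `/boot/initrd.img-*` must not be world-readable (check the `UMASK` setting in initramfs.conf on the target release) and escape `$SSHUSERPASS` before interpolating it into the `sed` pattern. The `getent shadow "$SSHUSERPASS" | sed -n "..." /etc/shadow` pipeline is confused: `sed` is given `/etc/shadow` as a file argument, so the `getent` output is discarded and the file is read directly. The `/bin/unlock` helper kills processes selected by `ps w | grep "$n" | awk '$5 != "grep"'`, which depends on the column layout of busybox `ps w` on the target and would also match unrelated processes whose arguments contain `cryptsetup`; `pidof`/`pkill -x` is safer where busybox provides it. `[ "$1" == "--ping" ]` in the `/lib/unlock/plymouth` shim is a bashism under `#!/bin/sh`; use `=`.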