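# vim: set ft=sh:
# based on /lib/initcpio/hooks/encrypt
#
# multicrypt hook: unlock one LUKS "key volume", mount it read-only, and use
# the per-target keyfiles stored on it to luksOpen the remaining LUKS devices.
# The key volume is unmounted and luksClosed again before the hook returns,
# so its keyfiles are only reachable for the duration of the target loop.
#
# Kernel-command-line variables read (placed in the environment by the
# initramfs init before run_hook is called):
#   cryptkey      optional keyfile source for the key volume itself, either
#                 dev:fstype:path (a file on a filesystem) or
#                 dev:offset:length (raw bytes from a block device)
#   cryptdevices  comma-separated list; the first entry is the key volume as
#                 dev:fstype[:path] (path defaults to /), every further entry
#                 is a target as dev:name, opened with keyfile <path>/<name>
#   rootdelay     forwarded to poll_device (may be empty)
#   quiet         "y" discards cryptsetup's stdout
# Helpers expected from the initramfs environment: poll_device, err.
run_hook () {
    # Run cryptsetup, dropping its stdout when quiet=y.  This replaces the
    # original `eval /sbin/cryptsetup ... ${CSQUIET}` idiom, so device and
    # mapping names taken from the kernel command line are passed as plain
    # arguments and never re-parsed by the shell.
    multicrypt_cryptsetup () {
        if [ "${quiet}" = "y" ]; then
            /sbin/cryptsetup "$@" >/dev/null
        else
            /sbin/cryptsetup "$@"
        fi
    }

    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    # Nothing can be opened unless device-mapper came up.
    [ -e "/sys/class/misc/device-mapper" ] || return 0

    if [ ! -e "/dev/mapper/control" ]; then
        # Unquoted on purpose: "MAJOR:MINOR" becomes two mknod arguments.
        /bin/mknod "/dev/mapper/control" c $(sed 's|:| |' /sys/class/misc/device-mapper/dev)
    fi

    # Optional keyfile for the key volume.  It is copied into the initramfs
    # tmpfs and removed again at the end of this hook.
    ckeyfile="/crypto_keyfile.bin"
    if [ "x${cryptkey}" != "x" ]; then
        ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
        ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
        ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
        # rootdelay is left unquoted on purpose: empty means "no argument".
        if poll_device "${ckdev}" ${rootdelay}; then
            case "${ckarg1}" in
                *[!0-9]*)
                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                    mkdir -p /ckey
                    if mount -r -t "${ckarg1}" "${ckdev}" /ckey; then
                        dd if="/ckey/${ckarg2}" of="${ckeyfile}" >/dev/null 2>&1
                        umount /ckey
                    fi
                    ;;
                *)
                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length (bytes)
                    dd if="${ckdev}" of="${ckeyfile}" bs=1 skip="${ckarg1}" count="${ckarg2}" >/dev/null 2>&1
                    ;;
            esac
        fi
        [ ! -f "${ckeyfile}" ] && echo "Keyfile could not be opened. Reverting to passphrase."
    fi

    if [ "x${cryptdevices}" = "x" ]; then
        echo "No cryptdevices argument."
        exit 1
    fi
    # Word-splitting of the comma-separated list into "$@" is intended.
    set -- $(echo "${cryptdevices}" | sed 's|,| |g')

    # First item is the key volume; 'dev:fstype' defaults to 'dev:fstype:/'
    cryptdev="$(echo "${1}" | cut -d: -f1)"
    crypttype="$(echo "${1}" | cut -d: -f2)"
    cryptpath="$(echo "${1}:/" | cut -d: -f3)"
    shift 1

    if poll_device "${cryptdev}" ${rootdelay}; then
        if /sbin/cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
            dopassphrase=1
            # Prefer the fetched keyfile; fall back to a passphrase prompt.
            if [ -f "${ckeyfile}" ]; then
                if multicrypt_cryptsetup --key-file "${ckeyfile}" luksOpen "${cryptdev}" multicrypt; then
                    dopassphrase=0
                else
                    echo "Invalid keyfile. Reverting to passphrase."
                fi
            fi

            if [ "${dopassphrase}" -gt 0 ]; then
                echo ""
                echo "A password is required to access the multicrypt key volume:"
                # Loop until cryptsetup accepts a passphrase (no attempt limit).
                while ! multicrypt_cryptsetup luksOpen "${cryptdev}" multicrypt; do
                    sleep 2
                done
            fi

            if [ ! -e /dev/mapper/multicrypt ]; then
                err "Password succeeded, but multicrypt creation failed, aborting..."
                exit 1
            fi

            # Mount the key volume read-only.  On failure drop to an emergency
            # shell so the operator can repair it by hand; the target loop runs
            # afterwards either way, so a still-missing mount only produces
            # per-target "keyfile not found" errors below.
            mkdir -p /multicrypt
            if ! /bin/mount -t "${crypttype}" -n -r /dev/mapper/multicrypt /multicrypt; then
                echo "Couldn't mount multicrypt key volume; try to fix..."
                sh
            fi

            # Open every target with the keyfile <cryptpath>/<name> from the
            # key volume, reporting (rather than silently ignoring) failures.
            for t; do
                tdev="$(echo "${t}" | cut -d: -f1)"
                tname="$(echo "${t}" | cut -d: -f2)"
                tkey="/multicrypt/${cryptpath}/${tname}"
                if [ ! -r "${tkey}" ]; then
                    err "Keyfile ${tkey} for ${tname} not found; skipping ${tdev}."
                    continue
                fi
                if ! multicrypt_cryptsetup -d "${tkey}" luksOpen "${tdev}" "${tname}"; then
                    err "Failed to open ${tdev} as ${tname} with keyfile ${tkey}."
                fi
            done

            # Always tear the key volume down again, even if some targets
            # failed, so its keyfiles do not stay readable from the booted
            # system.  A failed luksClose is worth knowing about.
            /bin/umount -n /multicrypt
            if ! multicrypt_cryptsetup luksClose multicrypt; then
                err "Failed to close the multicrypt key volume; /dev/mapper/multicrypt is still open."
            fi
        else
            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume."
        fi
    else
        err "Couldn't find device ${cryptdev}."
    fi

    # Drop the key-volume keyfile copied into the initramfs, if any.
    rm -f "${ckeyfile}"
}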