From 65e49671f5f63ff209c8730c588e01651203e2ec Mon Sep 17 00:00:00 2001
From: Chrysostomus
Date: Sun, 31 Dec 2017 20:33:00 +0200
Subject: [PATCH] Update encryption settings

---
 lib/util-base.sh | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/lib/util-base.sh b/lib/util-base.sh
index 71ca3f6..fed18a4 100644
--- a/lib/util-base.sh
+++ b/lib/util-base.sh
@@ -397,7 +397,8 @@ install_grub_uefi() {
 # if root is encrypted, amend /etc/default/grub
 root_name=$(mount | awk '/\/mnt / {print $1}' | sed s~/dev/mapper/~~g | sed s~/dev/~~g)
- root_device=$(lsblk -i | tac | sed -n -e "/$root_name/,/disk/p" | awk '/disk/ {print $1}')
+ root_device=$(lsblk -i | tac | sed -n -e "/$root_name/,/disk/p" | awk '/disk/ {print $1}')
+ root_part=$(lsblk -i | tac | sed -n -e "/$root_name/,/part/p" | awk '/part/ {print $1}' | tr -cd '[:alnum:]')
 boot_encrypted_setting
 # If encryption used amend grub
 [[ $(cat /tmp/.luks_dev) != "" ]] && sed -i "s~GRUB_CMDLINE_LINUX=.*~GRUB_CMDLINE_LINUX=\"$(cat /tmp/.luks_dev)\"~g" ${MOUNTPOINT}/etc/default/grub
 
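Review bot: `root_part` is derived by text-matching lsblk's tree output: after `tac`, the `/$root_name/,/part/p` range prints everything from the root mapper line up to the first line containing "part", and `awk '/part/'` takes whichever partition that happens to be, so with several partitions, or with LUKS on top of LVM (where the container to key is an LV, not a partition), it can name the wrong device, and `tr -cd '[:alnum:]'` also strips the `-` that device-mapper names carry. Where root is on a mapper device, walking the inverse tree and taking the parent of the crypt node is more direct, e.g. `root_part=$(lsblk -nso NAME,TYPE "/dev/mapper/$root_name" | awk 'seen { print $1; exit } $2 == "crypt" { seen = 1 }')`, which yields the LUKS container regardless of stacking (verify against the layouts the installer supports). Since the variable is only set here in install_grub_uefi while setup_luks_keyfile dereferences it from boot_encrypted_setting, it is worth confirming that no other caller (the BIOS path is not visible in this hunk) reaches setup_luks_keyfile with `root_part` unset. install_grub_uefi continues outside the hunk.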
@@ -629,19 +630,40 @@ bios_bootloader() {
 fi
 }
+setup_luks_keyfile() {
+ # Create a keyfile
+ dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
+ chmod 000 /mnt/crypto_keyfile.bin
+ # Add keyfile to luks
+ cryptsetup luksAddKey /dev/"$root_part" /mnt/crypto_keyfile.bin
+ # Add keyfile to initcpio
+ sed -i '/FILES/ s~)~/crypto_keyfile.bin)~' /mnt/etc/mkinitcpio.conf
+ arch_chroot "mkinitcpio -P"
+}
+
 boot_encrypted_setting() {
- # Check if there is separate encrypted /boot partition
- if $(lsblk | grep '/mnt/boot' | grep -q 'crypt' ); then
- echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
- # Check if root is encrypted and there is no separate /boot
- elif $(lsblk | grep "/mnt$" | grep -q 'crypt' ) && [[ $(lsblk | grep "/mnt/boot$") == "" ]]; then
- echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
- # Check if root is on encrypted lvm volume
- elif $(lsblk -i | tac | sed -n -e "/$root_name/,/disk/p" | awk '{print $6}' | grep -q crypt) && [[ $(lsblk | grep "/mnt/boot$") == "" ]]; then
- echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
+ # Check if there is separate /boot partition
+ if [[ $(lsblk | grep "/mnt/boot$") == "" ]]; then
+ #There is no separate /boot parition
+ # Check if root is encrypted
+ if $(lsblk | grep "/mnt$" | grep -q 'crypt' ); then
+ echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
+ setup_luks_keyfile
+ # Check if root is on encrypted lvm volume
+ elif $(lsblk -i | tac | sed -n -e "/$root_name/,/disk/p" | awk '{print $6}' | grep -q crypt); then
+ echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
+ setup_luks_keyfile
+ fi
+ elif
+ # There is a separate /boot. Check if it is encrypted
+ if $(lsblk | grep '/mnt/boot' | grep -q 'crypt' ); then
+ echo "GRUB_ENABLE_CRYPTODISK=y" >> /mnt/etc/default/grub
+ setup_luks_keyfile
+ fi
 else
 true
 fi
+
 }
 
 recheck_luks() {
 
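Review bot: The `elif` introduced in boot_encrypted_setting has no condition and no `then`; bash takes the inner `if … fi` as the elif's test and then meets `else` where it expects `then`, so the file no longer parses and sourcing it fails with a syntax error. Fold the inner test into the elif and let the existing `else true` branch stand: replace `elif` and the following `if $(lsblk | grep '/mnt/boot' | grep -q 'crypt' ); then` with the single line `elif $(lsblk | grep '/mnt/boot' | grep -q 'crypt' ); then` and drop the inner `fi`. In setup_luks_keyfile the keyfile is created by `dd` under the current umask (0644 with the common 022 default) and only afterwards `chmod 000`, so it is briefly world-readable on /mnt; `(umask 077; dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin)` closes that window, and the initramfs images that embed the key should likewise be restricted to root (nothing in this hunk adjusts their permissions after `mkinitcpio -P`). The `sed '/FILES/ s~)~/crypto_keyfile.bin)~'` edit appends without a separator, so a non-empty `FILES=(a)` becomes `FILES=(a/crypto_keyfile.bin)`; use `s~)~ /crypto_keyfile.bin)~`. `cryptsetup luksAddKey /dev/"$root_part"` also runs with no check that `root_part` is set, and on the "encrypted lvm volume" branch the container is an LV rather than a partition, so a guard such as `[[ -n "$root_part" && -b "/dev/$root_part" ]] || return 1` before it would at least make the wrong-device case fail visibly instead of prompting for a passphrase on `/dev/`.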
@@ -847,4 +869,4 @@ create_new_user() {
 #arch_chroot "cp /etc/skel/.bashrc /home/${USER}"
 arch_chroot "chown -R ${USER}:${USER} /home/${USER}"
 [[ -e ${MOUNTPOINT}/etc/sudoers ]] && sed -i '/%wheel ALL=(ALL) ALL/s/^#//' ${MOUNTPOINT}/etc/sudoers
-}
\ No newline at end of file
+}