| author | Tails developers <amnesia@boum.org> | 2011-11-12 05:56:06 +0100 |
|---|---|---|
| committer | Daniel Baumann <daniel@debian.org> | 2011-11-24 09:42:09 +0100 |
| commit | ef22a990570cd3658c7a693796e4470994b86fb9 (patch) | |
| tree | 11039a1cf8f71ceebeb0a696722c7b9427a2eed4 /scripts | |
| parent | 05dd30f7923913a060d7bef57b167386c988bc7c (diff) | |
Changing persistent-encryption to accept a list TYPE... instead.
The comma-separated list TYPE... specifies which types of encryption
to allow for persistent media, and whether to allow plaintext media.
The possible TYPEs are the old {none, luks}, with default "none". The
only change is that this allows plaintext and encrypted media to be
used simultaneously.
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/live | 10 | ||||
| -rw-r--r-- | scripts/live-helpers | 67 |
2 files changed, 48 insertions, 29 deletions
diff --git a/scripts/live b/scripts/live
index 970853c..c28314f 100755
--- a/scripts/live
+++ b/scripts/live
@@ -395,19 +395,23 @@ Arguments ()
 export UNIONTYPE
 fi
- if [ "${PERSISTENT_ENCRYPTION}" = "luks" ]
+ if [ -z "${PERSISTENT_ENCRYPTION}" ]
+ then
+ PERSISTENT_ENCRYPTION="none"
+ export PERSISTENT_ENCRYPTION
+ elif echo ${PERSISTENT_ENCRYPTION} | grep -qw luks
 then
 if ! modprobe dm-crypt
 then
 log_warning_msg "Unable to load module dm-crypt"
- PERSISTENT_ENCRYPTION="none"
+ PERSISTENT_ENCRYPTION=$(echo ${PERSISTENT_ENCRYPTION} | sed -e 's/\<luks,\|,\?luks$//g')
 export PERSISTENT_ENCRYPTION
 fi
 if [ ! -x /lib/cryptsetup/askpass ] || [ ! -x /sbin/cryptsetup ]
 then
 log_warning_msg "cryptsetup in unavailable"
- PERSISTENT_ENCRYPTION="none"
+ PERSISTENT_ENCRYPTION=$(echo ${PERSISTENT_ENCRYPTION} | sed -e 's/\<luks,\|,\?luks$//g')
 export PERSISTENT_ENCRYPTION
 fi
 fi
diff --git a/scripts/live-helpers b/scripts/live-helpers
index 33d2ee7..9e45517 100644
--- a/scripts/live-helpers
+++ b/scripts/live-helpers
@@ -311,6 +311,37 @@ try_mount ()
 fi
 }
+open_luks_device ()
+{
+ dev="${1}"
+ name="$(basename ${dev})"
+ opts="--key-file=-"
+
+ load_keymap
+
+ while true
+ do
+ /lib/cryptsetup/askpass "Enter passphrase for ${dev}: " | \
+ /sbin/cryptsetup -T 1 luksOpen ${dev} ${name} ${opts}
+
+ if [ 0 -eq ${?} ]
+ then
+ luks_device="/dev/mapper/${name}"
+ echo ${luks_device}
+ return 0
+ fi
+
+ echo >&6
+ echo -n "There was an error decrypting ${dev} ... Retry? [Y/n] " >&6
+ read answer
+
+ if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
+ then
+ return 2
+ fi
+ done
+}
+
 find_persistent_media ()
 {
 # Scans devices for overlays and snapshots, and returns a whitespace
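Review bot: In the `Arguments ()` hunk of scripts/live, the two `sed` fallbacks leave `PERSISTENT_ENCRYPTION` empty when the list was just `luks`, and the only thing that keeps the empty value from becoming the `none` default is that the `-z` test runs before them; nothing in the code records that ordering. The empty list is what makes `find_persistent_media` skip every device through its `grep -qwv none` branch, so moving the default below the fallbacks would quietly downgrade a luks-only boot to plaintext media. I would put a comment above the first `sed`, `# Drop luks only: an emptied list must stay empty so plaintext media is still refused`, and quote the expansions as `echo "${PERSISTENT_ENCRYPTION}"`, since the value presumably comes from the boot command line. The body of `Arguments ()` continues outside the hunk.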
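Review bot: `open_luks_device` in scripts/live-helpers hands its result back on stdout (`echo ${luks_device}`), and the caller captures it with `$(open_luks_device "${dev}")`, but `load_keymap` and the `askpass | cryptsetup` pipeline run with that same stdout, so anything they print would become part of the device path that is used afterwards. `load_keymap` is not visible here, so this may be harmless today; redirecting both away from the capture, for example `load_keymap >&2` and `... ${opts} >&2`, removes the dependency, and `"${dev}"` and `"${name}"` should be quoted in the `luksOpen` call. Separately, the retry loop has no exit when input ends: a failed `read answer` leaves `answer` empty, which counts as "retry", so `read answer || return 2` would be a safer prompt.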
@@ -344,36 +375,20 @@ find_persistent_media ()
 luks_device=""
 # Checking for a luks device
- if [ "${PERSISTENT_ENCRYPTION}" = "luks" ]
+ if echo ${PERSISTENT_ENCRYPTION} | grep -qw luks && \
+ /sbin/cryptsetup isLuks ${dev}
 then
- if ! /sbin/cryptsetup isLuks ${dev}
+ if luks_device=$(open_luks_device "${dev}")
 then
- # skip device since we strictly want luks devices
+ dev="${luks_device}"
+ else
+ # skip $dev since we failed/chose not to open it
 continue
 fi
-
- load_keymap
-
- while true
- do
- /lib/cryptsetup/askpass "Enter passphrase for ${dev}: " | /sbin/cryptsetup -T 1 luksOpen ${dev} $(basename ${dev}) --key-file=-
-
- if [ 0 -eq ${?} ]
- then
- luks_device="/dev/mapper/$(basename ${dev})"
- dev="${luks_device}"
- break
- fi
-
- echo >&6
- echo -n "There was an error decrypting ${dev} ... Retry? [Y/n] " >&6
- read answer
-
- if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
- then
- break
- fi
- done
+ elif echo ${PERSISTENT_ENCRYPTION} | grep -qwv none
+ then
+ # skip $dev since we don't allow unencrypted storage
+ continue
 fi
 if echo ${PERSISTENT_STORAGE} | grep -qw filesystem |
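Review bot: The `elif echo ${PERSISTENT_ENCRYPTION} | grep -qwv none` test is the policy check that refuses plaintext media, yet it is written as a double negative that is easy to misread during a later edit; for a single-line value `elif ! echo "${PERSISTENT_ENCRYPTION}" | grep -qw none` states the same condition directly. A misspelled type, where neither `luks` nor `none` matches, makes every device skip here with nothing logged, so a warning emitted once when the list holds no recognised type would help whoever has to debug a missing persistence volume. `${dev}` in the `isLuks` call should be quoted as well. `find_persistent_media` starts and ends outside the hunk.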
