diff options
-rwxr-xr-x | examples/hooks/losetup-lukshome.chroot | 495 |
1 files changed, 0 insertions, 495 deletions
diff --git a/examples/hooks/losetup-lukshome.chroot b/examples/hooks/losetup-lukshome.chroot deleted file mode 100755 index f8492d72a..000000000 --- a/examples/hooks/losetup-lukshome.chroot +++ /dev/null @@ -1,495 +0,0 @@ -#!/bin/sh - -# This hook was based and adapted from: -# http://lists.debian.org/debian-live/2009/04/msg00186.html -# --------------------------------------------------------- -# -# -# NOTE 1: this was not tested with persistent boot option, -# but it seems logic that persistent and lukshome can't -# coexist as boot options (because of snapshots and others), so lukshome -# won't be executed if any persistent option is given on boot. -# -# NOTE 2: if using an USB key, it will eventualy end up failing someday. -# You should backup the encrypted disk image file itself (luks-home.img) to -# prevent loosing your data. -# -# This hook will create 3 files: -# -# /usr/local/sbin/create-lukshome-file.sh -# script to create an disk file image (luks-home.img) with a -# LUKS encrypted ext2 filesystem inside to be placed in a -# partition labeled lukshome. -# -# /usr/local/sbin/lukshome.sh -# detects a partition with lukshome label, updates fstab and crypttab so -# the encrypted file is mounted later in a loopback device (/dev/loopX). -# It also changes /etc/init.d/umountfs so the encrypted home is correctly -# umounted. -# -# /usr/share/initramfs-tools/scripts/live-bottom/13live_luks_home -# a live-boot hook to execute lukshome.sh script -# in initrd. -# -# -# HOWTO lukshome -# -------------- -# -# First build your live system with this hook inside config/chroot_local-hooks/. -# If you have an existing live-build build directory with a previous live -# build, you might have to run -# -# lh_clean -# lh_clean --stage -# -# to make sure this hook is included in the live system. Then (re)build your -# live system. -# -# lh_build -# -# After booting your (re)built live system, setup the encrypted losetup -# filesystem to be used as /home using the instructions present in the -# create-lukshome-file.sh script. -# -# Reboot and now use the "lukshome" boot option to mount the encrypted /home, -# like when using "persistent" boot option with a home-rw file in some partition. -# - - -# install needed packages (in case apt recommends are off) -# make sure that cryptsetup is installed -echo "I: checking for cryptsetup." -if [ ! -x /sbin/cryptsetup ] -then - echo "I: installing cryptsetup." - DEBIAN_FRONTEND="dialog" apt-get install --yes --force-yes -y cryptsetup -fi - - -echo "I: to see how to use lukshome hook run create-lukshome-file.sh as root." -echo "I: creating script /usr/local/sbin/create-lukshome-file.sh" -cat > /usr/local/sbin/create-lukshome-file.sh << 'EOF' -#!/bin/sh - -# This script will create an encrypted filesystem in a file to -# be used as /home in a live system built with Debian Live Helper with -# this hook in config/chroot_local-hooks/. -# -# The lukshome boot option will do the following: -# - search for a partition with label 'lukshome' -# (btw, you can't use the live system partition itself) -# - mount the partition as /luks-home in the live system -# - open /luks-home/luks-home.img file as a loopback device (/dev/loop) -# - open the loopback device with cryptsetup -# - mount the encrypted filesystem as /home -# -# This script will only create the luks-home.img file. Next are details of how -# to use this script. -# -# CAUTION! THIS CAN WIPE YOUR DATA, backup first! -# Be sure to understand what you will do, or you can end up -# wiping disks or partitions you don't want to! -# -# Login as root: -# $ sudo -i -# -# Create a mountpoint (don't use /mnt, it will be used by this script): -# # mkdir /media/target -# -# !!! *** Skip the next line if you don't want to wipe a partition *** !!! -# !!! * Just change the partition label to 'lukshome' (without quotes) * !!! -# Create an ext2 filesystem in a partition with 'lukshome' label: -# # mkfs.ext2 -L lukshome /dev/the_partition_to_be_used -# -# Mount the partition and cd into it: -# # mount /dev/the_partition_to_be_used /media/target -# # cd /media/target -# -# Create the encrypted file: -# # create-lukshome-file.sh -# -# The script is located in /usr/local/sbin/, so it's in root $PATH. -# It will copy the directories in /home/* into the file. -# Now return to $HOME to be able to umount the target partition: -# # cd -# -# Umount the target partition: -# # umount /media/target -# -# Reboot and use the "lukshome" boot option to mount the encrypted /home, -# like in using "persistent" boot option with a home-rw file in some partition. -# -# To use another partition label use the following boot options: -# lukshome lukspart=partition_label -# -# If you want to use another filename instead of luks-home.img, rename (mv) -# the file and use the following boot options: -# lukshome luksfile=filename -# -# Both boot options can be used at the same time, but always with lukshome: -# lukshome lukspart=partition_label luksfile=filename -# -# By default, if just the lukshome boot option is used, the script will -# search for a partition labeled 'lukshome' and a file named 'luks-home.img'. -# -# Press Shift-PgUp/Shift-PgDn to scrool the instructions on the screen. - - -# check if root/sudo -if [ "${USER}" != "root" ] -then - echo " ** Please run this script as root or with sudo." - exit 1 -fi - -# check if /mnt is available and empty -mount | grep "/mnt" > /dev/null -MNT_IS_MOUNTED=${?} -if [ "${MNT_IS_MOUNTED}" == 0 ] -then - echo "** ERROR: /mnt is mounted at the moment. Please umount it to use this script." - exit 1 -fi -if [ "$(ls -A /mnt)" ] -then - echo "** ERROR: /mnt is not empty. An empty /mnt is needed to use this script." - exit 1 -fi - -# check if /dev/mapper/luks-home is available -if [ -f /dev/mapper/luks-home ] -then - echo "** ERROR: /dev/mapper/luks-home is being used at the moment. Please run «cryptsetup remove luks-home» to use this script." - exit 1 -fi - - -# show instructions -echo "" -echo "** Instructions to use create-lukshome-file.sh (this script):" -sed -n '2,64p' /usr/local/sbin/create-lukshome-file.sh | sed 's/^.//' -echo "" - - -# proceed? -echo "** Do you want to proceed with this script? (y/N)" -read CONFIRM - -case "${CONFIRM}" in - y*|Y*) - echo "" - ;; - *) - exit 0 - ;; -esac - - -# create file -echo "" -echo "** Please type the size of the file disk image." -echo "Size of the file in MB: " -read FILE_SIZE - -echo "" -echo "** Creating file luks-home.img." -echo "** Filling file image with /dev/urandom output. It will take some time." -echo "(Edit this script to use /dev/random. It's known to be more secure but " -echo "it will take a *very* long time to complete." -dd if=/dev/urandom of=luks-home.img bs=1M count=${FILE_SIZE} -# To use /dev/random comment the line above and uncomment the next line -#dd if=/dev/random of=luks-home.img ibs=128 obs=128 count=$((8192*${FILE_SIZE})) -# You might have to increase kernel entropy by moving the mouse, typing keyboard, -# make the computer read the disk or use network connections. -echo "** Done." -echo "" - -# losetup -FREE_LOSETUP=$(losetup -f) -echo "** Using ${FREE_LOSETUP} to open luks-home.img" -losetup ${FREE_LOSETUP} ./luks-home.img -echo "** Done." -echo "" - -# cryptsetup -echo "** Running cryptsetup." -echo "" -echo "** luksFormat" -cryptsetup luksFormat ${FREE_LOSETUP} -EXIT_CODE=${?} -if [ "${EXIT_CODE}" != 0 ] -then - echo "** ERROR: Error while trying to format disk file image." - losetup -d ${FREE_LOSETUP} - exit 1 -fi -echo "" - -echo "** luksOpen" -cryptsetup luksOpen ${FREE_LOSETUP} luks-home -EXIT_CODE=${?} -if [ "${EXIT_CODE}" != 0 ] -then - echo "** ERROR: Error while trying to open LUKS file image." - losetup -d ${FREE_LOSETUP} - exit 1 -fi -echo "" - -# format encrypted filesystem -echo "** Now formating /dev/mapper/luks-home" -mkfs.ext2 /dev/mapper/luks-home -EXIT_CODE=${?} -if [ "${EXIT_CODE}" != 0 ] -then - echo "** ERROR: Error while trying to format LUKS file." - cryptsetup remove luks-home - losetup -d ${FREE_LOSETUP} - exit 1 -fi -echo "" - -# mount in /mnt -echo "** Now mounting luks-home.img in /mnt" -mount /dev/mapper/luks-home /mnt -EXIT_CODE=${?} -if [ "${EXIT_CODE}" != 0 ] -then - echo "** ERROR: Error while trying to mount LUKS file in /mnt." - umount /mnt - cryptsetup remove luks-home - losetup -d ${FREE_LOSETUP} - exit 1 -fi -echo "" - -# copy files -HOME_DIR="/home/*" - -echo "** Copying ${HOME_DIR}." -cp -rav ${HOME_DIR} /mnt -EXIT_CODE=${?} -if [ "${EXIT_CODE}" != 0 ] -then - echo "** ERROR: Error while trying to copy files to /mnt." - umount /mnt - cryptsetup remove luks-home - losetup -d ${FREE_LOSETUP} - exit 1 -fi -echo "** Done." -echo "" - -echo "** All done." -echo "** Closing losetup, cryptsetup and mounted /mnt." -# umount and close -umount /mnt -cryptsetup remove luks-home -losetup -d ${FREE_LOSETUP} -echo "** The disk file image luks-home.img is done and ready. Move it into a partition" -echo "** with 'lukshome' as label and reboot with lukshome boot option to use it." -echo "" - -EOF - -chmod 0755 /usr/local/sbin/create-lukshome-file.sh - - - -echo "I: creating script /usr/local/sbin/lukshome.sh" -cat > /usr/local/sbin/lukshome.sh << 'EOF' -#!/bin/sh - -# this script is to be executed by a hook in live-boot. It searches -# for a partition with 'lukshome' label, mounts it as /luks-home, then opens an -# encrypted disk image file called luks-home.img as a loopback device, opens it -# with cryptsetup and finally mounts the present filesystem as /home. -# It also changes /etc/init.d/umountfs to umount the lukshome partition -# (/luks-home) and clear the loopback device on shutdown. - -# functions taken from live-helpers -. /usr/share/initramfs-tools/scripts/live-helpers - -# set default values -LUKSPART="lukshome" -LUKSFILE="luks-home.img" - -# get boot option lukshome - adapted from live-helpers -for ARGUMENT in $(cat /proc/cmdline) -do - case "${ARGUMENT}" in - lukshome) - LUKSHOME=1 - ;; - luksfile=*) - LUKSFILE="${ARGUMENT#luksfile=}" - LUKSHOME=1 - ;; - lukspart=*) - LUKSPART="${ARGUMENT#lukspart=}" - LUKSHOME=1 - ;; - - esac -done - -CRYPTHOME=$(/sbin/blkid -L ${LUKSPART}) - -# if no partition found, exit -if [ -z "${CRYPTHOME}" ] -then - echo "Could not find any partition with ${LUKSPART} label. " - echo "Proceeding with no encrypted /home." - exit 0 -fi - -# mount partition where file container is -echo "Mounting /luks-home with ${CRYPTHOME}." -mkdir -p /luks-home -mount -t $(get_fstype "${CRYPTHOME}") "${CRYPTHOME}" /luks-home - -# mount losetup encrypted file -FREE_LOOP="$(/sbin/losetup -f)" -echo "Opening file /luks-home/${LUKSFILE} in ${FREE_LOOP}." - -if [ -f /luks-home/"${LUKSFILE}" ] -then - /sbin/losetup ${FREE_LOOP} /luks-home/"${LUKSFILE}" - - echo "Adding ${FREE_LOOP} home to /etc/crypttab and setting it as /home in /etc/fstab." - - # update crypttab - echo "home ${FREE_LOOP} none luks,check,timeout" >> /etc/crypttab - - # update fstab - echo "/dev/mapper/home /home ext2 defaults,noatime 0 0" >> /etc/fstab -else - echo "Did not found any file named ${LUKSFILE} in ${CRYPTHOME}!" - echo "Proceeding with no encrypted /home." - sleep 2 - umount -r /luks-home - exit 0 -fi - -# changes to /etc/init.d/umountfs to make /luks-home being umounted on shutdown -sed -i 's/[\t]do_stop/CHANGE_HERE/' /etc/init.d/umountfs -sed -i 's|CHANGE_HERE| \ - # added by lukshome hook - umount \/luks-home to prevent busy device on shutdown \ - LOOP_LUKSHOME=$(losetup -a \| grep luks-home \|cut -c 1-10) \ - if [ -n ${LOOP_LUKSHOME} ] \ - then \ - umount -r -d \/home \ - cryptsetup remove home \ - losetup -d ${LOOP_LUKSHOME} \ - umount -r \/luks-home \ - fi \ -\ - do_stop \ -|' /etc/init.d/umountfs - -EOF - -chmod 0755 /usr/local/sbin/lukshome.sh - - - -# scripts/live-bottom/13live_luks_home, right after 12fstab -echo "I: creating /usr/share/initramfs-tools/scripts/live-bottom/13live_luks_home" - -cat > /usr/share/initramfs-tools/scripts/live-bottom/13live_luks_home << 'EOF' -#!/bin/sh - -#set -e - -# initramfs-tools header - -PREREQ="" - -prereqs() -{ - echo "${PREREQ}" -} - -case "${1}" in - prereqs) - prereqs - exit 0 - ;; -esac - -. /scripts/live-functions - -# live-boot hook to use an disk image file with encrypted filesystem as /home. - -log_begin_msg "Executing losetup-lukshome" - -# get boot option lukshome - adapted from live-helpers -for ARGUMENT in $(cat /proc/cmdline) -do - case "${ARGUMENT}" in - lukshome) - LUKSHOME=1 - ;; - luksfile=*) - LUKSFILE="${ARGUMENT#luksfile=}" - LUKSHOME=1 - ;; - lukspart=*) - LUKSPART="${ARGUMENT#lukspart=}" - LUKSHOME=1 - ;; - - esac -done - -# don't use persistent* and lukshome -if [ -n "${PERSISTENT}" ] && [ -n "${LUKSHOME}" ] -then - echo "You should not use persistent and lukshome at the same time." - echo "Skipping lukshome. Persistent medium, if any, will be used instead." - log_end_msg - exit 0 -fi - -# if no lukshome boot option, exit -if [ -z "${LUKSHOME}" ] -then - log_end_msg - exit 0 -fi - -log_begin_msg "Executing lukshome.sh script." - -mount -o bind /sys /root/sys -mount -o bind /proc /root/proc -mount -o bind /dev /root/dev - -# lukshome.sh detects lukshome partition and file location, mounts it -# and opens the file and then updates fstab and crypttab to use it as /home. -chroot /root /usr/local/sbin/lukshome.sh - -umount /root/sys -umount /root/proc -umount /root/dev - -# delete the lukshome.sh script, not needed anymore -# rm -f /root/usr/local/sbin/lukshome.sh - -log_end_msg - -EOF - -chmod 0755 /usr/share/initramfs-tools/scripts/live-bottom/13live_luks_home - - - -echo "I: update-initramfs to include 13live_luks_home." -# if you already have installed the update-initramfs.sh hook, you can remove -# this. - -for KERNEL in /boot/vmlinuz-* -do - VERSION="$(basename ${KERNEL} | sed -e 's|vmlinuz-||')" - - update-initramfs -k ${VERSION} -t -u -done |