-
Notifications
You must be signed in to change notification settings - Fork 6
/
decrypt_keyctl
executable file
·97 lines (92 loc) · 3.15 KB
/
decrypt_keyctl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/bin/sh
# decrypt_keyctl - to use in /etc/crypttab as keyscript
# Allows to cache passwords for cryptdevices for 60s
# The same password is used for for cryptdevices with the same identifier.
# The keyfile parameter, which is the third field from /etc/crypttab, is
# used as identifier in this keyscript.
#
# sample crypttab entries:
# test1 /dev/sda1 test_pw: luks,keyscript=decrypt_keyctl
# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl
# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl
#
# test1 and test2 have the same identifier thus test2 does not need a password
# typed in manually
#
# Identifiers ending with : are asked for every time. Use this for your first
# groupkey entry.
die()
{
echo "$@" >&2
exit 1
}
# check for keygroup ending with ':'
CRYPTTABID_="$1"
TMP_="${CRYPTTABID_%:}"
if [ "x$CRYPTTABID_" != "x$TMP_" ]; then
ASKFORKEY_="true"
CRYPTTABID_="$TMP_"
else
ASKFORKEY_="false"
fi
# the keyfile given from crypttab is used as identifier in the keyring
# including the prefix "cryptkey:"
ID_="cryptkey:${CRYPTTABID_}"
TIMEOUT_='60'
ASKPASS_='/lib/cryptsetup/askpass'
STTY_='/bin/stty'
PW_READER_='undefined'
PROMPT_="Caching passphrase for ${CRYPTTAB_SOURCE}: "
test -x "$STTY_" && PW_READER_='stty' # 1. backup method
test -x "$ASKPASS_" && PW_READER_='askpass' # prefered method
KID_=$(keyctl search @u user "$ID_" 2>/dev/null)
if [ $? -ne 0 ] || [ -z "$KID_" ] || [ "$ASKFORKEY_" = "true" ]; then
# key not found, ask the user
case "$PW_READER_" in
askpass)
KEY_=$($ASKPASS_ "$PROMPT_") || die "Error executing $ASKPASS_"
;;
stty) # disable echoing with stty
$STTY_ -echo
if ! read -r KEY_; then
$STTY_ echo
die "Error reading key from /dev/stdin"
else
$STTY_ echo
echo >&2
fi
;;
*) # first try to read the posix way, then at least give the user a chance
echo -n "$PROMPT_" >&2
if ! read -res KEY_; then
echo
echo "ERROR: Can not disable echoing, YOUR PASSWORD WILL BE VISIBLE!" >&2
echo "This can be fixed if you add either $ASKPASS_" >&2
echo "or $STTY_ to your initramfs" >&2
echo -n "$PROMPT_" >&2
if ! read -r KEY_; then
die "Error reading key from /dev/stdin"
else
echo >&2
fi
else
echo >&2
fi
;;
esac
KID_=$(echo -n "$KEY_" |keyctl padd user "$ID_" @s)
[ -z "$KID_" ] && die "Error adding passphrase to kernel keyring"
if ! keyctl setperm $KID_ 0x3f3f0000; then
keyctl unlink $KID_ @s
die "Error setting permissions on key ($KID_), removing"
fi
keyctl unlink $KID_ @s
keyctl link $KID_ @u
if ! keyctl timeout $KID_ $TIMEOUT_; then
keyctl unlink $KID_ @u
die "Error setting timeout on key ($KID_), removing"
fi
else
echo "Using cached passphrase for ${CRYPTTAB_SOURCE}." >&2
fi
keyctl pipe $KID_