author | Eric Hameleers <alien@slackware.com> | 2016-01-22 15:15:17 +0100 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2016-01-22 15:15:17 +0100 |
commit | c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9 (patch) | |
tree | 0ec836a54d4cf7eca147b887632e2583aad2680b /liveinit | |
parent | 1f94ea9542d4c54340e8b138d32c16f5c02a764e (diff) | |
download | liveslak-c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9.tar.gz liveslak-c4e4112bdc8aa5fe92d797ab77744d3bcd70caf9.tar.xz |
Add support for a LUKS-encrypted /home in the USB Live version.
Using the iso2usb.sh script's new '-c' parameter, you can define the size for
a container file in the root of the USB stick's Linux partition.
- The container file will be loop-mounted and LUKS-encrypted and the
Live OS will mount the filesystem inside the container on /home/.
- The LUKS passphrase will be defined when executing the 'iso2usb.sh' script.
- The original /home content of the ISO will be copied into the
LUKS-encrypted container during execution of the 'iso2usb.sh' script.
- If for whatever reason you do not want to unlock & mount the LUKS container
during boot, you must add the boot parameter " luksvol= " to the syslinux
or grub commandline.
Diffstat (limited to 'liveinit')
-rwxr-xr-x | liveinit | 56 |
1 files changed, 56 insertions, 0 deletions
@@ -50,6 +50,7 @@ DEBUG=0
 INITRD=$(cat /initrd-name)
 WAIT=$(cat /wait-for-root)
 KEYMAP=$(cat /keymap)
+LUKSVOL=$(cat /luksdev)
 INIT=/sbin/init
 PATH="/sbin:/bin:/usr/sbin:/usr/bin"
@@ -100,6 +101,10 @@ for ARG in $(cat /proc/cmdline); do
 locale=*)
 LOCALE=$(echo $ARG | cut -f2 -d=)
 ;;
+ luksvol=*)
+ # Format: luksvol=file1[:/mountpoint1][,file1[:/mountpoint2],...]
+ LUKSVOL=$(echo $ARG | cut -f2 -d=)
+ ;;
 noload=*)
 NOLOAD=$(echo $ARG | cut -f2 -d=)
 ;;
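Review bot: The format comment in the `luksvol=*)` arm of the second hunk repeats `file1` where the second element is meant, and it does not mention that the documented opt-out (an empty `luksvol=`) works by overriding the value read from `/luksdev` in the first hunk. Suggested wording: `# Format: luksvol=file1[:/mountpoint1][,file2[:/mountpoint2],...]` followed by `# An empty "luksvol=" overrides /luksdev and disables unlocking at boot.`. The enclosing `case` statement starts and ends outside the hunk.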
@@ -482,6 +487,57 @@ EOPW
 # Copy contents of rootcopy directory (may be empty) to overlay:
 cp -af /mnt/media/${LIVEMAIN}/rootcopy/* /mnt/overlay/ 2>/dev/null
+ # Bind any LUKS container into the Live filesystem:
+ if [ ! -z "$LUKSVOL" ]; then
+ # Even without persistence, we need to be able to write to the partition:
+ mount -o remount,rw /mnt/media
+ for luksvol in $(echo $LUKSVOL |tr ',' ' '); do
+ luksfil="$(echo $luksvol |cut -d: -f1)"
+ luksmnt="$(echo $luksvol |cut -d: -f2)"
+ luksnam="$(echo $(basename $luksfil) |tr '.' '_')"
+ if [ "$luksmnt" = "$luksfil" ]; then
+ # No optional mount point specified, so we use the default: /home/
+ luksmnt="/home"
+ fi
+
+ # The losetup of busybox is different from the real losetup - watch out!
+ lodev=$(losetup -f)
+ if [ -z "$lodev" ]; then
+ # We exhausted the available loop devices, so create the block device:
+ for NOD in $(seq 0 64); do
+ if [ ! -b /dev/loop${NOD} ]; then
+ mknod -m660 /dev/loop${NOD} b 7 ${NOD}
+ break
+ fi
+ done
+ lodev=/dev/loop${NOD}
+ elif [ ! -b $lodev ]; then
+ # We exhausted the available loop devices, so create the block device:
+ mknod -m660 $lodev b 7 $(echo $lodev |sed %/dev/loop%%)
+ fi
+ losetup $lodev /mnt/media/$luksfil
+ echo "Unlocking LUKS encrypted container '$luksfil' at mount point '$luksmnt'"
+ cryptsetup luksOpen $lodev $luksnam </dev/tty0 >/dev/tty0 2>&1
+ if [ $? -ne 0 ]; then
+ echo "${INITRD}: Failed to unlock LUKS container '$luksfil'... trouble ahead."
+ fi
+
+ # Create the directory if it does not exist (unlikely):
+ mkdir -p /mnt/overlay/$luksmnt
+
+ # Let Slackware mount the unlocked container:
+ luksfs=$(blkid /dev/mapper/$luksnam |rev |cut -d'"' -f2 |rev)
+ if ! grep -q /dev/mapper/$luksnam /mnt/overlay/etc/fstab ; then
+ echo "/dev/mapper/$luksnam $luksmnt $luksfs defaults 1 1" >> /mnt/overlay/etc/fstab
+ fi
+ # On shutdown, ensure that the container gets locked again:
+ if ! grep -q "$luksnam $luksmnt" /mnt/overlay/etc/crypttab ; then
+ echo "$luksnam $luksmnt" >> /mnt/overlay/etc/crypttab
+ fi
+
+ done
+ fi
+
 # --------------------------------------------------------------------- #
 # SLACKWARE LIVE - !END! #
 # --------------------------------------------------------------------- #
|
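Review bot: After a failed `cryptsetup luksOpen` the loop body carries on as if the unlock had succeeded: `mkdir -p`, a `blkid` on a `/dev/mapper/$luksnam` node that does not exist (so `luksfs` is empty), and an fstab entry with a missing fs-type field are still written, which leaves a malformed line in `/mnt/overlay/etc/fstab` and the loop device attached to a container nobody will use. The failure branch should release and skip the volume, i.e. after the `echo` add `losetup -d $lodev` and `continue`. The same gap exists one step earlier: `losetup $lodev /mnt/media/$luksfil` runs without checking that the container file exists or that losetup succeeded, so a `[ -f /mnt/media/$luksfil ] || continue` before the `losetup` (and a check of its exit status) would avoid handing an unattached loop device to cryptsetup. Separately, the crypttab entry stores the mount point in the second field, which in the usual crypttab layout is the backing device rather than the mount point; if the Slackware rc scripts read that field for anything beyond the volume name, `$lodev` may be what they expect, so this is worth confirming against rc.S/rc.6.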