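# Installer: writes the block-hotplug trigger and the decrypt helper it runs.
# Run as root on the router; the heredocs are quoted so nothing expands here.
cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt
# note: this needs ash installed
ash /sbin/decrypt.sh
EOF

cat << "EOF" > /sbin/decrypt.sh
#!/bin/sh
# Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
# CC0: 21JUL18 by WaLLy3K, updated 09AUG18
# Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
# Further adapted for OpenWRT 21.02.2 by mdpc on 2022-12-30
# Further adapted for OpenWRT 22.03 by crass on 2023-07-24
#   * remove dependency on awk
#   * allow specifying alternate path to crypttab and alternate root for keyfile
# https://openwrt.org/docs/guide-user/storage/disk.encryption
# Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
#
# Environment knobs:
#   CRYPTTAB  - path of the crypttab to consult (default: ${ALTROOT}/etc/crypttab)
#   ALTROOT   - prefix prepended to the keyfile path from crypttab (optional)
#
# Written for POSIX sh / busybox ash: no [[ ]], no arrays, no process substitution.

# logger -s "start decrypt luks" $DEVNAME $ACTION

# Allow manual invocation as `decrypt.sh /dev/sdX1`; hotplug supplies DEVNAME.
# NOTE(review): when run by hand ACTION is usually unset, so the check below
# exits early; export ACTION=add to drive the script manually.
if [ -z "${DEVNAME}" ]; then
  DEVNAME="${1##*/}"
fi

# msg MESSAGE... - log to the kernel ring buffer (visible in dmesg/logread).
msg() {
  printf '%s\n' "$*" >/dev/kmsg
}

# parse_blkinfo 'KEY="value" KEY="value" ...'
# Fills UUID, LABEL and TYPE from the key="value" tail of a `block info` line.
# The values originate from the plugged-in device (its superblock), so they are
# never handed to the shell parser: every field is cut out with parameter
# expansion and only the three keys this script uses are assigned. Unknown keys
# are ignored; an unterminated quote consumes the rest of the line.
parse_blkinfo() {
  local rest key val
  rest=$1
  UUID= LABEL= TYPE=
  while [ -n "$rest" ]; do
    rest=${rest#"${rest%%[! ]*}"}      # drop leading blanks
    [ -n "$rest" ] || break
    case "$rest" in
      *=*) ;;
      *) break ;;                      # no more key=value pairs
    esac
    key=${rest%%=*}
    rest=${rest#*=}
    case "$rest" in
      \"*)
        rest=${rest#\"}
        case "$rest" in
          *\"*) val=${rest%%\"*}; rest=${rest#*\"} ;;
          *)    val=$rest; rest= ;;    # unterminated quote: take the remainder
        esac
        ;;
      *)
        val=${rest%% *}
        rest=${rest#"$val"}
        ;;
    esac
    case "$key" in
      UUID)  UUID=$val ;;
      LABEL) LABEL=$val ;;
      TYPE)  TYPE=$val ;;
    esac
  done
}

# ct_lookup DEVSPEC
# Finds the first non-comment crypttab line whose second column is exactly
# DEVSPEC (e.g. UUID=..., LABEL=..., /dev/sda1) and sets CT_LABEL (column 1),
# CT_KEYFILE (column 3) and CT_TYPE (column 4 and anything after it).
# Exact comparison on the column avoids prefix/substring matches and keeps
# device-supplied UUID/LABEL strings out of any regex. Returns 1 if not found.
ct_lookup() {
  local ct_name ct_dev ct_key ct_opts
  while read -r ct_name ct_dev ct_key ct_opts; do
    case "$ct_name" in
      ''|\#*) continue ;;
    esac
    if [ "$ct_dev" = "$1" ]; then
      CT_LABEL=$ct_name
      CT_KEYFILE=$ct_key
      CT_TYPE=$ct_opts
      return 0
    fi
  done < "$CRYPTTAB"
  return 1
}

if [ "$ACTION" != "add" ]; then
  #only do something if a device is being added
  exit 1
fi

case "$DEVNAME" in
  dm-[0-9])
    #/dev/mapper block device has been created so now try to mount FS if set up
    # in /etc/config/fstab (or LuCI > System > Mount Points)
    block mount
    exit 0
    ;;
esac

# Determine whether drive needs to be decrypted
CRYPTTAB=${CRYPTTAB:-"${ALTROOT}/etc/crypttab"}
if [ ! -r "$CRYPTTAB" ]; then
  msg "Unable to read crypttab file: ${CRYPTTAB}"
  exit 1
fi

# Kept from earlier versions that used process substitution; harmless if present.
[ -e /dev/fd ] || ln -s /proc/self/fd /dev

# First line of `block info /dev/X` looks like: /dev/X: UUID="..." TYPE="..."
# Keep everything after the device name and parse it without eval.
BID_RAW=$(block info "/dev/$DEVNAME" | { read -r _ blk_rest; printf '%s\n' "$blk_rest"; })
parse_blkinfo "$BID_RAW"

# Lookup priority matches the original script: UUID, then LABEL, then /dev path.
CT_LABEL= CT_KEYFILE= CT_TYPE=
if [ -n "$UUID" ] && ct_lookup "UUID=$UUID"; then
  :
elif [ -n "$LABEL" ] && ct_lookup "LABEL=$LABEL"; then
  :
elif ! ct_lookup "/dev/${DEVNAME}"; then
  # No crypttab entry found for this device
  exit 1
fi

if [ -e "/dev/mapper/${CT_LABEL}" ]; then
  msg "Drive already decrypted: $CT_LABEL"
  exit 1
fi

# Error Handling
KEYFILE="${ALTROOT:+${ALTROOT}/}$CT_KEYFILE"
if [ -z "$CT_KEYFILE" ] || [ ! -r "$KEYFILE" ]; then
  msg "Unable to view keyfile: '$CT_KEYFILE'"
  exit 1
fi
# crypttab's type column must appear within the probed TYPE (substring match).
case "${TYPE}" in
  *"${CT_TYPE}"*) ;;
  *)
    msg "Unable to decrypt format: $CT_TYPE"
    exit 1
    ;;
esac

msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
cryptsetup open "/dev/$DEVNAME" "${CT_LABEL}" -d "$KEYFILE"
CS_EXIT="$?"

case "$CS_EXIT" in
  0)
    if [ -e "/dev/mapper/${CT_LABEL}" ]; then
      msg "Drive decrypted: $CT_LABEL"
    else
      msg "Drive not found after decrypting: $CT_LABEL"
      exit 1
    fi
    ;;
  5)
    # cryptsetup exit 5: device already exists
    msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"
    exit 1
    ;;
  *)
    msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"
    exit 1
    ;;
esac

exit 0
EOF
chmod +x /sbin/decrypt.sh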