Differences
This shows you the differences between two versions of the page.
| docs:guide-user:storage:disk.encryption [2019/05/13 04:45] – formatting vgaetera | docs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| <code bash> | <code bash> | ||
| - | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup | + | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup |
| </ | </ | ||
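Review bot: the install line replaces kmod-crypto-iv with kmod-crypto-seqiv in place, and nothing next to it says which OpenWrt release the new package list applies to. A reader on a release whose feed still uses the old name gets a failed opkg install with no hint as to why. Suggest adding one sentence above the code block naming the release the list was tested on (the decrypt.sh header later in this revision mentions OpenWRT 21.02.2).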
| Line 61: | Line 61: | ||
| Automated: | Automated: | ||
| - | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ | + | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ |
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | |||
| + | '' | ||
| + | <code bash> | ||
| + | dd if=/ | ||
| + | </ | ||
| + | |||
| + | This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: | ||
| + | <code bash> | ||
| + | cryptsetup luksAddKey [encrypted-device] [path/ | ||
| + | </ | ||
| + | |||
| + | You will be prompted for the passphrase from above. | ||
| + | |||
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | '' | ||
| + | '' | ||
| + | |||
| + | [UUID] and [type-of-encryption] may be obtained from the output of: | ||
| + | <code bash> | ||
| + | block info | ||
| + | </ | ||
| + | |||
| + | '' | ||
| <code bash> | <code bash> | ||
| cat << " | cat << " | ||
| - | # note: this needs bash and awk installed | + | # note: this needs ash and awk installed |
| - | bash / | + | ash / |
| EOF | EOF | ||
| cat << " | cat << " | ||
| - | #!/bin/bash | + | #!/bin/ash |
| # Perform tasks when called by BLOCK hotplug (/ | # Perform tasks when called by BLOCK hotplug (/ | ||
| # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | ||
| # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | ||
| + | # Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30 | ||
| # Hotplug Vars: $ACTION (add/ | # Hotplug Vars: $ACTION (add/ | ||
| - | # logger -s "start decrypt luks" $DEVNAME $ACTION; | + | # logger -s "start decrypt luks" $DEVNAME $ACTION |
| - | [[ -z " | + | if [ -z " |
| - | msg() { logger -st " | + | then |
| + | | ||
| + | fi | ||
| - | if [[ ! " | + | msg() { |
| + | logger -st " | ||
| + | } | ||
| + | |||
| + | if [ " | ||
| then | then | ||
| - | | + | |
| - | exit 0; | + | exit 0 |
| fi | fi | ||
| - | if [[ " | + | if [[ " |
| then | then | ||
| - | | + | |
| - | # in / | + | # in / |
| - | block mount; | + | block mount |
| - | exit 0; | + | exit 0 |
| fi | fi | ||
| BID_RAW=" | BID_RAW=" | ||
| - | BID_UUID=" | + | BID_UUID=" |
| - | BID_TYPE=" | + | BID_TYPE=" |
| # Determine whether drive needs to be decrypted | # Determine whether drive needs to be decrypted | ||
| - | [[ ! -r "/ | + | if [[ ! -r "/ |
| + | then | ||
| + | | ||
| + | | ||
| + | fi | ||
| CT_RAW=" | CT_RAW=" | ||
| + | if [[ -z " | ||
| + | then | ||
| + | exit 0 | ||
| + | fi | ||
| - | if [[ -n " | + | CT_LABEL=" |
| - | | + | CT_KEYFILE=" |
| - | CT_KEYFILE=" | + | CT_TYPE=" |
| - | CT_TYPE=" | + | |
| - | # | + | |
| - | | + | if [[ -e "/ |
| + | then | ||
| msg "Drive already decrypted: $CT_LABEL" | msg "Drive already decrypted: $CT_LABEL" | ||
| exit 0 | exit 0 | ||
| - | | + | fi |
| - | | + | # Error Handling |
| - | if [[ ! -e " | + | if [[ ! -e " |
| + | then | ||
| msg " | msg " | ||
| exit 1 | exit 1 | ||
| - | | + | fi |
| - | if [[ ! " | + | if [[ ! " |
| + | then | ||
| msg " | msg " | ||
| exit 1 | exit 1 | ||
| - | | + | fi |
| - | | + | msg " |
| - | cryptsetup luksOpen "/ | + | cryptsetup luksOpen "/ |
| - | CS_EXIT=" | + | CS_EXIT=" |
| - | case " | + | case " |
| - | 0) if test -e "/ | + | 0) if [ -e "/ |
| - | msg "Drive decrypted: $CT_LABEL" | + | |
| - | else | + | msg "Drive decrypted: $CT_LABEL" |
| - | msg "Drive not found after decrypting: $CT_LABEL" | + | else |
| - | exit 1 | + | msg "Drive not found after decrypting: $CT_LABEL" |
| - | fi;; | + | exit 1 |
| - | 5) msg " | + | fi;; |
| - | *) msg " | + | 5) msg " |
| - | esac | + | *) msg " |
| - | + | esac | |
| - | fi | + | |
| EOF | EOF | ||
| </ | </ | ||
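Review bot: decrypt.sh now starts with `#!/bin/ash` and its first two tests are rewritten as `if [ ... ]`, but every test from the one guarding `block mount` down to the key-file and type checks still uses `[[ ... ]]`, which is a bash construct. Convert those to `[ ... ]` as well, so the script does not depend on how the installed ash handles `[[`. The added header comment has a typo ("apapted" for "adapted"). In the new key-file steps, no step is visible between the dd command and `cryptsetup luksAddKey` that restricts who can read the key-file. Since that file alone unlocks the volume, add a `chmod 600` on it right after it is created.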