Differences

docs:guide-user:storage:disk.encryption [2019/05/13 04:45] – formatting vgaetera
docs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder
Line 5: Line 5:
  
 <code bash> <code bash>
-opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup+opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup
 </code> </code>
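Review bot: the rename from `kmod-crypto-iv` to `kmod-crypto-seqiv` on the opkg line is not tied to an OpenWrt release, while the script comments further down in this same page mention both 18.06 and 21.02.2; state which release needs `kmod-crypto-seqiv` so a reader on an older image knows which package name their release provides.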
  
Line 61: Line 61:
 Automated: Automated:
  
-The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab'':+The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab''. To use the following script, a key-file must be generated. To see the occupied Keyslots in the LUKS device: 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 + 
 +''Keyslots'' should have 1 entry (''0:'', from the passphrase created earlier). To use a previously generated key-file, this step may be omitted. To create a new key-file: 
 +<code bash> 
 +dd if=/dev/urandom of=[path/to/key-file] bs=512 count=8 
 +</code> 
 + 
 +This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: 
 +<code bash>  
 +cryptsetup luksAddKey [encrypted-device] [path/to/key-file] 
 +</code> 
 + 
 +You will be prompted for the passphrase from above. 
 + 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 +''Keyslots'' should now contain 2 entries (''1:'' correlating to the newly created key-file). The format of ''/etc/crypttab'' should be as follows: 
 +''[map-name] [UUID=UUID-of-encrypted-device] [path/to/key-file] [type-of-encryption]'' 
 + 
 +[UUID] and [type-of-encryption] may be obtained from the output of: 
 +<code bash> 
 +block info 
 +</code> 
 + 
 +''[type-of-encryption]'' must match exactly with ''TYPE='' given by ''block info''.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt
-# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06 +# note: this needs ash and awk installed 
-bash /bin/decrypt.sh+ash /bin/decrypt.sh
 EOF EOF
  
 cat << "EOF" > /bin/decrypt.sh cat << "EOF" > /bin/decrypt.sh
-#!/bin/bash+#!/bin/ash
 # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt) # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18
 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
 +# Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30
  
 # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx) # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
  
-# logger -s "start decrypt luks" $DEVNAME $ACTION;+# logger -s "start decrypt luks" $DEVNAME $ACTION
  
-[[ -z "${DEVNAME}" ]] && DEVNAME="${1##*/}" +if [ -z "${DEVNAME}" ] 
-msg() { logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@"; }+then 
 +    DEVNAME="${1##*/}" 
 +fi
  
-if [[ ! "$ACTION" == "add" ]];+msg() { 
 +    logger -st "$(basename "${0%.*}")($DEVNAME)[$$]" -- "$@" 
 +
 + 
 +if [ "$ACTION" != "add" ]
 then then
-  #only do something if a device is being added +    #only do something if a device is being added 
-  exit 0;+    exit 0
 fi fi
  
-if [[ "$DEVNAME" == dm-[0-9] ]];+if [[ "$DEVNAME" == dm-[0-9] ]]
 then then
-  #/dev/mapper block device has been created so now try to mount FS if set up +    #/dev/mapper block device has been created so now try to mount FS if set up 
-  # in /etc/config/fstab (or LuCI > System > Mount Points) +    # in /etc/config/fstab (or LuCI > System > Mount Points) 
-  block mount; +    block mount 
-  exit 0;+    exit 0
 fi fi
  
 BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')" BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
-BID_UUID="$(awk -F'/UUID/ {print $2}' <<< "$BID_RAW")" +BID_UUID="$(echo $BID_RAW | awk -F['/=',' '] '{print $5}')" 
-BID_TYPE="$(awk -F'/TYPE/ {print $2}' <<< "$BID_RAW")"+BID_TYPE="$(echo $BID_RAW | awk -F['/=',' '] '{print $7}')"
  
 # Determine whether drive needs to be decrypted # Determine whether drive needs to be decrypted
-[[ ! -r "/etc/crypttab" ]] && { msg "Unable to read file: /etc/crypttab"exit 1; }+if [[ ! -r "/etc/crypttab" ]] 
 +then 
 +    msg "Unable to read file: /etc/crypttab" 
 +    exit 1 
 +fi
 CT_RAW="$(grep "$BID_UUID" /etc/crypttab)" CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
 +if [[ -z "${CT_RAW:-}" ]]
 +then
 +    exit 0
 +fi
  
-if [[ -n "${CT_RAW:-}" ]]; then +CT_LABEL="$(echo $CT_RAW | awk '{print $1}')" 
-  CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")" +CT_KEYFILE="$(echo $CT_RAW | awk '{print $3}')" 
-  CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")" +CT_TYPE="$(echo $CT_RAW | awk -F '[ ,]+' '{print $4}')"
-  CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")" +
-  #CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"+
  
-  if [[ -e "/dev/mapper/${CT_LABEL,,}" ]]then+if [[ -e "/dev/mapper/${CT_LABEL}" ]] 
 +then
     msg "Drive already decrypted: $CT_LABEL"     msg "Drive already decrypted: $CT_LABEL"
     exit 0     exit 0
-  fi+fi
  
-  # Error Handling +# Error Handling 
-  if [[ ! -e "$CT_KEYFILE" ]]then+if [[ ! -e "$CT_KEYFILE" ]] 
 +then
     msg "Unable to view keyfile: '$CT_KEYFILE'"     msg "Unable to view keyfile: '$CT_KEYFILE'"
     exit 1     exit 1
-  fi +fi 
-  if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]]then+if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"* ]] 
 +then
     msg "Unable to decrypt format: $CT_TYPE"     msg "Unable to decrypt format: $CT_TYPE"
     exit 1     exit 1
-  fi+fi
  
-  msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)" +msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)" 
-  cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE" +cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE" 
-  CS_EXIT="$?" +CS_EXIT="$?" 
-  case "$CS_EXIT" in +case "$CS_EXIT" in 
-    0)  if test -e "/dev/mapper/${CT_LABEL,,}"then +0)  if -e "/dev/mapper/${CT_LABEL}" 
-          msg "Drive decrypted: $CT_LABEL" +    then 
-        else +        msg "Drive decrypted: $CT_LABEL" 
-          msg "Drive not found after decrypting: $CT_LABEL" +    else 
-          exit 1 +        msg "Drive not found after decrypting: $CT_LABEL" 
-        fi;; +        exit 1 
-    5) msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;; +    fi;; 
-    *) msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;; +5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;; 
-  esac +*)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;; 
- +esac
-fi+
 EOF EOF
 </code> </code>
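Review bot: the case arm `0)  if -e "/dev/mapper/${CT_LABEL}"` lost the `test` that the replaced bash line had, so the shell tries to execute a command named `-e`, the condition is always false, and every successful luksOpen is logged as "Drive not found after decrypting" and exits 1; write it as `0)  if [ -e "/dev/mapper/${CT_LABEL}" ]`. Two smaller points in the same hunk: `awk -F['/=',' '] '{print $5}'` and the matching `'{print $7}'` pick BID_UUID and BID_TYPE by field position, which only holds while `block info` prints exactly `UUID=` followed by `TYPE=` for the device (any additional field such as `LABEL=` or `VERSION=` shifts `$7`, and the TYPE check below then rejects the drive), so selecting the `UUID=` and `TYPE=` tokens by name would be more robust; and the new key-file steps (dd into the key-file, then luksAddKey) never restrict the key-file's permissions, so a `chmod 0400` on the key-file should be documented before it is referenced from `/etc/crypttab`, since whoever can read that file can unlock the volume.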
Last modified: 2023/07/24 23:25 by crass