Differences

This shows you the differences between two versions of the page.

docs:guide-user:storage:disk.encryption [2019/05/13 06:33] – formatting vgaetera
docs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder
Line 5: Line 5:
  
 <code bash> <code bash>
-opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup+opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup
 </code> </code>
  
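Review bot: the package line swaps ''kmod-crypto-iv'' for ''kmod-crypto-seqiv'' without saying which OpenWrt release the new name applies to; since the rest of this revision targets 21.02.2 (per the new decrypt.sh header) while the page previously described 18.06, state the release next to the ''opkg install'' line so readers on the older release know which name to use.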
Line 61: Line 61:
 Automated: Automated:
  
-The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab'':+The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab''. To use the following script, a key-file must be generated. To see the occupied Keyslots in the LUKS device: 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 + 
 +''Keyslots'' should have 1 entry (''0:'', from the passphrase created earlier). To use a previously generated key-file, this step may be omitted. To create a new key-file: 
 +<code bash> 
 +dd if=/dev/urandom of=[path/to/key-file] bs=512 count=8 
 +</code> 
 + 
 +This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: 
 +<code bash>  
 +cryptsetup luksAddKey [encrypted-device] [path/to/key-file] 
 +</code> 
 + 
 +You will be prompted for the passphrase from above. 
 + 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 +''Keyslots'' should now contain 2 entries (''1:'' correlating to the newly created key-file). The format of ''/etc/crypttab'' should be as follows: 
 +''[map-name] [UUID=UUID-of-encrypted-device] [path/to/key-file] [type-of-encryption]'' 
 + 
 +[UUID] and [type-of-encryption] may be obtained from the output of: 
 +<code bash> 
 +block info 
 +</code> 
 + 
 +''[type-of-encryption]'' must match exactly with ''TYPE='' given by ''block info''.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt
-# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06 +# note: this needs ash and awk installed 
-bash /bin/decrypt.sh+ash /bin/decrypt.sh
 EOF EOF
  
 cat << "EOF" > /bin/decrypt.sh cat << "EOF" > /bin/decrypt.sh
-#!/bin/bash+#!/bin/ash
 # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt) # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18
 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
 +# Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30
  
 # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx) # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
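Review bot: the key-file steps never restrict the file's permissions. After ''dd if=/dev/urandom of=[path/to/key-file] bs=512 count=8'' add ''chmod 0400 [path/to/key-file]'' and say where the file should live, because the key sits on the router's unencrypted root filesystem and anyone able to read it there can open the LUKS volume; the page should make that trade-off explicit, since the hotplug script means the drive is unlocked whenever the router is. The format line ''[map-name] [UUID=UUID-of-encrypted-device] [path/to/key-file] [type-of-encryption]'' also deviates from the usual crypttab layout, where the fourth field holds options, so note that this script reads it as the ''TYPE='' value and that entries copied from other distros will not work. Minor: ''apapted'' should be ''adapted'' in the new header comment.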
Line 103: Line 132:
  
 BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')" BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
-BID_UUID="$(awk -F'/UUID/ {print $2}' <<< "$BID_RAW")" +BID_UUID="$(echo $BID_RAW | awk -F['/=',' '] '{print $5}')" 
-BID_TYPE="$(awk -F'/TYPE/ {print $2}' <<< "$BID_RAW")"+BID_TYPE="$(echo $BID_RAW | awk -F['/=',' '] '{print $7}')"
  
 # Determine whether drive needs to be decrypted # Determine whether drive needs to be decrypted
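Review bot: ''BID_UUID'' and ''BID_TYPE'' are now taken from fixed field positions (''{print $5}'' and ''{print $7}'') of the ''block info'' output, which breaks as soon as the device reports an extra attribute such as a ''LABEL='' before ''UUID='' or ''TYPE=''. Select the fields by key instead, for example by looping over the ''KEY=VALUE'' tokens in ''BID_RAW'' and matching ''UUID'' and ''TYPE'' by name, as the removed ''awk -F'' lines did. ''echo $BID_RAW'' should also be quoted (''echo "$BID_RAW"'').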
Line 113: Line 142:
 fi fi
 CT_RAW="$(grep "$BID_UUID" /etc/crypttab)" CT_RAW="$(grep "$BID_UUID" /etc/crypttab)"
 +if [[ -z "${CT_RAW:-}" ]]
 +then
 +    exit 0
 +fi
  
-if [[ -"${CT_RAW:-}" ]]+CT_LABEL="$(echo $CT_RAW | awk '{print $1}')" 
 +CT_KEYFILE="$(echo $CT_RAW | awk '{print $3}')" 
 +CT_TYPE="$(echo $CT_RAW | awk -F '[ ,]+' '{print $4}')" 
 + 
 +if [[ -"/dev/mapper/${CT_LABEL}" ]]
 then then
-    CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")+    msg "Drive already decrypted: $CT_LABEL
-    CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")" +    exit 0 
-    CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")" +fi
-    #CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"+
  
-    if [[ -e "/dev/mapper/${CT_LABEL,,}" ]] +# Error Handling 
-    then +if [[ -e "$CT_KEYFILE" ]] 
-        msg "Drive already decrypted: $CT_LABEL+then 
-        exit 0 +    msg "Unable to view keyfile: '$CT_KEYFILE'" 
-    fi+    exit 1 
 +fi 
 +if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"]] 
 +then 
 +    msg "Unable to decrypt format: $CT_TYPE
 +    exit 1 
 +fi
  
-    # Error Handling +msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)" 
-    if [[ ! -e "$CT_KEYFILE]]+cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE" 
 +CS_EXIT="$?" 
 +case "$CS_EXIT" in 
 +0)  if [ -e "/dev/mapper/${CT_LABEL}" ]
     then     then
-        msg "Unable to view keyfile'$CT_KEYFILE'"+        msg "Drive decrypted: $CT_LABEL" 
 +    else 
 +        msg "Drive not found after decrypting: $CT_LABEL"
         exit 1         exit 1
-    fi +    fi;; 
-    if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]] +5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;; 
-    then +*)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;; 
-        msg "Unable to decrypt format: $CT_TYPE" +esac
-        exit 1 +
-    fi +
- +
-    msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)" +
-    cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE" +
-    CS_EXIT="$?" +
-    case "$CS_EXIT" in +
-        0)  if [ -e "/dev/mapper/${CT_LABEL,,}"+
-            then +
-                msg "Drive decrypted: $CT_LABEL" +
-            else +
-                msg "Drive not found after decrypting: $CT_LABEL" +
-                exit 1 +
-            fi;; +
-        5)  msg "Device already exists: $CT_LABEL (Dmsetup stuck?)"; exit 1;; +
-        *)  msg "Unable to decrypt drive: $CT_LABEL ($CS_EXIT)"; exit 1;; +
-    esac +
-fi+
 EOF EOF
 </code> </code>
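Review bot: as rendered, the key-file check ''if [[ -e "$CT_KEYFILE" ]]'' has lost the ''!'' of the removed ''if [[ ! -e "$CT_KEYFILE" ]]'', so the branch that reports "Unable to view keyfile" and exits 1 fires when the file exists; restore the negation and prefer ''-r'', since existence does not mean the script can read the key. The type test ''if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"]]'' has likewise dropped the trailing ''* ]]'' of the removed line (''*"${CT_TYPE,,}"* ]]''), which is a syntax error if it is not a rendering artifact. With the shebang now ''#!/bin/ash'', confirm that BusyBox's ''[['' performs glob matching for ''=='' on this release; if not, express the test as ''case "$BID_TYPE" in *"$CT_TYPE"*) ;; *) msg ...; exit 1;; esac''. Smaller points: ''echo $CT_RAW | awk'' should quote ''"$CT_RAW"'', and ''msg "Drive already decrypted: $CT_LABEL'' and ''msg "Unable to decrypt format: $CT_TYPE'' are missing their closing quotes as shown.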
  • Last modified: 2023/07/24 23:25
  • by crass