Differences
This shows you the differences between two versions of the page.
| docs:guide-user:storage:disk.encryption [2019/05/13 06:33] – formatting vgaetera | docs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| <code bash> | <code bash> | ||
| - | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup | + | opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup |
| </ | </ | ||
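
Review bot: the install line now names ''kmod-crypto-seqiv'' in place of ''kmod-crypto-iv'' but gives no release for which that name is valid, so a reader on an older release cannot tell which package to request from opkg. Suggest a short note beside the command stating the release the package list was checked against (the script header added in this revision mentions 21.02.2) and which name applies to earlier releases.
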
| Line 61: | Line 61: | ||
| Automated: | Automated: | ||
| - | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ | + | The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/ |
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | |||
| + | '' | ||
| + | <code bash> | ||
| + | dd if=/ | ||
| + | </ | ||
| + | |||
| + | This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: | ||
| + | <code bash> | ||
| + | cryptsetup luksAddKey [encrypted-device] [path/ | ||
| + | </ | ||
| + | |||
| + | You will be prompted for the passphrase from above. | ||
| + | |||
| + | <code bash> | ||
| + | cryptsetup luksDump [encrypted-device] | ||
| + | </ | ||
| + | '' | ||
| + | '' | ||
| + | |||
| + | [UUID] and [type-of-encryption] may be obtained from the output of: | ||
| + | <code bash> | ||
| + | block info | ||
| + | </ | ||
| + | |||
| + | '' | ||
| <code bash> | <code bash> | ||
| cat << " | cat << " | ||
| - | # note: this needs bash and awk installed | + | # note: this needs ash and awk installed |
| - | bash / | + | ash / |
| EOF | EOF | ||
| cat << " | cat << " | ||
| - | #!/bin/bash | + | #!/bin/ash |
| # Perform tasks when called by BLOCK hotplug (/ | # Perform tasks when called by BLOCK hotplug (/ | ||
| # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 | ||
| # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 | ||
| + | # Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30 | ||
| # Hotplug Vars: $ACTION (add/ | # Hotplug Vars: $ACTION (add/ | ||
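
Review bot: the new key-file steps (''dd'' to create the file, then ''cryptsetup luksAddKey'') show no step, in the lines visible here, that restricts who can read the key-file, and once it is added to a key slot that file alone unlocks the device. Suggest a ''chmod 600'' on the key-file straight after the ''dd'' command and a sentence saying it should be kept on the router's own storage, not on the removable drive it unlocks. A smaller point: "apapted" in the new header comment should read "adapted".
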
| Line 103: | Line 132: | ||
| BID_RAW=" | BID_RAW=" | ||
| - | BID_UUID=" | + | BID_UUID=" |
| - | BID_TYPE=" | + | BID_TYPE=" |
| # Determine whether drive needs to be decrypted | # Determine whether drive needs to be decrypted | ||
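
Review bot: both ''BID_UUID'' and ''BID_TYPE'' are reassigned here with no comment explaining why the previous extraction stopped working. Since the revision summary says the script was updated for ash, a one-line comment above ''BID_UUID'' naming what changed (shell syntax or the format of the parsed output) would let the next editor judge whether the new form is still needed.
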
| Line 113: | Line 142: | ||
| fi | fi | ||
| CT_RAW=" | CT_RAW=" | ||
| + | if [[ -z " | ||
| + | then | ||
| + | exit 0 | ||
| + | fi | ||
| - | if [[ -n "${CT_RAW:-}" ]] | + | CT_LABEL=" |
| + | CT_KEYFILE=" | ||
| + | CT_TYPE=" | ||
| + | |||
| + | if [[ -e "/ | ||
| then | then | ||
| - | | + | |
| - | | + | |
| - | | + | fi |
| - | # | + | |
| - | | + | # Error Handling |
| - | then | + | if [[ ! -e "$CT_KEYFILE" |
| - | msg "Drive already decrypted: $CT_LABEL" | + | then |
| - | exit 0 | + | msg " |
| - | fi | + | exit 1 |
| + | fi | ||
| + | if [[ ! "${BID_TYPE}" | ||
| + | then | ||
| + | msg "Unable to decrypt format: $CT_TYPE" | ||
| + | exit 1 | ||
| + | fi | ||
| - | # Error Handling | + | msg " |
| - | if [[ ! -e "$CT_KEYFILE" | + | cryptsetup luksOpen "/ |
| + | CS_EXIT=" | ||
| + | case " | ||
| + | 0) | ||
| then | then | ||
| - | msg "Unable to view keyfile: '$CT_KEYFILE' | + | msg "Drive decrypted: $CT_LABEL" |
| + | else | ||
| + | msg "Drive not found after decrypting: $CT_LABEL" | ||
| exit 1 | exit 1 | ||
| - | | + | fi;; |
| - | if [[ ! " | + | 5) msg " |
| - | then | + | *) msg " |
| - | msg " | + | esac |
| - | exit 1 | + | |
| - | fi | + | |
| - | + | ||
| - | msg " | + | |
| - | cryptsetup luksOpen "/ | + | |
| - | CS_EXIT=" | + | |
| - | case " | + | |
| - | 0) if [ -e "/ | + | |
| - | then | + | |
| - | msg "Drive decrypted: $CT_LABEL" | + | |
| - | else | + | |
| - | msg "Drive not found after decrypting: $CT_LABEL" | + | |
| - | exit 1 | + | |
| - | | + | |
| - | 5) msg " | + | |
| - | *) msg " | + | |
| - | esac | + | |
| - | fi | + | |
| EOF | EOF | ||
| </ | </ | ||
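
Review bot: in the ''case'' on the cryptsetup exit status, the new ''0)'' arm is followed directly by ''then'' with no ''if'' test shown, where the old side had ''0) if [ -e''; as rendered, that arm would be a syntax error. Please confirm the device-exists test survived the re-indent. Also, the script now starts with ''#!/bin/ash'' but the added tests still use ''[[ ... ]]'', which is a bash extension and not POSIX sh; the ''[ ... ]'' form that the old ''0)'' line used is the safer choice here.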