Differences

docs:guide-user:storage:disk.encryption [2019/05/13 06:38] – formatting vgaeteradocs:guide-user:storage:disk.encryption [2023/01/10 20:01] – Updated required packages, added steps to make a key-file and updated decrypt.sh for use in latest openwrt with ash mitchmurder
Line 5: Line 5:
  
 <code bash> <code bash>
-opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-misc kmod-crypto-user cryptsetup+opkg install kmod-crypto-ecb kmod-crypto-xts kmod-crypto-seqiv kmod-crypto-misc kmod-crypto-user cryptsetup
 </code> </code>
  
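Review bot: the swap of kmod-crypto-iv for kmod-crypto-seqiv in the opkg line is not explained anywhere in the hunk; add a sentence stating which OpenWrt release renamed or dropped kmod-crypto-iv, so a reader on an older release knows which of the two packages to install instead of getting an unknown-package error from opkg.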
Line 61: Line 61:
 Automated: Automated:
  
-The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab'':+The following script can be used to automate decrypting and mounting removable storage that is encrypted by using entries in ''/etc/crypttab'' (like many linux distros) and ''/etc/config/fstab''. To use the following script, a key-file must be generated. To see the occupied Keyslots in the LUKS device: 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 + 
 +''Keyslots'' should have 1 entry (''0:'', from the passphrase created earlier). To use a previously generated key-file, this step may be omitted. To create a new key-file: 
 +<code bash> 
 +dd if=/dev/urandom of=[path/to/key-file] bs=512 count=8 
 +</code> 
 + 
 +This will create a key-file that is filled with 4096 bytes of random data. Add this key-file to the LUKS device: 
 +<code bash>  
 +cryptsetup luksAddKey [encrypted-device] [path/to/key-file] 
 +</code> 
 + 
 +You will be prompted for the passphrase from above. 
 + 
 +<code bash> 
 +cryptsetup luksDump [encrypted-device] 
 +</code> 
 +''Keyslots'' should now contain 2 entries (''1:'' correlating to the newly created key-file). The format of ''/etc/crypttab'' should be as follows: 
 +''[map-name] [UUID=UUID-of-encrypted-device] [path/to/key-file] [type-of-encryption]'' 
 + 
 +[UUID] and [type-of-encryption] may be obtained from the output of: 
 +<code bash> 
 +block info 
 +</code> 
 + 
 +''[type-of-encryption]'' must match exactly with ''TYPE='' given by ''block info''.
  
 <code bash> <code bash>
 cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt cat << "EOF" > /etc/hotplug.d/block/99-lukscrypt
-# note: this needs bash and awk installed and the #!/bin/bash does not seem to work on 18.06 +# note: this needs ash and awk installed 
-bash /bin/decrypt.sh+ash /bin/decrypt.sh
 EOF EOF
  
 cat << "EOF" > /bin/decrypt.sh cat << "EOF" > /bin/decrypt.sh
-#!/bin/bash+#!/bin/ash
 # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt) # Perform tasks when called by BLOCK hotplug (/etc/hotplug.d/block/99-lukscrypt)
 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18 # CC0: 21JUL18 by WaLLy3K, updated 09AUG18
 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04 # Further adapted for OpenWRT 18.06 by jmm on 2018-09-04
 +# Further apapted for OpenWRT 21.02.2 by mdpc on 2022-12-30
  
 # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx) # Hotplug Vars: $ACTION (add/remove), $DEVICE (?), $DEVNAME (sdx)
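Review bot: the key-file written by `dd if=/dev/urandom of=[path/to/key-file] bs=512 count=8` is created with the default umask, so it can be readable by other local users before it is even enrolled; add `chmod 600 [path/to/key-file]` (or `umask 077` before the dd) between the dd step and `cryptsetup luksAddKey`, and say where on the router the file should live, because a key-file on the unencrypted root filesystem lets anyone who can read root open the volume without the passphrase. The interpreter change from `#!/bin/bash` to `#!/bin/ash` should also be called out in the text as dropping the bash dependency, and the new attribution comment has a typo, `apapted` for `adapted`.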
Line 103: Line 132:
  
 BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')" BID_RAW="$(block info "/dev/$DEVNAME" | awk -v RS=' ' '{gsub("[:\"]",""); print $0}')"
-BID_UUID="$(awk -F'/UUID/ {print $2}' <<< "$BID_RAW")" +BID_UUID="$(echo $BID_RAW | awk -F['/=',' '] '{print $5}')" 
-BID_TYPE="$(awk -F'/TYPE/ {print $2}' <<< "$BID_RAW")"+BID_TYPE="$(echo $BID_RAW | awk -F['/=',' '] '{print $7}')"
  
 # Determine whether drive needs to be decrypted # Determine whether drive needs to be decrypted
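Review bot: `awk -F['/=',' '] '{print $5}'` and `'{print $7}'` pick UUID and TYPE by fixed field position, which only holds while `block info` prints exactly `/dev/<name>: UUID=... TYPE=...` with no LABEL, VERSION or other key in between, and the unquoted `['/=',' ']` is a shell glob that ash will expand if a file named like `-F,` exists in the working directory. Quote the separator and select by key name instead, e.g. `BID_UUID="$(echo "$BID_RAW" | awk -F'[= ]' '{for(i=1;i<NF;i++) if($i=="UUID") print $(i+1)}')"` and the same with `TYPE`, so the script keeps working when the field order changes.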
Line 118: Line 147:
 fi fi
  
-CT_LABEL="$(awk '{print $1}' <<< "$CT_RAW")" +CT_LABEL="$(echo $CT_RAW | awk '{print $1}')" 
-CT_KEYFILE="$(awk '{print $3}' <<< "$CT_RAW")" +CT_KEYFILE="$(echo $CT_RAW | awk '{print $3}')" 
-CT_TYPE="$(awk -F '[ ,]+' '{print $4}' <<< "$CT_RAW")" +CT_TYPE="$(echo $CT_RAW | awk -F '[ ,]+' '{print $4}')"
-#CT_SCRIPT="$(awk -F "keyscript=" '{print $2}' <<< "$CT_RAW")"+
  
-if [[ -e "/dev/mapper/${CT_LABEL,,}" ]]+if [[ -e "/dev/mapper/${CT_LABEL}" ]]
 then then
     msg "Drive already decrypted: $CT_LABEL"     msg "Drive already decrypted: $CT_LABEL"
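Review bot: replacing `${CT_LABEL,,}` with `${CT_LABEL}` changes the mapper name from the lowercased label to the label exactly as written in `/etc/crypttab`, so any existing `/etc/config/fstab` entry or `/dev/mapper/` path that relied on the lowercase name will stop matching; state this in the page text, or lowercase with `tr 'A-Z' 'a-z'`, which busybox has, since `${var,,}` is the bash-only feature being removed. The `echo $CT_RAW` pipelines should quote the variable as `echo "$CT_RAW"` so the crypttab line is not glob-expanded before awk sees it, and the retained `[[ -e ... ]]` is still a bash-ism that only works on busybox ash built with bash compatibility; `[ -e ... ]` is equivalent here and portable.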
Line 135: Line 163:
     exit 1     exit 1
 fi fi
-if [[ ! "${BID_TYPE,,}" == *"${CT_TYPE,,}"* ]]+if [[ ! "${BID_TYPE}" == *"${CT_TYPE}"* ]]
 then then
     msg "Unable to decrypt format: $CT_TYPE"     msg "Unable to decrypt format: $CT_TYPE"
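Review bot: with `${BID_TYPE,,}` and `${CT_TYPE,,}` gone, the `[[ ! "${BID_TYPE}" == *"${CT_TYPE}"* ]]` test is now case-sensitive, which is why the page text says the crypttab type must match `TYPE=` exactly; the glob-style match inside `[[ ]]` is itself a bash feature, so either confirm busybox ash on the target release accepts it or replace the block with `case "$BID_TYPE" in *"$CT_TYPE"*) ;; *) msg "Unable to decrypt format: $CT_TYPE"; exit 1;; esac`, which every ash supports.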
Line 142: Line 170:
  
 msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)" msg "Decrypting drive: $CT_LABEL (/dev/$DEVNAME)"
-cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL,,}" -d "$CT_KEYFILE"+cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE"
 CS_EXIT="$?" CS_EXIT="$?"
 case "$CS_EXIT" in case "$CS_EXIT" in
-0)  if [ -e "/dev/mapper/${CT_LABEL,,}" ]+0)  if [ -e "/dev/mapper/${CT_LABEL}" ]
     then     then
         msg "Drive decrypted: $CT_LABEL"         msg "Drive decrypted: $CT_LABEL"
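Review bot: `cryptsetup luksOpen "/dev/$DEVNAME" "${CT_LABEL}" -d "$CT_KEYFILE"` passes the key-file path straight from crypttab with no check that the file exists and is readable, so a missing or mis-permissioned key-file only surfaces as a non-zero `CS_EXIT` from cryptsetup; add `[ -r "$CT_KEYFILE" ] || { msg "Key-file not readable: $CT_KEYFILE"; exit 1; }` before the luksOpen. The `-e "/dev/mapper/${CT_LABEL}"` success check on the `0)` branch is consistent with the earlier "already decrypted" test now that both use the un-lowercased name.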
  • Last modified: 2023/07/24 23:25
  • by crass