initrd: improve readability and robustness to recovery

The luks.secret is stored per block device, and any existing /dev/mapper/samizdatcrypt is removed before we try to create that device. This makes it more possible to recover from a failed menu-select from the emergency console.
author: Andrew Cady <d@cryptonomic.net> 2021-03-02 14:09:11 -0500
committer: Andrew Cady <d@cryptonomic.net> 2021-03-02 14:09:11 -0500
commit: 6726860c3ee36e26ebae4fbc8b72c9955b50230f (patch)
tree: ade8b8a47ddd84c07a28aded24bfe3d805a1f746
parent: 02ce104d54db0fcc56ff86baa65ebe3de064fe3a (diff)
1 files changed, 10 insertions, 9 deletions
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh
index 6e0f22e..969ddf6 100644
--- a/src/initrd/btrfs-create.sh
+++ b/src/initrd/btrfs-create.sh
@@ -311,21 +311,22 @@ open_samizdat_blockdev_from_loop()
 open_samizdat_blockdev()
 {
  local dev="$1" keyfile="$2"
-  local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret
+  local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret."${dev##*/}"
-  gpg2 --verify "$keyfile" || return
+  if [ -b /dev/mapper/"$cryptname" ]
+  then
-  # TODO: we should be ensuring we can decrypt this secret key before even
+    cryptsetup luksClose "$cryptname" || return
-  # offering the option to boot the encrypted filesystem
+  fi
-  # The first --decrypt merely strips the signature.  The option is
+  if [ ! -e "$decrypted_keyfile" ]
-  # poorly named for that case.
+  then
-  gpg2 --decrypt "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return
+    gpg2 --verify "$keyfile" || return
+    gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return
+  fi
  cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return
  [ -b /dev/mapper/"$cryptname" ] || return
 }
 init_samizdat_blockdev()
author	Andrew Cady <d@cryptonomic.net>	2021-03-02 14:09:11 -0500
committer	Andrew Cady <d@cryptonomic.net>	2021-03-02 14:09:11 -0500
commit	6726860c3ee36e26ebae4fbc8b72c9955b50230f (patch)
tree	ade8b8a47ddd84c07a28aded24bfe3d805a1f746
parent	02ce104d54db0fcc56ff86baa65ebe3de064fe3a (diff)

diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 6e0f22e..969ddf6 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh
@@ -311,21 +311,22 @@ open_samizdat_blockdev_from_loop()
311	open_samizdat_blockdev()	311	open_samizdat_blockdev()
312	{	312	{
313	local dev="$1" keyfile="$2"	313	local dev="$1" keyfile="$2"
314	local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret	314	local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret."${dev##*/}"
315		315
316	gpg2 --verify "$keyfile" \|\| return	316	if [ -b /dev/mapper/"$cryptname" ]
317		317	then
318	# TODO: we should be ensuring we can decrypt this secret key before even	318	cryptsetup luksClose "$cryptname" \|\| return
319	# offering the option to boot the encrypted filesystem	319	fi
320		320
321	# The first --decrypt merely strips the signature. The option is	321	if [ ! -e "$decrypted_keyfile" ]
322	# poorly named for that case.	322	then
323	gpg2 --decrypt "$keyfile" \| gpg2 --decrypt > "$decrypted_keyfile" \|\| return	323	gpg2 --verify "$keyfile" \|\| return
		324	gpg2 --output=- --verify "$keyfile" \| gpg2 --decrypt > "$decrypted_keyfile" \|\| return
		325	fi
324		326
325	cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" \|\| return	327	cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" \|\| return
326		328
327	[ -b /dev/mapper/"$cryptname" ] \|\| return	329	[ -b /dev/mapper/"$cryptname" ] \|\| return
328
329	}	330	}
330		331
331	init_samizdat_blockdev()	332	init_samizdat_blockdev()