author | Andrew Cady <d@cryptonomic.net> | 2021-03-02 14:09:11 -0500 |
committer | Andrew Cady <d@cryptonomic.net> | 2021-03-02 14:09:11 -0500 |
commit | 6726860c3ee36e26ebae4fbc8b72c9955b50230f (patch) | |
tree | ade8b8a47ddd84c07a28aded24bfe3d805a1f746 | |
parent | 02ce104d54db0fcc56ff86baa65ebe3de064fe3a (diff) |
initrd: improve readability and robustness to recovery
The luks.secret is stored per block device, and any existing
/dev/mapper/samizdatcrypt is removed before we try to create
that device.
This makes it easier to recover from a failed menu-select
from the emergency console.
-rw-r--r-- | src/initrd/btrfs-create.sh | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 6e0f22e..969ddf6 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh | |||
@@ -311,21 +311,22 @@ open_samizdat_blockdev_from_loop() | |||
311 | open_samizdat_blockdev() | 311 | open_samizdat_blockdev() |
312 | { | 312 | { |
313 | local dev="$1" keyfile="$2" | 313 | local dev="$1" keyfile="$2" |
314 | local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret | 314 | local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret."${dev##*/}" |
315 | 315 | ||
316 | gpg2 --verify "$keyfile" || return | 316 | if [ -b /dev/mapper/"$cryptname" ] |
317 | 317 | then | |
318 | # TODO: we should be ensuring we can decrypt this secret key before even | 318 | cryptsetup luksClose "$cryptname" || return |
319 | # offering the option to boot the encrypted filesystem | 319 | fi |
320 | 320 | ||
321 | # The first --decrypt merely strips the signature. The option is | 321 | if [ ! -e "$decrypted_keyfile" ] |
322 | # poorly named for that case. | 322 | then |
323 | gpg2 --decrypt "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | 323 | gpg2 --verify "$keyfile" || return |
324 | gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | ||
325 | fi | ||
324 | 326 | ||
325 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return | 327 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return |
326 | 328 | ||
327 | [ -b /dev/mapper/"$cryptname" ] || return | 329 | [ -b /dev/mapper/"$cryptname" ] || return |
328 | |||
329 | } | 330 | } |
330 | 331 | ||
331 | init_samizdat_blockdev() | 332 | init_samizdat_blockdev() |
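Review bot: The new `[ ! -e "$decrypted_keyfile" ]` guard at new line 321 reuses any existing `/luks.secret.<dev>`, but the redirection on new line 324 creates/truncates that file before the pipeline runs, so a failed `gpg2 --decrypt` (wrong passphrase, no smartcard, interrupted prompt) leaves an empty or partial keyfile behind, the `|| return` fires, and every later retry from the emergency console skips decryption and hands the bad file to `cryptsetup luksOpen` — the opposite of the recovery this commit aims for. Remove the artifact on failure so the next attempt re-decrypts: `gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || { rm -f "$decrypted_keyfile"; return 1; }`. Without `pipefail` the pipeline's status is only that of the second `gpg2`, so a verify failure is caught only because of the separate `gpg2 --verify` on new line 323 — worth a one-line comment saying that check is load-bearing. The plaintext LUKS key is also written with whatever umask the initrd has; if that is not already restricted, a `umask 077` before the redirect would be prudent (not verifiable from this hunk). `open_samizdat_blockdev` is fully within the hunk; `init_samizdat_blockdev` on the last line continues outside it.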