diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/initrd/btrfs-create.sh | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 6e0f22e..969ddf6 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh | |||
@@ -311,21 +311,22 @@ open_samizdat_blockdev_from_loop() | |||
311 | open_samizdat_blockdev() | 311 | open_samizdat_blockdev() |
312 | { | 312 | { |
313 | local dev="$1" keyfile="$2" | 313 | local dev="$1" keyfile="$2" |
314 | local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret | 314 | local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret."${dev##*/}" |
315 | 315 | ||
316 | gpg2 --verify "$keyfile" || return | 316 | if [ -b /dev/mapper/"$cryptname" ] |
317 | 317 | then | |
318 | # TODO: we should be ensuring we can decrypt this secret key before even | 318 | cryptsetup luksClose "$cryptname" || return |
319 | # offering the option to boot the encrypted filesystem | 319 | fi |
320 | 320 | ||
321 | # The first --decrypt merely strips the signature. The option is | 321 | if [ ! -e "$decrypted_keyfile" ] |
322 | # poorly named for that case. | 322 | then |
323 | gpg2 --decrypt "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | 323 | gpg2 --verify "$keyfile" || return |
324 | gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | ||
325 | fi | ||
324 | 326 | ||
325 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return | 327 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return |
326 | 328 | ||
327 | [ -b /dev/mapper/"$cryptname" ] || return | 329 | [ -b /dev/mapper/"$cryptname" ] || return |
328 | |||
329 | } | 330 | } |
330 | 331 | ||
331 | init_samizdat_blockdev() | 332 | init_samizdat_blockdev() |