summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/initrd/btrfs-create.sh10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh
index 3066331..c076b9e 100644
--- a/src/initrd/btrfs-create.sh
+++ b/src/initrd/btrfs-create.sh
@@ -224,12 +224,18 @@ open_samizdat_blockdev_from_loop()
224open_samizdat_blockdev() 224open_samizdat_blockdev()
225{ 225{
226 local dev="$1" keyfile="$2" 226 local dev="$1" keyfile="$2"
227 local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret
227 228
228 local cryptname=samizdatcrypt
229 gpg2 --verify "$keyfile" || return 229 gpg2 --verify "$keyfile" || return
230
231 # TODO: we should be ensuring we can decrypt this secret key before even
232 # offering the option to boot the encrypted filesystem
233
230 # The first --decrypt merely strips the signature. The option is 234 # The first --decrypt merely strips the signature. The option is
231 # poorly named for that case. 235 # poorly named for that case.
232 gpg2 --decrypt "$keyfile" | gpg2 --decrypt | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return 236 gpg2 --decrypt "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return
237
238 cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return
233 239
234 [ -b /dev/mapper/"$cryptname" ] || return 240 [ -b /dev/mapper/"$cryptname" ] || return
235 241