Commit 069ecd43 authored by Matthias Klumpp's avatar Matthias Klumpp

cryptsetup-helper: Deal with LUKS root partition as intended

parent 0adf7154
......@@ -20,6 +20,7 @@ import os
import argparse
import subprocess
import shlex
import json
ENCRYPT_BYPASS_INITRAMFS_HOOK = '/usr/share/initramfs-tools/hooks/bypass_encrypt_hook'
......@@ -28,7 +29,7 @@ CRYPTTAB_FILE = '/etc/crypttab'
KEYFILE = '/crypto_keyfile.bin'
KEYFILE_OLD = '/crypto_keyfile.bin.old'
CALAMARES_LUKS_PARTITION_FILE = '/var/lib/encrypted_partitions'
CALAMARES_LUKS_PARTITION_FILE = '/encrypted_partitions.json'
def run_command(command, input=None):
......@@ -58,24 +59,30 @@ def run_command(command, input=None):
def run(new_password):
clp_f = open(CALAMARES_LUKS_PARTITION_FILE, 'r')
partitions = clp_f.readlines()
luks_partitions = json.load(open(CALAMARES_LUKS_PARTITION_FILE, 'r'))
luks_root_device = luks_partitions.get('rootDevice')
additional_luks_devices = luks_partitions.get('additionalDevices', [])
if not new_password:
raise Exception ("New disk password is empty")
raise Exception("New disk password is empty")
if not luks_root_device:
raise Exception("No LUKS root device set in encrypted_partitions.json")
# move old keyfile out of the way
os.rename(KEYFILE, KEYFILE_OLD)
# Generate random keyfile
out, err, ret = run_command(["dd",
"bs=512",
"count=4",
"if=/dev/urandom",
"of=/crypto_keyfile.bin"])
out, err, ret = run_command(['dd',
'bs=512',
'count=4',
'if=/dev/urandom',
'of=/crypto_keyfile.bin'])
if ret != 0:
raise Exception("Unable to create new crypto_keyfile.bin: {} - {}".format(out, err))
# make a list of all partitions we deal with
partitions = additional_luks_devices.copy()
partitions.insert(0, luks_root_device)
for partition in partitions:
partition = partition.strip()
......@@ -83,33 +90,36 @@ def run(new_password):
continue
out, err, ret = run_command(['cryptsetup',
'luksAddKey',
partition,
KEYFILE,
'--key-file', KEYFILE_OLD])
'luksAddKey',
partition,
KEYFILE,
'--key-file', KEYFILE_OLD])
if ret != 0:
raise Exception("Unable to add key file: {} - {}".format(out, err))
out, err, ret = run_command(['cryptsetup',
'luksRemoveKey',
partition,
KEYFILE_OLD])
'luksRemoveKey',
partition,
KEYFILE_OLD])
if ret != 0:
raise Exception("Unable to remove old key file: {} - {}".format(out, err))
out, err, ret = run_command(['cryptsetup',
'luksAddKey',
partition,
'--key-file', KEYFILE,
'-q'],
input=new_password)
if ret != 0:
raise Exception("Unable to add key: {} - {}".format(out, err))
# only add a real password to the root partition.
# once that is unlocked, the system has access to the keyfile and can automatically
# decrypt all other partitions
if partition == luks_root_device:
out, err, ret = run_command(['cryptsetup',
'luksAddKey',
partition,
'--key-file', KEYFILE,
'-q'],
input=new_password)
if ret != 0:
raise Exception("Unable to add key: {} - {}".format(out, err))
out, err, ret = run_command(['chmod',
'g-rwx,o-rwx',
KEYFILE])
'g-rwx,o-rwx',
KEYFILE])
if ret != 0:
raise Exception("Unable to set permissions on key file: {} - {}".format(out, err))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment