Commit 384ab5d5 authored by Matthias Klumpp's avatar Matthias Klumpp

Add initial cryptsetup helper hack

parent d3738a21
# This file is autogenerated. DO NOT EDIT!
#
# Modifications should be made to debian/control.in instead.
# This file is regenerated automatically in the clean target.
Source: gnome-initial-setup
Section: gnome
Priority: optional
......@@ -43,12 +39,12 @@ Homepage: https://git.gnome.org/browse/gnome-initial-setup/
Package: gnome-initial-setup
Architecture: linux-any
Depends: ${shlibs:Depends},
policykit-1 (>= 0.103),
adduser,
Depends: adduser,
gnome-settings-daemon (>= 3.24),
policykit-1 (>= 0.103),
python3,
${misc:Depends}
${misc:Depends},
${shlibs:Depends}
Recommends: gnome-getting-started-docs
Suggests: gdm3
Description: Initial GNOME system setup helper
......
......@@ -39,12 +39,12 @@ Homepage: https://git.gnome.org/browse/gnome-initial-setup/
Package: gnome-initial-setup
Architecture: linux-any
Depends: ${shlibs:Depends},
policykit-1 (>= 0.103),
adduser,
Depends: adduser,
gnome-settings-daemon (>= 3.24),
policykit-1 (>= 0.103),
python3,
${misc:Depends}
${misc:Depends},
${shlibs:Depends}
Recommends: gnome-getting-started-docs
Suggests: gdm3
Description: Initial GNOME system setup helper
......
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 Matthias Klumpp <matthias.klumpp@puri.sm>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
import os
import argparse
import subprocess
import shlex
ENCRYPT_BYPASS_INITRAMFS_HOOK = '/usr/share/initramfs-tools/hooks/bypass_encrypt_hook'
CRYPTTAB_FILE = '/etc/crypttab'
KEYFILE = '/crypto_keyfile.bin'
KEYFILE_OLD = '/crypto_keyfile.bin.old'
def run_command(command, input=None):
if not isinstance(command, list):
command = shlex.split(command)
if not input:
input = None
elif isinstance(input, str):
input = input.encode('utf-8')
elif not isinstance(input, bytes):
input = input.read()
try:
pipe = subprocess.Popen(command,
shell=False,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
except OSError:
return (None, None, -1)
(output, stderr) = pipe.communicate(input=input)
(output, stderr) = (c.decode('utf-8', errors='ignore') for c in (output, stderr))
return (output, stderr, pipe.returncode)
def run(new_password, partition_name):
partitions = [partition_name]
if not new_password:
raise Exception ("New disk password is empty")
# move old keyfile out of the way
os.rename(KEYFILE, KEYFILE_OLD)
# Generate random keyfile
out, err, ret = run_command(["dd",
"bs=512",
"count=4",
"if=/dev/urandom",
"of=/crypto_keyfile.bin"])
if ret != 0:
raise Exception("Unable to create crypto_keyfile.bin: {} - {}".format(out, err))
for partition in partitions:
out, err, ret = run_command(['cryptsetup',
'luksAddKey',
partition,
KEYFILE,
'--key-file', KEYFILE_OLD])
if ret != 0:
raise Exception("Unable to add key file: {} - {}".format(out, err))
out, err, ret = run_command(['cryptsetup',
'luksRemoveKey',
partition,
KEYFILE_OLD,
'--key-file', KEYFILE])
if ret != 0:
raise Exception("Unable to remove old key file: {} - {}".format(out, err))
out, err, ret = run_command(['cryptsetup',
'luksAddKey',
partition,
'--key-file', KEYFILE])
if ret != 0:
raise Exception("Unable to add key: {} - {}".format(out, err))
out, err, ret = run_command(['chmod',
'g-rwx,o-rwx',
KEYFILE])
if ret != 0:
raise Exception("Unable to set permissions on key file: {} - {}".format(out, err))
os.remove(KEYFILE_OLD)
os.remove(ENCRYPT_BYPASS_INITRAMFS_HOOK)
def main():
parser = argparse.ArgumentParser(description="Set a new disk password, replacing existing ones")
parser.add_argument('-p', '--password', type=str, required=True)
parser.add_argument('-d', '--partition', type=str, required=True)
args = parser.parse_args()
if not os.path.isfile(ENCRYPT_BYPASS_INITRAMFS_HOOK):
print('Encrypt bypass initramfs hook does not exist, script will not do anything')
return
run(args.password, args.partition)
if __name__ == '__main__':
main()
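Review bot: In run(), `new_password` is only tested for emptiness and never reaches cryptsetup: the last `luksAddKey` call passes no `input` to run_command, so cryptsetup's stdin is closed at once and the passphrase the user chose is not the one enrolled (the call presumably fails or reads an empty passphrase). Pass it on stdin by ending that call with `'--key-file', KEYFILE], input=new_password)`. Separately, `-p/--password` in main() puts the disk passphrase in argv, where other local processes can read it from the process list while the helper runs; reading it from stdin would avoid that, though the caller is not visible in this commit. The new keyfile is also written by `dd` under the inherited umask and only tightened by `chmod g-rwx,o-rwx` after it has been enrolled as a LUKS key, so calling `os.umask(0o077)` before the `dd` step would close that window.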
debian/gnome-initial-setup.pkla /var/lib/polkit-1/localauthority/10-vendor.d/
debian/extra/cryptsetup-helper.py /usr/lib/gnome-initial-setup/
debian/extra/install-locale.py /usr/lib/gnome-initial-setup/
debian/gnome-initial-setup.pkla /var/lib/polkit-1/localauthority/10-vendor.d/
......@@ -15,3 +15,4 @@ override_dh_auto_configure:
override_dh_install:
dh_install
chmod +x $(CURDIR)/debian/gnome-initial-setup/usr/lib/gnome-initial-setup/install-locale.py
chmod +x $(CURDIR)/debian/gnome-initial-setup/usr/lib/gnome-initial-setup/cryptsetup-helper.py