X-Git-Url: http://git.grml.org/?a=blobdiff_plain;f=grml-crypt;h=fade32e42c56e1b0b5cc906420ba504580d082ea;hb=5011d9d13056bfdccc4afdc7d5f8f55dd7a0996f;hp=084c55d5d95e64f345a206ac6e1e334850ec9de7;hpb=ee5fcdbe151056023d9e8b34eb62fac7e8fee36c;p=grml-crypt.git
diff --git a/grml-crypt b/grml-crypt
index 084c55d..fade32e 100755
--- a/grml-crypt
+++ b/grml-crypt
@@ -1,10 +1,10 @@
-#!/bin/sh
+#!/bin/bash
 # Filename: grml-crypt
 # Purpose: Program to format, mount and unmount encrypted devices/files
 # Authors: Michael Gebetsroither
 # Bug-Reports: see http://grml.org/bugs/
 # License: This file is licensed under the GPL v2.
-# Latest change: Mon Aug 08 11:37:20 CEST 2005
+# Latest change: Don Jul 26 19:57:28 CEST 2007 [mika]
 ################################################################################
@@ -35,12 +35,13 @@ DM_PATH_=""
 ACTION_=""
 DM_PREFIX_="grml-crypt_"
 FORCE_='false'
-OVERWRITE_SOURCE_DEV_='/dev/urandom'
+FSCK_='false'
+ENTROPY_SOURCE_='/dev/urandom'
 OPTIMIZED_MODE_SET_='false'
 OPTIMIZING_LEVEL_=0
-CIPHER_SIZE_="128"
+CIPHER_SIZE_="256"
 CIPHER_="aes-cbc-essiv:sha256"
-ITERATION_TIME_="1"
+ITERATION_TIME_="1000"
 ADDITIONAL_CRYPTSETUP_ARGS_=""
 READONLY_SET_='false'
 ADDITIONAL_MOUNT_ARGS_=""
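Review bot: The changed defaults carry no units or rationale, so `ITERATION_TIME_="1000"` reads like a count although, if it feeds cryptsetup's `--iter-time` as its name suggests, it is a duration in milliseconds, and `CIPHER_SIZE_="256"` is a key size in bits for the `aes-cbc-essiv:sha256` spec. A one-line comment on each would keep the next tuning from going the wrong way: `ITERATION_TIME_="1000"   # ms spent in PBKDF2 key derivation (cryptsetup --iter-time), not a count` and `CIPHER_SIZE_="256"   # key size in bits`. The renamed `ENTROPY_SOURCE_` also holds `/dev/zero` once `-z` is given, so the name overstates what it guarantees; `# /dev/zero only with -z (INSECURE)` next to the default keeps that honest.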
@@ -55,16 +56,17 @@ function printUsage
 cat < [mountpoint]
-$PROG_NAME__ is a wrapper arround cryptsetup with LUKS support to format a device
+$PROG_NAME__ is a wrapper around cryptsetup with LUKS support to format a device
 OPTIONS:
 -s size of the loop-filesystem to create, in MB (default=$SIZE_)
 -t type of filesystem (default=$FSTYPE_)
 -r read only mode (fully supported only by start)
 -z insecure mode, using /dev/zero for most of the initialisation (INSECURE!)
- -o optimized initialisation mode (should be as secure as the default but faster)
+ -o optimised initialisation mode (should be as secure as the default but faster)
 -y verifies the passphrase by asking for it twice
 -f force file overwriting in format mode and/or disable confirmation dialog
+ -F only for action start: run fsck before mounting the filesystem
 -m additional arguments to mount
 -v verbose (show what is going on, v++)
 -h this help text
@@ -86,13 +88,21 @@ ACTIONS:
 Umount the given mountpoint (umount, luksClose, losetup -d)
 EOT
+
+ isGrml && cat < grml-crypt with a filesystem image does ONLY
+ work if the image is on a tmpfs (eg. in /home/grml or /tmp).
+
+EOT
+
 }
 function getDMName
 {
 device_="${1##*/}"
-
+ # first trying normal devicename
 tmp_="${DM_PREFIX_}${device_}"
 if [ ! -e "$tmp_" ]; then
@@ -123,10 +133,10 @@ function formatDevice
 execute "$CRYPTSETUP_ luksOpen $TARGET_ $DM_NAME_" warn \
 "could not open $DM_PATH_ to create a filesystem on it!" || return 1
 if [[ $type_ == 'init' && $OPTIMIZED_MODE_SET_ == 'true' ]]; then
- echo "finishing optimized initialisation (this could take some time)"
+ echo "finishing optimised initialisation (this could take some time)"
 # FIXME execute "dd if=/dev/zero of=$DM_PATH_ bs=1M &>/dev/null" # || \
- # warn "could not finish optimized initialisation properly"
+ # warn "could not finish optimised initialisation properly"
 ret_=$?
 # cutted out because of no space left on device error :(
 #if [[ $ret_ != 0 ]]; then
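Review bot: In getDMName the existence test `if [ ! -e "$tmp_" ]; then` probes the bare mapper name `${DM_PREFIX_}${device_}` relative to the current working directory rather than the device-mapper node, so whether an unrelated file happens to exist in the cwd decides which name the script settles on; the function continues outside the hunk, so this holds unless a later line prefixes the mapper directory before the test. If the intent is to check for an existing mapping, `if [ ! -e "/dev/mapper/$tmp_" ]; then` states it directly. The added `isGrml && cat` block calls a helper that no visible hunk defines; if it comes from a sourced library, a short comment naming that source would help the reader.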
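Review bot: Commenting out the `warn` after the zero-fill of `$DM_PATH_` in formatDevice (and, in the same way, the `die` after the `$ENTROPY_SOURCE_` fill of `$TARGET_` in the later actionFormat hunk `@@ -282,11 +295,12 @@`) means a short or failed fill is no longer reported, while `ret_=$?` on the next line is still assigned and, within the hunk, never read because the check below it is commented out too. For a block device, `dd` without `count=` always ends with "No space left on device" and status 1, so the status alone cannot distinguish a complete fill from an I/O error, yet an incomplete fill leaves part of the device as recognisable plaintext (zeros or stale data), which is exactly the case the warning existed for. A more robust form sizes the write explicitly, e.g. `count=$(( $(blockdev --getsize64 "$DM_PATH_") / 1048576 ))` with `bs=1M`, after which dd returns 0 on success and the original `|| warn` here (and `|| die` in actionFormat) can be restored, with one extra small dd for the sub-megabyte tail. Whether `execute` propagates the wrapped command's status into `$?` is not visible in these hunks.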
@@ -144,13 +154,13 @@ function formatDevice
 echo "Successully created $FSTYPE_ on encrypted $TARGET_"
 return 0
 fi
-}
+}
 function actionStart
 {
 ret_=0
-
+
 # no mountpoint, by-by
 if [[ "$MOUNT_POINT_" == "" ]]; then
 printUsage
@@ -176,6 +186,9 @@ function actionStart
 $READONLY_SET_ && cargs_='--readonly'
 execute "$CRYPTSETUP_ $cargs_ luksOpen $TARGET_ $DM_NAME_" warn || execute "losetup -d $TARGET_" || \
 die "could not luksOpen $TARGET_"
+ if [[ "$FSCK_" == "true" ]] ; then
+ execute "fsck -C $DM_NAME_" || die "fsck failed on $DM_NAME_"
+ fi
 margs_=""
 $READONLY_SET_ && margs_='-r'
 execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die
@@ -190,12 +203,12 @@ function actionStop
 isExistent "$mp_" die
 tmp_=`realpath $mp_` || die "could not get realpath of $mp_"
 dprint "realpath_=\"$tmp_\""
-
+
 dm_path_=`mount |grep "$tmp_ "` || die "$tmp_ is not mounted"
 dprint "dm_path_=\"$dm_path_\""
 dm_path_=`echo $dm_path_ |awk '{print $1}'` || die "could not get devicemapper name for $tmp_"
 dprint "dm_path_=\"$dm_path_\""
-
+
 dm_name_="${dm_path_##*/}"
 dprint "dm_name_=\"$dm_name_\""
@@ -203,7 +216,7 @@ function actionStop
 device_=`$CRYPTSETUP_ status $dm_name_ |awk '/device:/{print $2}'` || \
 die "could not get underlying device of $dm_path_"
 dprint "device_=\"$device_\""
-
+
 execute "umount $dm_path_" die "could not unmount $device_"
 execute "$CRYPTSETUP_ luksClose $dm_name_" die "could not close $dm_path_"
 echo "$device_" |grep loop &>/dev/null && execute "losetup -d $device_" \
@@ -216,7 +229,7 @@ this device could possible not be a loop device => maybe bogus error"
 function yesDialog
 {
 msg_="$1"
-
+
 echo "WARNING!" >&2
 echo "========" >&2
 echo -n "$msg_" >&2
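Review bot: `execute "fsck -C $DM_NAME_"` passes the bare mapper name, while the `mount` two lines below uses `$DM_PATH_`; fsck expects a device path (or an fstab entry), so a bare name will most likely not resolve and the `|| die` fires even on a clean filesystem. The `|| die` is also too strict: fsck exits 1 when it corrected errors, which is still a mountable result, whereas 4 and above mean errors were left or the check could not run. When `-r` was given the mapping was opened `--readonly`, so fsck should run in no-change mode (`-n`) there instead of attempting repairs on a read-only device. This assumes `execute` returns the wrapped command's status, which the existing `|| die` already relies on.
```bash
  if [[ "$FSCK_" == "true" ]] ; then
    fsck_args_=''
    # mapping was opened --readonly: check only, never repair
    $READONLY_SET_ && fsck_args_='-n'
    execute "fsck -C $fsck_args_ $DM_PATH_"
    ret_=$?
    # fsck status: 0 = clean, 1 = errors corrected; >= 2 is not safe to mount
    [[ $ret_ -lt 2 ]] || die "fsck failed on $DM_PATH_ (exit status $ret_)"
  fi
```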
@@ -244,23 +257,23 @@ function actionFormat
 notice "Operating on a file"
 IS_IMAGE_='true'
 if [ -e "$TARGET_" ]; then
- $FORCE_ || die "file $TARGET_ does allready exist"
+ $FORCE_ || die "$TARGET_ does already exist"
 warn "overwriting file $TARGET_"
 init_='donothing'
 else
 echo -n "Initialising file with "
 if [[ $OPTIMIZED_MODE_SET_ == 'true' ]]; then
- echo "optimized SECURE mode"
+ echo "optimised SECURE mode"
 execute "dd if=/dev/zero of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" \
 die "could not initialise $TARGET_ with /dev/zero"
 else
- if [[ $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then
+ if [[ $ENTROPY_SOURCE_ == '/dev/zero' ]]; then
 echo "INSERCURE mode"
 else
 echo "SECURE mode (taking /dev/urandom as source, this could take some time)"
 fi
- execute "dd if=$OVERWRITE_SOURCE_DEV_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\
- die "could not initialise $TARGET_ with $OVERWRITE_SOURCE_DEV_"
+ execute "dd if=$ENTROPY_SOURCE_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\
+ die "could not initialise $TARGET_ with $ENTROPY_SOURCE_"
 fi
 fi
@@ -268,7 +281,7 @@ function actionFormat
 # TARGET_ is now /dev/loop
 execute "losetup $TARGET_ $ORIG_TARGET_" die
- if [[ $OPTIMIZED_MODE_SET_ == 'true' || $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then
+ if [[ $OPTIMIZED_MODE_SET_ == 'true' || $ENTROPY_SOURCE_ == '/dev/zero' ]]; then
 execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \
 die "could not initialise the fist 2MB of $TARGET_ with /dev/urandom"
 fi
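Review bot: With `-f` on an existing file, `warn "overwriting file $TARGET_"` promises more than `init_='donothing'` on the next line delivers: the file is reused as it is, so its previous contents beyond whatever the LUKS format writes stay on disk and its size is never compared against `-s`. Either run the same initialisation as the new-file branch (the `/dev/zero` or `$ENTROPY_SOURCE_` dd with `count=${SIZE_}`) in this branch too, or word the message as `warn "reusing existing file $TARGET_ without re-initialising it"` so the user knows the difference. The runtime string `echo "INSERCURE mode"` keeps its typo although the neighbouring condition was rewritten in this hunk.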
@@ -282,11 +295,12 @@ function actionFormat
 echo "optimised SECURE mode"
 execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" ||\
 die "could not initialise the first 2MB of $TARGET_ with /dev/urandom"
- elif [[ $OVERWRITE_SOURCE_DEV_ != '/dev/zero' ]]; then
+ elif [[ $ENTROPY_SOURCE_ != '/dev/zero' ]]; then
 # default mode
- echo "SECURE mode (taking /dev/urandom as source, this could take some time)"
- execute "dd if=/dev/urandom of=$TARGET_ bs=1M &>/dev/null" ||\
- die "could not initialise $TARGET_ with /dev/zero"
+ echo "SECURE mode (taking $ENTROPY_SOURCE_ as source, this could take some time)"
+ execute "dd if=$ENTROPY_SOURCE_ of=$TARGET_ bs=1M &>/dev/null" #||\
+ # skipped because "no space left on device" from dd
+ # die "could not initialise $TARGET_ with $ENTROPY_SOURCE_"
 else
 echo 'INSECURE mode (only initialising the fist 2MB with /dev/urandom)'
 execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \
@@ -303,15 +317,18 @@ function actionFormat
 local mount_point_exists_='true'
 test -d "$MOUNT_POINT_" || mount_point_exists_='false'
- if [[ "$MOUNT_POINT_" != "" && "$mount_point_exists_" == 'true' ]]; then
+ if [[ $MOUNT_POINT_ != "" && "$mount_point_exists_" == 'true' ]]; then
 $READONLY_SET_ && margs_='-r'
 execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die
 else
- $mount_point_exists_ || warn "mountpoint $MOUNT_POINT_ does not exist, not mounting. please use \"grml-crypt start $ORIG_TARGET_ \" to start the device"
+ if [[ $MOUNT_POINT_ != "" ]]; then
+ $mount_point_exists_ || warn "mountpoint $MOUNT_POINT_ does not exist, not mounting. please use \"grml-crypt start $ORIG_TARGET_ \" to start the device"
+ fi
 execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn
 $IS_IMAGE_ && execute "losetup -d $TARGET_" warn
 fi
 else
+ execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn
 $IS_IMAGE_ && execute "losetup -d $TARGET_" warn
 fi
 }
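Review bot: The rewritten condition `if [[ $MOUNT_POINT_ != "" && "$mount_point_exists_" == 'true' ]]; then`, and the new inner `if [[ $MOUNT_POINT_ != "" ]]; then`, drop the quotes around `$MOUNT_POINT_` while keeping them on `$mount_point_exists_` on the same line; inside `[[ ]]` this is harmless, but the mixed style invites a later copy into a `[ ]` test, so `"$MOUNT_POINT_"` would match the rest of the file. The `luksClose` added to the outer `else` branch runs whenever the enclosing `if`, which starts outside the hunk, takes its failure path; if that path is also reached when `luksOpen` itself failed, the close only produces a warn, which is acceptable but worth a line such as `# mapping may not exist if luksOpen failed; warn only`.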
@@ -322,18 +339,19 @@ function actionFormat
 ### __MAIN ###
-while getopts "s:t:rzoyfm:hvS:C:I:A:" opt; do
+while getopts "s:t:rzoyfFm:hvS:C:I:A:" opt; do
 case "$opt" in
 s) SIZE_="$OPTARG"; SIZE_SET_='true' ;;
 t) FSTYPE_="$OPTARG" ;;
 r) READONLY_SET_='true' ;;
 z) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1
- OVERWRITE_SOURCE_DEV_='/dev/zero'
+ ENTROPY_SOURCE_='/dev/zero'
 warn 'initialising from INSECURE source /dev/zero' ;;
 o) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1
 OPTIMIZED_MODE_SET_='true' ;;
 y) VERIFY_PW_="--verify-passphrase" ;;
 f) FORCE_='true' ;;
+ F) FSCK_='true' ;;
 m) ADDITIONAL_MOUNT_ARGS_="$OPTARG" ;;
 h) printUsage; exit ;;
 v) let verbose_=$verbose_+1 ;;
@@ -393,4 +411,4 @@ esac
 # END OF FILE
 ################################################################################
-# vim:foldmethod=marker
+# vim:foldmethod=marker tabstop=2 expandtab shiftwidth=2
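Review bot: `F) FSCK_='true' ;;` is accepted for every action although the usage text says it applies to `start` only, so `format -F` or `stop -F` silently does nothing; a comment on the arm, `F) FSCK_='true' ;;  # honoured by actionStart only, ignored elsewhere`, or a `warn` once the action is known (presumably parsed after this loop, outside the hunk) would keep a user from assuming a check ran. The new arm follows the surrounding `let`-style arms, which is consistent with the file even though the rest of the case block would benefit from `$(( ))` arithmetic.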