X-Git-Url: http://git.grml.org/?p=grml-crypt.git;a=blobdiff_plain;f=grml-crypt;h=5dcace5dd2fe384579db5c717d5401ec2d04a599;hp=40f95ea38cb15521c2fb25ecb6174661b8617421;hb=6bdde2304c466c38d7e61d2d804df4df277fa5c0;hpb=d5428074d7410f3690dcf5ae1fbf47a2b457decd diff --git a/grml-crypt b/grml-crypt index 40f95ea..5dcace5 100755 --- a/grml-crypt +++ b/grml-crypt @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # Filename: grml-crypt # Purpose: Program to format, mount and unmount encrypted devices/files # Authors: Michael Gebetsroither @@ -35,12 +35,13 @@ DM_PATH_="" ACTION_="" DM_PREFIX_="grml-crypt_" FORCE_='false' -OVERWRITE_SOURCE_DEV_='/dev/urandom' +FSCK_='false' +ENTROPY_SOURCE_='/dev/urandom' OPTIMIZED_MODE_SET_='false' OPTIMIZING_LEVEL_=0 -CIPHER_SIZE_="128" +CIPHER_SIZE_="256" CIPHER_="aes-cbc-essiv:sha256" -ITERATION_TIME_="1" +ITERATION_TIME_="1000" ADDITIONAL_CRYPTSETUP_ARGS_="" READONLY_SET_='false' ADDITIONAL_MOUNT_ARGS_="" @@ -65,6 +66,7 @@ OPTIONS: -o optimised initialisation mode (should be as secure as the default but faster) -y verifies the passphrase by asking for it twice -f force file overwriting in format mode and/or disable confirmation dialog + -F only for action start: run fsck before mounting the filesystem. Use fsck's -f option if given twice. -m additional arguments to mount -v verbose (show what is going on, v++) -h this help text @@ -184,6 +186,11 @@ function actionStart $READONLY_SET_ && cargs_='--readonly' execute "$CRYPTSETUP_ $cargs_ luksOpen $TARGET_ $DM_NAME_" warn || execute "losetup -d $TARGET_" || \ die "could not luksOpen $TARGET_" + if [[ "$FSCK_" == "true" ]] ; then + execute "fsck -C $DM_PATH_" || die "fsck failed on $DM_PATH_" + elif [[ "$FSCK_" == "trueforce" ]] ; then + execute "fsck -f -C $DM_PATH_" || die "fsck failed on $DM_PATH_" + fi margs_="" $READONLY_SET_ && margs_='-r' execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die @@ -204,10 +211,25 @@ function actionStop dm_path_=`echo $dm_path_ |awk '{print $1}'` || die "could not get devicemapper name for $tmp_" dprint "dm_path_=\"$dm_path_\"" + # check for symlinks + unset tmp_dm_path_ + for dmapper in /dev/mapper/grml-crypt* ; do + link=$(readlink -f "$dmapper") + dprint "looping device mapper devices, dmapper=$dmapper => link=$link" + if [ "$link" = "$dm_path_" ] ; then + tmp_dm_path_="$dmapper" + fi + done + + if [ -n "$tmp_dm_path_" ] ; then + dm_path_="$tmp_dm_path_" + unset tmp_dm_path_ + fi + dm_name_="${dm_path_##*/}" dprint "dm_name_=\"$dm_name_\"" - dmsetup info $dm_name_ >/dev/null ||die "$dm_name_ is not aktive" + dmsetup info $dm_name_ >/dev/null ||die "$dm_name_ is not active" device_=`$CRYPTSETUP_ status $dm_name_ |awk '/device:/{print $2}'` || \ die "could not get underlying device of $dm_path_" dprint "device_=\"$device_\"" @@ -217,7 +239,7 @@ function actionStop echo "$device_" |grep loop &>/dev/null && execute "losetup -d $device_" \ die "could not delete loop device $device_" || \ execute "losetup -d $device_ &>/dev/null" eprint "could not delete loop device $device_, \ -this device could possible not be a loop device => maybe bogus error" +this device possibly is not a loop device => maybe bogus error" notice "$mp_ successfully unmountet/closed/deleted" } @@ -262,13 +284,13 @@ function actionFormat execute "dd if=/dev/zero of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" \ die "could not initialise $TARGET_ with /dev/zero" else - if [[ $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then + if [[ $ENTROPY_SOURCE_ == '/dev/zero' ]]; then echo "INSERCURE mode" else echo "SECURE mode (taking /dev/urandom as source, this could take some time)" fi - execute "dd if=$OVERWRITE_SOURCE_DEV_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\ - die "could not initialise $TARGET_ with $OVERWRITE_SOURCE_DEV_" + execute "dd if=$ENTROPY_SOURCE_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\ + die "could not initialise $TARGET_ with $ENTROPY_SOURCE_" fi fi @@ -276,7 +298,7 @@ function actionFormat # TARGET_ is now /dev/loop execute "losetup $TARGET_ $ORIG_TARGET_" die - if [[ $OPTIMIZED_MODE_SET_ == 'true' || $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then + if [[ $OPTIMIZED_MODE_SET_ == 'true' || $ENTROPY_SOURCE_ == '/dev/zero' ]]; then execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \ die "could not initialise the fist 2MB of $TARGET_ with /dev/urandom" fi @@ -290,12 +312,12 @@ function actionFormat echo "optimised SECURE mode" execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" ||\ die "could not initialise the first 2MB of $TARGET_ with /dev/urandom" - elif [[ $OVERWRITE_SOURCE_DEV_ != '/dev/zero' ]]; then + elif [[ $ENTROPY_SOURCE_ != '/dev/zero' ]]; then # default mode - echo "SECURE mode (taking $OVERWRITE_SOURCE_DEV_ as source, this could take some time)" - execute "dd if=$OVERWRITE_SOURCE_DEV_ of=$TARGET_ bs=1M &>/dev/null" #||\ + echo "SECURE mode (taking $ENTROPY_SOURCE_ as source, this could take some time)" + execute "dd if=$ENTROPY_SOURCE_ of=$TARGET_ bs=1M &>/dev/null" #||\ # skipped because "no space left on device" from dd - # die "could not initialise $TARGET_ with $OVERWRITE_SOURCE_DEV_" + # die "could not initialise $TARGET_ with $ENTROPY_SOURCE_" else echo 'INSECURE mode (only initialising the fist 2MB with /dev/urandom)' execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \ @@ -334,18 +356,24 @@ function actionFormat ### __MAIN ### -while getopts "s:t:rzoyfm:hvS:C:I:A:" opt; do +while getopts "s:t:rzoyfFm:hvS:C:I:A:" opt; do case "$opt" in s) SIZE_="$OPTARG"; SIZE_SET_='true' ;; t) FSTYPE_="$OPTARG" ;; r) READONLY_SET_='true' ;; z) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1 - OVERWRITE_SOURCE_DEV_='/dev/zero' + ENTROPY_SOURCE_='/dev/zero' warn 'initialising from INSECURE source /dev/zero' ;; o) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1 OPTIMIZED_MODE_SET_='true' ;; y) VERIFY_PW_="--verify-passphrase" ;; f) FORCE_='true' ;; + F) if [[ "$FSCK_" == "true" ]] ; then + FSCK_='trueforce' + else + FSCK_='true' + fi + ;; m) ADDITIONAL_MOUNT_ARGS_="$OPTARG" ;; h) printUsage; exit ;; v) let verbose_=$verbose_+1 ;;