--- /dev/null
+grml-crypt (0.10) unstable; urgency=low
+
+ * added another example to the manpage
+ * fixed a few typos in the manpage
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 22 Oct 2005 14:50:07 +0200
+
+grml-crypt (0.09) unstable; urgency=low
+
+ * added usage example for usb-stick encryption to manpage
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 22 Oct 2005 03:05:58 +0200
+
+grml-crypt (0.08) unstable; urgency=low
+
+ * added checks against invalied mountpoints
+ * fixed a few small bugs
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 22 Oct 2005 03:05:52 +0200
+
+grml-crypt (0.07) unstable; urgency=low
+
+ * added --batch-mode detection for cryptsetup
+ * added $CRYPTSETUP_
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Wed, 14 Sep 2005 20:19:19 +0200
+
+grml-crypt (0.06) unstable; urgency=low
+
+ * fixed yesDialog with file which does not exist
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 15 Aug 2005 23:40:44 +0200
+
+grml-crypt (0.05) unstable; urgency=low
+
+ * added confirmation question
+ * manpage fixes
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 15 Aug 2005 23:34:16 +0200
+
+grml-crypt (0.04) unstable; urgency=low
+
+ * fixed a bug with filesystem images on unionfs
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Wed, 10 Aug 2005 12:19:36 +0200
+
+grml-crypt (0.03) unstable; urgency=low
+
+ * added cmdarg -S cipher size
+ * added cmdarg -C ciper
+ * added cmdarg -I number of iterations
+ * added cmdarg -A additional arguments passed through to cryptsetup
+ * added cmdarg -r setup mapping and mount in readonly mode
+ * added cmdarg -m additional arguments passed through to mount
+ * added all new cmdargs to manpage
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Wed, 10 Aug 2005 01:59:15 +0200
+
+grml-crypt (0.02) unstable; urgency=low
+
+ * small manpage fix
+ * removed function findNextFreeLoop, because it's now in sh-lib
+ * removed a few testing functions
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 9 Aug 2005 16:07:38 +0200
+
+grml-crypt (0.01) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 9 Aug 2005 12:46:08 +0200
+
+Local variables:
+mode: debian-changelog
+End:
--- /dev/null
+Source: grml-crypt
+Section: admin
+Priority: optional
+Maintainer: Michael Gebetsroither <gebi@grml.org>
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.1
+
+Package: grml-crypt
+Architecture: all
+Depends: sh-lib (>=1.02.02), cryptsetup-luks, realpath, dmsetup
+Description: wrapper arround cryptsetup-luks
+ This software should provide an easy wrapper around cryptsetup-luks,
+ losetup and mount.
+ You could create and mount a encrypted filesystem image with only
+ only one command. This wrapper handles devices and filesystem-images
+ and implements an efficient but also secure initialisation algorithm.
--- /dev/null
+This is grml-crypt, written and maintained by Michael Gebetsroither <gebi@grml.org>
+on Sun, 20 Mar 2005 19:39:26 +0100.
+
+Copyright (C) 2003 Michael Gebetsroither
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ 02111-1307, USA.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
--- /dev/null
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH GRML-CRYPT 8 "AUG 9, 2005"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+grml-crypt \- Wrapper arround cryptsetup/losetup/mkfs/mount
+.SH SYNOPSIS
+.B grml-crypt
+.RI [OPTIONS] " action " <device/file> " [mountpoint]
+.br
+.SH DESCRIPTION
+This manual page documents briefly the
+.B grml-crypt program
+.PP
+.\" TeX users may be more comfortable with the \fB<whatever>\fP and
+.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+.\" respectively.
+\fBgrml-crypt\fP is a program that
+provides an easy wrapper arround cryptsetup, mkfs, losetup and mount.
+You could create a loopback mountet crypted filesystem with only one command, but grml-crypt works for normal devices also.
+.SH ACTIONS
+.TP
+.B format <device/file> [mountpoint]
+This command "formats" a device/file.
+If the second parameter is not a blockdevice grml-crupt assumes that it should operate in file modus. If the file does not allready exist it will be created with the given size.
+The first 2MB of a device (luks header) are initialised with /dev/urandom, the other space is initialised with the given initialisation. If grml-crypt is in file modus the first 2MB of the loop file are also initialised with /dev/urandom except where the file allready exist (with -f vor overwriting).
+Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]
+.TP
+.B start <device/file> <mountpoint>
+This command starts a encrypted device/file and mounts it to the given mountpoint.
+Commands: [losetup], cryptsetup luksOpen, mount
+.TP
+.B stop <mountpoint>
+This command stops a encrypted filesystem mountet at mountpoint.
+Even the loopdevice gets destroyed with this command.
+Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup -d]
+.SH OPTIONS
+These program follow the long option style without dashes and
+short options starting with one dash (`-').
+A summary of options is included below.
+.TP
+.B \-h, help
+Show summary of options.
+.TP
+.B \-v
+Show what is going on (more v => more output).
+.TP
+.B \-s (in MB, default=10)
+Give the size of loopfilesystem grml-crypt should create.
+.TP
+.B \-t (default=vfat)
+Give the type of the filesystem grml-crypt should create.
+/sbin/mkfs.<your choosen filesystem> should exist.
+.TP
+.B \-r
+Read-only mode. The device mapping AND the mountpoint will be made read-only.
+In format mode only the mountpoint could be made read-only.
+.TP
+.B \-z
+Insecure initialisation mode
+.TP
+.B \-o
+Optimized initialisation mode
+.TP
+.B \-y
+Verifies the password by asking for it twice during creation.
+.TP
+.B \-f
+Force overwriting and/or disable confirmation dialog.
+If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystems itself (eg. xfs needs a minimum of 4096 blocks).
+.TP
+.B \-m
+Additional arguments passed through to mount. Could be like '-o noatime'.
+.SH CRYPTSETUP FORMAT OPTIONS
+.TP
+.B \-S (in bits, default=128)
+Cipher size used for the encryption. Usually 128, 192 or 256 (but higher maybe also possible)
+.TP
+.B \-C (default=aes-cbc-essiv:sha256)
+Cipher mode, should be aes-plain for pre-2.6.10. Look at /proc/crypto for other ciphers.
+.TP
+.B \-I (in seconds, default=1)
+The number of seconds to spend with PBKDF2 password processing. This time is comsumed for every key operation (format, start).
+.TP
+.B \-A (default="")
+Additional arguments to cryptsetup luksFormat.
+.SH INITIALISATION MODES
+.TP
+.B Default/Secure mode (no -o or -z given)
+This mode is the default. It should be quite secure.
+The device/file gets initialised with /dev/urandom. Except with an allready existing file and -f, where NO initialisation will be done (all other modes behave as usual).
+.TP
+.B Optimized secure mode (-o)
+In this mode only the first 2MB of the device/file are initialised with /dev/urandom.
+The encryption will be initialised and then the whole encrypted device is filled with /dev/zero.
+.TP
+.B Insecure mode (-z)
+In this mode only the first 2MB of the device/file are initialised with /dev/urandom.
+.SH EXAMPLES
+.TP
+.B grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp
+Formats /dev/hda4 with xfs and apply optimized initialisation rules and mount it to /mnt/tmp
+.TP
+.B grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp
+Creates /home/user/test.img with 10MB and apply only insecure initialisation rules. Create an ext2 filesystem on it and mount it to /mnt/tmp.
+.TP
+.B grml-crypt -f -S 256 -C aes-plain -I 2 -A "--verify-passphrase" -m '-o noatime' -vvv format img /mnt/tmp
+Reuses the image img with no initialisation. The encryption is established with aes-plain with 256 bit keysize and an iteration time of 2 seconds. Cryptsetup is advised to verify the password by asking for it twice. Mount it to /mnt/tmp with '-o noatime'. And print what is going on (-vvv).
+.SH ENCRYPT AN USBSTICK
+.TP
+.B grml-crypt -t ext2 -z format /dev/external1
+This command formats your usbstick which hopely is at /dev/external1 (please verify!!) with ext2 and nearly no initialisation.
+You could als give the format action a mountpoint. In this case your crypto-partition gets also mounted on this mountpoint.
+.TP
+.B grml-crypt start /dev/external1 /mnt/tmp
+This command asks you for the right passphrase for your crypto-partition and tries to mount it to /mnt/tmp.
+.TP
+.B grml-crypt stop /mnt/tmp
+This command removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).
+.SH ENCRYPTED LOOPFILESYSTEM ON USBSTICK
+.TP
+.B mount /mnt/external1
+To mount your usb-stick on /mnt/external1 (please verify!!).
+.TP
+.B grml-crypt -o -t vfat -s 50 /mnt/external1/secure.img /mnt/tmp
+This command creates a 50MB big file, encrypted with the default options and with vfat (also known as fat32). The optimized initialisation mode will be used for this file (without -o this could take REALLY LONG).
+This command _also_ starts your cryptofile and mounts it on /mnt/tmp
+.TP
+.B grml-crypt stop /mnt/tmp
+This command removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).
+.TP
+.B umount /mnt/external1
+Guess what ;)?
+.SH SEE ALSO
+.BR cryptsetup (8)
+.SH AUTHOR
+grml-crypt was written by Michael Gebetsroither <gebi@grml.org>.
+.PP
+This manual page was written by Michael Gebetsroither <gebi@grml.org>.
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ # $(MAKE)
+ #docbook-to-man debian/grml-terminalserver.sgml > grml-terminalserver.1
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ #$(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/grml-terminalserver.
+ #$(MAKE) install DESTDIR=$(CURDIR)/debian/grml-terminalserver
+ cp grml-crypt $(CURDIR)/debian/grml-crypt/usr/sbin
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman debian/grml-crypt.8
+ dh_link
+# dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+# dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- /dev/null
+#!/bin/sh
+# Filename: grml-crypt
+# Purpose: Program to format, mount and unmount encrypted devices/files
+# Authors: Michael Gebetsroither <gebi@grml.org>
+# Bug-Reports: see http://grml.org/bugs/
+# License: This file is licensed under the GPL v2.
+# Latest change: Mon Aug 08 11:37:20 CEST 2005
+################################################################################
+
+
+###
+### __INCLUDES
+###
+. /etc/grml/sh-lib
+#. /etc/grml/sysexits-sh
+
+
+
+###
+### __VARIABLES
+###
+
+verbose_=0
+DEV_MAPPER_="/dev/mapper"
+CRYPTSETUP_="cryptsetup"
+IS_IMAGE_='false'
+SIZE_="10"
+SIZE_SET_='false'
+FSTYPE_="vfat"
+TARGET_=""
+VERIFY_PW_=""
+MKFS_=""
+DM_NAME_=""
+DM_PATH_=""
+ACTION_=""
+DM_PREFIX_="grml-crypt_"
+FORCE_='false'
+OVERWRITE_SOURCE_DEV_='/dev/urandom'
+OPTIMIZED_MODE_SET_='false'
+OPTIMIZING_LEVEL_=0
+CIPHER_SIZE_="128"
+CIPHER_="aes-cbc-essiv:sha256"
+ITERATION_TIME_="1"
+ADDITIONAL_CRYPTSETUP_ARGS_=""
+READONLY_SET_='false'
+ADDITIONAL_MOUNT_ARGS_=""
+BATCH_MODE_="--batch-mode"
+
+###
+### __FUNCTIONS
+###
+
+function printUsage
+{
+ cat <<EOT
+Usage: "$PROG_NAME__" [OPTIONS] action <device/file> [mountpoint]
+
+$PROG_NAME__ is a wrapper arround cryptsetup with LUKS support to format a device
+
+OPTIONS:
+ -s size of the loop-filesystem to create, in MB (default=$SIZE_)
+ -t type of filesystem (default=$FSTYPE_)
+ -r read only mode (fully supported only by start)
+ -z insecure mode, using /dev/zero for most of the initialisation (INSECURE!)
+ -o optimized initialisation mode (should be as secure as the default but faster)
+ -y verifies the passphrase by asking for it twice
+ -f force file overwriting in format mode and/or disable confirmation dialog
+ -m additional arguments to mount
+ -v verbose (show what is going on, v++)
+ -h this help text
+
+CRYPTSETUP FORMAT OPTIONS:
+ -S cipher size, could be 128, 192 or 256 (default=$CIPHER_SIZE_)
+ -C cipher, should be aes-plain for pre-2.6.10 (default=$CIPHER_)
+ -I iteration time spend with PBKDF2 password processing in seconds (default=$ITERATION_TIME_)
+ -A additional arguments for cryptsetup (only supportet by format)
+
+ACTIONS:
+ format <device/file> [mountpoint]
+ Format a device or a file (is created with the given size if it
+ does not exist) with the given filesystem and mount it, if a
+ mountpoint was given.
+ start <device/file> <mountpoint>
+ Mount the device/file in the mountpoint.
+ stop <mountpoint>
+ Umount the given mountpoint (umount, luksClose, losetup -d)
+
+EOT
+}
+
+
+function getDMName
+{
+ device_="${1##*/}"
+
+ # first trying normal devicename
+ tmp_="${DM_PREFIX_}${device_}"
+ if [ ! -e "$tmp_" ]; then
+ echo "$tmp_"
+ return 0
+ fi
+
+ # second trying uuid of luks
+ #uuid_=`execute "$CRYPTSETUP_ luksUUID $1"`
+ #if [[ $? == 0 ]]; then
+ # echo "$prefix_$uuid_"
+ # return 0
+ #fi
+ warn "could not create device-mapper name for $1"
+ return 1
+}
+
+
+function formatDevice
+{
+ type_="$1" # could be donothing or init
+ ret_=0
+
+ args_="$VERIFY_PW_ $BATCH_MODE_ --key-size $CIPHER_SIZE_ --cipher $CIPHER_ --iter-time $ITERATION_TIME_ $ADDITIONAL_CRYPTSETUP_ARGS_"
+ #args_=`echo "$args_" |tr -s ' '`
+ execute "$CRYPTSETUP_ $args_ luksFormat $TARGET_" warn || return 1
+
+ execute "$CRYPTSETUP_ luksOpen $TARGET_ $DM_NAME_" warn \
+ "could not open $DM_PATH_ to create a filesystem on it!" || return 1
+ if [[ $type_ == 'init' && $OPTIMIZED_MODE_SET_ == 'true' ]]; then
+ echo "finishing optimized initialisation (this could take some time)"
+ # FIXME
+ execute "dd if=/dev/zero of=$DM_PATH_ bs=1M &>/dev/null" # || \
+ # warn "could not finish optimized initialisation properly"
+ ret_=$?
+ # cutted out because of no space left on device error :(
+ #if [[ $ret_ != 0 ]]; then
+ # execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn
+ # return 1
+ #fi
+ fi
+
+ execute "$MKFS_ $DM_PATH_ >/dev/null" warn
+ if [[ $? != 0 ]]; then
+ execute "$CRYPTSETUP_ luksClose $DM_NAME_"
+ warn "could not create filesystem on $DM_PATH_" 1
+ return 1
+ else
+ echo "Successully created $FSTYPE_ on encrypted $TARGET_"
+ return 0
+ fi
+}
+
+
+function actionStart
+{
+ ret_=0
+
+ # no mountpoint, by-by
+ if [[ "$MOUNT_POINT_" == "" ]]; then
+ printUsage
+ die 'no mountpoint given'
+ fi
+ if [ ! -d "$MOUNT_POINT_" ]; then
+ die "mountpoint $MOUNT_POINT_ does not exist"
+ fi
+ # removed due to unionfs problem isLuks does not work with filesystem images
+ # without losetup
+ #$CRYPTSETUP_ isLuks $TARGET_ || die "$TARGET_ is not a luks partition"
+
+ # TARGET (is/should be) a filesystem image
+ if [ ! -b "$TARGET_" ]; then
+ notice "Operating on a file"
+ isExistent "$TARGET_" die "image does not exist"
+ TARGET_=`findNextFreeLoop` || die "could not find a free loop device"
+
+ # TARGET_ is now /dev/loop<x>
+ execute "losetup $TARGET_ $ORIG_TARGET_" die
+ fi
+ cargs_=""
+ $READONLY_SET_ && cargs_='--readonly'
+ execute "$CRYPTSETUP_ $cargs_ luksOpen $TARGET_ $DM_NAME_" warn || execute "losetup -d $TARGET_" || \
+ die "could not luksOpen $TARGET_"
+ margs_=""
+ $READONLY_SET_ && margs_='-r'
+ execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die
+}
+
+
+function actionStop
+{
+ mp_="$1"
+ ret_=0
+
+ isExistent "$mp_" die
+ tmp_=`realpath $mp_` || die "could not get realpath of $mp_"
+ dprint "realpath_=\"$tmp_\""
+
+ dm_path_=`mount |grep "$tmp_ "` || die "$tmp_ is not mounted"
+ dprint "dm_path_=\"$dm_path_\""
+ dm_path_=`echo $dm_path_ |awk '{print $1}'` || die "could not get devicemapper name for $tmp_"
+ dprint "dm_path_=\"$dm_path_\""
+
+ dm_name_="${dm_path_##*/}"
+ dprint "dm_name_=\"$dm_name_\""
+
+ dmsetup info $dm_name_ >/dev/null ||die "$dm_name_ is not aktive"
+ device_=`$CRYPTSETUP_ status $dm_name_ |awk '/device:/{print $2}'` || \
+ die "could not get underlying device of $dm_path_"
+ dprint "device_=\"$device_\""
+
+ execute "umount $dm_path_" die "could not unmount $device_"
+ execute "$CRYPTSETUP_ luksClose $dm_name_" die "could not close $dm_path_"
+ echo "$device_" |grep loop &>/dev/null && execute "losetup -d $device_" \
+ die "could not delete loop device $device_" || \
+ execute "losetup -d $device_ &>/dev/null" eprint "could not delete loop device $device_, \
+this device could possible not be a loop device => maybe bogus error"
+ notice "$mp_ successfully unmountet/closed/deleted"
+}
+
+function yesDialog
+{
+ msg_="$1"
+
+ echo "WARNING!" >&2
+ echo "========" >&2
+ echo -n "$msg_" >&2
+ echo -n " (type uppercase yes): " >&2
+ read input
+ if [[ $input == 'YES' ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+function actionFormat
+{
+ IS_IMAGE_='false'
+ ret_=0
+ init_='init'
+
+ if (( $SIZE_ < 3 )); then
+ die "the minimum size of an encrypted luks partition should be 2"
+ fi
+
+ # TARGET (is/should be) a filesystem image
+ if [ ! -b "$TARGET_" ]; then
+ notice "Operating on a file"
+ IS_IMAGE_='true'
+ if [ -e "$TARGET_" ]; then
+ $FORCE_ || die "file $TARGET_ does allready exist"
+ warn "overwriting file $TARGET_"
+ init_='donothing'
+ else
+ echo -n "Initialising file with "
+ if [[ $OPTIMIZED_MODE_SET_ == 'true' ]]; then
+ echo "optimized SECURE mode"
+ execute "dd if=/dev/zero of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" \
+ die "could not initialise $TARGET_ with /dev/zero"
+ else
+ if [[ $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then
+ echo "INSERCURE mode"
+ else
+ echo "SECURE mode (taking /dev/urandom as source, this could take some time)"
+ fi
+ execute "dd if=$OVERWRITE_SOURCE_DEV_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\
+ die "could not initialise $TARGET_ with $OVERWRITE_SOURCE_DEV_"
+ fi
+ fi
+
+ TARGET_=`findNextFreeLoop` || die "could not find a free loop device"
+
+ # TARGET_ is now /dev/loop<x>
+ execute "losetup $TARGET_ $ORIG_TARGET_" die
+ if [[ $OPTIMIZED_MODE_SET_ == 'true' || $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then
+ execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \
+ die "could not initialise the fist 2MB of $TARGET_ with /dev/urandom"
+ fi
+ formatDevice "$init_"
+ ret_=$?
+ else
+ $FORCE_ || (yesDialog "Are you shure you want to overwrite $TARGET_ ?" || die 'You are not sure')
+ notice 'Operating on a device'
+ echo -n 'Initialising device with '
+ if [[ $OPTIMIZED_MODE_SET_ == 'true' ]]; then
+ echo "optimised SECURE mode"
+ execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" ||\
+ die "could not initialise the first 2MB of $TARGET_ with /dev/urandom"
+ elif [[ $OVERWRITE_SOURCE_DEV_ != '/dev/zero' ]]; then
+ # default mode
+ echo "SECURE mode (taking /dev/urandom as source, this could take some time)"
+ execute "dd if=/dev/urandom of=$TARGET_ bs=1M &>/dev/null" ||\
+ die "could not initialise $TARGET_ with /dev/zero"
+ else
+ echo 'INSECURE mode (only initialising the fist 2MB with /dev/urandom)'
+ execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \
+ die "could not initialise the first 2MB of $TARGET_ with /dev/urandom"
+ fi
+
+ formatDevice "$init_"
+ ret_=$?
+ fi
+
+ # formatDevice was successfully
+ if (( $ret_ == 0 )); then
+ # a mountpoint was given (don't luksClose the device)
+ local mount_point_exists_='true'
+ test -d "$MOUNT_POINT_" || mount_point_exists_='false'
+
+ if [[ "$MOUNT_POINT_" != "" && "$mount_point_exists_" == 'true' ]]; then
+ $READONLY_SET_ && margs_='-r'
+ execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die
+ else
+ $mount_point_exists_ || warn "mountpoint $MOUNT_POINT_ does not exist, not mounting. please use \"grml-crypt start $ORIG_TARGET_ <mountpoint>\" to start the device"
+ execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn
+ $IS_IMAGE_ && execute "losetup -d $TARGET_" warn
+ fi
+ else
+ $IS_IMAGE_ && execute "losetup -d $TARGET_" warn
+ fi
+}
+
+
+
+###
+### __MAIN
+###
+
+while getopts "s:t:rzoyfm:hvS:C:I:A:" opt; do
+ case "$opt" in
+ s) SIZE_="$OPTARG"; SIZE_SET_='true' ;;
+ t) FSTYPE_="$OPTARG" ;;
+ r) READONLY_SET_='true' ;;
+ z) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1
+ OVERWRITE_SOURCE_DEV_='/dev/zero'
+ warn 'initialising from INSECURE source /dev/zero' ;;
+ o) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1
+ OPTIMIZED_MODE_SET_='true' ;;
+ y) VERIFY_PW_="--verify-passphrase" ;;
+ f) FORCE_='true' ;;
+ m) ADDITIONAL_MOUNT_ARGS_="$OPTARG" ;;
+ h) printUsage; exit ;;
+ v) let verbose_=$verbose_+1 ;;
+ S) CIPHER_SIZE_="$OPTARG" ;;
+ C) CIPHER_="$OPTARG" ;;
+ I) ITERATION_TIME_="$OPTARG" ;;
+ A) ADDITIONAL_CRYPTSETUP_ARGS_="$OPTARG" ;;
+ ?) printUsage; exit 64 ;;
+ esac
+done
+shift $(($OPTIND - 1)) # set ARGV to the first not parsed commandline parameter
+setVerbose $verbose_
+
+checkRoot die "You have to be root to use this program"
+disableSyslog
+
+if [[ $1 == 'help' ]]; then
+ printUsage
+ exit 0
+fi
+if (( $# < 2 )); then
+ printUsage
+ die "wrong number of arguments ($#)" 1
+fi
+if (( $OPTIMIZING_LEVEL_ > 1 )); then
+ printUsage
+ die "please choose ONE initialisation methode"
+fi
+TARGET_="$2"
+
+MKFS_="/sbin/mkfs.$FSTYPE_"
+if [ ! -x "$MKFS_" ]; then
+ die "invalid filesystem type \"$FSTYPE_\"" 1
+fi
+
+# use batch-mode if available
+$CRYPTSETUP_ $BATCH_MODE_ --help &>/dev/null;
+ret_=$?
+case "$ret_" in
+ 0) dprint "your cryptsetup understands --batch-mode" ;;
+ 1) BATCH_MODE_=""; notice "your cryptsetup does NOT understand --batch-mode, trying without" ;;
+ 127) die "could not execute cryptsetup" 127 ;;
+ *) warn "problems executing $CRYPTSETUP_" $ret_
+esac
+
+DM_NAME_="`getDMName $TARGET_`"
+DM_PATH_="$DEV_MAPPER_/$DM_NAME_"
+ORIG_TARGET_="$TARGET_"
+MOUNT_POINT_="$3"
+
+case "$1" in
+ format) ACTION_='format'; actionFormat ;;
+ start) ACTION_='start'; actionStart ;;
+ stop) ACTION_='stop'; actionStop "$TARGET_" ;;
+ *) printUsage ;;
+esac
+
+# END OF FILE
+################################################################################
+# vim:foldmethod=marker