From ee5fcdbe151056023d9e8b34eb62fac7e8fee36c Mon Sep 17 00:00:00 2001 From: Michael Gebetsroither Date: Mon, 7 Nov 2005 13:31:20 +0100 Subject: [PATCH] initial commit --- debian/changelog | 75 ++++++++++ debian/compat | 1 + debian/conffiles | 0 debian/control | 16 +++ debian/copyright | 22 +++ debian/dirs | 1 + debian/grml-crypt.8 | 152 ++++++++++++++++++++ debian/rules | 99 +++++++++++++ grml-crypt | 396 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 762 insertions(+) create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/conffiles create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/dirs create mode 100644 debian/grml-crypt.8 create mode 100755 debian/rules create mode 100755 grml-crypt diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..1429b61 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,75 @@ +grml-crypt (0.10) unstable; urgency=low + + * added another example to the manpage + * fixed a few typos in the manpage + + -- Michael Gebetsroither Sat, 22 Oct 2005 14:50:07 +0200 + +grml-crypt (0.09) unstable; urgency=low + + * added usage example for usb-stick encryption to manpage + + -- Michael Gebetsroither Sat, 22 Oct 2005 03:05:58 +0200 + +grml-crypt (0.08) unstable; urgency=low + + * added checks against invalied mountpoints + * fixed a few small bugs + + -- Michael Gebetsroither Sat, 22 Oct 2005 03:05:52 +0200 + +grml-crypt (0.07) unstable; urgency=low + + * added --batch-mode detection for cryptsetup + * added $CRYPTSETUP_ + + -- Michael Gebetsroither Wed, 14 Sep 2005 20:19:19 +0200 + +grml-crypt (0.06) unstable; urgency=low + + * fixed yesDialog with file which does not exist + + -- Michael Gebetsroither Mon, 15 Aug 2005 23:40:44 +0200 + +grml-crypt (0.05) unstable; urgency=low + + * added confirmation question + * manpage fixes + + -- Michael Gebetsroither Mon, 15 Aug 2005 23:34:16 +0200 + +grml-crypt (0.04) unstable; urgency=low + + * fixed a bug with filesystem images on unionfs + + -- Michael Gebetsroither Wed, 10 Aug 2005 12:19:36 +0200 + +grml-crypt (0.03) unstable; urgency=low + + * added cmdarg -S cipher size + * added cmdarg -C ciper + * added cmdarg -I number of iterations + * added cmdarg -A additional arguments passed through to cryptsetup + * added cmdarg -r setup mapping and mount in readonly mode + * added cmdarg -m additional arguments passed through to mount + * added all new cmdargs to manpage + + -- Michael Gebetsroither Wed, 10 Aug 2005 01:59:15 +0200 + +grml-crypt (0.02) unstable; urgency=low + + * small manpage fix + * removed function findNextFreeLoop, because it's now in sh-lib + * removed a few testing functions + + -- Michael Gebetsroither Tue, 9 Aug 2005 16:07:38 +0200 + +grml-crypt (0.01) unstable; urgency=low + + * Initial Release. 
+ + -- Michael Gebetsroither Tue, 9 Aug 2005 12:46:08 +0200 + +Local variables: +mode: debian-changelog +End: diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..b8626c4 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +4 diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..e69de29 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..4c9c10d --- /dev/null +++ b/debian/control @@ -0,0 +1,16 @@ +Source: grml-crypt +Section: admin +Priority: optional +Maintainer: Michael Gebetsroither +Build-Depends: debhelper (>= 4.0.0) +Standards-Version: 3.6.1 + +Package: grml-crypt +Architecture: all +Depends: sh-lib (>=1.02.02), cryptsetup-luks, realpath, dmsetup +Description: wrapper arround cryptsetup-luks + This software should provide an easy wrapper around cryptsetup-luks, + losetup and mount. + You could create and mount a encrypted filesystem image with only + only one command. This wrapper handles devices and filesystem-images + and implements an efficient but also secure initialisation algorithm. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..1f6b587 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,22 @@ +This is grml-crypt, written and maintained by Michael Gebetsroither +on Sun, 20 Mar 2005 19:39:26 +0100. + +Copyright (C) 2003 Michael Gebetsroither + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + 02111-1307, USA. + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..236670a --- /dev/null +++ b/debian/dirs @@ -0,0 +1 @@ +usr/sbin diff --git a/debian/grml-crypt.8 b/debian/grml-crypt.8 new file mode 100644 index 0000000..af3bf23 --- /dev/null +++ b/debian/grml-crypt.8 
@@ -0,0 +1,152 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH GRML-CRYPT 8 "AUG 9, 2005" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +grml-crypt \- Wrapper arround cryptsetup/losetup/mkfs/mount +.SH SYNOPSIS +.B grml-crypt +.RI [OPTIONS] " action " " [mountpoint] +.br +.SH DESCRIPTION +This manual page documents briefly the +.B grml-crypt program +.PP +.\" TeX users may be more comfortable with the \fB\fP and +.\" \fI\fP escape sequences to invode bold face and italics, +.\" respectively. +\fBgrml-crypt\fP is a program that +provides an easy wrapper arround cryptsetup, mkfs, losetup and mount. +You could create a loopback mountet crypted filesystem with only one command, but grml-crypt works for normal devices also. +.SH ACTIONS +.TP +.B format [mountpoint] +This command "formats" a device/file. +If the second parameter is not a blockdevice grml-crupt assumes that it should operate in file modus. If the file does not allready exist it will be created with the given size. +The first 2MB of a device (luks header) are initialised with /dev/urandom, the other space is initialised with the given initialisation. If grml-crypt is in file modus the first 2MB of the loop file are also initialised with /dev/urandom except where the file allready exist (with -f vor overwriting). +Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount] +.TP +.B start +This command starts a encrypted device/file and mounts it to the given mountpoint. 
+Commands: [losetup], cryptsetup luksOpen, mount +.TP +.B stop +This command stops a encrypted filesystem mountet at mountpoint. +Even the loopdevice gets destroyed with this command. +Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup -d] +.SH OPTIONS +These program follow the long option style without dashes and +short options starting with one dash (`-'). +A summary of options is included below. +.TP +.B \-h, help +Show summary of options. +.TP +.B \-v +Show what is going on (more v => more output). +.TP +.B \-s (in MB, default=10) +Give the size of loopfilesystem grml-crypt should create. +.TP +.B \-t (default=vfat) +Give the type of the filesystem grml-crypt should create. +/sbin/mkfs. should exist. +.TP +.B \-r +Read-only mode. The device mapping AND the mountpoint will be made read-only. +In format mode only the mountpoint could be made read-only. +.TP +.B \-z +Insecure initialisation mode +.TP +.B \-o +Optimized initialisation mode +.TP +.B \-y +Verifies the password by asking for it twice during creation. +.TP +.B \-f +Force overwriting and/or disable confirmation dialog. +If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystems itself (eg. xfs needs a minimum of 4096 blocks). +.TP +.B \-m +Additional arguments passed through to mount. Could be like '-o noatime'. +.SH CRYPTSETUP FORMAT OPTIONS +.TP +.B \-S (in bits, default=128) +Cipher size used for the encryption. Usually 128, 192 or 256 (but higher maybe also possible) +.TP +.B \-C (default=aes-cbc-essiv:sha256) +Cipher mode, should be aes-plain for pre-2.6.10. Look at /proc/crypto for other ciphers. +.TP +.B \-I (in seconds, default=1) +The number of seconds to spend with PBKDF2 password processing. This time is comsumed for every key operation (format, start). 
+.TP +.B \-A (default="") +Additional arguments to cryptsetup luksFormat. +.SH INITIALISATION MODES +.TP +.B Default/Secure mode (no -o or -z given) +This mode is the default. It should be quite secure. +The device/file gets initialised with /dev/urandom. Except with an allready existing file and -f, where NO initialisation will be done (all other modes behave as usual). +.TP +.B Optimized secure mode (-o) +In this mode only the first 2MB of the device/file are initialised with /dev/urandom. +The encryption will be initialised and then the whole encrypted device is filled with /dev/zero. +.TP +.B Insecure mode (-z) +In this mode only the first 2MB of the device/file are initialised with /dev/urandom. +.SH EXAMPLES +.TP +.B grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp +Formats /dev/hda4 with xfs and apply optimized initialisation rules and mount it to /mnt/tmp +.TP +.B grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp +Creates /home/user/test.img with 10MB and apply only insecure initialisation rules. Create an ext2 filesystem on it and mount it to /mnt/tmp. +.TP +.B grml-crypt -f -S 256 -C aes-plain -I 2 -A "--verify-passphrase" -m '-o noatime' -vvv format img /mnt/tmp +Reuses the image img with no initialisation. The encryption is established with aes-plain with 256 bit keysize and an iteration time of 2 seconds. Cryptsetup is advised to verify the password by asking for it twice. Mount it to /mnt/tmp with '-o noatime'. And print what is going on (-vvv). +.SH ENCRYPT AN USBSTICK +.TP +.B grml-crypt -t ext2 -z format /dev/external1 +This command formats your usbstick which hopely is at /dev/external1 (please verify!!) with ext2 and nearly no initialisation. +You could als give the format action a mountpoint. In this case your crypto-partition gets also mounted on this mountpoint. +.TP +.B grml-crypt start /dev/external1 /mnt/tmp +This command asks you for the right passphrase for your crypto-partition and tries to mount it to /mnt/tmp. 
+.TP +.B grml-crypt stop /mnt/tmp +This command removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]). +.SH ENCRYPTED LOOPFILESYSTEM ON USBSTICK +.TP +.B mount /mnt/external1 +To mount your usb-stick on /mnt/external1 (please verify!!). +.TP +.B grml-crypt -o -t vfat -s 50 /mnt/external1/secure.img /mnt/tmp +This command creates a 50MB big file, encrypted with the default options and with vfat (also known as fat32). The optimized initialisation mode will be used for this file (without -o this could take REALLY LONG). +This command _also_ starts your cryptofile and mounts it on /mnt/tmp +.TP +.B grml-crypt stop /mnt/tmp +This command removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]). +.TP +.B umount /mnt/external1 +Guess what ;)? +.SH SEE ALSO +.BR cryptsetup (8) +.SH AUTHOR +grml-crypt was written by Michael Gebetsroither . +.PP +This manual page was written by Michael Gebetsroither . diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..82d9305 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,99 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + + + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. + + touch configure-stamp + + +build: build-stamp + +build-stamp: configure-stamp + dh_testdir + + # Add here commands to compile the package. + # $(MAKE) + #docbook-to-man debian/grml-terminalserver.sgml > grml-terminalserver.1 + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + # Add here commands to clean up after the build process. + #$(MAKE) clean + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/grml-terminalserver. + #$(MAKE) install DESTDIR=$(CURDIR)/debian/grml-terminalserver + cp grml-crypt $(CURDIR)/debian/grml-crypt/usr/sbin + + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. 
+binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs + dh_installexamples +# dh_install +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_installinit +# dh_installcron +# dh_installinfo + dh_installman debian/grml-crypt.8 + dh_link +# dh_strip + dh_compress + dh_fixperms +# dh_perl +# dh_python +# dh_makeshlibs + dh_installdeb +# dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure diff --git a/grml-crypt b/grml-crypt new file mode 100755 index 0000000..084c55d --- /dev/null +++ b/grml-crypt 
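Review bot: The package is `Architecture: all` in debian/control, yet the whole dh_* sequence (dh_installchangelogs through dh_builddeb) sits under `binary-arch` while `binary-indep` does nothing; an architecture-independent package has to be produced by `binary-indep`, otherwise `dpkg-buildpackage -A` yields no .deb and `-B` builds it when it should not. Move the body of `binary-arch` into `binary-indep` and leave `binary-arch` with the "nothing to do" comment. The template comments still refer to `debian/grml-terminalserver` and `grml-terminalserver.1` rather than grml-crypt; update or drop them so the next maintainer is not misled.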
@@ -0,0 +1,396 @@ +#!/bin/sh +# Filename: grml-crypt +# Purpose: Program to format, mount and unmount encrypted devices/files +# Authors: Michael Gebetsroither +# Bug-Reports: see http://grml.org/bugs/ +# License: This file is licensed under the GPL v2. +# Latest change: Mon Aug 08 11:37:20 CEST 2005 +################################################################################ + + +### +### __INCLUDES +### +. /etc/grml/sh-lib +#. /etc/grml/sysexits-sh + + + +### +### __VARIABLES +### + +verbose_=0 +DEV_MAPPER_="/dev/mapper" +CRYPTSETUP_="cryptsetup" +IS_IMAGE_='false' +SIZE_="10" +SIZE_SET_='false' +FSTYPE_="vfat" +TARGET_="" +VERIFY_PW_="" +MKFS_="" +DM_NAME_="" +DM_PATH_="" +ACTION_="" +DM_PREFIX_="grml-crypt_" +FORCE_='false' +OVERWRITE_SOURCE_DEV_='/dev/urandom' +OPTIMIZED_MODE_SET_='false' +OPTIMIZING_LEVEL_=0 +CIPHER_SIZE_="128" +CIPHER_="aes-cbc-essiv:sha256" +ITERATION_TIME_="1" +ADDITIONAL_CRYPTSETUP_ARGS_="" +READONLY_SET_='false' +ADDITIONAL_MOUNT_ARGS_="" +BATCH_MODE_="--batch-mode" + +### +### __FUNCTIONS +### + +function printUsage +{ + cat < [mountpoint] + +$PROG_NAME__ is a wrapper arround cryptsetup with LUKS support to format a device + +OPTIONS: + -s size of the loop-filesystem to create, in MB (default=$SIZE_) + -t type of filesystem (default=$FSTYPE_) + -r read only mode (fully supported only by start) + -z insecure mode, using /dev/zero for most of the initialisation (INSECURE!) 
+ -o optimized initialisation mode (should be as secure as the default but faster) + -y verifies the passphrase by asking for it twice + -f force file overwriting in format mode and/or disable confirmation dialog + -m additional arguments to mount + -v verbose (show what is going on, v++) + -h this help text + +CRYPTSETUP FORMAT OPTIONS: + -S cipher size, could be 128, 192 or 256 (default=$CIPHER_SIZE_) + -C cipher, should be aes-plain for pre-2.6.10 (default=$CIPHER_) + -I iteration time spend with PBKDF2 password processing in seconds (default=$ITERATION_TIME_) + -A additional arguments for cryptsetup (only supportet by format) + +ACTIONS: + format [mountpoint] + Format a device or a file (is created with the given size if it + does not exist) with the given filesystem and mount it, if a + mountpoint was given. + start + Mount the device/file in the mountpoint. + stop + Umount the given mountpoint (umount, luksClose, losetup -d) + +EOT +} + + +function getDMName +{ + device_="${1##*/}" + + # first trying normal devicename + tmp_="${DM_PREFIX_}${device_}" + if [ ! -e "$tmp_" ]; then + echo "$tmp_" + return 0 + fi + + # second trying uuid of luks + #uuid_=`execute "$CRYPTSETUP_ luksUUID $1"` + #if [[ $? == 0 ]]; then + # echo "$prefix_$uuid_" + # return 0 + #fi + warn "could not create device-mapper name for $1" + return 1 +} + + +function formatDevice +{ + type_="$1" # could be donothing or init + ret_=0 + + args_="$VERIFY_PW_ $BATCH_MODE_ --key-size $CIPHER_SIZE_ --cipher $CIPHER_ --iter-time $ITERATION_TIME_ $ADDITIONAL_CRYPTSETUP_ARGS_" + #args_=`echo "$args_" |tr -s ' '` + execute "$CRYPTSETUP_ $args_ luksFormat $TARGET_" warn || return 1 + + execute "$CRYPTSETUP_ luksOpen $TARGET_ $DM_NAME_" warn \ + "could not open $DM_PATH_ to create a filesystem on it!" 
|| return 1 + if [[ $type_ == 'init' && $OPTIMIZED_MODE_SET_ == 'true' ]]; then + echo "finishing optimized initialisation (this could take some time)" + # FIXME + execute "dd if=/dev/zero of=$DM_PATH_ bs=1M &>/dev/null" # || \ + # warn "could not finish optimized initialisation properly" + ret_=$? + # cutted out because of no space left on device error :( + #if [[ $ret_ != 0 ]]; then + # execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn + # return 1 + #fi + fi + + execute "$MKFS_ $DM_PATH_ >/dev/null" warn + if [[ $? != 0 ]]; then + execute "$CRYPTSETUP_ luksClose $DM_NAME_" + warn "could not create filesystem on $DM_PATH_" 1 + return 1 + else + echo "Successully created $FSTYPE_ on encrypted $TARGET_" + return 0 + fi +} + + +function actionStart +{ + ret_=0 + + # no mountpoint, by-by + if [[ "$MOUNT_POINT_" == "" ]]; then + printUsage + die 'no mountpoint given' + fi + if [ ! -d "$MOUNT_POINT_" ]; then + die "mountpoint $MOUNT_POINT_ does not exist" + fi + # removed due to unionfs problem isLuks does not work with filesystem images + # without losetup + #$CRYPTSETUP_ isLuks $TARGET_ || die "$TARGET_ is not a luks partition" + + # TARGET (is/should be) a filesystem image + if [ ! 
-b "$TARGET_" ]; then + notice "Operating on a file" + isExistent "$TARGET_" die "image does not exist" + TARGET_=`findNextFreeLoop` || die "could not find a free loop device" + + # TARGET_ is now /dev/loop + execute "losetup $TARGET_ $ORIG_TARGET_" die + fi + cargs_="" + $READONLY_SET_ && cargs_='--readonly' + execute "$CRYPTSETUP_ $cargs_ luksOpen $TARGET_ $DM_NAME_" warn || execute "losetup -d $TARGET_" || \ + die "could not luksOpen $TARGET_" + margs_="" + $READONLY_SET_ && margs_='-r' + execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die +} + + +function actionStop +{ + mp_="$1" + ret_=0 + + isExistent "$mp_" die + tmp_=`realpath $mp_` || die "could not get realpath of $mp_" + dprint "realpath_=\"$tmp_\"" + + dm_path_=`mount |grep "$tmp_ "` || die "$tmp_ is not mounted" + dprint "dm_path_=\"$dm_path_\"" + dm_path_=`echo $dm_path_ |awk '{print $1}'` || die "could not get devicemapper name for $tmp_" + dprint "dm_path_=\"$dm_path_\"" + + dm_name_="${dm_path_##*/}" + dprint "dm_name_=\"$dm_name_\"" + + dmsetup info $dm_name_ >/dev/null ||die "$dm_name_ is not aktive" + device_=`$CRYPTSETUP_ status $dm_name_ |awk '/device:/{print $2}'` || \ + die "could not get underlying device of $dm_path_" + dprint "device_=\"$device_\"" + + execute "umount $dm_path_" die "could not unmount $device_" + execute "$CRYPTSETUP_ luksClose $dm_name_" die "could not close $dm_path_" + echo "$device_" |grep loop &>/dev/null && execute "losetup -d $device_" \ + die "could not delete loop device $device_" || \ + execute "losetup -d $device_ &>/dev/null" eprint "could not delete loop device $device_, \ +this device could possible not be a loop device => maybe bogus error" + notice "$mp_ successfully unmountet/closed/deleted" +} + +function yesDialog +{ + msg_="$1" + + echo "WARNING!" 
>&2 + echo "========" >&2 + echo -n "$msg_" >&2 + echo -n " (type uppercase yes): " >&2 + read input + if [[ $input == 'YES' ]]; then + return 0 + fi + + return 1 +} + +function actionFormat +{ + IS_IMAGE_='false' + ret_=0 + init_='init' + + if (( $SIZE_ < 3 )); then + die "the minimum size of an encrypted luks partition should be 2" + fi + + # TARGET (is/should be) a filesystem image + if [ ! -b "$TARGET_" ]; then + notice "Operating on a file" + IS_IMAGE_='true' + if [ -e "$TARGET_" ]; then + $FORCE_ || die "file $TARGET_ does allready exist" + warn "overwriting file $TARGET_" + init_='donothing' + else + echo -n "Initialising file with " + if [[ $OPTIMIZED_MODE_SET_ == 'true' ]]; then + echo "optimized SECURE mode" + execute "dd if=/dev/zero of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" \ + die "could not initialise $TARGET_ with /dev/zero" + else + if [[ $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then + echo "INSERCURE mode" + else + echo "SECURE mode (taking /dev/urandom as source, this could take some time)" + fi + execute "dd if=$OVERWRITE_SOURCE_DEV_ of=$TARGET_ bs=1M count=${SIZE_} &>/dev/null" ||\ + die "could not initialise $TARGET_ with $OVERWRITE_SOURCE_DEV_" + fi + fi + + TARGET_=`findNextFreeLoop` || die "could not find a free loop device" + + # TARGET_ is now /dev/loop + execute "losetup $TARGET_ $ORIG_TARGET_" die + if [[ $OPTIMIZED_MODE_SET_ == 'true' || $OVERWRITE_SOURCE_DEV_ == '/dev/zero' ]]; then + execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \ + die "could not initialise the fist 2MB of $TARGET_ with /dev/urandom" + fi + formatDevice "$init_" + ret_=$? + else + $FORCE_ || (yesDialog "Are you shure you want to overwrite $TARGET_ ?" 
|| die 'You are not sure') + notice 'Operating on a device' + echo -n 'Initialising device with ' + if [[ $OPTIMIZED_MODE_SET_ == 'true' ]]; then + echo "optimised SECURE mode" + execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" ||\ + die "could not initialise the first 2MB of $TARGET_ with /dev/urandom" + elif [[ $OVERWRITE_SOURCE_DEV_ != '/dev/zero' ]]; then + # default mode + echo "SECURE mode (taking /dev/urandom as source, this could take some time)" + execute "dd if=/dev/urandom of=$TARGET_ bs=1M &>/dev/null" ||\ + die "could not initialise $TARGET_ with /dev/zero" + else + echo 'INSECURE mode (only initialising the fist 2MB with /dev/urandom)' + execute "dd if=/dev/urandom of=$TARGET_ bs=1M count=2 &>/dev/null" \ + die "could not initialise the first 2MB of $TARGET_ with /dev/urandom" + fi + + formatDevice "$init_" + ret_=$? + fi + + # formatDevice was successfully + if (( $ret_ == 0 )); then + # a mountpoint was given (don't luksClose the device) + local mount_point_exists_='true' + test -d "$MOUNT_POINT_" || mount_point_exists_='false' + + if [[ "$MOUNT_POINT_" != "" && "$mount_point_exists_" == 'true' ]]; then + $READONLY_SET_ && margs_='-r' + execute "mount $margs_ $ADDITIONAL_MOUNT_ARGS_ $DM_PATH_ $MOUNT_POINT_" die + else + $mount_point_exists_ || warn "mountpoint $MOUNT_POINT_ does not exist, not mounting. 
please use \"grml-crypt start $ORIG_TARGET_ \" to start the device" + execute "$CRYPTSETUP_ luksClose $DM_NAME_" warn + $IS_IMAGE_ && execute "losetup -d $TARGET_" warn + fi + else + $IS_IMAGE_ && execute "losetup -d $TARGET_" warn + fi +} + + + +### +### __MAIN +### + +while getopts "s:t:rzoyfm:hvS:C:I:A:" opt; do + case "$opt" in + s) SIZE_="$OPTARG"; SIZE_SET_='true' ;; + t) FSTYPE_="$OPTARG" ;; + r) READONLY_SET_='true' ;; + z) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1 + OVERWRITE_SOURCE_DEV_='/dev/zero' + warn 'initialising from INSECURE source /dev/zero' ;; + o) let OPTIMIZING_LEVEL_=$OPTIMIZING_LEVEL_+1 + OPTIMIZED_MODE_SET_='true' ;; + y) VERIFY_PW_="--verify-passphrase" ;; + f) FORCE_='true' ;; + m) ADDITIONAL_MOUNT_ARGS_="$OPTARG" ;; + h) printUsage; exit ;; + v) let verbose_=$verbose_+1 ;; + S) CIPHER_SIZE_="$OPTARG" ;; + C) CIPHER_="$OPTARG" ;; + I) ITERATION_TIME_="$OPTARG" ;; + A) ADDITIONAL_CRYPTSETUP_ARGS_="$OPTARG" ;; + ?) printUsage; exit 64 ;; + esac +done +shift $(($OPTIND - 1)) # set ARGV to the first not parsed commandline parameter +setVerbose $verbose_ + +checkRoot die "You have to be root to use this program" +disableSyslog + +if [[ $1 == 'help' ]]; then + printUsage + exit 0 +fi +if (( $# < 2 )); then + printUsage + die "wrong number of arguments ($#)" 1 +fi +if (( $OPTIMIZING_LEVEL_ > 1 )); then + printUsage + die "please choose ONE initialisation methode" +fi +TARGET_="$2" + +MKFS_="/sbin/mkfs.$FSTYPE_" +if [ ! -x "$MKFS_" ]; then + die "invalid filesystem type \"$FSTYPE_\"" 1 +fi + +# use batch-mode if available +$CRYPTSETUP_ $BATCH_MODE_ --help &>/dev/null; +ret_=$? 
+case "$ret_" in + 0) dprint "your cryptsetup understands --batch-mode" ;; + 1) BATCH_MODE_=""; notice "your cryptsetup does NOT understand --batch-mode, trying without" ;; + 127) die "could not execute cryptsetup" 127 ;; + *) warn "problems executing $CRYPTSETUP_" $ret_ +esac + +DM_NAME_="`getDMName $TARGET_`" +DM_PATH_="$DEV_MAPPER_/$DM_NAME_" +ORIG_TARGET_="$TARGET_" +MOUNT_POINT_="$3" + +case "$1" in + format) ACTION_='format'; actionFormat ;; + start) ACTION_='start'; actionStart ;; + stop) ACTION_='stop'; actionStop "$TARGET_" ;; + *) printUsage ;; +esac + +# END OF FILE +################################################################################ +# vim:foldmethod=marker -- 2.1.4
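Review bot: In actionFormat the device-overwrite confirmation cannot abort the run: `$FORCE_ || (yesDialog "Are you shure you want to overwrite $TARGET_ ?" || die 'You are not sure')` calls `die` inside a `( … )` subshell, so only the subshell exits and the parent continues to dd over `$TARGET_` even after a refused dialog (unless sh-lib's die kills the parent, which is not visible here); drop the parentheses: `$FORCE_ || yesDialog "Are you shure you want to overwrite $TARGET_ ?" || die 'You are not sure'`. The `-I` option is documented in seconds and passed unchanged as `--iter-time $ITERATION_TIME_` in formatDevice, but cryptsetup's `--iter-time` is specified in milliseconds, so the default `ITERATION_TIME_="1"` requests roughly 1 ms of PBKDF2 work instead of the intended second and sharply weakens passphrase brute-force resistance; either convert (`--iter-time $((ITERATION_TIME_ * 1000))`) or document the unit as milliseconds with a sane default. getDMName tests `[ ! -e "$tmp_" ]` against the bare mapping name, i.e. a path relative to the current directory rather than `$DEV_MAPPER_/$tmp_`, so an already-active mapping is never detected. In actionStart, `execute "$CRYPTSETUP_ $cargs_ luksOpen $TARGET_ $DM_NAME_" warn || execute "losetup -d $TARGET_" || die "could not luksOpen $TARGET_"` lets a successful `losetup -d` swallow the die, so a failed luksOpen on an image falls through to the mount line; group cleanup and die as `|| { execute "losetup -d $TARGET_"; die "could not luksOpen $TARGET_"; }`. The file is `#!/bin/sh` but relies on `function`, `[[ ]]`, `(( ))`, `&>` and `let`, which only bash provides, so it breaks where /bin/sh is dash; use `#!/bin/bash`.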