~alpine/devel


[alpine-devel] [PATCH alpine-conf] Support encrypted root in setup-disk

Details
Message ID
<20190424160230.26544-1-sir@cmpwn.com>
Sender timestamp
1556121750
DKIM signature
missing
Patch: +40 -1
---
 setup-disk.in | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/setup-disk.in b/setup-disk.in
index 5eb8638..1f66230 100644
--- a/setup-disk.in
+++ b/setup-disk.in
@@ -402,6 +402,9 @@ install_mounted_root() {
		esac
	done

	if [ "$USE_CRYPT" ]; then
		initfs_features="${initfs_features% cryptsetup} cryptsetup"
	fi

	if [ -n "$VERBOSE" ]; then
		echo "Root device:     $rootdev"
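
Review bot: USE_CRYPT is tested with a bare [ "$USE_CRYPT" ] in the added block, while the check directly below it uses [ -n "$VERBOSE" ]. Use [ -n "$USE_CRYPT" ] here and in the other added tests so the new code matches the file's existing style.
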
@@ -442,6 +445,11 @@ install_mounted_root() {
	if [ -n "$(get_bootopt nomodeset)" ]; then
		kernel_opts="nomodeset $kernel_opts"
	fi
	if [ "$USE_CRYPT" ]; then
		root=$(cryptsetup status "$rootdev" | grep "device:" | awk '{ print $2 }')
		kernel_opts="cryptroot=$root cryptdm=root"
		root=/dev/mapper/root
	fi
	modules="sd-mod,usb-storage,${root_fs}${raidmod}"

	# generate the fstab
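
Review bot: the assignment kernel_opts="cryptroot=$root cryptdm=root" in the USE_CRYPT block replaces kernel_opts instead of extending it, so the nomodeset option prepended two lines earlier, and anything else already in the variable, is dropped on encrypted installs. Suggest kernel_opts="cryptroot=$root cryptdm=root $kernel_opts". The grep piped into awk could also be a single awk '/device:/ { print $2 }', and it is worth failing early if cryptsetup status returns nothing, since an empty $root would produce a bare cryptroot= on the kernel command line.
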
@@ -503,6 +511,10 @@ unmount_partitions() {

	# unmount the partitions
	umount $(awk '{print $2}' /proc/mounts | egrep "^$mnt(/|\$)" | sort -r)

	if [ "$USE_CRYPT" ]; then
		cryptsetup close /dev/mapper/root
	fi
}

# figure out decent default swap size in mega bytes
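
Review bot: the mapping name is hard-coded in cryptsetup close /dev/mapper/root here, and the same literal is repeated in setup_crypt (cryptsetup open "$1" root) and in the cryptdm=root kernel option. Keeping the name in one variable would stop the three from drifting apart and would make it possible to pick a different name if a mapping called root already exists on the installing host. The close is also attempted regardless of whether the umount above succeeded, in which case it will fail on a busy device without a useful message.
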
@@ -994,6 +1006,18 @@ native_disk_install_lvm() {
	setup_root $root_dev $BOOT_DEV
}

setup_crypt() {
	mkdir -p /run/cryptsetup
	echo "Preparing root partition for encryption." >&2
	echo "You will be prompted for your password at boot." >&2
	echo "If you forget your password, your data will be lost." >&2
	cryptsetup luksFormat --type luks2 "$1" >&2
	echo "Enter password again to unlock disk for installation." >&2
	cryptsetup open "$1" root >&2
	cryptroot="$1"
	echo "/dev/mapper/root"
}

native_disk_install() {
	local prep_part_type=$(partition_id prep)
	local root_part_type=$(partition_id linux)
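
Review bot: neither cryptsetup luksFormat nor cryptsetup open has its exit status checked in setup_crypt, and the function prints /dev/mapper/root unconditionally. If the user declines the format confirmation or mistypes the passphrase at the open step, the caller still receives /dev/mapper/root and carries on with a device that does not exist. Return non-zero as soon as either command fails and only echo the mapper path on success. The cryptroot="$1" assignment is not read anywhere in this patch and can be dropped.
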
@@ -1065,6 +1089,10 @@ native_disk_install() {
		root_dev=$(find_nth_non_boot_parts $index "$root_part_type" $@)
	fi

	if [ "$USE_CRYPT" ]; then
		root_dev=$(setup_crypt $root_dev)
	fi

	[ $SWAP_SIZE -gt 0 ] && setup_swap_dev $swap_dev
	setup_root $root_dev $BOOT_DEV $@
}
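
Review bot: root_dev=$(setup_crypt $root_dev) passes $root_dev unquoted and ignores the function's exit status, so a failed setup_crypt is followed by setup_swap_dev and setup_root anyway. Quote the argument and stop on failure, for example root_dev=$(setup_crypt "$root_dev") || exit 1. Because the call is a command substitution it runs in a subshell, so the cryptroot variable assigned inside setup_crypt never reaches this scope.
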
@@ -1143,7 +1171,7 @@ ask_disk() {

usage() {
	cat <<-__EOF__
		usage: setup-disk [-hLqrv] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
		usage: setup-disk [-hLqrve] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
		                  [MOUNTPOINT | DISKDEV...]

		Install alpine on harddisk.
@@ -1157,6 +1185,7 @@ usage() {

		options:
		 -h  Show this help
		 -e  Encrypt disk
		 -m  Use disk for MODE without asking, where MODE is either 'data' or 'sys'
		 -o  Restore system from given apkovl file
		 -k  Use kernelflavor instead of $KERNEL_FLAVOR
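
Review bot: the help text "-e  Encrypt disk" does not say where the option takes effect. In this patch setup_crypt is only called from native_disk_install, and the interactive prompt is limited to sys mode without LVM, yet -e sets USE_CRYPT for every mode. Either document the restriction here (for example "Encrypt root partition (sys mode without LVM only)") or reject -e together with -L or a non-sys mode, otherwise install_mounted_root will add cryptroot= options for a root device that was never set up with LUKS.
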
@@ -1198,6 +1227,7 @@ USE_LVM=
# Parse args
while getopts "hk:Lm:o:qrs:v" opt; do
	case $opt in
		e) USE_CRYPT=1;;
		m) DISK_MODE="$OPTARG";;
		k) KERNEL_FLAVOR="$OPTARG";;
		L) USE_LVM="_lvm";;
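
Review bot: the new e) USE_CRYPT=1;; case cannot be reached because the getopts string is still "hk:Lm:o:qrs:v", so -e is reported as an illegal option. Add e to the option string. USE_CRYPT is also not initialised alongside USE_LVM= above the loop, which means a USE_CRYPT value inherited from the environment would switch encryption on; add USE_CRYPT= next to it.
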
@@ -1290,6 +1320,15 @@ if [ -n "$diskdevs" ] && [ -z "$DISK_MODE" ]; then
		esac
	done
	DISK_MODE="$answer"
	# TODO: support encryption for more installation types
	if [ "$DISK_MODE" = "sys" ] && [ -z "$USE_LVM" ]; then
		echon "Would you like to encrypt $it_them? [y/N] "
		default_read answer '?'
		if yesno "$answer"
		then
			USE_CRYPT=1
		fi
	fi
fi

if [ -z "$SWAP_SIZE" ]; then
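
Review bot: the "Would you like to encrypt" prompt is shown even when USE_CRYPT was already set by -e, so the user is asked about something they have already requested, and answering no does not clear the flag. Add [ -z "$USE_CRYPT" ] to the condition on the if that guards the prompt. The TODO comment would be clearer if it named the unsupported cases (LVM and non-sys modes) explicitly.
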
-- 
2.21.0



Details
Message ID
<BX7NRBJVLGUC.JLMQRG8DAW2Z@homura>
In-Reply-To
<20190424160230.26544-1-sir@cmpwn.com> (view parent)
DKIM signature
missing
Bump. Cc'ing recent committers to this repo.
Richard Mortier <mort@cantab.net>
Details
Message ID
<CAN2Hq06tZxTK+5e4iv9STTtzLZB0SQntvcveyoKyG4_ZXPqLjQ@mail.gmail.com>
In-Reply-To
<BX7NRBJVLGUC.JLMQRG8DAW2Z@homura> (view parent)
DKIM signature
missing
Trying to take a look but doesn't seem to apply cleanly to master for
me -- I may be driving git wrong though.
Not familiar with dm-crypt but looking through the patch, it seems plausible.
Possibly need to add "e" to the parameter list to getopts?

On Mon, 23 Sep 2019 at 21:25, Drew DeVault <sir@cmpwn.com> wrote:
>
> Bump. Cc'ing recent committers to this repo.



-- 
Richard Mortier
mort@cantab.net
Details
Message ID
<BX94W1BXMHSN.3AIWUPVTU0M34@homura>
In-Reply-To
<CAN2Hq06tZxTK+5e4iv9STTtzLZB0SQntvcveyoKyG4_ZXPqLjQ@mail.gmail.com> (view parent)
DKIM signature
missing
On Wed Sep 25, 2019 at 2:55 PM Richard Mortier wrote:
> Trying to take a look but doesn't seem to apply cleanly to master for
> me -- I may be driving git wrong though.

Cheers, I'll rebase it.

> Not familiar with dm-crypt but looking through the patch, it seems plausible.

Note, I've used this patch in production on half a dozen machines
without any issues so far.

> Possibly need to add "e" to the parameter list to getopts?

Ah, you're right.
Details
Message ID
<BX94WUOKAITM.VP6QNE425KG0@homura>
In-Reply-To
<CAN2Hq06tZxTK+5e4iv9STTtzLZB0SQntvcveyoKyG4_ZXPqLjQ@mail.gmail.com> (view parent)
DKIM signature
missing
Actually, it seems to apply cleanly to me. Try this command:

curl -s https://lists.alpinelinux.org/~alpine/devel/%3C20190424160230.26544-1-sir%40cmpwn.com%3E/raw | git am -3
Richard Mortier <mort@cantab.net>
Details
Message ID
<CAN2Hq04c2HHFPUDPZ05SUw3JGZ2R=Oa_eUXUy91Ymk7tW-1jRw@mail.gmail.com>
In-Reply-To
<BX94WUOKAITM.VP6QNE425KG0@homura> (view parent)
DKIM signature
missing
Huh, notwithstanding git appearing to give me errors, at least one of
the combinations of apply/am/mailinfo that I tried seemed to have in
fact worked. Sigh. One day I'll learn how to use git properly... :)

One other query - I don't understand the #TODO message...?

Don't have a machine handy to try it on but like I said, seems ok to
me, and if you've been using it for a while then SGTM.

Thanks!

On Wed, 25 Sep 2019 at 14:58, Drew DeVault <sir@cmpwn.com> wrote:
>
> Actually, it seems to apply cleanly to me. Try this command:
>
> curl -s https://lists.alpinelinux.org/~alpine/devel/%3C20190424160230.26544-1-sir%40cmpwn.com%3E/raw | git am -3



-- 
Richard Mortier
mort@cantab.net
Details
Message ID
<BX958MTNMQUI.YLWRH1E4JGO3@homura>
In-Reply-To
<CAN2Hq04c2HHFPUDPZ05SUw3JGZ2R=Oa_eUXUy91Ymk7tW-1jRw@mail.gmail.com> (view parent)
DKIM signature
missing
On Wed Sep 25, 2019 at 3:11 PM Richard Mortier wrote:
> One other query - I don't understand the #TODO message...?

The if statement it's TODO'ing skips prompting the user for encryption
if they're using LVM or a non-sys disk setup. The task that remains to
be done is tweaking the crypt support to support setting up encrypted
disks for any case other than the basic one.
Richard Mortier <mort@cantab.net>
Details
Message ID
<CAN2Hq07jJTNLFxpOFX-nemkiCt9Z-hK9NJbsx-h81mJrnsAMbg@mail.gmail.com>
In-Reply-To
<BX958MTNMQUI.YLWRH1E4JGO3@homura> (view parent)
DKIM signature
missing
Ah ok; FWIW I didn't interpret it like that.

I think the only other query I'd have is whether that interactive
block can be entered even if the user has specified -e -- if so, seems
odd to ask when they've already told you.

On Wed, 25 Sep 2019 at 15:13, Drew DeVault <sir@cmpwn.com> wrote:
>
> On Wed Sep 25, 2019 at 3:11 PM Richard Mortier wrote:
> > One other query - I don't understand the #TODO message...?
>
> The if statement it's TODO'ing skips prompting the user for encryption
> if they're using LVM or a non-sys disk setup. The task that remains to
> be done is tweaking the crypt support to support setting up encrypted
> disks for any case other than the basic one.



-- 
Richard Mortier
mort@cantab.net