Date: Wed, 25 Sep 2019 23:12:26 +0800
From: Ivan Tham
To: ~alpine/devel@lists.alpinelinux.org
Subject: Re: [PATCH v2] Support encrypted root in setup-disk
Message-ID: <20190925151226.mcurtpbxekq4gvtu@arch>
In-Reply-To: <20190925145906.73692-1-sir@cmpwn.com>

On Wed, Sep 25, 2019 at 10:59:06AM -0400, Drew DeVault wrote:
>@@ -442,6 +445,11 @@ install_mounted_root() { > if [ -n "$(get_bootopt nomodeset)" ]; then > kernel_opts="nomodeset $kernel_opts" > fi >+ if [ "$USE_CRYPT" ]; then >+ root=$(cryptsetup status "$rootdev" | grep "device:" | awk '{ print $2 }') >+ kernel_opts="cryptroot=$root cryptdm=root" >+ root=/dev/mapper/root >+ fi > modules="sd-mod,usb-storage,${root_fs}${raidmod}" > > # generate the fstab Why not just `cryptsetup status "$rootdev" | awk '/device:/ { print $2 }'`? > native_disk_install() { > local prep_part_type=$(partition_id prep) > local root_part_type=$(partition_id linux) >@@ -1065,6 +1089,10 @@ native_disk_install() { > root_dev=$(find_nth_non_boot_parts $index "$root_part_type" $@) > fi > >+ if [ "$USE_CRYPT" ]; then >+ root_dev=$(setup_crypt $root_dev) >+ fi >+ > [ $SWAP_SIZE -gt 0 ] && setup_swap_dev $swap_dev > setup_root $root_dev $BOOT_DEV $@ > } I think we should probably add a TODO for cryptkey. >@@ -1290,6 +1321,15 @@ if [ -n "$diskdevs" ] && [ -z "$DISK_MODE" ]; then > esac > done > DISK_MODE="$answer" >+ # TODO: support encryption for more installation types >+ if [ -z "$USE_CRYPT" ] && [ "$DISK_MODE" = "sys" ] && [ -z "$USE_LVM" ]; then >+ echon "Would you like to encrypt $it_them? [y/N] " >+ default_read answer '?' >+ if yesno "$answer" >+ then >+ USE_CRYPT=1 >+ fi >+ fi > fi > > if [ -z "$SWAP_SIZE" ]; then I was wondering why only LVM gets that first, in my mind many people use LUKS without LVM, maybe I was wrong.
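Review bot: in the install_mounted_root() hunk (@@ -442,6 +445,11 @@), the added `kernel_opts="cryptroot=$root cryptdm=root"` replaces the variable instead of extending it, so the `nomodeset` prepended a few lines above (and anything else already in `$kernel_opts`) is lost on encrypted installs. Append the existing value, e.g. `kernel_opts="cryptroot=$root cryptdm=root $kernel_opts"`. The same block reuses `$root` for the `cryptsetup status` result without checking that it is non-empty; if no `device:` line is matched, the kernel command line gets a bare `cryptroot=`, so fail the install at that point instead of writing it out.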
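Review bot: in the native_disk_install() hunk (@@ -1065,6 +1089,10 @@), `root_dev=$(setup_crypt $root_dev)` is not checked for failure or for an empty result. Because `$root_dev` is then expanded unquoted in `setup_root $root_dev $BOOT_DEV $@`, an empty value drops out of the argument list and `$BOOT_DEV` moves into the root-device position. Abort when `setup_crypt` returns non-zero or prints nothing, and quote the argument. Since the device name is taken from the function's stdout, anything else it writes there also ends up in `root_dev`, which deserves a comment at the call site.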
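Review bot: in the DISK_MODE prompt hunk (@@ -1290,6 +1321,15 @@), the limits on encryption (`"$DISK_MODE" = "sys"` and `-z "$USE_LVM"`) are enforced only as part of deciding whether to ask the question. The `-z "$USE_CRYPT"` guard means the variable may already be set when this point is reached, and in that case nothing in these lines rejects it for a non-sys mode or in combination with LVM. Add an explicit check after the prompt that errors out on the unsupported combinations, and have the TODO name which installation types are excluded (as written, the prompt is shown only when LVM is not in use).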