Drew DeVault: 1 Support encrypted root in setup-disk 1 files changed, 42 insertions(+), 2 deletions(-)
---
v2 fixes the prompt when an answer file is specified and adds -e to getopts.
setup-disk.in | 44 ++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/setup-disk.in b/setup-disk.in
index 5eb8638..fb35ea9 100644
--- a/setup-disk.in
+++ b/setup-disk.in
@@ -402,6 +402,9 @@ install_mounted_root() {
esac
done
+ if [ "$USE_CRYPT" ]; then
+ initfs_features="${initfs_features% cryptsetup} cryptsetup"
+ fi
if [ -n "$VERBOSE" ]; then
echo "Root device: $rootdev"
@@ -442,6 +445,11 @@ install_mounted_root() {
if [ -n "$(get_bootopt nomodeset)" ]; then
kernel_opts="nomodeset $kernel_opts"
fi
+ if [ "$USE_CRYPT" ]; then
+ root=$(cryptsetup status "$rootdev" | grep "device:" | awk '{ print $2 }')
+ kernel_opts="cryptroot=$root cryptdm=root"
+ root=/dev/mapper/root
+ fi
modules="sd-mod,usb-storage,${root_fs}${raidmod}"
# generate the fstab
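Review bot: `[ "$USE_CRYPT" ]` in the new `if` is a bare-string test while the neighbouring lines use `[ -n "$VERBOSE" ]` and `[ -n "$(get_bootopt nomodeset)" ]`, so `if [ -n "$USE_CRYPT" ]; then` would match the file's convention. The `${initfs_features% cryptsetup} cryptsetup` expansion leaves a leading space when `initfs_features` is empty and only de-duplicates a trailing `cryptsetup`; presumably harmless if the consumer splits on whitespace, but a one-line comment such as `# append cryptsetup once so the initramfs can unlock root` would make the intent clear. install_mounted_root starts before this hunk.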
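Review bot: `kernel_opts="cryptroot=$root cryptdm=root"` replaces the whole kernel command line instead of extending it, so the `nomodeset $kernel_opts` prefix set three lines earlier (and anything placed in `kernel_opts` before that) is discarded whenever encryption is on; it should be `kernel_opts="cryptroot=$root cryptdm=root $kernel_opts"`. The value of `$root` is also unchecked: if `cryptsetup status` prints no `device:` line the system is installed with an empty `cryptroot=` and will not boot, so the lookup wants a guard like `[ -n "$root" ] || { echo "Cannot determine LUKS device for $rootdev" >&2; return 1; }`. Pointing `cryptroot=` at a kernel device name such as `/dev/sda2` is fragile across controller or enumeration changes; if the initramfs accepts `cryptroot=UUID=...`, `blkid -s UUID -o value "$root"` gives a stable identifier. install_mounted_root starts before this hunk and continues after it.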
Ivan Tham <pickfire@riseup.net>Why not just `cryptsetup status "$rootdev" | awk '/device:/ { print $2 }'`?
@@ -503,6 +511,10 @@ unmount_partitions() {
# unmount the partitions
umount $(awk '{print $2}' /proc/mounts | egrep "^$mnt(/|\$)" | sort -r)
+
+ if [ "$USE_CRYPT" ]; then
+ cryptsetup close /dev/mapper/root
+ fi
}
# figure out decent default swap size in mega bytes
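Review bot: `cryptsetup close /dev/mapper/root` runs without checking its result, so a mapping that is still busy (for example a mount under `$mnt` that the preceding `umount` could not release) stays open silently, and the next `cryptsetup open ... root` in a re-run of the installer will fail on the existing name. Report the failure, e.g. `cryptsetup close /dev/mapper/root || echo "Warning: could not close encrypted root" >&2`. Guarding on `USE_CRYPT` alone also assumes the mapping was actually created by this run; `[ -e /dev/mapper/root ]` would make the close safe when `setup_crypt` never got that far. unmount_partitions starts before this hunk.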
@@ -994,6 +1006,18 @@ native_disk_install_lvm() {
setup_root $root_dev $BOOT_DEV
}
+setup_crypt() {
+ mkdir -p /run/cryptsetup
+ echo "Preparing root partition for encryption." >&2
+ echo "You will be prompted for your password at boot." >&2
+ echo "If you forget your password, your data will be lost." >&2
+ cryptsetup luksFormat --type luks2 "$1" >&2
+ echo "Enter password again to unlock disk for installation." >&2
+ cryptsetup open "$1" root >&2
+ cryptroot="$1"
+ echo "/dev/mapper/root"
+}
+
native_disk_install() {
local prep_part_type=$(partition_id prep)
local root_part_type=$(partition_id linux)
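Review bot: `setup_crypt` ignores the exit status of both `cryptsetup luksFormat` and `cryptsetup open`, and its last statement is an `echo`, so the function always returns 0 and always hands `/dev/mapper/root` back to the caller even when the user declined the luksFormat confirmation or mistyped the passphrase; installation then continues against a device that does not exist, or worse, against a stale mapping left by an earlier run. Each cryptsetup call should abort the function on failure so `root_dev=$(setup_crypt ...)` observes a non-zero status. `cryptroot="$1"` is assigned here but nothing in this patch reads it (the boot-option code re-derives the device via `cryptsetup status`), so it is either dead or deserves a comment naming its consumer. A short header comment — takes the partition to encrypt as `$1`, opens it as `root`, prints the mapper path on stdout, and sends every prompt to stderr because stdout is captured by the caller — would also help, since the `>&2` redirections are otherwise puzzling.
```shell
setup_crypt() {
	mkdir -p /run/cryptsetup
	# … unchanged: warning messages …
	if ! cryptsetup luksFormat --type luks2 "$1" >&2; then
		echo "luksFormat of $1 failed or was aborted" >&2
		return 1
	fi
	echo "Enter password again to unlock disk for installation." >&2
	if ! cryptsetup open "$1" root >&2; then
		echo "Could not unlock $1" >&2
		return 1
	fi
	cryptroot="$1"
	echo "/dev/mapper/root"
}
```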
@@ -1065,6 +1089,10 @@ native_disk_install() {
root_dev=$(find_nth_non_boot_parts $index "$root_part_type" $@)
fi
+ if [ "$USE_CRYPT" ]; then
+ root_dev=$(setup_crypt $root_dev)
+ fi
+
[ $SWAP_SIZE -gt 0 ] && setup_swap_dev $swap_dev
setup_root $root_dev $BOOT_DEV $@
}
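Review bot: `root_dev=$(setup_crypt $root_dev)` never inspects the status of the substitution, so a failed or aborted encryption step is not noticed here and `setup_root` is run against `/dev/mapper/root` regardless; `$root_dev` is also unquoted. Once `setup_crypt` returns non-zero on failure, `root_dev=$(setup_crypt "$root_dev") || return 1` stops the install at this point. Separately, swap is still created in the clear by the `setup_swap_dev` line just below: with an encrypted root, whatever is paged out — file contents and key material included — lands on an unencrypted partition, which undoes much of the protection, so either refuse `-e` while `SWAP_SIZE` is greater than 0 or set swap up as an encrypted volume too (a random-key dm-crypt swap is the usual approach). native_disk_install starts before this hunk.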
Ivan Tham <pickfire@riseup.net>I think we should probably add a TODO for cryptkey.
@@ -1143,7 +1171,7 @@ ask_disk() {
usage() {
cat <<-__EOF__
- usage: setup-disk [-hLqrv] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
+ usage: setup-disk [-hLqrve] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
[MOUNTPOINT | DISKDEV...]
Install alpine on harddisk.
@@ -1157,6 +1185,7 @@ usage() {
options:
-h Show this help
+ -e Encrypt disk
-m Use disk for MODE without asking, where MODE is either 'data' or 'sys'
-o Restore system from given apkovl file
-k Use kernelflavor instead of $KERNEL_FLAVOR
@@ -1193,11 +1222,13 @@ case $kver in
*) KERNEL_FLAVOR=vanilla;;
esac
+USE_CRYPT=
DISK_MODE=
USE_LVM=
# Parse args
-while getopts "hk:Lm:o:qrs:v" opt; do
+while getopts "hek:Lm:o:qrs:v" opt; do
case $opt in
+ e) USE_CRYPT=1;;
m) DISK_MODE="$OPTARG";;
k) KERNEL_FLAVOR="$OPTARG";;
L) USE_LVM="_lvm";;
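Review bot: `-e` is accepted together with `-L` and with `-m data`, but as far as this patch shows the encryption path is only wired up for the plain `sys` install (the interactive prompt further down is gated on `"$DISK_MODE" = "sys"` and an empty `USE_LVM`), so `setup-disk -e -L` would run the LVM installer without ever calling `setup_crypt` while still adding `cryptroot=` to the kernel options and trying to close a mapping that does not exist. Reject the combination right after option parsing, e.g. `if [ -n "$USE_CRYPT" ] && [ -n "$USE_LVM" ]; then echo "-e cannot be combined with -L yet" >&2; exit 1; fi`, and do the same for `-m data` once `DISK_MODE` is known. The getopts loop continues past the end of this hunk.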
@@ -1290,6 +1321,15 @@ if [ -n "$diskdevs" ] && [ -z "$DISK_MODE" ]; then
esac
done
DISK_MODE="$answer"
+ # TODO: support encryption for more installation types
+ if [ -z "$USE_CRYPT" ] && [ "$DISK_MODE" = "sys" ] && [ -z "$USE_LVM" ]; then
+ echon "Would you like to encrypt $it_them? [y/N] "
+ default_read answer '?'
+ if yesno "$answer"
+ then
+ USE_CRYPT=1
+ fi
+ fi
fi
if [ -z "$SWAP_SIZE" ]; then
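Review bot: the new `if yesno "$answer"` puts `then` on a line of its own, while every other conditional this patch touches uses `if ...; then` on one line (see `if [ -z "$USE_CRYPT" ] && ...; then` three lines above); `if yesno "$answer"; then` keeps the style consistent. The block also deserves a note for the reader that `-e` on the command line skips the question, which is what the `[ -z "$USE_CRYPT" ]` test does, e.g. `# ask only when -e was not given; sys without LVM is the only layout setup_crypt handles`. The enclosing if-block starts before this hunk.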
Ivan Tham <pickfire@riseup.net>I was wondering why only LVM gets that first, in my mind many people use LUKS without LVM, maybe I was wrong.
-- 2.23.0