#!/bin/bash
# LUKS related functions
. /etc/functions
. /etc/gui_functions
. /tmp/config
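# List every block device on the system that carries a LUKS header, one path
# per line, sorted.
#
# Outputs: device paths (as reported by blkid) to stdout.
# Returns: status of the final sort; non-LUKS devices are silently skipped.
list_luks_devices() {
  # Activate LVM volume groups first so logical volumes show up in blkid.
  # Failure is non-fatal: there may simply be no LVM on this system.
  lvm vgscan || true
  # blkid prints "<device>: KEY=VALUE ..."; keep only the device column and
  # ask cryptsetup whether it is a LUKS container. The path is quoted and
  # read with -r so unusual device names are passed through untouched.
  blkid | cut -d ':' -f 1 | while IFS= read -r device; do
    if cryptsetup isLuks "$device"; then
      printf '%s\n' "$device"
    fi
  done | sort
}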
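# Ask the user which share of the device (10/25/50/75 %) to give to the LUKS
# container. Uses whiptail when available, a plain console menu otherwise.
#
# Outputs: writes the chosen percentage (bare number) to
#          /tmp/luks_container_size_percent; callers read it from there.
# Returns: 0 on a valid choice; die()s (does not return) on cancel or on an
#          invalid console choice.
select_luks_container_size_percent() {
  TRACE "Under /etc/luks-functions:select_luks_container_size_percent()"
  if [ -x /bin/whiptail ]; then
    # whiptail writes the selected tag (the percentage) to stderr, which is
    # redirected into the result file.
    whiptail --title "Select LUKS container size percentage of device" --menu \
      "Select LUKS container size percentage of device:" 0 80 10 \
      "10" "10%" \
      "25" "25%" \
      "50" "50%" \
      "75" "75%" \
      2>/tmp/luks_container_size_percent ||
      die "Error selecting LUKS container size percentage of device"
  else
    echo "Select LUKS container size percentage of device:"
    echo "1. 10%"
    echo "2. 25%"
    echo "3. 50%"
    echo "4. 75%"
    # The range in the prompt matches the four options listed above (the
    # previous prompt said [1-3] although option 4 was accepted).
    read -r -p "Choose your LUKS container size percentage of device [1-4]: " option_index
    case "$option_index" in
      1) echo "10" >/tmp/luks_container_size_percent ;;
      2) echo "25" >/tmp/luks_container_size_percent ;;
      3) echo "50" >/tmp/luks_container_size_percent ;;
      4) echo "75" >/tmp/luks_container_size_percent ;;
      *) die "Error selecting LUKS container size percentage of device" ;;
    esac
  fi
}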
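# Partition a device interactively with two partitions: a LUKS container
# holding a private ext4 filesystem, and a second public exFAT partition.
# Size provisioning is done by percentage of the device.
#
# Usage: interactive_prepare_thumb_drive [--device DEV] [--percentage PCT] [--pass PASSPHRASE]
#   --device      block device to partition; when omitted the user picks one
#                 from the USB storage devices found on the system
#   --percentage  whole-number share (1-99) of the device for the LUKS
#                 container, default 10; an empty value makes the user choose
#   --pass        LUKS passphrase; when omitted it is prompted for twice,
#                 hidden, minimum 8 characters
#
# Globals: sets DEVICE, PERCENTAGE and PASSPHRASE (not local, as before);
#          reads FILE as set by file_selector.
# Returns: 1 on a usage error; otherwise die()s on any cancel or failure and
#          finally hands off to prepare_thumb_drive.
interactive_prepare_thumb_drive() {
  TRACE "Under /etc/luks-functions:interactive_prepare_thumb_drive()"
  local response
  # Defaults. An empty DEVICE means "let the user pick", an empty PASSPHRASE
  # means "prompt for it". The LUKS partition must be bigger than 32 MB,
  # hence the 10 % default.
  DEVICE=""
  PERCENTAGE="10"
  PASSPHRASE=""
  # Every option takes a value. Check that the value is present before
  # shifting: `shift 2` with a single remaining argument fails and leaves
  # "$1" in place, which used to spin this loop forever on e.g. `--device`.
  while [ $# -gt 0 ]; do
    case "$1" in
      --device | --percentage | --pass)
        if [ $# -lt 2 ]; then
          echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--pass passphrase]" >&2
          return 1
        fi
        case "$1" in
          --device) DEVICE=$2 ;;
          --percentage) PERCENTAGE=$2 ;;
          --pass) PASSPHRASE=$2 ;;
        esac
        shift 2
        ;;
      *)
        echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--pass passphrase]" >&2
        return 1
        ;;
    esac
  done
  DEBUG "DEVICE to partition: $DEVICE"
  DEBUG "PERCENTAGE of device that will be used for LUKS container: $PERCENTAGE"
  # Never log the passphrase itself, only whether one was supplied.
  DEBUG "PASSPHRASE for LUKS container: ${PASSPHRASE:+provided}"

  if [ -z "$PASSPHRASE" ]; then
    # Console prompt (no whiptail): loop until an 8+ character passphrase has
    # been entered twice identically. Input is hidden with read -s; EOF on
    # stdin aborts instead of looping forever.
    while [ "${#PASSPHRASE}" -lt 8 ]; do
      printf '\nEnter passphrase for LUKS container (At least 8 characters long):\n'
      read -r -s PASSPHRASE || die "Error: no passphrase entered"
      if [ "${#PASSPHRASE}" -lt 8 ]; then
        printf '\nPassphrase must be at least 8 characters long. Please try again.\n'
        unset PASSPHRASE
        continue
      fi
      printf '\nConfirm passphrase for LUKS container:\n'
      read -r -s PASSPHRASE_CONFIRM || die "Error: no passphrase entered"
      if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then
        printf '\nPassphrases do not match. Please try again.\n'
        unset PASSPHRASE
        unset PASSPHRASE_CONFIRM
      fi
    done
    # Do not keep a second copy of the secret around.
    unset PASSPHRASE_CONFIRM
  fi

  if [ -z "$DEVICE" ]; then
    # Ask the user to unplug everything else so the right device gets picked.
    if [ -x /bin/whiptail ]; then
      # shellcheck disable=SC2086 -- BG_COLOR_WARNING holds whiptail options and must word-split
      whiptail $BG_COLOR_WARNING --title "WARNING: Disconnect all external drives" --msgbox \
        "WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 ||
        die "User cancelled device selection"
    else
      printf 'Warning: Please disconnect all external drives before proceeding.\n\nHit Enter to continue?'
      read -r -p " [Y/n] " response
      # Only an explicit N/n cancels; Enter or anything else continues.
      if [ "${response^^}" = "N" ]; then
        die "User cancelled device selection"
      fi
    fi
    enable_usb
    enable_usb_storage
    # Offer every USB disk found; file_selector sets FILE to the chosen line.
    list_usb_storage disks >/tmp/devices.txt
    if [ "$(wc -l </tmp/devices.txt)" -gt 0 ]; then
      file_selector "/tmp/devices.txt" "Select device to partition"
      if [ -z "$FILE" ]; then
        die "Error: No device selected"
      fi
      DEVICE=$FILE
    else
      die "Error: No device found"
    fi
  fi

  if [ ! -b "$DEVICE" ]; then
    die "Error: $DEVICE is not a block device"
  fi

  # Only reachable when --percentage was given an empty value (the default is
  # 10): let the user choose interactively.
  if [ -z "$PERCENTAGE" ]; then
    select_luks_container_size_percent
    PERCENTAGE=$(cat /tmp/luks_container_size_percent)
  fi
  # The percentage feeds shell arithmetic in confirm_thumb_drive_format and
  # prepare_thumb_drive; reject anything that is not a whole number in 1-99
  # here rather than failing later with a misleading "cancelled" message.
  case "$PERCENTAGE" in
    '' | *[!0-9]*) die "Error: percentage must be a whole number between 1 and 99, got '$PERCENTAGE'" ;;
  esac
  if [ "$PERCENTAGE" -lt 1 ] || [ "$PERCENTAGE" -gt 99 ]; then
    die "Error: percentage must be a whole number between 1 and 99, got '$PERCENTAGE'"
  fi

  confirm_thumb_drive_format "$DEVICE" "$PERCENTAGE" ||
    die "User cancelled wiping and repartitioning of $DEVICE"
  prepare_thumb_drive "$DEVICE" "$PERCENTAGE" "$PASSPHRASE"
}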
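# Show a prompt to confirm formatting a flash drive with a percentage allocated
# to LUKS. interactive_prepare_thumb_drive() uses this; during OEM reset it is
# used separately before performing any reset actions.
#
# parameters:
#   $1 - block device of flash drive
#   $2 - percent of device allocated to LUKS [1-99]; must be a whole number,
#        it goes straight into shell arithmetic
#
# Returns: 0 when the user confirms (whiptail "Yes", or Enter / Y / y on the
#          console), non-zero when they decline or cancel the dialog.
confirm_thumb_drive_format() {
  TRACE "Under /etc/luks-functions:confirm_thumb_drive_format()"
  local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_SIZE_MB MSG response
  DEVICE="$1"
  LUKS_PERCENTAGE="$2"

  DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
  DISK_SIZE_DISPLAY="$(display_size "$DISK_SIZE_BYTES")"
  # LUKS partition size in MB: multiply before dividing so the integer
  # arithmetic keeps its precision.
  LUKS_SIZE_MB="$((DISK_SIZE_BYTES * LUKS_PERCENTAGE / 100 / 1024 / 1024))"

  MSG="WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY) with $LUKS_SIZE_MB MB\n assigned to private LUKS ext4 partition,\n rest assigned to exFAT public partition.\n\nAre you sure you want to continue?"

  if [ -x /bin/whiptail ]; then
    # whiptail's own exit status (0 = Yes) is the function's result.
    # shellcheck disable=SC2086 -- BG_COLOR_WARNING holds whiptail options and must word-split
    whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY)" --yesno \
      "$MSG" 0 80
  else
    # %b expands the \n escapes embedded in MSG, like echo -e did.
    printf '%b' "$MSG"
    read -r -p " [Y/n] " response
    # Enter, Y or y confirm; anything else declines.
    if [ -n "$response" ] && [ "${response^^}" != Y ]; then
      return 1
    fi
    return 0
  fi
}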
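# Prepare a flash drive with a private LUKS-encrypted ext4 partition and a
# public exFAT partition. This is not interactive - during OEM reset, any
# selections/confirmations must occur before OEM reset starts resetting the
# system.
#
# $1 - block device of flash drive
# $2 - percentage of flash drive to allocate to LUKS [1-99] (whole number)
# $3 - passphrase for LUKS container
#
# The passphrase never appears on a command line or in the process list: it
# is handed to cryptsetup as --key-file through a process substitution.
# Every step die()s on failure, so nothing is returned to the caller.
prepare_thumb_drive() {
  TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
  local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB PART
  DEVICE="$1"
  PERCENTAGE="$2"
  PASSPHRASE="$3"
  DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
  # LUKS partition size in MB: multiply before dividing to keep precision.
  PERCENTAGE_MB="$((DISK_SIZE_BYTES * PERCENTAGE / 100 / 1024 / 1024))"
  # Kernel partition naming: /dev/sdX -> /dev/sdX1, but a disk whose name ends
  # in a digit (mmcblk0, nvme0n1, loop0) gets a "p" separator -> mmcblk0p1.
  case "$DEVICE" in
    *[0-9]) PART="${DEVICE}p" ;;
    *) PART="$DEVICE" ;;
  esac

  printf 'Preparing %s with %s MB for private LUKS container while rest of device will be assigned to exFAT public partition...\n\n' "$DEVICE" "$PERCENTAGE_MB"
  echo "Please wait..."
  DEBUG "Creating empty DOS partition table on device through fdisk to start clean"
  # fdisk script: o = new empty DOS partition table, w = write and quit.
  printf 'o\nw\n' | fdisk "$DEVICE" >/dev/null 2>&1 || die "Error creating partition table"
  DEBUG "partition device with two partitions: first one being the percent applied and rest for second partition through fdisk"
  # fdisk script: n/p/1 from the default start, size +<MB>M; n/p/2 taking the
  # defaults for the rest of the disk; w = write and quit.
  printf 'n\np\n1\n\n+%sM\nn\np\n2\n\n\nw\n' "$PERCENTAGE_MB" | fdisk "$DEVICE" >/dev/null 2>&1 || die "Error partitioning device"
  DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key"
  DEBUG "Creating ${PERCENTAGE_MB}MB LUKS container on ${PART}1..."
  # printf '%s' rather than echo -n: a passphrase that starts with "-" or
  # contains backslashes must reach cryptsetup byte for byte.
  DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat "${PART}1" \
    --key-file <(printf '%s' "$PASSPHRASE") >/dev/null 2>&1 ||
    die "Error formatting LUKS container"
  DEBUG "Opening LUKS device and mapping under /dev/mapper/private..."
  DO_WITH_DEBUG cryptsetup open "${PART}1" private --key-file <(printf '%s' "$PASSPHRASE") >/dev/null 2>&1 ||
    die "Error opening LUKS container"
  DEBUG "Formatting LUKS container mapped under /dev/mapper/private as an ext4 partition..."
  mke2fs -t ext4 -L private /dev/mapper/private >/dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem"
  DEBUG "Closing LUKS device /dev/mapper/private..."
  cryptsetup close private >/dev/null 2>&1 || die "Error closing LUKS container"
  DEBUG "Formatting second partition ${PART}2 with exfat filesystem..."
  mkfs.exfat -L public "${PART}2" >/dev/null 2>&1 || die "Error formatting second partition with exfat filesystem"
  echo "Done."
}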
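# Pick the LUKS container to operate on and leave its path in the global LUKS.
#
# Reuses the device recorded in /boot/kexec_key_devices.txt when that file is
# non-empty. Otherwise lists LUKS devices, lets the user choose one with
# file_selector (which sets FILE) and records "<device> <luksUUID>" in
# /boot/kexec_key_devices.txt for next time, remounting /boot rw/ro around
# the write. The record is only written when the UUID could be read, so a
# half-empty cache entry is never left behind.
#
# Globals: writes LUKS; reads FILE.
# Returns: 0 with LUKS set; 1 if nothing was selected or no LUKS device exists.
select_luks_container() {
  TRACE "Under /etc/luks-functions:select_luks_container()"
  local uuid
  if [ -s /boot/kexec_key_devices.txt ]; then
    LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
    DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
    DEBUG "LUKS container device: $LUKS"
    return 0
  fi

  list_luks_devices >/tmp/luks_devices.txt
  if [ ! -s /tmp/luks_devices.txt ]; then
    warn "No encrypted device found"
    return 1
  fi
  file_selector "/tmp/luks_devices.txt" "Select LUKS container device"
  if [ -z "$FILE" ]; then
    return 1
  fi
  LUKS=$FILE
  if ! uuid=$(cryptsetup luksUUID "$LUKS"); then
    warn "Could not read LUKS UUID of $LUKS; not recording it as known good"
    return 0
  fi
  detect_boot_device
  mount -o remount,rw /boot
  echo "$LUKS $uuid" >/boot/kexec_key_devices.txt
  mount -o remount,ro /boot
}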
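# Verify the current Disk Recovery Key passphrase by test-opening the selected
# LUKS container, retrying until it works.
#
# Uses the global luks_current_Disk_Recovery_Key_passphrase when it was
# provisioned externally (e.g. by oem-factory-reset) and prompts for it
# otherwise. The passphrase is staged in
# /tmp/luks_current_Disk_Recovery_Key_passphrase so cryptsetup takes it as
# --key-file instead of on the command line; that file is shredded on failure
# and otherwise left for luks_secrets_cleanup(). A wrong passphrase also drops
# the cached container choice in /boot/kexec_key_devices.txt, since the wrong
# device may have been picked.
#
# Globals: reads/sets/exports luks_current_Disk_Recovery_Key_passphrase;
#          reads LUKS (set by select_luks_container).
# Returns: 0 once the passphrase opened the container, 1 if no container could
#          be selected or stdin hit EOF while prompting.
test_luks_current_disk_recovery_key_passphrase() {
  TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()"
  local rv
  while :; do
    select_luks_container || return 1
    if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
      # Not provisioned externally: ask for it.
      # NOTE(review): typed passphrase is echoed to the console (no read -s),
      # as in the original; confirm whether that is the intended UX.
      echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
      read -r luks_current_Disk_Recovery_Key_passphrase || return 1
    fi
    # printf '%s' rather than echo -n so a passphrase starting with "-" is
    # written verbatim.
    printf '%s' "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
    warn "Testing opening $LUKS LUKS encrypted drive content with the current Disk Recovery Key passphrase..."
    cryptsetup open "$LUKS" test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
    rv=$?
    # Non-zero means the passphrase (or the container) was wrong. The
    # original tested `-eq 0` here, treating a successful open as a failure
    # and a failed one as success; the sibling functions use `-ne 0`.
    if [ "$rv" -ne 0 ]; then
      whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
        "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
      shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
      # Forget the passphrase so the next round prompts for it again.
      unset luks_current_Disk_Recovery_Key_passphrase
      # Forget the "known good" container too: it may not have been the
      # right one.
      detect_boot_device
      mount -o remount,rw /boot
      rm -f /boot/kexec_key_devices.txt
      mount -o remount,ro /boot
    else
      # The open succeeded: close the test mapping and export the passphrase
      # for reuse by oem-factory-reset. luks_secrets_cleanup() is called
      # separately once everything is done.
      cryptsetup close test
      export luks_current_Disk_Recovery_Key_passphrase
      break
    fi
  done
}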
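# Re-encrypt the selected LUKS container in place with a fresh master key,
# keeping key slot 0 (the Disk Recovery Key). Retries until the passphrase
# is accepted.
#
# When luks_new_Disk_Recovery_Key_passphrase is set (the user just changed the
# passphrase) it becomes the current one. The current passphrase is prompted
# for when not provisioned, staged in
# /tmp/luks_current_Disk_Recovery_Key_passphrase and handed to
# cryptsetup-reencrypt as --key-file; that file is shredded on failure and
# otherwise left for luks_secrets_cleanup(). A failed attempt also drops the
# cached container choice in /boot/kexec_key_devices.txt.
#
# Globals: reads luks_new_Disk_Recovery_Key_passphrase and LUKS;
#          sets/exports luks_current_Disk_Recovery_Key_passphrase.
# Returns: 0 after a successful re-encryption, 1 if no container could be
#          selected or stdin hit EOF while prompting.
luks_reencrypt() {
  TRACE "Under /etc/luks-functions:luks_reencrypt()"
  local rv
  while :; do
    select_luks_container || return 1
    # A freshly set passphrase is the one that now opens the container.
    if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
      luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
    fi
    if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
      # Not provisioned externally: explain what is about to happen and ask.
      whiptail --title 'Reencrypt LUKS encrypted container ?' \
        --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under\nthe following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete the TPM Disk Unlock Key slot, if set up, by setting a default\n boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
      echo -e "\nEnter the current Disk Recovery Key passphrase:"
      # NOTE(review): typed passphrase is echoed to the console (no read -s),
      # as in the original; confirm whether that is the intended UX.
      read -r luks_current_Disk_Recovery_Key_passphrase || return 1
    fi
    # printf '%s' rather than echo -n so a passphrase starting with "-" is
    # written verbatim.
    printf '%s' "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
    warn "Reencrypting $LUKS LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!"
    cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
    rv=$?
    if [ "$rv" -ne 0 ]; then
      whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
        "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
      shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
      # Forget the passphrase so the next round prompts for it again.
      unset luks_current_Disk_Recovery_Key_passphrase
      # Forget the "known good" container too: it may not have been the
      # right one.
      detect_boot_device
      mount -o remount,rw /boot
      rm -f /boot/kexec_key_devices.txt
      mount -o remount,ro /boot
    else
      # Re-encryption succeeded: export the passphrase for reuse by
      # oem-factory-reset. luks_secrets_cleanup() is called separately.
      export luks_current_Disk_Recovery_Key_passphrase
      break
    fi
  done
}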
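# Replace the Disk Recovery Key passphrase (key slot 0) of the selected LUKS
# container, retrying until the current passphrase is accepted.
#
# Current and new passphrases come from the globals
# luks_current_Disk_Recovery_Key_passphrase / luks_new_Disk_Recovery_Key_passphrase
# when oem-provisioning supplied them and are prompted for otherwise (the new
# one must be at least 8 characters). Both are staged in /tmp files and passed
# to cryptsetup luksChangeKey as key files rather than on the command line;
# the files are shredded on failure and otherwise left for
# luks_secrets_cleanup(). A failed attempt also drops the cached container
# choice in /boot/kexec_key_devices.txt.
#
# Globals: reads LUKS; reads/sets/exports both passphrase variables.
# Returns: 0 after the key was changed, 1 if no container could be selected
#          or stdin hit EOF while prompting.
luks_change_passphrase() {
  TRACE "Under /etc/luks-functions:luks_change_passphrase()"
  local rv
  while :; do
    select_luks_container || return 1
    # Prompt for whatever oem-provisioning did not supply.
    if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
      whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
        "Please enter the current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
      # NOTE(review): both passphrases are echoed to the console as typed (no
      # read -s), as in the original; confirm whether that is the intended UX.
      if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
        echo -e "\nEnter your desired replacement for the actual Disk Recovery Key passphrase (At least 8 characters long):"
        while [ "${#luks_new_Disk_Recovery_Key_passphrase}" -lt 8 ]; do
          read -r luks_new_Disk_Recovery_Key_passphrase || return 1
          # Say why we are asking again instead of silently re-reading.
          if [ "${#luks_new_Disk_Recovery_Key_passphrase}" -lt 8 ]; then
            echo "Passphrase must be at least 8 characters long. Please try again:"
          fi
        done
      fi
      if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
        echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
        read -r luks_current_Disk_Recovery_Key_passphrase || return 1
      fi
      export luks_current_Disk_Recovery_Key_passphrase
      export luks_new_Disk_Recovery_Key_passphrase
    fi
    # printf '%s' rather than echo -n so a passphrase starting with "-" is
    # written verbatim.
    printf '%s' "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
    printf '%s' "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
    warn "Changing $LUKS LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..."
    cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
    rv=$?
    if [ "$rv" -ne 0 ]; then
      whiptail --title 'Invalid LUKS passphrase?' --msgbox \
        "The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
      # Shred the staged files like the sibling functions do, so a rejected
      # guess does not linger in /tmp until cleanup.
      shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null
      shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
      unset luks_current_Disk_Recovery_Key_passphrase
      unset luks_new_Disk_Recovery_Key_passphrase
      # Forget the "known good" container too: it may not have been the
      # right one.
      detect_boot_device
      mount -o remount,rw /boot
      rm -f /boot/kexec_key_devices.txt
      mount -o remount,ro /boot
    else
      # Key change succeeded: export the new passphrase for reuse by
      # oem-factory-reset. luks_secrets_cleanup() is called separately.
      export luks_new_Disk_Recovery_Key_passphrase
      break
    fi
  done
}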
# Remove the staged Disk Recovery Key passphrases from /tmp and from the
# environment. Call this once the LUKS operation that needed them is done;
# a missing file is not an error.
luks_secrets_cleanup() {
  local staged
  for staged in /tmp/luks_new_Disk_Recovery_Key_passphrase /tmp/luks_current_Disk_Recovery_Key_passphrase; do
    shred -n 10 -z -u "$staged" 2>/dev/null || true
  done
  unset luks_current_Disk_Recovery_Key_passphrase luks_new_Disk_Recovery_Key_passphrase
}