#!/bin/sh # Reencrypt LUKS container and change Disk Recovery Key associated passphrase (Slot 0: main slot) . /etc/functions . /etc/gui_functions . /tmp/config select_luks_container() { if [ -s /boot/kexec_key_devices.txt ]; then LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) else #generate a list of devices to choose from that contain a LUKS header lvm vgscan||true blkid | cut -d ':' -f 1 | while read device;do cryptsetup isLuks $device;if [ $(echo $?) == 0 ]; then echo $device;fi; done | sort > /tmp/luks_devices.txt if [ $(cat /tmp/luks_devices.txt | wc -l) -gt 0 ]; then file_selector "/tmp/luks_devices.txt" "Select LUKS container device" if [ "$FILE" == "" ]; then return 1 else LUKS=$FILE detect_boot_device mount -o remount,rw /boot echo "$LUKS $(cryptsetup luksUUID $LUKS)" > /boot/kexec_key_devices.txt mount -o remount,ro /boot fi else warn "No encrypted device found." return 1 fi fi } test_luks_current_disk_recovery_key_passphrase() { while : ; do select_luks_container || return 1 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current Disk Recovery Key passphrase echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup-reencrypt attempts if [ $(echo $?) -ne 0 ]; then whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round unset luks_current_Disk_Recovery_Key_passphrase #remove "known good" selected luks container so that next pass asks again user to select luks container. #maybe the container was not the right one detect_boot_device mount -o remount,rw /boot rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot else #LuksOpen test was successful. Cleanup should be called only when done #Exporting successfully used passphrase possibly reused by oem-factory-reset #We close the volume cryptsetup luksClose test export luks_current_Disk_Recovery_Key_passphrase break; fi done } luks_reencrypt(){ while : ; do select_luks_container || return 1 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current Disk Recovery Key passphrase whiptail --title 'Reencrypt LUKS disk encrypted container ?' \ --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if setuped by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup-reencrypt attempts if [ $(echo $?) -ne 0 ]; then whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round unset luks_current_Disk_Recovery_Key_passphrase #remove "known good" selected luks container so that next pass asks again user to select luks container. #maybe the container was not the right one detect_boot_device mount -o remount,rw /boot rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot else #Reencryption was successful. Cleanup should be called only when done #Exporting successfully used passphrase possibly reused by oem-factory-reset export luks_current_Disk_Recovery_Key_passphrase break; fi done } luks_change_passphrase() { while : ; do select_luks_container || return 1 #if actual or new Disk Recovery Key is not provisioned by oem-provisioning file if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ] ; then whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ "Please enter current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ] ; then echo -e "\nEnter desired replacement for actual Disk Recovery Key passphrase (At least 8 characters long):" while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do { read -r luks_new_Disk_Recovery_Key_passphrase };done fi if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ];then echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase fi export luks_current_Disk_Recovery_Key_passphrase export luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..." cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase else #If current and new Disk Recovery Key were exported echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..." cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup attempts if [ $(echo $?) -ne 0 ]; then #Cryptsetup luksChangeKey was unsuccessful whiptail --title 'Invalid LUKS passphrase?' --msgbox \ "The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of USB drive,\n And select Boot from USB\n\nHit Enter to continue." 30 60 unset luks_current_Disk_Recovery_Key_passphrase unset luks_new_Disk_Recovery_Key_passphrase #remove "known good" selected luks container so that next pass asks again user to select LUKS container. #maybe the container was not the right one detect_boot_device mount -o remount,rw /boot rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot else #Cryptsetup was successful. #Cleanup should be called seperately. #Exporting successfully used passphrase possibly reused by oem-factory-reset export luks_new_Disk_Recovery_Key_passphrase break; fi done } luks_secrets_cleanup() { #Cleanup shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2> /dev/null || true shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null || true unset luks_current_Disk_Recovery_Key_passphrase unset luks_new_Disk_Recovery_Key_passphrase }