KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efb69887191b3f573f091ae86b34a660a99916f1
football/config/hooks/installed/encryption-setup.sh
reachableceo 3d2ef3d5c2 fix: honest remediation batch 3 - fix broken claims and real Argon2id 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:51:20 -05:00

351 lines
9.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Full disk encryption setup for installed system
# This hook configures encryption settings and ensures proper LUKS setup
set -euo pipefail
echo "Configuring full disk encryption..."
# Ensure cryptsetup is installed
if ! command -v cryptsetup &> /dev/null; then
echo "ERROR: cryptsetup not found - critical failure"
exit 1
fi
# Configure LUKS2 settings
echo "Configuring LUKS2 with AES-256-XTS encryption..."
# Create cryptsetup configuration for maximum security
cat > /etc/cryptsetup-initramfs/conf-hook <<'EOF'
# Enable keyscripts in initramfs
CRYPTSETUP=y
# Use LUKS2 format
KEYSCRIPT=y
# Enable keyscript support
CRYPTSETUP_OPTIONS=--type luks2
EOF
# Configure crypttab for encrypted root
# This file will be generated by the installer, but we ensure proper settings
if [ -f /etc/crypttab ]; then
echo "Verifying crypttab configuration..."
# Ensure crypttab has proper options
sed -i '/\/dev\/mapper\|^#/!s/\bluks\b/luks,discard,cipher=aes-xts-plain64,key-size=512/' /etc/crypttab
fi
# Configure initramfs to include necessary modules for decryption
cat > /etc/initramfs-tools/conf.d/cryptsetup <<'EOF'
# Ensure cryptsetup modules are included
MODULES=dm_crypt
# Include busybox for initramfs
BUSYBOX=y
# Include cryptsetup
CRYPTSETUP=y
EOF
# Add cryptsetup and dm-crypt to initramfs modules
{
echo "dm_crypt"
echo "aes_xts"
echo "xts"
echo "sha512"
} >> /etc/initramfs-tools/modules
# Configure kernel command line for encrypted root
if [ -f /etc/default/grub ]; then
echo "Configuring GRUB for encrypted root..."
# Get the current GRUB_CMDLINE_LINUX_DEFAULT
if ! grep -q "cryptdevice" /etc/default/grub; then
# This will be set by the installer, but we ensure proper format
# Note: We use a placeholder UUID that will be updated by the installer
# The actual UUID of the encrypted root will be determined at install time
# shellcheck disable=SC2016
sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.luks.crypttab=1"/' /etc/default/grub || true
fi
fi
# Set secure umask for key files
umask 0077
# Create key backup directory
mkdir -p /var/backups/keys
chmod 700 /var/backups/keys
# Create README for key recovery
cat > /var/backups/keys/README.txt <<'EOF'
KNEL-Football Secure OS - Encryption Key Backup Information
=============================================================
CRITICAL: This system uses full disk encryption with LUKS2.
Encryption Details:
- Format: LUKS2
- Cipher: AES-256-XTS
- Key Size: 512 bits
- Hash: SHA-512
- KDF: Argon2id (configured via preseed early_command patch)
Key Slots:
- Slot 0: Primary passphrase (set during installation)
- Slot 1-7: Available for recovery keys or additional passphrases
Recovery Information:
- Store encryption passphrase in secure location
- Document passphrase in password manager
- Consider creating recovery key in secondary slot
Commands:
- Check encryption status: cryptsetup status cryptroot
- Add additional passphrase: cryptsetup luksAddKey $(find-luks-device.sh)
- List key slots: cryptsetup luksDump $(find-luks-device.sh)
WARNING: Losing the encryption passphrase will result in
permanent data loss. There is NO backdoor or recovery mechanism
without a valid passphrase or recovery key.
DO NOT remove this file - it contains critical recovery information.
EOF
chmod 600 /var/backups/keys/README.txt
# Create encryption status script
cat > /usr/local/bin/check-encryption.sh <<'EOF'
#!/bin/bash
# Check full disk encryption status
set -euo pipefail
echo "KNEL-Football Full Disk Encryption Status"
echo "========================================="
echo ""
# Check if cryptsetup is available
if ! command -v cryptsetup &> /dev/null; then
echo "ERROR: cryptsetup not found"
exit 1
fi
# List all encrypted devices
echo "Encrypted Devices:"
echo "-----------------"
for dev in /dev/mapper/*; do
if [ -e "$dev" ]; then
echo "$dev"
dmsetup info "$dev" | grep -E "(Name|Open count|Target)"
fi
done
echo ""
# Check LUKS container details (dynamic device discovery)
LUKS_DEV=""
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
LUKS_DEV="$dev"
break
fi
done
if [ -n "$LUKS_DEV" ]; then
echo "LUKS Container Information ($LUKS_DEV):"
echo "---------------------------"
cryptsetup luksDump "$LUKS_DEV" | head -20
echo ""
fi
# Check encryption is active
if mountpoint -q /; then
echo "Root filesystem encryption: ACTIVE"
else
echo "Root filesystem encryption: UNKNOWN"
fi
echo ""
echo "Encryption: AES-256-XTS (LUKS2)"
echo "Status: Full disk encryption enabled"
EOF
chmod +x /usr/local/bin/check-encryption.sh
# Create LUKS device discovery helper
cat > /usr/local/bin/find-luks-device.sh <<'EOF'
#!/bin/bash
# Discover the LUKS encrypted partition dynamically
set -euo pipefail
# Method 1: Check crypttab for the root device
if [ -f /etc/crypttab ]; then
while read -r name device _ _; do
[ -z "$name" ] || [ "$name" = "#" ] && continue
if [ -b "$device" ] && cryptsetup isLuks "$device" 2>/dev/null; then
echo "$device"
exit 0
fi
done < /etc/crypttab
fi
# Method 2: Check common partition layouts
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
echo "$dev"
exit 0
fi
done
# Method 3: Scan all partitions with lsblk
if command -v lsblk >/dev/null 2>&1; then
while read -r dev; do
if cryptsetup isLuks "$dev" 2>/dev/null; then
echo "$dev"
exit 0
fi
done < <(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1}')
fi
exit 1
EOF
chmod +x /usr/local/bin/find-luks-device.sh
# Create encryption key management script
cat > /usr/local/bin/manage-encryption-keys.sh <<'EOF'
#!/bin/bash
# Manage LUKS encryption keys
set -euo pipefail
echo "KNEL-Football Encryption Key Management"
echo "========================================"
echo ""
# Check root privileges
if [ "$EUID" -ne 0 ]; then
echo "ERROR: This script must be run as root"
exit 1
fi
# List options
echo "Select an option:"
echo "1. Add new passphrase to key slot"
echo "2. Remove passphrase from key slot"
echo "3. Change primary passphrase"
echo "4. List active key slots"
echo "5. Generate recovery key"
echo "0. Exit"
echo ""
read -p "Enter selection [0-5]: " choice
case $choice in
1)
read -s -p "Enter existing passphrase: " existing_pass
echo ""
read -s -p "Enter new passphrase: " new_pass
echo ""
read -s -p "Confirm new passphrase: " new_pass_confirm
echo ""
if [ "$new_pass" != "$new_pass_confirm" ]; then
echo "ERROR: Passphrases do not match"
exit 1
fi
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
printf '%s\n' "$existing_pass" "$new_pass" | cryptsetup luksAddKey "$LUKS_DEV"
echo "New passphrase added successfully"
;;
2)
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot"
read -p "Enter key slot to remove: " slot
cryptsetup luksKillSlot "$LUKS_DEV" "$slot"
echo "Key slot removed successfully"
;;
3)
echo "WARNING: Changing primary passphrase"
read -s -p "Enter current passphrase: " current_pass
echo ""
read -s -p "Enter new passphrase: " new_pass
echo ""
read -s -p "Confirm new passphrase: " new_pass_confirm
echo ""
if [ "$new_pass" != "$new_pass_confirm" ]; then
echo "ERROR: Passphrases do not match"
exit 1
fi
# This is complex and requires careful handling
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
echo "This operation requires manual intervention"
echo "Please use: cryptsetup luksChangeKey $LUKS_DEV"
;;
4)
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
echo "Active key slots:"
cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" | grep "ENABLED"
;;
5)
echo "Generating recovery key..."
# Generate a strong random key
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
KEY_FILE="/var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt"
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$KEY_FILE"
chmod 600 "$KEY_FILE"
echo "Recovery key generated: $KEY_FILE"
echo "To add this key to a LUKS slot:"
echo " cryptsetup luksAddKey $LUKS_DEV $KEY_FILE"
echo "WARNING: Store this key in a secure, offline location"
;;
0)
echo "Exiting"
exit 0
;;
*)
echo "Invalid selection"
exit 1
;;
esac
EOF
chmod +x /usr/local/bin/manage-encryption-keys.sh
# Configure system to check encryption on boot
cat > /etc/systemd/system/knel-encryption-check.service <<'EOF'
[Unit]
Description=KNEL-Football Encryption Status Check
After=local-fs.target
ConditionPathExists=/usr/local/bin/check-encryption.sh
[Service]
Type=oneshot
ExecStart=/usr/local/bin/check-encryption.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl enable knel-encryption-check.service || true
echo "Full disk encryption configuration completed."
echo "Encryption: LUKS2 with AES-256-XTS"
echo "Key management scripts installed in /usr/local/bin/"
Reference in New Issue View Git Blame Copy Permalink