-rw-r--r--Makefile1
-rw-r--r--features.d/cryptkey.files1
-rwxr-xr-xinitramfs-init.in11
-rw-r--r--nlplug-findfs.c17
-rwxr-xr-xtest.sh28
5 files changed, 55 insertions, 3 deletions
diff --git a/Makefile b/Makefile
index 40dc284..458dffb 100644
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@ CONF_FILES := mkinitfs.conf \
features.d/btrfs.modules \
features.d/cdrom.modules \
features.d/cramfs.modules \
+ features.d/cryptkey.files \
features.d/cryptsetup.files \
features.d/cryptsetup.modules \
features.d/ena.modules \
diff --git a/features.d/cryptkey.files b/features.d/cryptkey.files
new file mode 100644
index 0000000..6bdda2e
--- /dev/null
+++ b/features.d/cryptkey.files
@@ -0,0 +1 @@
+/crypto_keyfile.bin
diff --git a/initramfs-init.in b/initramfs-init.in
index fd3c50c..df704d5 100755
--- a/initramfs-init.in
+++ b/initramfs-init.in
@@ -274,9 +274,9 @@ setup_nbd() {
set -- $(cat /proc/cmdline)
myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader cryptoffset
- cryptdiscards debug_init dma init_args keep_apk_new modules ovl_dev pkgs quiet
- root_size root usbdelay ip alpine_repo apkovl alpine_start splash blacklist
- overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
+ cryptdiscards cryptkey debug_init dma init_args keep_apk_new modules ovl_dev
+ pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
+ blacklist overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
for opt; do
case "$opt" in
@@ -397,6 +397,11 @@ if [ -n "$KOPT_cryptroot" ]; then
if [ -n "$KOPT_cryptoffset" ]; then
cryptopts="$cryptopts -o ${KOPT_cryptoffset}"
fi
+ if [ "$KOPT_cryptkey" = "yes" ]; then
+ cryptopts="$cryptopts -k /crypto_keyfile.bin"
+ elif [ -n "$KOPT_cryptkey" ]; then
+ cryptopts="$cryptopts -k ${KOPT_cryptkey}"
+ fi
fi
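Review bot: The `cryptkey=yes` branch hardcodes `-k /crypto_keyfile.bin`, and features.d/cryptkey.files in this same diff copies that path into the initramfs, so the LUKS key ends up inside an image that typically sits on the unencrypted boot partition; neither this hunk nor the feature file says the resulting initramfs must be protected. A comment above the branch should make that explicit, e.g. `# cryptkey=yes uses the keyfile embedded in the initramfs (features.d/cryptkey.files); the image then contains the LUKS key and must be root-only readable and kept on an encrypted or otherwise protected /boot.` `${KOPT_cryptkey}` is appended unquoted into `cryptopts`, which only matters for paths containing whitespace and matches how `${KOPT_cryptoffset}` is handled just above, so it looks intended. The parsing that sets the KOPT_* variables is outside this hunk.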
if [ -n "$KOPT_nbd" ]; then
diff --git a/nlplug-findfs.c b/nlplug-findfs.c
index 6614991..e037a93 100644
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@ static int spawn_active(struct spawn_manager *mgr)
struct cryptdev {
char *device;
char *name;
+ char *key;
char devnode[256];
};
@@ -594,6 +595,18 @@ static void *cryptsetup_thread(void *data)
goto free_out;
}
+ struct stat st;
+ if (!stat(c->crypt.data.key, &st)) {
+ pthread_mutex_lock(&c->crypt.mutex);
+ r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+ CRYPT_ANY_SLOT,
+ c->crypt.data.key, st.st_size,
+ c->crypt.flags);
+ pthread_mutex_unlock(&c->crypt.mutex);
+ if (r >= 0)
+ goto free_out;
+ }
+
while (passwd_tries > 0) {
char pass[1024];
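Review bot: `stat()` on the added line is called with `c->crypt.data.key` even when no `-k` was passed, in which case the field is presumably NULL (it is only assigned in the new `case 'k'`, and conf's initialization is not visible here), and passing NULL to stat() is undefined per POSIX — it happens to return EFAULT on Linux, which is why the passphrase fallback still works. Guard it explicitly: `if (c->crypt.data.key && stat(c->crypt.data.key, &st) == 0) {`. It would also help to report when a configured keyfile cannot be stat'ed or is rejected by `crypt_activate_by_keyfile`, since both cases currently fall through silently to the passphrase loop (whatever logging helper the file uses is not visible in this hunk). cryptsetup_thread starts and ends outside this hunk.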
@@ -1173,6 +1186,7 @@ static void usage(int rc)
" -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
" -h show this help\n"
" -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+ " -k CRYPTKEY path to keyfile\n"
" -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
" -o OFFSET cryptsetup payload offset\n"
" -D allow discards on crypto device\n"
@@ -1238,6 +1252,9 @@ int main(int argc, char *argv[])
case 'h':
usage(0);
break;
+ case 'k':
+ conf.crypt.data.key = EARGF(usage(1));
+ break;
case 'm':
conf.crypt.data.name = EARGF(usage(1));
break;
diff --git a/test.sh b/test.sh
index f187215..e0cc3f9 100755
--- a/test.sh
+++ b/test.sh
@@ -76,6 +76,13 @@ then
[ "$operation" = "header" ] && echo "> Formatting '$block' with header '$header' and passphrase '$passphrase'."
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q $block - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q --header $header $block - 2>&1 | sed 's/^/\t/g'
+
+ echo "> Creating keyfile"
+ dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g'
+ echo "> Adding keyfile to device"
+ [ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q $block keyfile - 2>&1 | sed 's/^/\t/g'
+ [ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q --header $header $block keyfile - 2>&1 | sed 's/^/\t/g'
+
echo "> Opening the device '$block' as /dev/mapper/temp-test"
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q $block temp-test - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q --header $header $block temp-test - 2>&1 | sed 's/^/\t/g'
@@ -92,6 +99,27 @@ then
echo "> Closing the device '/dev/mapper/temp-test'"
sudo cryptsetup luksClose temp-test
+ echo "> Testing nlplug-findfs on $block using keyfile"
+ [ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+ [ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+
+ if [ $retcode -eq 0 ]; then
+ echo "> Mounting the device"
+ sudo mount /dev/mapper/test-device local-mount
+ echo "> Getting proof"
+ check=$(cat local-mount/proof)
+ echo "Retrieved proof is: $check"
+ if [ "$check" != "$proof" ]; then
+ retcode=1
+ fi
+ fi
+ [ $retcode -eq 0 ] && echo "Operation succeeded, proofs match" || echo "Operation failed, proofs don't match"
+
+ echo "> Unmounting the fs"
+ mountpoint local-mount && sudo umount local-mount
+ echo "> Closing the device '/dev/mapper/test-device'"
+ [ -b /dev/mapper/test-device ] && sudo cryptsetup luksClose test-device
+
echo "> Testing nlplug-findfs on $block (passphrase was '$passphrase')"
[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
[ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }