author | Aaron Ball <nullspoon@oper.io> | 2022-05-07 18:03:41 -0600 |
---|---|---|
committer | Aaron Ball <nullspoon@oper.io> | 2022-05-07 18:03:41 -0600 |
commit | 81d8094ec2b632f144feddfecda75091d2a87308 (patch) | |
tree | 3733a8456d2e7fca8203fcd1d7e7079caf1c0e7d | |
parent | 30a84a1bbfbf8afc6aa8532ec61a272f13332a57 (diff) | |
parent | 7dd13c6d15c49aea272bebdc2fbd2e00dd656ea5 (diff) | |
-rw-r--r-- | Makefile | 4 | ||||
-rwxr-xr-x | crypttab | 109 | ||||
-rw-r--r-- | crypttab.example | 4 |
3 files changed, 55 insertions, 62 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..8a7c7a3
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+PREFIX ?= /usr
+install:
+ install -D -m 755 crypttab "$(DESTDIR)$(PREFIX)/crypttab"
+ install -D -m 640 crypttab.example "$(DESTDIR)/etc/crypttab"
@@ -1,4 +1,7 @@
 #!/usr/bin/env bash
+set -euo pipefail
+export IFS=$'\n\t'
+
 #
 # A script that handles basic crypttab functionality to mount encrypted volumes
 # on execution.
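Review bot: `install -D -m 640 crypttab.example "$(DESTDIR)/etc/crypttab"` overwrites whatever /etc/crypttab is already present every time `make install` runs, so re-installing on a configured system replaces the administrator's real entries with the example's comment header. Installing only when the target is absent — `test -e "$(DESTDIR)/etc/crypttab" || install -D -m 640 crypttab.example "$(DESTDIR)/etc/crypttab"` — or shipping the file as `crypttab.example` next to the script keeps the configuration intact. The script target `$(DESTDIR)$(PREFIX)/crypttab` also resolves to /usr/crypttab with the default PREFIX, which looks like a missing `/bin` or `/sbin` component, though that may be intentional.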
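Review bot: `export IFS=$'\n\t'` places IFS into the environment of every program the script launches (`cryptsetup`, `mount`, `lsof`, `ps` and anything they spawn), while the word-splitting change is only needed in this shell; a plain `IFS=$'\n\t'` is sufficient and avoids surprising any child shell or helper script. Since IFS no longer contains a space, every unquoted expansion in the rest of the file now splits on newlines and tabs only, and the field parsing below depends on that, so a comment such as `# split unquoted expansions on newline/tab only; crypttab fields are space-separated and parsed with ${var%% *}` would save the next reader a surprise. The file header for this hunk is not shown on the page; from its content it appears to be the crypttab script.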
@@ -6,106 +9,88 @@ TAB=/etc/crypttab -# # Iterrates through all entries in crypttab with the purpose to close the # decrypted block devices (typically at /dev/mapper/*). # # NOTE: If any of the listed encrypted devices are mounted, attempts to umount # them first, since not doing so will cause the luksClose to hang. -# -function destroy_entries { - if [[ ! -f ${TAB} ]]; then - echo "Could not access ${TAB}." +destroy_entries() { + local dev='' + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read entry; do - local name=${entry%% *} - - # Unmount all mountpoins if mounted anywhere - # Cryptsetup luksClose will repeatedly fail if the devices is mounted - # anywhere, causing shutdowns to hang up. - for i in "$(mount | grep /dev/mapper/${name})"; do - local mntpoint=$(echo ${i} | tr -s ' ' | cut -d ' ' -f 3) - # Skip if empty - [[ ${mntpoint} == '' ]] && continue + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mount="${entry##* }" + mapper="${dev////_}" - echo "${name} mounted at ${mntpoint}. Unmounting" + printf '%s mounted at %s. Unmounting\n' "${dev}" "${mount}" - # Kill any running processes accessing mntpoint + # Kill any running processes accessing mount point if lsof is available + if type lsof 2>/dev/null 1>/dev/null; then for pid in $(lsof -t ${mntpoint}); do pidstr=$(ps -f ${pid} | tail -n 1) - echo "Halting ${pid} ${pidstr##* }" - kill ${pid} + printf 'Halting %s %d\n' "${pid}" "${pidstr##* }" + kill "${pid}" done + fi - # Unmount - umount ${mntpoint} - done + umount -R "${mount}" || : - cryptsetup luksClose ${name} - done < "${TAB}" + printf 'Closing cryptdevice %s (%s)\n' "${dev}" "${mapper}" + cryptsetup luksClose "${mapper}" + done } -# # Checks each device listed in the crypttab file for its current status # (encrypted, or decrypted). -# -function stat_entries { - local _name # Name of the mount - local _dev # Device to be decrypted - if [[ ! 
-f ${TAB} ]]; then - echo "Could not access ${TAB}." +stat_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read line; do - _name=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 2) + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mapper="${dev////_}" - if [[ -L /dev/mapper/${_name} ]]; then - echo "${_name} (${_dev}) decrypted at /dev/mapper/${_name}" + if [ -L "/dev/mapper/${mapper}" ]; then + printf '%s decrypted at /dev/mapper/%s\n' "${dev}" "${mapper}" else - echo "${_name} (${_dev}) not decrypted." + printf '%s not decrypted\n' "${_dev}" fi done < "${TAB}" } -# # Decrypts each encrypted device listed in crypttab -# -function setup_entries { - local _name # Name of the encrypted mount - local _dev # Encrypted device path - local _key # Encryption key to decrypt the device with - - if [[ ! -f ${TAB} ]]; then - echo "Could not access ${TAB}." +setup_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi - while read entry; do - _name=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) - _key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 3) - - # Skip any devices that are already decrypted - if [ -b "/dev/mapper/${_name}" ]; then - printf "Device ${_dev} already decrypted at /dev/mapper/${_name}.\n" - continue - fi - echo "Decrypting ${_dev} using key ${_key}." 
- echo "Plaintext device is at /dev/mapper/${_name}" - cryptsetup luksOpen ${_dev} ${_name} --key-file ${_key} - - done < "${TAB}" + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) + mount="${entry##* }" + mapper="${dev////_}" + + printf 'Decrypting %s using key %s.\n' "${dev}" "${key}" + cryptsetup luksOpen "${dev}" "${mapper}" --key-file "${key}" + printf 'Plaintext device is at /dev/mapper/%s\n' "${mapper}" + + printf 'Mounting /dev/mapper/%s to %s\n' "${mapper}" "${mount}" + mount "/dev/mapper/${mapper}" "${mount}" + done } -case $1 in +case "${1:-}" in start) setup_entries mount -a diff --git a/crypttab.example b/crypttab.example new file mode 100644 index 0000000..07b2586 --- /dev/null +++ b/crypttab.example @@ -0,0 +1,4 @@ +# +# /etc/crypttab: Crypttab file system information +# +# <crypt_device> <key_path> <mount_path> |
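Review bot: The `for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"` loops in destroy_entries, stat_entries and setup_entries run exactly once, because the quoted substitution is a single word holding the whole filtered file; `dev` is then taken from the first line and `mount` from the last, so a crypttab with more than one entry is mis-parsed in all three functions. Dropping the quotes — `for entry in $(grep -v -e '^#' -e '^ *$' "${TAB}"); do` — splits on the newline/tab IFS set at the top of the file, and a `while IFS= read -r entry; do … done < <(grep …)` loop would do the same without depending on the global IFS. Two names on the new side no longer exist: `lsof -t ${mntpoint}` in destroy_entries and `printf '%s not decrypted\n' "${_dev}"` in stat_entries should be `${mount}` and `${dev}`, and with `set -u` in force each reference aborts the script instead of expanding to nothing; the `%d` in `printf 'Halting %s %d\n' "${pid}" "${pidstr##* }"` also receives the command name from `ps -f`, so `%s` is the right directive. Under `set -e` an unguarded `cryptsetup luksClose "${mapper}"` that fails for one busy device ends the loop before the remaining devices are closed, which is the shutdown hang the comment above describes; the preceding `umount -R "${mount}" || :` shows the intended pattern. The `case "${1:-}" in` block at the end of the hunk continues outside it.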