diff options
| author | Aaron Ball <nullspoon@oper.io> | 2022-05-07 17:53:18 -0600 |
|---|---|---|
| committer | Aaron Ball <nullspoon@oper.io> | 2022-05-07 18:02:11 -0600 |
| commit | 7dd13c6d15c49aea272bebdc2fbd2e00dd656ea5 (patch) | |
| tree | 3733a8456d2e7fca8203fcd1d7e7079caf1c0e7d | |
| parent | 2c6df93b2d10aa06f899a6c13a6394bc798fd357 (diff) | |
| download | crypttab-7dd13c6d15c49aea272bebdc2fbd2e00dd656ea5.tar.gz crypttab-7dd13c6d15c49aea272bebdc2fbd2e00dd656ea5.tar.xz | |
Lots of backwards incompatible changes to improve the experience
This adds a sample crypttab file for users to deploy to /etc/crypttab.
This version changes the syntax of the crypttab file. Previously, the
syntax was
<mapper_name> <device_path> <key_path>
The mapper name is now inferred from the device path (replacing all `/`
with `_` so `/dev/sda1` becomes `_dev_sda1` for example). The new syntax
is:
<crypt_device> <key_path> <mount_path>
Note that the mount path is now included. Previously it was expected
that the user would include the mapper path in their fstab file so a
subsequent `mount -a` would mount it once decrypted. This has all kinds
of service start order problems. Now crypttab handles mounting and
unmouting, so the mount path is part of the config file.
This also now makes `lsof` and optional program so stopping mount still
works if lsof is not installed.
| -rw-r--r-- | Makefile | 4 | ||||
| -rwxr-xr-x | crypttab | 90 | ||||
| -rw-r--r-- | crypttab.example | 4 |
3 files changed, 47 insertions, 51 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..8a7c7a3 --- /dev/null +++ b/Makefile @@ -0,0 +1,4 @@ +PREFIX ?= /usr +install: + install -D -m 755 crypttab "$(DESTDIR)$(PREFIX)/crypttab" + install -D -m 640 crypttab.example "$(DESTDIR)/etc/crypttab" @@ -9,100 +9,88 @@ export IFS=$'\n\t' TAB=/etc/crypttab -# # Iterrates through all entries in crypttab with the purpose to close the # decrypted block devices (typically at /dev/mapper/*). # # NOTE: If any of the listed encrypted devices are mounted, attempts to umount # them first, since not doing so will cause the luksClose to hang. -# -function destroy_entries { +destroy_entries() { + local dev='' if [ ! -f "${TAB}" ]; then - printf 'Could not access %s.\n' "${tab}" + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read entry; do - local name="${entry%% *}" + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mount="${entry##* }" + mapper="${dev////_}" - # Unmount all mountpoins if mounted anywhere - # Cryptsetup luksClose will repeatedly fail if the devices is mounted - # anywhere, causing shutdowns to hang up. - for i in "$(mount | grep /dev/mapper/${name})"; do - local mntpoint=$(echo ${i} | tr -s ' ' | cut -d ' ' -f 3) - # Skip if empty - [ "${mntpoint}" == '' ] && continue + printf '%s mounted at %s. Unmounting\n' "${dev}" "${mount}" - printf '%s mounted at %s. Unmounting\n' "${name}" "${mntpoint}" - - # Kill any running processes accessing mntpoint + # Kill any running processes accessing mount point if lsof is available + if type lsof 2>/dev/null 1>/dev/null; then for pid in $(lsof -t ${mntpoint}); do pidstr=$(ps -f ${pid} | tail -n 1) printf 'Halting %s %d\n' "${pid}" "${pidstr##* }" kill "${pid}" done + fi - # Unmount - umount "${mntpoint}" - done - cryptsetup luksClose "${name}" - done < "${TAB}" + umount -R "${mount}" || : + + printf 'Closing cryptdevice %s (%s)\n' "${dev}" "${mapper}" + cryptsetup luksClose "${mapper}" + done } -# # Checks each device listed in the crypttab file for its current status # (encrypted, or decrypted). -# -function stat_entries { - local _name # Name of the mount - local _dev # Device to be decrypted - if [ ! -f "${tab}" ]; then - printf 'Could not access %s.\n' "${tab}" +stat_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read line; do - _name=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 2) + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mapper="${dev////_}" - if [ -L "/dev/mapper/${name}" ]; then - printf '%s decrypted at /dev/mapper/%s\n' "${_dev}" "${_name}" + if [ -L "/dev/mapper/${mapper}" ]; then + printf '%s decrypted at /dev/mapper/%s\n' "${dev}" "${mapper}" else printf '%s not decrypted\n' "${_dev}" fi done < "${TAB}" } -# # Decrypts each encrypted device listed in crypttab -# -function setup_entries { - local _name # Name of the encrypted mount - local _dev # Encrypted device path - local _key # Encryption key to decrypt the device with - - if [ ! -f "${tab}" ]; then - printf 'Could not access %s.\n' "${tab}" +setup_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi - while read entry; do - _name=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) - _key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 3) + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) + mount="${entry##* }" + mapper="${dev////_}" - printf 'Decrypting %s using key %s.\n' "${_dev}" "${_key}" - printf 'Plaintext device is at /dev/mapper/%s\n' "${_name}" - cryptsetup luksOpen "${_dev}" "${_name}" --key-file "${_key}" + printf 'Decrypting %s using key %s.\n' "${dev}" "${key}" + cryptsetup luksOpen "${dev}" "${mapper}" --key-file "${key}" + printf 'Plaintext device is at /dev/mapper/%s\n' "${mapper}" + + printf 'Mounting /dev/mapper/%s to %s\n' "${mapper}" "${mount}" + mount "/dev/mapper/${mapper}" "${mount}" done - done < "${tab}" } -case $1 in +case "${1:-}" in start) setup_entries mount -a diff --git a/crypttab.example b/crypttab.example new file mode 100644 index 0000000..07b2586 --- /dev/null +++ b/crypttab.example @@ -0,0 +1,4 @@ +# +# /etc/crypttab: Crypttab file system information +# +# <crypt_device> <key_path> <mount_path> |