Diffstat (limited to 'crypttab')
-rwxr-xr-x | crypttab | 109 |
1 files changed, 47 insertions, 62 deletions
@@ -1,4 +1,7 @@
 #!/usr/bin/env bash
+set -euo pipefail
+export IFS=$'\n\t'
+
 #
 # A script that handles basic crypttab functionality to mount encrypted volumes
 # on execution.
@@ -6,106 +9,88 @@ TAB=/etc/crypttab -# # Iterrates through all entries in crypttab with the purpose to close the # decrypted block devices (typically at /dev/mapper/*). # # NOTE: If any of the listed encrypted devices are mounted, attempts to umount # them first, since not doing so will cause the luksClose to hang. -# -function destroy_entries { - if [[ ! -f ${TAB} ]]; then - echo "Could not access ${TAB}." +destroy_entries() { + local dev='' + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read entry; do - local name=${entry%% *} - - # Unmount all mountpoins if mounted anywhere - # Cryptsetup luksClose will repeatedly fail if the devices is mounted - # anywhere, causing shutdowns to hang up. - for i in "$(mount | grep /dev/mapper/${name})"; do - local mntpoint=$(echo ${i} | tr -s ' ' | cut -d ' ' -f 3) - # Skip if empty - [[ ${mntpoint} == '' ]] && continue + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mount="${entry##* }" + mapper="${dev////_}" - echo "${name} mounted at ${mntpoint}. Unmounting" + printf '%s mounted at %s. Unmounting\n' "${dev}" "${mount}" - # Kill any running processes accessing mntpoint + # Kill any running processes accessing mount point if lsof is available + if type lsof 2>/dev/null 1>/dev/null; then for pid in $(lsof -t ${mntpoint}); do pidstr=$(ps -f ${pid} | tail -n 1) - echo "Halting ${pid} ${pidstr##* }" - kill ${pid} + printf 'Halting %s %d\n' "${pid}" "${pidstr##* }" + kill "${pid}" done + fi - # Unmount - umount ${mntpoint} - done + umount -R "${mount}" || : - cryptsetup luksClose ${name} - done < "${TAB}" + printf 'Closing cryptdevice %s (%s)\n' "${dev}" "${mapper}" + cryptsetup luksClose "${mapper}" + done } -# # Checks each device listed in the crypttab file for its current status # (encrypted, or decrypted). -# -function stat_entries { - local _name # Name of the mount - local _dev # Device to be decrypted - if [[ ! 
-f ${TAB} ]]; then - echo "Could not access ${TAB}." +stat_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi # For each entry in crypttab - while read line; do - _name=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${line} | tr -s ' ' | cut -d ' ' -f 2) + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + mapper="${dev////_}" - if [[ -L /dev/mapper/${_name} ]]; then - echo "${_name} (${_dev}) decrypted at /dev/mapper/${_name}" + if [ -L "/dev/mapper/${mapper}" ]; then + printf '%s decrypted at /dev/mapper/%s\n' "${dev}" "${mapper}" else - echo "${_name} (${_dev}) not decrypted." + printf '%s not decrypted\n' "${_dev}" fi done < "${TAB}" } -# # Decrypts each encrypted device listed in crypttab -# -function setup_entries { - local _name # Name of the encrypted mount - local _dev # Encrypted device path - local _key # Encryption key to decrypt the device with - - if [[ ! -f ${TAB} ]]; then - echo "Could not access ${TAB}." +setup_entries() { + if [ ! -f "${TAB}" ]; then + printf 'Could not access %s.\n' "${TAB}" exit 1 fi - while read entry; do - _name=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 1) - _dev=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) - _key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 3) - - # Skip any devices that are already decrypted - if [ -b "/dev/mapper/${_name}" ]; then - printf "Device ${_dev} already decrypted at /dev/mapper/${_name}.\n" - continue - fi - echo "Decrypting ${_dev} using key ${_key}." 
- echo "Plaintext device is at /dev/mapper/${_name}" - cryptsetup luksOpen ${_dev} ${_name} --key-file ${_key} - - done < "${TAB}" + for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"; do + dev="${entry%% *}" + key=$(echo ${entry} | tr -s ' ' | cut -d ' ' -f 2) + mount="${entry##* }" + mapper="${dev////_}" + + printf 'Decrypting %s using key %s.\n' "${dev}" "${key}" + cryptsetup luksOpen "${dev}" "${mapper}" --key-file "${key}" + printf 'Plaintext device is at /dev/mapper/%s\n' "${mapper}" + + printf 'Mounting /dev/mapper/%s to %s\n' "${mapper}" "${mount}" + mount "/dev/mapper/${mapper}" "${mount}" + done } -case $1 in +case "${1:-}" in start) setup_entries mount -a |
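Review bot: The new `for entry in "$(grep -v -e '^#' -e '^ *$' ${TAB})"` loops in destroy_entries, stat_entries and setup_entries quote the command substitution, so the body runs once with every crypttab line held in a single `entry`; with more than one entry, `${entry%% *}` is the first line's device, `${entry##* }` is the last line's mount point, and the remaining volumes are never opened or closed. Reading one entry per iteration avoids that, for example `while IFS=$' \t' read -r dev key mount; do` closed by `done < <(grep -v -e '^#' -e '^ *$' "${TAB}")` (assuming three fields per entry), with `dev`, `key`, `mount` and `mapper` declared `local`. destroy_entries also still expands `${mntpoint}` in the lsof loop and stat_entries still prints `${_dev}`, neither of which is assigned any more, so under the `set -u` added at the top of the file those paths abort; in destroy_entries that happens before `cryptsetup luksClose` is reached, leaving the mapping open, and the intended names look like `${mount}` and `${dev}`. In the same loop `printf 'Halting %s %d\n'` is given `${pidstr##* }`, which is text rather than a number, so `%s` fits there, and the leftover `done < "${TAB}"` after the `for` loop in stat_entries can be dropped.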