#!/usr/bin/env bash
#
# A script that handles basic crypttab functionality to mount encrypted volumes
# on execution.
#

# Strict mode: stop on an unhandled failure, on an unset variable, and when any
# stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Unquoted expansions split on newline and tab only, never on spaces. The
# value is exported as well, as in the original script.
IFS=$'\n\t'
export IFS

# Table listing the encrypted volumes this script opens and closes.
TAB='/etc/crypttab'
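#
# Iterates through all entries in crypttab and closes the matching decrypted
# block devices (typically at /dev/mapper/*).
#
# NOTE: If a listed device is mounted anywhere, it is unmounted first, since
# not doing so will cause the luksClose to hang.
#
# Globals:  TAB (read) - path of the crypttab file
# Outputs:  progress messages on stdout, the missing-crypttab error on stderr
# Returns:  exits 1 when crypttab is missing; with errexit active a failing
#           umount or luksClose ends the script
#
function destroy_entries {
  local name _rest mapped mntpoint pid pidstr

  if [ ! -f "${TAB}" ]; then
    printf 'Could not access %s.\n' "${TAB}" >&2
    exit 1
  fi

  # For each entry in crypttab. Fields may be separated by spaces or tabs, so
  # split on both for this read regardless of the script-wide IFS. The
  # `|| [ -n ... ]` keeps a last line that has no trailing newline.
  while IFS=$' \t' read -r name _rest || [ -n "${name}" ]; do
    # Skip blank lines and comments
    case "${name}" in
      '' | '#'*) continue ;;
    esac
    mapped="/dev/mapper/${name}"

    # Unmount every mount point of this mapping. The source column is compared
    # for equality: a pattern match on the name would also hit longer names
    # (vol1 vs vol10) and unmount, then kill users of, the wrong volume.
    # Limitation: a mount point containing spaces is truncated by the field
    # split, as it was before.
    while IFS= read -r mntpoint; do
      [ -n "${mntpoint}" ] || continue

      printf '%s mounted at %s. Unmounting\n' "${name}" "${mntpoint}"

      # Kill any running processes accessing mntpoint
      while IFS= read -r pid; do
        [ -n "${pid}" ] || continue
        # The process may already be gone; do not let that abort the shutdown.
        pidstr=$(ps -f "${pid}" | tail -n 1) || pidstr=''
        printf 'Halting %s %d\n' "${pidstr##* }" "${pid}"
        kill "${pid}" || true
      done < <(lsof -t "${mntpoint}")

      # NOTE(review): kill only sends SIGTERM and does not wait, so umount can
      # still find the mount busy and fail; confirm whether a wait is wanted.
      umount "${mntpoint}"
    done < <(mount | awk -v dev="${mapped}" '$1 == dev { print $3 }')

    cryptsetup luksClose "${name}"
  done < "${TAB}"
}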
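#
# Checks each device listed in the crypttab file for its current status
# (encrypted, or decrypted).
#
# Globals:  TAB (read) - path of the crypttab file
# Outputs:  one status line per entry on stdout
# Returns:  exits 1 when crypttab is missing
#
function stat_entries {
  local _name # Name of the mount
  local _dev  # Device to be decrypted
  local _rest # Remaining fields, unused here

  if [ ! -f "${TAB}" ]; then
    printf 'Could not access %s.\n' "${TAB}" >&2
    exit 1
  fi

  # For each entry in crypttab. Fields may be separated by spaces or tabs, so
  # split on both for this read regardless of the script-wide IFS.
  while IFS=$' \t' read -r _name _dev _rest || [ -n "${_name}" ]; do
    # Skip blank lines and comments
    case "${_name}" in
      '' | '#'*) continue ;;
    esac

    # NOTE(review): assumes /dev/mapper/<name> is created as a symlink; where
    # it is a plain device node this test reports "not decrypted" - confirm.
    if [ -L "/dev/mapper/${_name}" ]; then
      printf '%s decrypted at /dev/mapper/%s\n' "${_dev}" "${_name}"
    else
      printf '%s not decrypted\n' "${_dev}"
    fi
  done < "${TAB}"
}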
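#
# Decrypts each encrypted device listed in crypttab
#
# Globals:  TAB (read) - path of the crypttab file
# Outputs:  progress messages on stdout, errors on stderr
# Returns:  exits 1 when crypttab is missing; with errexit active a failing
#           luksOpen ends the script
#
function setup_entries {
  local _name # Name of the encrypted mount
  local _dev  # Encrypted device path
  local _key  # Key file to decrypt the device with
  local _rest # Remaining fields (options), unused here

  if [ ! -f "${TAB}" ]; then
    printf 'Could not access %s.\n' "${TAB}" >&2
    exit 1
  fi

  # crypttab is read on fd 3, not stdin: cryptsetup takes a passphrase from
  # stdin when it has no key file, and would otherwise consume the remaining
  # table lines as the passphrase.
  while IFS=$' \t' read -r _name _dev _key _rest <&3 || [ -n "${_name}" ]; do
    # Skip blank lines and comments
    case "${_name}" in
      '' | '#'*) continue ;;
    esac

    if [ -z "${_dev}" ]; then
      printf 'Skipping entry %s: no device given.\n' "${_name}" >&2
      continue
    fi

    case "${_key}" in
      '' | none | -)
        # crypttab uses an absent field, "none" or "-" for "no key file";
        # cryptsetup then asks for the passphrase itself.
        printf 'Decrypting %s using a passphrase prompt.\n' "${_dev}"
        printf 'Plaintext device is at /dev/mapper/%s\n' "${_name}"
        cryptsetup luksOpen "${_dev}" "${_name}"
        ;;
      *)
        # Only the key file's path is printed, never its content. The file
        # should be readable by root alone; that is not checked here.
        printf 'Decrypting %s using key %s.\n' "${_dev}" "${_key}"
        printf 'Plaintext device is at /dev/mapper/%s\n' "${_name}"
        cryptsetup luksOpen "${_dev}" "${_name}" --key-file "${_key}"
        ;;
    esac
  done 3< "${TAB}"
}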
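#
# Entry point: dispatch on the first argument.
#
# "${1:-}" keeps a call without arguments from tripping nounset, so it reaches
# the usage message instead of an "unbound variable" error.
#
case "${1:-}" in
  start)
    setup_entries
    mount -a
    ;;
  stop)
    destroy_entries
    ;;
  status)
    stat_entries
    ;;
  restart)
    # Run both phases in this process instead of re-executing "$0": a $0
    # without a slash would be looked up through PATH, and this script is
    # normally run as root.
    destroy_entries
    setup_entries
    mount -a
    ;;
  *)
    echo "usage: $0 [start|stop|restart|status]" >&2
    exit 2
    ;;
esac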