LUKS remote decrypt (dropbear) for Ubuntu 16.04.1 on btrfs array
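#!/bin/bash
## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub
#
# Installs dropbear into the initramfs, seeds its authorized_keys, and adds an
# initramfs-tools hook that drops an "unlocker" script into the dropbear home
# directory. After a reboot, ssh into the initramfs and run ~/unlocker to open
# the LUKS containers, rescan the btrfs array and let 'init' continue.
#
# Configuration (environment, all optional):
#   LUKS_DEVICES  space-separated device names under /dev to luksOpen, in
#                 order; each is mapped as <name>_crypt, so the names should
#                 match /etc/crypttab (default: "sda3 sdb3 sdc3")
#   HOOK_FILE     where the initramfs hook is written
#                 (default: /usr/share/initramfs-tools/hooks/dropbear-unlocker;
#                 /etc/initramfs-tools/hooks is the local-admin location)
#
# Use at your own risk!
set -euo pipefail

readonly LUKS_DEVICES=${LUKS_DEVICES:-"sda3 sdb3 sdc3"}
readonly HOOK_FILE=${HOOK_FILE:-/usr/share/initramfs-tools/hooks/dropbear-unlocker}
readonly INITRAMFS_SSH_DIR=/etc/initramfs-tools/root/.ssh

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Safety Check -- a non-root run must fail with a non-zero status, not exit 0.
if [[ "$EUID" -ne 0 ]]; then
  die "You must run this as root"
fi

# Warn early if a configured device is not visible on this system; the
# generated unlocker will fail at boot if the names are wrong.
# shellcheck disable=SC2086 -- LUKS_DEVICES is a space-separated list
for dev in $LUKS_DEVICES; do
  if [[ ! -b "/dev/$dev" ]]; then
    printf 'warning: /dev/%s is not a block device on this system\n' "$dev" >&2
  fi
done

# Install Dropbear (apt-get rather than apt: apt's CLI is not meant for scripts)
DEBIAN_FRONTEND=noninteractive apt-get -y install dropbear || die "dropbear install failed"

# Setup authorized keys for the initramfs dropbear. Only public keys belong
# here: the initramfs image itself is not encrypted.
mkdir -p "$INITRAMFS_SSH_DIR"
echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
pubkey=
IFS= read -r -e pubkey || true   # EOF on stdin counts as "leave empty"
if [[ -z "$pubkey" ]]; then
  [[ -r ~/.ssh/authorized_keys ]] || die "~/.ssh/authorized_keys not found; paste a public key instead"
  cp -- ~/.ssh/authorized_keys "$INITRAMFS_SSH_DIR/authorized_keys"
else
  # Refuse the obvious mistake of pasting a private key into the initramfs.
  [[ "$pubkey" != *"PRIVATE KEY"* ]] || die "that looks like a private key; paste the .pub contents"
  printf '%s\n' "$pubkey" >> "$INITRAMFS_SSH_DIR/authorized_keys"
fi
chmod 700 "$INITRAMFS_SSH_DIR"
chmod 600 "$INITRAMFS_SSH_DIR/authorized_keys"

# Add hook to create unlocker script. The hook is written in three parts so
# that the literal heredocs stay literal (no backslash-escaping of $) while the
# cryptsetup lines are generated from LUKS_DEVICES.
{
  cat <<'END'
#!/bin/sh
# initramfs-tools hook: install ~/unlocker into the dropbear home directory.
PREREQ="dropbear"
prereqs() {
  echo "$PREREQ"
}
case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
. "$CONFDIR/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
# Mirror the dropbear hook: run if explicitly enabled, or in case of a
# cryptroot setup if not explicitly disabled.
if [ "$DROPBEAR" != y ]; then
  if [ "$DROPBEAR" = n ] || [ ! -r /etc/crypttab ]; then
    exit 0
  fi
fi
if [ ! -x /usr/sbin/dropbear ]; then
  if [ "$DROPBEAR" = y ]; then
    echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
  else
    echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
  fi
  exit 0
fi
# The dropbear hook creates a root* home directory inside the initramfs; the
# unlocker goes there so it is reachable as ~/unlocker after login. Use a glob
# instead of parsing ls, and fail loudly rather than write to $DESTDIR/unlocker.
home=
for d in "$DESTDIR"/root*; do
  if [ -d "$d" ]; then
    home=$d
    break
  fi
done
if [ -z "$home" ]; then
  echo "dropbear-unlock: FAILURE: no root* home directory found in $DESTDIR" >&2
  exit 1
fi
s="$home/unlocker"
# Copy the unlock script
cat > "$s" <<'UNLOCK'
#!/bin/sh
# With a single disk it is enough to ask for the key the normal way:
#   /scripts/local-top/cryptroot
# With multiple disks, open each container explicitly
END
  # shellcheck disable=SC2086 -- LUKS_DEVICES is a space-separated list
  for dev in $LUKS_DEVICES; do
    printf '/sbin/cryptsetup luksOpen /dev/%s %s_crypt\n' "$dev" "$dev"
  done
  cat <<'END'
# Hack to address https://goo.gl/2fGjCY
[ -e /dev/btrfs-control ] || mknod /dev/btrfs-control c 10 234
btrfs device scan
# Kill these programs to keep 'init' moving. (busybox ps/grep/awk in initramfs;
# skip kill when nothing matched so it does not print a usage error)
echo "Loading OS..."
pids=$(ps | grep cryptsetup | grep askpass | awk '{print $1}')
[ -n "$pids" ] && kill -9 $pids > /dev/null
pids=$(ps | grep /bin/sh | grep cryptroot | awk '{print $1}')
[ -n "$pids" ] && kill -9 $pids > /dev/null
exit 0
UNLOCK
chmod +x "$s"
echo "unlocker: loaded"
END
} > "$HOOK_FILE"
chmod +x "$HOOK_FILE"

# Rebuild initramfs
update-initramfs -u || die "update-initramfs failed"
echo "Done! Reboot to initramfs and run ~/unlocker"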
Check out https://github.com/BinaryShrub/ubuntu-btrfs-luks for a guide and updated info for Ubuntu 20.04 LTS