ref: fdc28f072ae269ab9c3f876ed452c6c3d5a769aa
parent: 7e7fed4fee4c2e0bafd4a9714649b185b8696921
author: lemmarathon <lemmarathon@protonmail.com>
date: Mon Apr 30 15:51:50 CDT 2018
Add support for keyfiles

The "cryptkey" boot parameter enables keyfile decryption. By default, init will look for a keyfile named "/crypto_keyfile.bin". Another file may be specified with "cryptkey=/path/to/keyfile.bin". If keyfile decryption fails (or the keyfile is missing), init will fall back to passphrase mode.
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@
features.d/btrfs.modules \
features.d/cdrom.modules \
features.d/cramfs.modules \
+ features.d/cryptkey.files \
features.d/cryptsetup.files \
features.d/cryptsetup.modules \
features.d/ena.modules \
--- /dev/null
+++ b/features.d/cryptkey.files
@@ -1,0 +1,1 @@
+/crypto_keyfile.bin
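Review bot: Listing `/crypto_keyfile.bin` here appears to copy the LUKS keyfile into the initramfs image itself, so anyone who can read that image (on most layouts an unencrypted /boot, or any backup of it) holds the key material and the passphrase no longer protects the volume. That trade-off is only acceptable for unattended boot when the image lives on protected or encrypted media, and it needs to be stated somewhere — the commit message or whatever documents the cryptkey option — since this list format gives no room for a comment. It is also worth confirming what the image builder does when the file is absent on the build host and whether the keyfile's mode (it should be root-only, 0600) survives the copy; a hard build failure is preferable to an image that silently boots into passphrase mode. Neither behaviour is visible in this diff.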
--- a/initramfs-init.in
+++ b/initramfs-init.in
@@ -274,9 +274,9 @@
set -- $(cat /proc/cmdline)
myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader cryptoffset
- cryptdiscards debug_init dma init_args keep_apk_new modules ovl_dev pkgs quiet
- root_size root usbdelay ip alpine_repo apkovl alpine_start splash blacklist
- overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
+ cryptdiscards cryptkey debug_init dma init_args keep_apk_new modules ovl_dev
+ pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
+ blacklist overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
for opt; do
case "$opt" in
@@ -396,6 +396,11 @@
fi
if [ -n "$KOPT_cryptoffset" ]; then
cryptopts="$cryptopts -o ${KOPT_cryptoffset}"
+ fi
+ if [ "$KOPT_cryptkey" = "yes" ]; then
+ cryptopts="$cryptopts -k /crypto_keyfile.bin"
+ elif [ -n "$KOPT_cryptkey" ]; then
+ cryptopts="$cryptopts -k ${KOPT_cryptkey}"
fi
fi
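Review bot: Neither branch checks that the keyfile path exists inside the initramfs, so a typo in `cryptkey=` or an image that did not pick up `/crypto_keyfile.bin` goes unnoticed until the user is unexpectedly asked for a passphrase. Because init runs on the same filesystem that nlplug-findfs will read, it can warn up front; folding the `yes` case into the general one also removes the duplicated `-k` assembly. The enclosing `if` these lines sit in starts before the hunk. Note that `cryptopts` is accumulated as a plain string (presumably expanded unquoted when nlplug-findfs is invoked), so a keyfile path containing whitespace cannot be passed either way; documenting that restriction is cheaper than fixing it.
```shell
	if [ "$KOPT_cryptkey" = "yes" ]; then
		KOPT_cryptkey=/crypto_keyfile.bin
	fi
	if [ -n "$KOPT_cryptkey" ]; then
		# warn now: nlplug-findfs silently falls back to a passphrase prompt
		[ -f "$KOPT_cryptkey" ] || echo "cryptkey: $KOPT_cryptkey not found in initramfs, will prompt for passphrase"
		cryptopts="$cryptopts -k $KOPT_cryptkey"
	fi
```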
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@
struct cryptdev {
char *device;
char *name;
+ char *key;
char devnode[256];
};
@@ -594,6 +595,18 @@
goto free_out;
}
+ struct stat st;
+ if (!stat(c->crypt.data.key, &st)) {
+ pthread_mutex_lock(&c->crypt.mutex);
+ r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+ CRYPT_ANY_SLOT,
+ c->crypt.data.key, st.st_size,
+ c->crypt.flags);
+ pthread_mutex_unlock(&c->crypt.mutex);
+ if (r >= 0)
+ goto free_out;
+ }
+
while (passwd_tries > 0) {
char pass[1024];
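Review bot: When the keyfile exists but does not unlock the device (wrong key, stale slot), the new block drops into the passphrase loop without any message, so an operator who expected unattended boot sees only an unexplained prompt; a one-line diagnostic before the loop keeps the two cases distinguishable, e.g. `fprintf(stderr, "keyfile %s rejected (%d), falling back to passphrase\n", c->crypt.data.key, r);` (or the file's own logging helper, if it has one). `stat()` is also called unconditionally, so the no-`-k` case with a NULL `key` relies on the kernel returning EFAULT rather than on the code; `if (c->crypt.data.key && !stat(c->crypt.data.key, &st)) {` makes the intent explicit. libcryptsetup treats a `keyfile_size` of 0 as "read the whole file", so `st.st_size` is only serving as an existence check here. The function containing this block starts and ends outside the hunk.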
@@ -1173,6 +1186,7 @@
" -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
" -h show this help\n"
" -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+ " -k CRYPTKEY path to keyfile\n"
" -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
" -o OFFSET cryptsetup payload offset\n"
" -D allow discards on crypto device\n"
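Review bot: The `-k` help line says only "path to keyfile" and omits the one thing a caller needs to know: the passphrase prompt is still used when the keyfile is missing or rejected. I would write it as `" -k CRYPTKEY unlock CRYPTDEVICE with keyfile CRYPTKEY (prompt for passphrase if it fails)\n"`, keeping the column alignment of the neighbouring lines. That fallback is what the commit message promises, so the usage text should say the same.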
@@ -1237,6 +1251,9 @@
break;
case 'h':
usage(0);
+ break;
+ case 'k':
+ conf.crypt.data.key = EARGF(usage(1));
break;
case 'm':
conf.crypt.data.name = EARGF(usage(1));
--- a/test.sh
+++ b/test.sh
@@ -76,6 +76,13 @@
[ "$operation" = "header" ] && echo "> Formatting '$block' with header '$header' and passphrase '$passphrase'."
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q $block - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q --header $header $block - 2>&1 | sed 's/^/\t/g'
+
+ echo "> Creating keyfile"
+ dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g'
+ echo "> Adding keyfile to device"
+ [ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q $block keyfile - 2>&1 | sed 's/^/\t/g'
+ [ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q --header $header $block keyfile - 2>&1 | sed 's/^/\t/g'
+
echo "> Opening the device '$block' as /dev/mapper/temp-test"
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q $block temp-test - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q --header $header $block temp-test - 2>&1 | sed 's/^/\t/g'
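Review bot: The keyfile is created with the caller's default umask and nothing in this hunk removes it, so a test run may leave a world-readable file named `keyfile` in the working directory that can unlock the test device; cleanup may exist elsewhere in the script, but it is not visible here. `( umask 077; dd if=/dev/urandom of=keyfile count=1 bs=512 )` keeps it private from creation, and `rm -f keyfile` belongs in the script's teardown. Piping `dd` into `sed` also hides dd's exit status, so a failed keyfile creation is only noticed later by `luksAddKey`; that matches the pattern of the existing lines, so it is a pre-existing weakness rather than a regression.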
@@ -91,6 +98,27 @@
sudo umount local-mount
echo "> Closing the device '/dev/mapper/temp-test'"
sudo cryptsetup luksClose temp-test
+
+ echo "> Testing nlplug-findfs on $block using keyfile"
+ [ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+ [ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+
+ if [ $retcode -eq 0 ]; then
+ echo "> Mounting the device"
+ sudo mount /dev/mapper/test-device local-mount
+ echo "> Getting proof"
+ check=$(cat local-mount/proof)
+ echo "Retrieved proof is: $check"
+ if [ "$check" != "$proof" ]; then
+ retcode=1
+ fi
+ fi
+ [ $retcode -eq 0 ] && echo "Operation succeeded, proofs match" || echo "Operation failed, proofs don't match"
+
+ echo "> Unmounting the fs"
+ mountpoint local-mount && sudo umount local-mount
+ echo "> Closing the device '/dev/mapper/test-device'"
+ [ -b /dev/mapper/test-device ] && sudo cryptsetup luksClose test-device
echo "> Testing nlplug-findfs on $block (passphrase was '$passphrase')"
[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
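Review bot: The two keyfile test invocations still pipe `$passphrase` into stdin, so if `-k keyfile` is ignored, mis-parsed or the keyfile is rejected, the passphrase fallback unlocks the device anyway and the proof check passes — as written the new test cannot fail for a keyfile regression. Feeding a deliberately wrong passphrase makes the keyfile the only way to succeed: `echo "wrong-$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1` (and the same for the `--header` variant), assuming the prompt loop gives up after its tries are exhausted, which the `passwd_tries` loop in nlplug-findfs.c suggests. A second negative case — a random file that was never added to the device, plus the real passphrase on stdin — would exercise the fallback the commit message promises.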