@Zellius
Last active February 11, 2020 13:20
Dummy bash script for DietPi with a USB Ethernet adapter. Preconfigures the OS to allow remote LUKS unlocking over Dropbear in the initramfs.
#!/bin/bash
#https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
#https://www.kali.org/tutorials/secure-kali-pi-2018/
#-k public ssh key (authorized_keys entry for the initramfs Dropbear)
#-p dropbear initramfs port
# Dropbear hardening defaults: -s disables password logins, -j disables local
# port forwarding, -k disables remote port forwarding.
DROPBEAR_OPTIONS='-s -j -k'
while getopts ":k:p:" opt; do
    case $opt in
        k) AUTH_KEY="$OPTARG"
        ;;
        p) DROPBEAR_OPTIONS+=" -p $OPTARG"
        ;;
        \?) echo "Invalid option -$OPTARG" >&2
        exit 1
        ;;
    esac
done
INITRAMFS_NAME='initramfs.gz'
NETWORK_DEVICE='eth1'
apt update && apt --assume-yes full-upgrade
#apt install busybox-static
apt --assume-yes install dropbear cryptsetup
echo "Add $NETWORK_DEVICE interface"
cat >/etc/network/interfaces.d/$NETWORK_DEVICE << EOL
allow-hotplug $NETWORK_DEVICE
iface $NETWORK_DEVICE inet dhcp
EOL
echo 'Add USB ethernet adapter into initramfs'
# ethtool reports the kernel driver for the adapter; that module has to be in the
# initramfs or the interface will not come up before the root filesystem is unlocked.
# Requires ethtool to be installed.
ethtool -i $NETWORK_DEVICE | grep -o '^driver: .*' | cut -f2- -d ' ' >> /etc/initramfs-tools/modules
echo 'Enable BusyBox and Dropbear in Initramf config'
cat >/etc/initramfs-tools/conf.d/my << EOL
BUSYBOX=y
DROPBEAR=y
#Optionally you can set DEVICE and IP params
#DEVICE=eth0
#IP=:::::eth0:dhcp
#IP=192.168.XX.XX::192.168.YY.YY:255.255.255.0::eth0:off
EOL
echo 'Add needed params into RPI cmdline.txt'
sed -i "1s/^/net.ifnames=0 ip=:::::$NETWORK_DEVICE:dhcp /" /boot/cmdline.txt
echo 'Add custom initramfs file'
cat >>/boot/config.txt << EOL
#Custom initramfs file
initramfs $INITRAMFS_NAME followkernel
EOL
if [ -z "$AUTH_KEY" ]; then
    echo "You didn't provide an authorized key! Don't forget to add it to /etc/dropbear-initramfs/authorized_keys and recreate the initramfs!"
else
    # Restrict the key to running cryptroot-unlock only: no shell, no forwarding
    echo "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command=\"/bin/cryptroot-unlock\" $AUTH_KEY" > /etc/dropbear-initramfs/authorized_keys
fi
echo 'Add dropbear options'
echo "DROPBEAR_OPTIONS=\"$DROPBEAR_OPTIONS\"" >> /etc/dropbear-initramfs/config
echo 'Make initramfs file'
# uname -r - current active kernel
# ls /lib/modules - all available kernels
mkinitramfs -o /boot/$INITRAMFS_NAME
cat << EOL
Double check /boot/config.txt: it should contain the initramfs field!
Create LUKS partitions:
$ cryptsetup luksFormat /dev/sda1
$ cryptsetup luksOpen /dev/sda1 name
$ mkfs.ext4 /dev/mapper/name
/etc/crypttab:
name UUID=XXXXX none luks,initramfs
/etc/fstab:
/dev/mapper/name /home ext4 defaults,noatime 0 1
Rebuild initramfs (remember to open LUKS partition first!)
$ mkinitramfs -o /boot/$INITRAMFS_NAME
$ reboot
EOL
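The script above builds the initramfs but never verifies that the result actually contains the USB NIC driver, Dropbear and the forced-command `authorized_keys`; if any of these is missing, the Pi will sit at the LUKS prompt with no way to reach it. The following post-build check is an added example, not part of the gist. It reuses the gist's `ethtool -i` parsing to derive the expected driver name and then scans an `lsinitramfs` listing for the required entries. The sample `ethtool` output and listing are constructed inline so it runs offline; the in-initramfs paths it looks for (`etc/dropbear/authorized_keys`, `sbin/dropbear`, `sbin/cryptsetup`, `bin/cryptroot-unlock`) are assumptions and should be adjusted to what `lsinitramfs /boot/initramfs.gz` shows on the target.

```shell
#!/bin/sh
# Added example (not from the gist): verify that a built initramfs contains
# everything remote LUKS unlocking needs. Works on saved command output so it
# can be tested offline; on the Pi, feed it live lsinitramfs/ethtool output.

# Extract the kernel driver name from `ethtool -i <iface>` output, using the
# same parsing the gist applies when filling /etc/initramfs-tools/modules.
driver_from_ethtool() {
    grep -o '^driver: .*' | cut -f2- -d ' '
}

# Check an lsinitramfs listing (one path per line, file given as $1) for:
#   - the NIC driver module ($2), so the interface comes up in early boot
#   - the dropbear binary and its authorized_keys
#   - cryptsetup and the cryptroot-unlock helper the forced command runs
# Returns 0 when everything is present, 1 otherwise (missing items on stderr).
# Path patterns are assumptions; adjust to your initramfs layout.
check_initramfs_listing() {
    listing="$1"
    driver="$2"
    missing=0
    for pattern in \
        "kernel/.*/${driver}\.ko" \
        "sbin/dropbear$" \
        "etc/dropbear/authorized_keys$" \
        "sbin/cryptsetup$" \
        "bin/cryptroot-unlock$"; do
        if ! grep -Eq "$pattern" "$listing"; then
            echo "missing from initramfs: $pattern" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample `ethtool -i eth1` output (not captured from real hardware).
SAMPLE_ETHTOOL='driver: asix
version: 1
bus-info: usb-placeholder'

# Constructed sample lsinitramfs listing; KVER stands in for the kernel version.
write_sample_listing() {
    cat > "$1" <<'EOF'
bin/cryptroot-unlock
etc/dropbear/authorized_keys
sbin/cryptsetup
usr/lib/modules/KVER/kernel/drivers/net/usb/asix.ko
usr/lib/modules/KVER/kernel/drivers/net/usb/usbnet.ko
usr/sbin/dropbear
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_listing "$tmp"
    drv=$(printf '%s\n' "$SAMPLE_ETHTOOL" | driver_from_ethtool)
    echo "driver module expected in initramfs: $drv"
    if check_initramfs_listing "$tmp" "$drv"; then
        echo "initramfs listing contains everything needed for remote unlock"
    fi
    rm -f "$tmp"
}

# Real use on the Pi (adjust interface and image name to the gist's variables):
#   lsinitramfs /boot/initramfs.gz > /tmp/initramfs.list
#   check_initramfs_listing /tmp/initramfs.list "$(ethtool -i eth1 | driver_from_ethtool)"
main
```

Run it after every `mkinitramfs` call, including the second one the gist prints instructions for, since a rebuild with the LUKS volume closed or with `/etc/initramfs-tools/modules` edited can silently drop one of these pieces.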