shokinn/initramfs-unlocker.sh

## initramfs-unlocker.sh
#!/bin/bash
## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub

# NOTES:
# Tailor lines 108 - 110 to your system before running!
# Use at your own risk!

# Safety Check
if [ "$EUID" -ne 0 ]
  then echo "You must run this as root"
  exit
fi

# Install Dropbear
apt -y install dropbear

# Setup authorized keys
mkdir -p /etc/initramfs-tools/root/.ssh
echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
read -e r
if [[ -z "$r" ]]; then
    cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys
else
    echo "$r" >> /etc/initramfs-tools/root/.ssh/authorized_keys
fi

# Convert OpenSSH host keys to prevent "remote host identification has changed!" message.
while [ "$stop_loop" != true ]; do
  echo "Do you want to convert your existing OpenSSH host keys to dropbear host keys? (to prevent 'remote host identification has changed!' message) (yes/no):"
  read -e confirm_convert
  if [ "${confirm_convert,,}" = "yes" ]; then
    rm /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key > /dev/null
    rm /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key > /dev/null
    rm /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key > /dev/null
    # Convert DSS (DSA) host key
    echo "Insert path to DSS (DSA) host key (Leave empty to use /etc/ssh/ssh_host_dsa_key):"
    read -e dsa
    if [[ -z "$dsa" ]]; then
        /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
    else
        /usr/lib/dropbear/dropbearconvert openssh dropbear "$dsa" /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
    fi
    # Convert ecdsa host key
    echo "Insert path to ECDSA host key (Leave empty to use /etc/ssh/ssh_host_ecdsa_key):"
    read -e ecdsa
    if [[ -z "$ecdsa" ]]; then
        /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
    else
        /usr/lib/dropbear/dropbearconvert openssh dropbear "$ecdsa" /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
    fi
    # Convert RSA host key
    echo "Insert path to RSA host key (Leave empty to use /etc/ssh/ssh_host_rsa_key):"
    read -e rsa
    if [[ -z "$rsa" ]]; then
        /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
    else
        /usr/lib/dropbear/dropbearconvert openssh dropbear "$rsa" /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
    fi
    stop_loop=true
  elif [ "${confirm_convert,,}" = "no" ]; then
    stop_loop=true
  else
    echo "You have to type 'yes' or 'no'."
    sleep 3
  fi
done

# Add hook to create unlocker script
f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
cat <<\END > "$f"
#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. "$CONFDIR/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

# Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
[ "$DROPBEAR" = y ] || [ "$DROPBEAR" != n -a -r /etc/crypttab ] || exit 0

if [ ! -x "/usr/sbin/dropbear" ]; then
    if [ "$DROPBEAR" = y ]; then
        echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
    else
        echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
    fi
    exit 0
fi

# Copy the unlock script
s="$DESTDIR/$(ls $DESTDIR | grep root)/unlocker"
echo "#!/bin/sh

# Ask for decrypt key with one disk
# /scripts/local-top/cryptroot
# With Multiple Disks
/sbin/cryptsetup open --type luks /dev/sda3 sda3_crypt
/sbin/cryptsetup open --type luks /dev/sdb3 sdb3_crypt
/sbin/cryptsetup open --type luks /dev/sdc3 sdc3_crypt

# Hack to address https://goo.gl/2fGjCY
mknod /dev/btrfs-control c 10 234
btrfs device scan

# Kill these programs to keep 'init' moving.
echo "Loading OS..."
kill -9 \$(ps | grep cryptsetup | grep askpass | awk '{print \$1}') > /dev/null
kill -9 \$(ps | grep /bin/sh | grep cryptroot | awk '{print \$1}') > /dev/null
exit 0
" > "$s"

chmod +x "$s"

echo "unlocker: loaded"
END

chmod +x "$f"

# Rebuild initramfs
update-initramfs -u

echo "Done! Reboot to initramfs and run ~/unlocker"
	#!/bin/bash
	## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub

	# NOTES:
	# Tailor lines 108 - 110 to your system before running!
	# Use at your own risk!

	# Safety Check
	if [ "$EUID" -ne 0 ]
	then echo "You must run this as root"
	exit
	fi

	# Install Dropbear
	apt -y install dropbear

	# Setup authorized keys
	mkdir -p /etc/initramfs-tools/root/.ssh
	echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
	read -e r
	if [[ -z "$r" ]]; then
	cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys
	else
	echo "$r" >> /etc/initramfs-tools/root/.ssh/authorized_keys
	fi

	# Convert OpenSSH host keys to prevent "remote host identification has changed!" message.
	while [ "$stop_loop" != true ]; do
	echo "Do you want to convert your existing OpenSSH host keys to dropbear host keys? (to prevent 'remote host identification has changed!' message) (yes/no):"
	read -e confirm_convert
	if [ "${confirm_convert,,}" = "yes" ]; then
	rm /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key > /dev/null
	rm /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key > /dev/null
	rm /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key > /dev/null
	# Convert DSS (DSA) host key
	echo "Insert path to DSS (DSA) host key (Leave empty to use /etc/ssh/ssh_host_dsa_key):"
	read -e dsa
	if [[ -z "$dsa" ]]; then
	/usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	else
	/usr/lib/dropbear/dropbearconvert openssh dropbear "$dsa" /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	fi
	# Convert ecdsa host key
	echo "Insert path to ECDSA host key (Leave empty to use /etc/ssh/ssh_host_ecdsa_key):"
	read -e ecdsa
	if [[ -z "$ecdsa" ]]; then
	/usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
	else
	/usr/lib/dropbear/dropbearconvert openssh dropbear "$ecdsa" /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
	fi
	# Convert RSA host key
	echo "Insert path to RSA host key (Leave empty to use /etc/ssh/ssh_host_rsa_key):"
	read -e rsa
	if [[ -z "$rsa" ]]; then
	/usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	else
	/usr/lib/dropbear/dropbearconvert openssh dropbear "$rsa" /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	fi
	stop_loop=true
	elif [ "${confirm_convert,,}" = "no" ]; then
	stop_loop=true
	else
	echo "You have to type 'yes' or 'no'."
	sleep 3
	fi
	done

	# Add hook to create unlocker script
	f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
	cat <<\END > "$f"
	#!/bin/sh

	PREREQ="dropbear"

	prereqs() {
	echo "$PREREQ"
	}

	case "$1" in
	prereqs)
	prereqs
	exit 0
	;;
	esac

	. "$CONFDIR/initramfs.conf"
	. /usr/share/initramfs-tools/hook-functions

	# Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
	[ "$DROPBEAR" = y ] \|\| [ "$DROPBEAR" != n -a -r /etc/crypttab ] \|\| exit 0

	if [ ! -x "/usr/sbin/dropbear" ]; then
	if [ "$DROPBEAR" = y ]; then
	echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
	else
	echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
	fi
	exit 0
	fi

	# Copy the unlock script
	s="$DESTDIR/$(ls $DESTDIR \| grep root)/unlocker"
	echo "#!/bin/sh

	# Ask for decrypt key with one disk
	# /scripts/local-top/cryptroot
	# With Multiple Disks
	/sbin/cryptsetup open --type luks /dev/sda3 sda3_crypt
	/sbin/cryptsetup open --type luks /dev/sdb3 sdb3_crypt
	/sbin/cryptsetup open --type luks /dev/sdc3 sdc3_crypt

	# Hack to address https://goo.gl/2fGjCY
	mknod /dev/btrfs-control c 10 234
	btrfs device scan

	# Kill these programs to keep 'init' moving.
	echo "Loading OS..."
	kill -9 \$(ps \| grep cryptsetup \| grep askpass \| awk '{print \$1}') > /dev/null
	kill -9 \$(ps \| grep /bin/sh \| grep cryptroot \| awk '{print \$1}') > /dev/null
	exit 0
	" > "$s"

	chmod +x "$s"

	echo "unlocker: loaded"
	END

	chmod +x "$f"

	# Rebuild initramfs
	update-initramfs -u

	echo "Done! Reboot to initramfs and run ~/unlocker"