LUKS remote decrypt (dropbear) for Ubuntu 16.04.1 on btrfs array
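#!/bin/bash
## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub
# NOTES:
# Tailor the three "cryptsetup open" device lines inside the unlocker script
# further down (they hard-code /dev/sda3, /dev/sdb3 and /dev/sdc3) to your
# system before running!
# Use at your own risk!
#
# What the script does, in order:
#   1. refuses to run unless it is root,
#   2. installs dropbear,
#   3. seeds /etc/initramfs-tools/root/.ssh/authorized_keys,
#   4. optionally converts the OpenSSH host keys into dropbear host keys,
#   5. installs an initramfs hook that writes an "unlocker" script into the
#      initramfs and rebuilds the initramfs.
# The script prompts on stdin, so it is interactive by design.

# Safety check: everything below writes under /etc and /usr and calls apt,
# so stop early -- with a non-zero status so callers can notice -- when not
# running as root.
if [ "$EUID" -ne 0 ]; then
  echo "You must run this as root" >&2
  exit 1
fi

# Install Dropbear. The later steps assume this leaves
# /etc/initramfs-tools/etc/dropbear/ in place (host keys are written there).
apt -y install dropbear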
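# Setup authorized keys for the dropbear that runs inside the initramfs.
# Anyone holding a private key listed here can log into the initramfs and
# reach the LUKS passphrase prompt via the unlocker (the passphrase itself is
# still required), so treat this file like a root authorized_keys.
auth_dir=/etc/initramfs-tools/root/.ssh
auth_file="$auth_dir/authorized_keys"
mkdir -p "$auth_dir"
echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
# -r keeps any backslash in the pasted key literal; -e keeps line editing.
read -r -e r
if [[ -z "$r" ]]; then
  cp ~/.ssh/authorized_keys "$auth_file"
else
  # printf, not echo: the pasted line is data and must never be parsed as
  # echo options.
  printf '%s\n' "$r" >> "$auth_file"
fi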
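# Convert OpenSSH host keys to prevent "remote host identification has changed!" message.
# NOTE(review): the converted keys are bundled into the initramfs by the
# update-initramfs call at the end of this script, so the OS host *private*
# keys then also live in the initramfs image (typically on an unencrypted
# /boot). Decide whether that fits your threat model before answering "yes".

#######################################
# Convert one OpenSSH host key to dropbear format, asking for its path.
# Arguments: $1 - label shown in the prompt (e.g. "DSS (DSA)")
#            $2 - OpenSSH key path used when the answer is empty
#            $3 - destination dropbear host key path
# Outputs:   prompt on stdout; reads the path from stdin
# Returns:   dropbearconvert's exit status
#######################################
convert_host_key() {
  local label=$1 default_src=$2 dest=$3
  local src
  echo "Insert path to $label host key (Leave empty to use $default_src):"
  read -r -e src
  if [[ -z "$src" ]]; then
    src=$default_src
  fi
  /usr/lib/dropbear/dropbearconvert openssh dropbear "$src" "$dest"
}

dropbear_dir=/etc/initramfs-tools/etc/dropbear
stop_loop=false
while [ "$stop_loop" != true ]; do
  echo "Do you want to convert your existing OpenSSH host keys to dropbear host keys? (to prevent 'remote host identification has changed!' message) (yes/no):"
  # read fails on EOF; without this check an exhausted stdin (e.g. piped
  # input) would make the loop print the "yes or no" message forever.
  if ! read -r -e confirm_convert; then
    echo "No answer on stdin; aborting host key conversion." >&2
    exit 1
  fi
  case "${confirm_convert,,}" in
    yes)
      # Remove any existing dropbear host keys first. -f: a missing file is
      # not an error (the original's "> /dev/null" only hid stdout, not
      # rm's stderr complaints).
      rm -f -- "$dropbear_dir/dropbear_dss_host_key" \
               "$dropbear_dir/dropbear_ecdsa_host_key" \
               "$dropbear_dir/dropbear_rsa_host_key"
      convert_host_key "DSS (DSA)" /etc/ssh/ssh_host_dsa_key "$dropbear_dir/dropbear_dss_host_key"
      convert_host_key "ECDSA" /etc/ssh/ssh_host_ecdsa_key "$dropbear_dir/dropbear_ecdsa_host_key"
      convert_host_key "RSA" /etc/ssh/ssh_host_rsa_key "$dropbear_dir/dropbear_rsa_host_key"
      stop_loop=true
      ;;
    no)
      stop_loop=true
      ;;
    *)
      echo "You have to type 'yes' or 'no'."
      sleep 3
      ;;
  esac
done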
# Add hook to create unlocker script.
# The hook written below runs at initramfs build time (update-initramfs).
# It exits early unless DROPBEAR=y, or DROPBEAR!=n with a readable
# /etc/crypttab, and unless /usr/sbin/dropbear exists; otherwise it writes
# an "unlocker" script into the entry of $DESTDIR whose name contains "root"
# (presumably the home directory SSH logins land in -- verify against the
# dropbear initramfs hook on your system) and marks it executable.
# The unlocker itself (the inner echo) opens three hard-coded LUKS devices
# (/dev/sda3, /dev/sdb3, /dev/sdc3), creates /dev/btrfs-control and runs
# "btrfs device scan" so the btrfs array assembles, then kills the
# still-waiting askpass / cryptroot processes so init keeps moving.
# Edit those device lines for your system before running this script.
# NOTE(review): the heredoc delimiter is escaped (\END), so nothing inside
# it is expanded here; the "\$" sequences in the inner echo are expanded
# when the hook runs and become literal "$" in the unlocker.
# NOTE(review): /usr/share/initramfs-tools/hooks is the package-owned hook
# directory; /etc/initramfs-tools/hooks is the usual place for local hooks.
# Kept as the author wrote it.
f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
cat <<\END > "$f"
#!/bin/sh
PREREQ="dropbear"
prereqs() {
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
. "$CONFDIR/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
# Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
[ "$DROPBEAR" = y ] || [ "$DROPBEAR" != n -a -r /etc/crypttab ] || exit 0
if [ ! -x "/usr/sbin/dropbear" ]; then
if [ "$DROPBEAR" = y ]; then
echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
else
echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
fi
exit 0
fi
# Copy the unlock script
s="$DESTDIR/$(ls $DESTDIR | grep root)/unlocker"
echo "#!/bin/sh
# Ask for decrypt key with one disk
# /scripts/local-top/cryptroot
# With Multiple Disks
/sbin/cryptsetup open --type luks /dev/sda3 sda3_crypt
/sbin/cryptsetup open --type luks /dev/sdb3 sdb3_crypt
/sbin/cryptsetup open --type luks /dev/sdc3 sdc3_crypt
# Hack to address https://goo.gl/2fGjCY
mknod /dev/btrfs-control c 10 234
btrfs device scan
# Kill these programs to keep 'init' moving.
echo "Loading OS..."
kill -9 \$(ps | grep cryptsetup | grep askpass | awk '{print \$1}') > /dev/null
kill -9 \$(ps | grep /bin/sh | grep cryptroot | awk '{print \$1}') > /dev/null
exit 0
" > "$s"
chmod +x "$s"
echo "unlocker: loaded"
END
# The hook must be executable or initramfs-tools skips it.
chmod +x "$f"
# Rebuild the initramfs so the new hook runs and the unlocker (plus the
# authorized_keys and any converted host keys) is bundled into the image.
update-initramfs -u
printf '%s\n' "Done! Reboot to initramfs and run ~/unlocker"