@shokinn
Forked from BinaryShrub/initramfs-unlocker.sh
Last active November 22, 2017 06:40
LUKS remote decrypt (dropbear) for Ubuntu 16.04.1 on btrfs array
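#!/bin/bash
## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub
# NOTES:
# Tailor the device list inside the embedded unlocker script (the lines naming
# /dev/sda3, /dev/sdb3 and /dev/sdc3 near the end of this file) to your system
# before running!
# Use at your own risk!
# Safety Check: everything below writes under /etc and /usr/share and calls
# apt and update-initramfs, so refuse to continue unless running as root.
# Exit non-zero so a calling script notices the refusal instead of seeing 0.
if [ "$EUID" -ne 0 ]; then
  echo "You must run this as root" >&2
  exit 1
fi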
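# Install Dropbear
# apt-get rather than apt: apt warns that its CLI is not stable for scripted
# use. Abort on failure, since dropbearconvert and the hook below depend on
# the package being present.
if ! apt-get install -y dropbear; then
  echo "Failed to install dropbear, aborting." >&2
  exit 1
fi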
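# Setup authorized keys
# Keys placed here are baked into the initramfs and grant a root shell in the
# pre-boot environment, so keep permissions tight and only append input that
# ssh-keygen can parse as a public key.
keydir=/etc/initramfs-tools/root/.ssh
keyfile=$keydir/authorized_keys
mkdir -p "$keydir"
chmod 700 "$keydir"
echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
# -r keeps backslashes in the pasted key literal.
read -e -r r
if [[ -z "$r" ]]; then
  if [[ ! -r "$HOME/.ssh/authorized_keys" ]]; then
    echo "$HOME/.ssh/authorized_keys not found; nothing to copy." >&2
    exit 1
  fi
  cp -- "$HOME/.ssh/authorized_keys" "$keyfile"
else
  # Validate the pasted line before appending: ssh-keygen -l fails on input
  # it cannot parse as a key (typos, partial pastes). If ssh-keygen is not
  # available the check is skipped with a warning rather than rejecting input.
  if command -v ssh-keygen > /dev/null 2>&1; then
    tmpkey=$(mktemp) || exit 1
    printf '%s\n' "$r" > "$tmpkey"
    if ! ssh-keygen -l -f "$tmpkey" > /dev/null 2>&1; then
      rm -f -- "$tmpkey"
      echo "Input does not look like an OpenSSH public key; not added." >&2
      exit 1
    fi
    rm -f -- "$tmpkey"
  else
    echo "ssh-keygen not found; appending key without validation." >&2
  fi
  printf '%s\n' "$r" >> "$keyfile"
fi
chmod 600 "$keyfile"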
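# Convert OpenSSH host keys to prevent "remote host identification has changed!" message.
# Without this the initramfs dropbear presents a different host key than the
# booted sshd, so clients see a host-key mismatch on every unlock.
dropbear_conf=/etc/initramfs-tools/etc/dropbear
dropbearconvert=/usr/lib/dropbear/dropbearconvert

# convert_host_key <label> <default source> <destination>
# Asks for a source path (Enter = default), converts it with dropbearconvert
# and reports failure on stderr instead of silently leaving the destination
# missing. Returns non-zero on any failure.
convert_host_key() {
  local label=$1 default_src=$2 dest=$3 src
  echo "Insert path to $label host key (Leave empty to use $default_src):"
  read -e -r src
  [[ -n "$src" ]] || src=$default_src
  if [[ ! -r "$src" ]]; then
    echo "Cannot read $src; $label host key not converted." >&2
    return 1
  fi
  if ! "$dropbearconvert" openssh dropbear "$src" "$dest"; then
    echo "dropbearconvert failed for $src." >&2
    return 1
  fi
}

while :; do
  echo "Do you want to convert your existing OpenSSH host keys to dropbear host keys? (to prevent 'remote host identification has changed!' message) (yes/no):"
  read -e -r confirm_convert
  case "${confirm_convert,,}" in
    yes)
      if [[ ! -x "$dropbearconvert" ]]; then
        echo "$dropbearconvert not found; is the dropbear package installed?" >&2
        exit 1
      fi
      # -f: not every package-generated key may exist; a missing one is not an error.
      rm -f -- "$dropbear_conf/dropbear_dss_host_key" \
        "$dropbear_conf/dropbear_ecdsa_host_key" \
        "$dropbear_conf/dropbear_rsa_host_key"
      # Each conversion reports its own failure; one missing key type does not
      # stop the others (DSS/DSA in particular is disabled by default in
      # OpenSSH 7.0+ clients and may not exist on the host).
      convert_host_key "DSS (DSA)" /etc/ssh/ssh_host_dsa_key "$dropbear_conf/dropbear_dss_host_key" || true
      convert_host_key "ECDSA" /etc/ssh/ssh_host_ecdsa_key "$dropbear_conf/dropbear_ecdsa_host_key" || true
      convert_host_key "RSA" /etc/ssh/ssh_host_rsa_key "$dropbear_conf/dropbear_rsa_host_key" || true
      break
      ;;
    no)
      break
      ;;
    *)
      echo "You have to type 'yes' or 'no'."
      sleep 3
      ;;
  esac
done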
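# Add hook to create unlocker script
# The hook runs at update-initramfs time and places a small interactive script
# in the initramfs root home, to be run by hand after logging in via dropbear.
# The outer heredoc delimiter is quoted, so nothing below is expanded now.
f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
cat <<\END > "$f"
#!/bin/sh
PREREQ="dropbear"
prereqs() {
  echo "$PREREQ"
}
case "$1" in
prereqs)
  prereqs
  exit 0
  ;;
esac
. "$CONFDIR/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
# Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
[ "$DROPBEAR" = y ] || { [ "$DROPBEAR" != n ] && [ -r /etc/crypttab ]; } || exit 0
if [ ! -x "/usr/sbin/dropbear" ]; then
  if [ "$DROPBEAR" = y ]; then
    echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
  else
    echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
  fi
  exit 0
fi
# Locate the root home directory the dropbear hook created inside the
# initramfs. It is expected to be named root or root-<suffix> (TODO confirm
# against the installed dropbear hook); take the first directory match instead
# of parsing ls output.
home=
for d in "$DESTDIR"/root*; do
  if [ -d "$d" ]; then
    home=$d
    break
  fi
done
if [ -z "$home" ]; then
  echo "dropbear-unlock: WARNING: no root home found in $DESTDIR, unlocker not installed" >&2
  exit 0
fi
s="$home/unlocker"
# Write the unlock script verbatim (quoted delimiter): it is only evaluated
# when run inside the initramfs.
cat > "$s" <<'UNLOCKER'
#!/bin/sh
# Ask for decrypt key with one disk
# /scripts/local-top/cryptroot
# With Multiple Disks: one unlock line per LUKS device. The mapper name must
# match the one used in /etc/crypttab. Tailor this list to your system.
# cryptsetup prompts for the passphrase on the terminal for each device.
unlock() {
  /sbin/cryptsetup open --type luks "$1" "$2" || echo "unlocker: could not open $1" >&2
}
unlock /dev/sda3 sda3_crypt
unlock /dev/sdb3 sdb3_crypt
unlock /dev/sdc3 sdc3_crypt
# Hack to address https://goo.gl/2fGjCY
[ -e /dev/btrfs-control ] || mknod /dev/btrfs-control c 10 234
btrfs device scan
# Kill these programs to keep 'init' moving.
# Errors from kill (e.g. no matching process) are hidden on purpose.
echo "Loading OS..."
kill -9 $(ps | grep cryptsetup | grep askpass | awk '{print $1}') 2> /dev/null
kill -9 $(ps | grep /bin/sh | grep cryptroot | awk '{print $1}') 2> /dev/null
exit 0
UNLOCKER
chmod +x "$s"
echo "unlocker: loaded"
END
chmod +x "$f"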
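# Rebuild initramfs
# update-initramfs returns non-zero when it cannot build the image; do not
# report success in that case, because the old initramfs (without the hook)
# is what would be booted.
if ! update-initramfs -u; then
  echo "update-initramfs failed; the unlocker hook is NOT in the initramfs." >&2
  exit 1
fi
echo "Done! Reboot to initramfs and run ~/unlocker"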