Last active
October 5, 2017 15:51
-
-
Save thorrr/d49cb71c4158b34ae06bb040e46ffb1b to your computer and use it in GitHub Desktop.
Disable password on encrypted LUKS drive
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -euf -o pipefail | |
| ################## | |
| # User variables | |
| ################# | |
| KEY_SLOT=5 | |
| DEVICE=/dev/sda5 | |
| PASSWORD=password | |
| # make tmpfiles here | |
| TMP_DIR=$(mktemp -d) | |
| TMP_PASSWORD="$TMP_DIR/password_fifo" | |
| mkfifo $TMP_PASSWORD | |
| function finish { | |
| rm -rf "$TMP_DIR" | |
| } | |
| trap finish EXIT | |
| ############## | |
| # constants | |
| ############## | |
| UNLOCK_FILE=/usr/local/sbin/crypto-unlock-drive.sh | |
| RAW_DEVICENAME=$(basename "$DEVICE") | |
| ############### | |
| # start | |
| ############### | |
| # Sanity checks | |
| set +e | |
| cryptsetup luksDump "$DEVICE" > /dev/null 2>&1 | |
| if [ $? -ne 0 ]; then | |
| echo "error: device $DEVICE isn't a valid LUKS device" | |
| exit 1 | |
| fi | |
| if [ "$KEY_SLOT" -eq 0 ]; then | |
| echo "error: you've chosen to overwrite key slot 0." | |
| echo "you almost certainly don't want to do this." | |
| echo "exiting..." | |
| exit 1 | |
| fi | |
| cryptsetup luksDump "$DEVICE" | grep "$KEY_SLOT: DISABLED" > /dev/null 2>&1 | |
| if [ $? -ne 0 ]; then | |
| echo "error: key slot $KEY_SLOT is in use" | |
| exit 1 | |
| fi | |
| # check for crypttab that mentions (for example) sda5 | |
| UPDATE_DEVICE=0 | |
| grep "$RAW_DEVICENAME" /etc/crypttab > /dev/null 2>&1 | |
| if [ $? -eq 0 ]; then | |
| # found the raw devicename so we need to replace it | |
| UPDATE_DEVICE=1 | |
| fi | |
| UPDATE_DEVICE=0 # not needed on physical machines | |
| set -e # turn error checking back on | |
| # backup the files we're about to change | |
| cp /etc/crypttab "/etc/crypttab.bak.$(date +%F_%R)" | |
| if [ -f "$UNLOCK_FILE" ]; then | |
| cp "$UNLOCK_FILE" "$UNLOCK_FILE.$(date +%F_%R)" | |
| fi | |
| # create unlock script with hardcoded password | |
| cat << EOF > "$UNLOCK_FILE" | |
| #!/bin/sh | |
| echo -n $PASSWORD | |
| EOF | |
| chmod +x "$UNLOCK_FILE" | |
| # add password | |
| "$UNLOCK_FILE" > "$TMP_PASSWORD" & | |
| cryptsetup luksAddKey "$DEVICE" --key-slot "$KEY_SLOT" "$TMP_PASSWORD" | |
| # modify /etc/crypttab in place | |
| # use ":" instead of "/" because $UNLOCK_FILE has forward slashes | |
| sed -i -e "s:luks\$:luks,keyscript=$UNLOCK_FILE:" /etc/crypttab | |
| DEVICE_UUID=$(sed -e 's/^.*UUID=\([^[:space:]]*\) none.*/\1/' /etc/crypttab) | |
| if [ $UPDATE_DEVICE -eq 1 ]; then | |
| sed -i -e "s/${RAW_DEVICENAME}_crypt/luks-$DEVICE_UUID/" /etc/crypttab | |
| fi | |
| # finally, update initramfs | |
| update-initramfs -u -k all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment