
Crypto-bicycle, or USB keys for a server

Many system administrators have, more than once, "reinvented the wheel" to perform some seemingly trivial task. I want to tell a detailed story about the invention of one such bicycle, reconstructed from the logs of a server that came in for preventive maintenance and from its service documentation. Warning: many words and console output ahead!


About two years ago I was given a rack server for my work, running GNU/Linux (read: a rather ancient Ubuntu), together with two 16 GB Transcend USB flash drives (I don't know why that size) to be turned into key carriers.
The task: encrypt the partitions holding the databases on the server, to prevent unauthorized access.
LUKS partition encryption was chosen to implement it.
The following tools were also needed:

Initially I planned to use the mechanism built into the distribution for unlocking and mounting encrypted file systems (/etc/crypttab together with /etc/fstab), but either lack of experience or some other reason led to a dead end. But first things first.

To begin with, of course, I booted from external media and made a full backup of all the data on the server, studying /etc/fstab along the way. Since nobody knew the superuser password, immediately after taking the backup I edited /etc/shadow and wrote the hash of a password I knew into the root line. (This is exactly the access that disk encryption is meant to defeat: anyone who can boot the machine from their own media owns an unencrypted system.) Having gained access to the installed system this way, I got down to business:
Connected to the network:
 # dhclient
Installed the cryptsetup utility, which contains the tools for working with LUKS:
 # apt-get update
 # apt-get install cryptsetup
Generated 256 random bytes and wrote them to the file /tmp/key, which becomes the key for the partition:
 # dd if=/dev/random of=/tmp/key bs=1 count=256
By the way, /tmp is mounted in RAM (tmpfs), so the key never lands on the system disk (tmpfs pages can still be swapped out, which is one of the reasons swap gets encrypted later on). Then I initialized the second partition of the first volume as a crypto_LUKS container and opened it, which creates the virtual partition /dev/mapper/dtb mapped onto the real, LUKS-encrypted one:
 # cryptsetup luksFormat /dev/sdb2 /tmp/key
 # cryptsetup luksOpen /dev/sdb2 dtb
On the virtual partition mapped onto the encrypted one I created a new ext4 file system and mounted it under /mnt:
 # mkfs.ext4 /dev/mapper/dtb
 # mount /dev/mapper/dtb /mnt

To transfer the data I stopped the PostgreSQL daemon:
 # /etc/init.d/postgresql stop
then copied all the files from /var/lib/pgsql to /mnt with Midnight Commander and emptied /var/lib/pgsql. (The copy has to preserve the ownership and the 0700 mode of the data directory, otherwise PostgreSQL refuses to start.) The encrypted second partition of the first volume was then remounted onto /var/lib/pgsql:
 # umount /dev/mapper/dtb
 # mount /dev/mapper/dtb /var/lib/pgsql

The file /tmp/key, used as the key for the encrypted partition, was then copied to one of the flash drives.
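The procedure above, as an added example that is not part of the original article: a script that performs the same steps (random key file, luksFormat with that key, luksOpen, mkfs, migration of the PostgreSQL files) with the checks the manual sequence lacks. It refuses a key file that is not exactly 256 bytes or is readable by others, refuses a target that is mounted or already holds a LUKS header, and copies with rsync -aHAX so ownership and modes survive. It assumes the article's /dev/sdb2, mapper name dtb and /var/lib/pgsql; the destructive part runs only as root and only with KEYCRYPT_RUN=1 set, so the file can otherwise be sourced for its functions.

```shell
#!/bin/bash
# Added example (not the article's code): the manual LUKS setup from the article
# as a script with safety checks. Assumes the article's layout: /dev/sdb2 becomes
# /dev/mapper/dtb and holds /var/lib/pgsql. The destructive part runs only as
# root with KEYCRYPT_RUN=1; the file can otherwise be sourced for its functions.
set -eu

DEV=${DEV:-/dev/sdb2}              # partition to encrypt (the article's choice)
NAME=${NAME:-dtb}                  # device-mapper name, /dev/mapper/$NAME
DATADIR=${DATADIR:-/var/lib/pgsql} # PostgreSQL data directory from the article
KEYLEN=256                         # key file length in bytes, as in the article

# A usable key file exists, is exactly KEYLEN bytes (a short file left by an
# interrupted dd would silently become a weak key) and is readable by root only.
check_keyfile() {
    local path=$1 size mode
    [ -f "$path" ] || { echo "key file $path does not exist" >&2; return 1; }
    size=$(stat -c %s "$path")
    mode=$(stat -c %a "$path")
    [ "$size" -eq "$KEYLEN" ] || { echo "key file $path is $size bytes, expected $KEYLEN" >&2; return 1; }
    case $mode in
        400|600) ;;
        *) echo "key file $path has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Create the key file under a restrictive umask so it is never world-readable,
# then verify it with the same check the rest of the script uses.
make_keyfile() {
    local path=$1
    ( umask 077 && head -c "$KEYLEN" /dev/urandom > "$path" )
    check_keyfile "$path"
}

# Refuse to format a partition that is mounted or already a LUKS container.
assert_safe_target() {
    local dev=$1
    if grep -qs "^$dev " /proc/mounts; then
        echo "$dev is mounted, refusing to format it" >&2; return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already holds a LUKS header, refusing to format it" >&2; return 1
    fi
}

# Format, open, make the file system and move the database files across while
# PostgreSQL is stopped. rsync -aHAX keeps owner, mode, hard links, ACLs and
# xattrs; PostgreSQL checks owner and mode (0700) of its data directory.
encrypt_and_migrate() {
    local key=$1
    check_keyfile "$key"
    assert_safe_target "$DEV"
    cryptsetup --batch-mode luksFormat "$DEV" "$key"
    cryptsetup luksOpen "$DEV" "$NAME" --key-file "$key"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mount "/dev/mapper/$NAME" /mnt
    /etc/init.d/postgresql stop
    rsync -aHAX "$DATADIR/" /mnt/
    find "$DATADIR" -mindepth 1 -delete
    umount /mnt
    mount "/dev/mapper/$NAME" "$DATADIR"
    # The LUKS UUID is what the keycryptab table refers to later; record it now.
    cryptsetup luksDump "$DEV" | grep '^UUID'
}

if [ "${KEYCRYPT_RUN:-0}" = 1 ]; then
    make_keyfile /tmp/key
    encrypt_and_migrate /tmp/key
    echo "now copy /tmp/key to the key flash drive: it is the only way to open $DEV"
fi
```

Run it as root with KEYCRYPT_RUN=1 after adjusting DEV, NAME and DATADIR; without that variable it only defines the functions, which is also how the checks can be reused from other scripts.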
How to prepare a flash drive
The flash drives arrived straight from the package. When I plugged one into my computer to see whether it was formatted and with which file system, it turned out there were seven megabytes of free space in front of the main partition. It immediately occurred to me how to protect the user from accidentally deleting the key: I created a partition in that space and formatted it as ext2. Windows does not show that partition at all, so even if the user reformats the main partition, the flash drive does not lose its ability to start the server.

Using Midnight Commander and shell utilities, the configuration of the encrypted partition was added to /etc/crypttab. A test reboot showed, however, that because of the way the system boots, the key medium listed in /etc/fstab is not mounted until after /etc/crypttab has been processed; as a result the encrypted partition is not opened, since it cannot be opened without the key file.

The necessary steps (mount the key carrier, activate the encrypted partition, unmount the key partition, mount the encrypted partition) were entered as commands in /etc/rc.local.

This gave positive results (after boot completed, the partition was mounted in the right place), but rc.local runs much later than the postgresql daemon, which could have unpredictable consequences: the database files were being mounted over the directory while the daemon was already running.

After analyzing the situation, and taking into account the need to also encrypt the backup partition and the swap partition (to prevent unauthorized access to database data and to keys that could end up in swap), it was decided to write a dedicated startup script that would mount the key device and the encrypted partitions at an early stage of boot, before the postgresql daemon starts and before swap is needed. (Debian's /etc/crypttab can itself set up swap with a throw-away key, via a "swap" entry keyed from /dev/urandom; here swap handling was folded into the same script.)

As a result, a dedicated bash startup script was written that performed all of the above, namely:
  1. Find and mount the key device.
  2. If a key device was found and mounted successfully, open and mount the encrypted partitions.
  3. Unmount the key device so it can be removed safely.
  4. Regardless of the outcome of the previous steps, make sure that swap lives on an encrypted partition.

While writing and debugging the script, the following features were also implemented:

While writing the script it turned out that the Ubuntu repositories contained an outdated cryptsetup package (it could not create a LUKS container with a given UUID, i.e. luksFormat --uuid), so the current version was compiled from source and installed in place of the standard Ubuntu package.
The bash script was installed as /etc/init.d/encryptdb. After installing it, various debugging runs were performed that did not change the general state of the system. After debugging, the script was enabled to run automatically with the command update-rc.d encryptdb defaults. The settings files /etc/keycrypt/keycryptab and /etc/keycrypt/keydrv were installed along with the script.

Appendices:
  1. Script encryptdb (the comments have been translated)
     #!/bin/bash
     ### BEGIN INIT INFO
     # Provides:          cryptdisks
     # Required-Start:    checkroot cryptdisks-early
     # Required-Stop:     umountroot cryptdisks-early
     # Should-Start:      udev mdadm-raid lvm2
     # Should-Stop:       udev mdadm-raid lvm2
     # X-Start-Before:    checkfs
     # X-Interactive:     true
     # Default-Start:     2 3 4 5
     # Default-Stop:      0 6
     # Short-Description: Setup remaining encrypted block devices.
     # Description:
     ### END INIT INFO
     # (The header was copied from the distribution's cryptdisks script; on an
     # insserv-based system "Provides:" should be this script's own name, since
     # two scripts providing "cryptdisks" are reported as a conflict.)

     # Directory with the settings files.
     KEYCRYPTAB_DIR=/etc/keycrypt
     # Table of encrypted volumes, one per line:
     #   <luks uuid> <key file name> <luks name> <mount point>
     # All swap partitions must use the mount point "swap".
     # The key file name for swap can take only two values: "none" or "random".
     # Using the option "none" is not recommended.
     # Examples:
     # 11111111-2222-3333-4444-555555555555 random swap1 swap
     # #safe swap partition: it needs no key file, but must be encrypted
     # 12345678-1234-4321-1234-567890123456 harry.key harry /home/harry
     # #home directory for Harry; Harry has "harry.key" on his flash drive
     # 66666666-9999-8888-7777-000000000000 ntldr public "/var/ftp"
     # #public directory; all staff have the "ntldr" file on their flash drives
     KEYCRYPTAB_FILE=$KEYCRYPTAB_DIR/keycryptab
     # Table of key devices (flash drives with key files), one per line:
     #   <uuid> <timeout> <mount point>
     # <timeout> is how many seconds to wait for the device to appear (1..60).
     # Examples:
     # kkkkkkkk-kkkk-kkkk-kkkk-kkkkkkkkkkkk 20 /media/keys
     KEYDRIVER_FILE=$KEYCRYPTAB_DIR/keydrv
     # Flag file: while it exists, the swap partition is overwritten with random
     # data before it is encrypted on the next boot.
     SWAPCLEAN_FILE=$KEYCRYPTAB_DIR/swapclean.flg
     # NOTE!!! If you are not using encrypted swap you need to run
     # "dd if=/dev/urandom of=/your/swap/partition" once, otherwise the
     # encryption will not make sense. This function is included in the script
     # (see the swapclean flag), but it makes the OS boot take a very long time.

     #=====================Begin of script=====================
     # Do not edit below if you are not sure what you are doing!
     #DBG="on"                  # uncomment for verbose debug output
     UMOUNT_FLAG=${UMOUNT_FLAG:-} # "-f" when called by force-reload

     # Print a debug message (up to six words) in yellow when DBG is on.
     DEBUG() {
         if [ "$DBG" = "on" ]; then
             echo -e "\E[33;40m$1 $2 $3 $4 $5 $6"; tput sgr0
         fi
     }

     # Parse one keycryptab line into CRYPT_UUID, KEY_FILENAME, CRYPT_NAME and
     # CRYPT_MOUNTPOINT; returns 0 only when all four fields are present.
     SetStruct() {
         str=`echo $1 | sed 's/#.*/ /g'`      # drop comments
         n=0
         for arg in $str; do
             let "n+=1"
             case "$n" in
                 1) CRYPT_UUID=$arg ;;
                 2) KEY_FILENAME=$arg ;;
                 3) CRYPT_NAME=$arg ;;
                 4) CRYPT_MOUNTPOINT=$arg
                    return 0 ;;
                 *) DEBUG "too many arguments: $arg" ;;
             esac
         done
         return 1
     }

     # Parse one keydrv line into KEY_UUID, KEY_TIMEOUT and KEY_MOUNTPOINT; the
     # timeout is clamped to 0..60 seconds (so the 120 in the sample keydrv
     # below becomes 60). Returns 0 only when all three fields are present.
     SetKey() {
         nk=0
         str=`echo $1 | sed 's/#.*/ /g'`
         for arg in $str; do
             let "nk+=1"
             case "$nk" in
                 1) KEY_UUID=$arg ;;
                 2) KEY_TIMEOUT=$arg
                    if (( KEY_TIMEOUT < 0 )); then
                        echo "Invalid key timeout for $KEY_UUID"
                        KEY_TIMEOUT=1
                    fi
                    if (( KEY_TIMEOUT > 60 )); then
                        echo "Invalid key timeout for $KEY_UUID"
                        KEY_TIMEOUT=60
                    fi
                    DEBUG "KEY_TIMEOUT=$KEY_TIMEOUT" ;;
                 3) KEY_MOUNTPOINT=$arg
                    return 0 ;;
                 *) DEBUG "too many arguments: $arg" ;;
             esac
         done
         return 1
     }

     # Wait up to KEY_TIMEOUT seconds for the key device to appear, then mount
     # it read-only on KEY_MOUNTPOINT. Returns 1 if it never shows up or
     # cannot be mounted.
     PrepareKeyDrv() {
         if [ ! -e "/dev/disk/by-uuid/$KEY_UUID" ]; then
             echo -en "Waiting $KEY_TIMEOUT seconds for the key device \r"
             for (( n = ++KEY_TIMEOUT; n ; n-- )); do
                 if [ ! -e "/dev/disk/by-uuid/$KEY_UUID" ]; then
                     (( KEY_TIMEOUT-- ))
                     echo -en "Waiting $KEY_TIMEOUT seconds for the key device \r"
                 else
                     echo
                     echo "Key device was found!"
                     DEBUG $KEY_UUID
                     break
                 fi
                 if [ "$n" = "1" ]; then
                     echo
                     echo "Not found a key device!"
                     DEBUG "Now completing PrepareKeyDrv()"
                     return 1
                 fi
                 sleep 1    # it is not a debug! Do not comment it!
             done
         fi
         DEBUG "Mounting the key device"
         if [ ! -d "$KEY_MOUNTPOINT" ]; then
             RM_KMP=1
             mkdir $KEY_MOUNTPOINT
         fi
         # Guess the file system from the length of the UUID string (wc -m
         # counts the trailing newline): 9+1 for FAT, 16+1 for NTFS, 36+1 for
         # ext and friends.
         uuid_l=`echo $KEY_UUID | wc -m`
         case "$uuid_l" in
             10) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -t vfat -o ro || return 1
                 DEBUG "fat detected" ;;
             17) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -t ntfs-3g -o force,ro || return 1
                 DEBUG "ntfs detected" ;;
             37) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -o ro || return 1
                 DEBUG `mount | grep $KEY_MOUNTPOINT` ;;
             *)  DEBUG "Can not identify type of the file system on the specified uuid:"
                 DEBUG "$KEY_UUID"
                 mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -o ro || return 1 ;;
         esac
     }

     # Unmount the key device (so it can be pulled out) and remove the mount
     # point if this script created it.
     UmountKey() {
         DEBUG "Unmounting the key device"
         umount $1 /dev/disk/by-uuid/$KEY_UUID
         if [ "$RM_KMP" = "1" ]; then
             rmdir $KEY_MOUNTPOINT
         fi
     }

     # Set up the swap partition. With the key file name "random" the partition
     # is re-encrypted with a fresh throw-away key on every boot; anything else
     # falls back to plain swap and flags it to be wiped on the next boot.
     PrepareSwap() {
         if [ "$KEY_FILENAME" = "random" ]; then
             if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                 echo "Not found any partition for swap with UUID:"
                 echo "$CRYPT_UUID"
             else
                 echo "Preparing to encrypt swap"
                 DEBUG "Disable all swaps"
                 swapoff -a
                 DEBUG "Regenerating new temporary key"
                 # Keep the throw-away key on ramfs: unlike tmpfs, ramfs is
                 # never paged out, so the key cannot end up on disk.
                 mkdir -p /tmp/key
                 mount -t ramfs none /tmp/key
                 dd if=/dev/urandom of=/tmp/key/swapkey$CRYPT_UUID bs=1 count=256 &> /dev/null
                 DEBUG "Configuring encrypt on the swap partition"
                 # --uuid keeps the LUKS UUID the same across reformats, so the
                 # /dev/disk/by-uuid/ path in keycryptab stays valid (this is the
                 # option the stock Ubuntu cryptsetup was missing).
                 echo "YES" | cryptsetup luksFormat /dev/disk/by-uuid/$CRYPT_UUID /tmp/key/swapkey$CRYPT_UUID --uuid=$CRYPT_UUID
                 DEBUG "Opening swap partition for operations"
                 cryptsetup luksOpen /dev/disk/by-uuid/$CRYPT_UUID $CRYPT_NAME --key-file /tmp/key/swapkey$CRYPT_UUID
                 DEBUG "Erasing temporary key"
                 rm -r -f /tmp/key/swapkey$CRYPT_UUID
                 umount /tmp/key      # the original said "umount none"
                 rmdir /tmp/key
                 # The swap signature gets its own UUID, distinct from the LUKS one.
                 DEBUG "Regenerating swapfs uuid"
                 FS_CRYPT_UUID=`uuidgen`
                 DEBUG "Creating swap format"
                 if [ -e "$SWAPCLEAN_FILE" ]; then
                     # The partition was used as plain swap before: overwrite it
                     # so old page contents cannot be recovered. (Writing
                     # /dev/zero through the mapping would be just as good and
                     # faster, since dm-crypt encrypts it on the way.)
                     echo "Swap partition was mounted unsafe, cleaning..."
                     echo -e 'It may take a long time. \e[31;40mDo not halt the computer! \e[0m'
                     S=`fdisk -s /dev/mapper/$CRYPT_NAME`    # size in 1 KiB blocks
                     let "S *= 1024"
                     dd if=/dev/urandom | pv -s $S | dd of=/dev/mapper/$CRYPT_NAME 2> /dev/null
                     rm -r -f $SWAPCLEAN_FILE
                 fi
                 mkswap -f -U $FS_CRYPT_UUID /dev/mapper/$CRYPT_NAME &> /dev/null
                 DEBUG "Activating swap"
                 swapon -U $FS_CRYPT_UUID
             fi
         else
             if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                 echo "Not found any partition for swap with UUID:"
                 echo "$CRYPT_UUID"
             else
                 chkswapt=`cat /proc/swaps | grep "$CRYPT_NAME"`
                 if [ ! "$chkswapt" = "" ]; then
                     echo -e "Oops! \e[31;40mYou already have the swap! \e[0m"
                     cat /proc/swaps
                     echo "Check your 'fstab', 'crypttab' and '$KEYCRYPTAB_FILE'"
                     echo "files for duplicate entries for swap partition"
                     echo "In future use only one of these files to manage swaps"
                     return 0
                 else
                     echo -e '\e[31;40mWARNING!!! \e[0mThe system uses the unsafe way to manage swap!'
                     echo 'You need to use value "random" of <key filename> on the'
                     echo "$KEYCRYPTAB_FILE file for all swap partition!"
                 fi
                 swapoff -a
                 mkswap -f -U $CRYPT_UUID /dev/disk/by-uuid/$CRYPT_UUID &> /dev/null
                 # Remember that the partition now holds plaintext pages, so
                 # that "random" mode wipes it before encrypting it later.
                 swapon -U $CRYPT_UUID && echo "Remove this file to disable cleaning swap at boot time" > $SWAPCLEAN_FILE
             fi
         fi
     }

     # Walk keycryptab. Without an argument: open and mount every data volume
     # whose key file is on the currently mounted key device (volumes already
     # opened by another key device are skipped). With the argument "swaps":
     # handle only the swap entries.
     PrepareVolumes() {
         cat $KEYCRYPTAB_FILE | while read line; do
             if SetStruct "$line"; then
                 if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                     echo "Not found encrypted partition with UUID:"
                     echo "$CRYPT_UUID"
                 else
                     if [[ "$CRYPT_MOUNTPOINT" = "swap" && "$1" = "swaps" ]]; then
                         PrepareSwap
                     else
                         if [[ "$CRYPT_MOUNTPOINT" != "swap" && "$1" != "swaps" ]]; then
                             if [ ! -e "/dev/mapper/$CRYPT_NAME" ]; then
                                 echo "Opening encrypted volume"
                                 cryptsetup luksOpen /dev/disk/by-uuid/$CRYPT_UUID $CRYPT_NAME --key-file $KEY_MOUNTPOINT/$KEY_FILENAME
                             fi
                             if [ -e "/dev/mapper/$CRYPT_NAME" ] && ! grep -qs " $CRYPT_MOUNTPOINT " /proc/mounts; then
                                 echo "Mounting encrypted volume"
                                 if [ ! -d "$CRYPT_MOUNTPOINT" ]; then
                                     mkdir $CRYPT_MOUNTPOINT
                                 fi
                                 mount /dev/mapper/$CRYPT_NAME $CRYPT_MOUNTPOINT
                             fi
                         fi
                     fi
                 fi
             fi
         done
     }

     case "$1" in
         start)
             # For every key device in keydrv: wait for it, mount it, open the
             # data volumes whose key files it carries, then unmount it so it
             # can be removed.
             cat $KEYDRIVER_FILE | while read line; do
                 if SetKey "$line"; then
                     if PrepareKeyDrv; then
                         PrepareVolumes
                         UmountKey
                     fi
                 fi
             done
             # Swap is handled last and needs no key device.
             PrepareVolumes swaps
             DEBUG "Now completing"
             ;;
         stop)
             # Deactivate swap, unmount and close every volume in keycryptab.
             cat $KEYCRYPTAB_FILE | while read line; do
                 if SetStruct "$line"; then
                     if [ "$CRYPT_MOUNTPOINT" = "swap" ]; then
                         DEBUG "Deactivating swap /dev/mapper/$CRYPT_NAME"
                         swapoff /dev/mapper/$CRYPT_NAME
                     else
                         chkmnt=`mount | grep "$CRYPT_NAME"`
                         if [ "$chkmnt" != "" ]; then
                             echo "Unmounting encrypted volume"
                             DEBUG "/dev/mapper/$CRYPT_NAME"
                             umount $UMOUNT_FLAG /dev/mapper/$CRYPT_NAME
                         fi
                     fi
                     if [ -e "/dev/mapper/$CRYPT_NAME" ]; then
                         echo "Closing encrypted volume"
                         DEBUG "/dev/mapper/$CRYPT_NAME"
                         cryptsetup luksClose $CRYPT_NAME
                     fi
                 fi
             done
             ;;
         restart|reload)
             # (the original called the undefined functions do_stop/do_start here)
             "$0" stop
             "$0" start
             ;;
         force-reload)
             UMOUNT_FLAG="-f" "$0" stop
             "$0" start
             ;;
         *)
             echo "Usage: $0 {start|stop|restart|reload|force-reload}"
             echo "Actions 'stop', 'restart', 'reload' and 'force-reload' will unmount"
             echo "all encrypted disk partitions, including the partition containing swap"
             echo "To mount additional partitions without unmounting the already mounted ones,"
             echo "run the $0 script with the parameter 'start' again"
             exit 1
             ;;
     esac
  2. Keycryptab file
     #All swap partitions require the mount point "swap"
     #the key file name for swap can take only 2 values:
     #"none" (strongly not recommended) and "random"; example:
     #11111111-2222-3333-4444-555555555555 random swap1 swap
     #<uuid> <key filename> <luks name> <mount point>
     0cf1c420-09a0-4338-85b4-df6aed780425 random swap1 swap
     4ebecf51-4a5a-4aaf-ba97-3523129e567c keyfile.key dtb /var/lib/pgsql
     0feb764f-195e-487d-a0ed-1de525fb3282 bacup.key bkp /media/old
     #this file MUST end with a final newline or a final comment
  3. Keydrv file
     # Syntax:
     # <uuid> <timeout> <mount point>
     # Example:
     # kkkkkkkk-kkkk-kkkk-kkkk-kkkkkkkkkkkk 20 /media/keys
     # <uuid> <timeout> <mount point>
     609e85b7-5fa8-4434-9210-b8df1d4c0a66 20 /media/keys
     bc5e202a-1523-46bc-95f4-3c89f10edd27 120 /media/keys #backup user
     #this file MUST end with a final newline or a final comment
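The two table formats above, as an added example that is not the author's code: a validator that parses keycryptab and keydrv lines with the same whitespace-separated fields the init script's SetStruct and SetKey read, applies the rules that script relies on (file system guessed from the UUID length, swap entries keyed "random" or "none", timeouts clamped to the 1..60 range) and reports every bad line rather than silently skipping it. It goes a little beyond the script: it checks that mount points are absolute and reads a last line without a trailing newline, so the "MUST contain final newline" rule in the sample files does not apply to it. The sample files it writes are constructed from the article's own entries, including the backup user's 120 s timeout, which shows the clamping.

```shell
#!/bin/bash
# Added example (not the author's code): validator for the keycryptab and keydrv
# tables used by the encryptdb init script. Sample files are constructed from
# the article's entries. Run with: sh keycrypt-check.sh (hypothetical name).
set -eu

# Guess the file system family from the length of a /dev/disk/by-uuid name, the
# way the init script does: FAT serials are 9 characters (XXXX-XXXX), NTFS
# serials 16 hex digits, ext/xfs/LUKS UUIDs 36 characters.
fs_from_uuid() {
    case ${#1} in
        9)  echo vfat ;;
        16) echo ntfs ;;
        36) echo ext ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Clamp a keydrv timeout to the 1..60 second range; anything that is not a
# non-negative integer becomes 1.
clamp_timeout() {
    local t="$1"
    case $t in
        ''|*[!0-9]*) t=1 ;;
    esac
    [ "$t" -ge 1 ] || t=1
    [ "$t" -le 60 ] || t=60
    echo "$t"
}

# Validate one keycryptab line: <luks uuid> <key file> <luks name> <mount point>.
# Prints "ok <name>" (nothing for blank or comment lines); returns 1 on an error.
check_keycryptab_line() {
    local line="${1%%#*}" uuid key name mnt      # strip a trailing comment
    set -- $line
    [ $# -eq 0 ] && return 0
    [ $# -eq 4 ] || { echo "error: expected 4 fields, got $#: $line"; return 1; }
    uuid=$1 key=$2 name=$3 mnt=$4
    [ ${#uuid} -eq 36 ] || { echo "error: $name: LUKS UUID must be 36 characters"; return 1; }
    if [ "$mnt" = swap ]; then
        case $key in
            random) ;;
            none)   echo "warning: $name: plain swap (\"none\") is not recommended" ;;
            *)      echo "error: $name: swap key must be \"random\" or \"none\""; return 1 ;;
        esac
    else
        case $mnt in
            /*) ;;
            *)  echo "error: $name: mount point $mnt must be absolute"; return 1 ;;
        esac
    fi
    echo "ok $name"
}

# Validate one keydrv line: <uuid> <timeout> <mount point>. Prints
# "ok <uuid> <fs> <effective timeout> <mount point>"; returns 1 on an error.
check_keydrv_line() {
    local line="${1%%#*}" fs t
    set -- $line
    [ $# -eq 0 ] && return 0
    [ $# -eq 3 ] || { echo "error: expected 3 fields, got $#: $line"; return 1; }
    fs=$(fs_from_uuid "$1") || { echo "error: cannot guess the file system from UUID $1"; return 1; }
    t=$(clamp_timeout "$2")
    [ "$t" = "$2" ] || echo "warning: timeout $2 for $1 is clamped to $t"
    case $3 in
        /*) ;;
        *)  echo "error: mount point $3 must be absolute"; return 1 ;;
    esac
    echo "ok $1 $fs $t $3"
}

# Validate a whole file. "read ... || [ -n "$line" ]" also delivers a final line
# that lacks a newline, which "cat file | while read" would drop.
check_file() {   # usage: check_file keycryptab|keydrv <path>
    local kind="$1" path="$2" rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        "check_${kind}_line" "$line" || rc=1
    done < "$path"
    return $rc
}

# Constructed sample tables using the article's entries.
write_samples() {   # usage: write_samples <keycryptab path> <keydrv path>
    cat > "$1" <<'EOF'
#<uuid> <key filename> <luks name> <mount point>
0cf1c420-09a0-4338-85b4-df6aed780425 random swap1 swap
4ebecf51-4a5a-4aaf-ba97-3523129e567c keyfile.key dtb /var/lib/pgsql
0feb764f-195e-487d-a0ed-1de525fb3282 bacup.key bkp /media/old
EOF
    cat > "$2" <<'EOF'
# <uuid> <timeout> <mount point>
609e85b7-5fa8-4434-9210-b8df1d4c0a66 20 /media/keys
bc5e202a-1523-46bc-95f4-3c89f10edd27 120 /media/keys #backup user
EOF
}

main() {
    local k d
    k=$(mktemp) d=$(mktemp)
    write_samples "$k" "$d"
    check_file keycryptab "$k"
    check_file keydrv "$d"
    rm -f "$k" "$d"
}
main
```

On real files, call check_file keycryptab /etc/keycrypt/keycryptab and check_file keydrv /etc/keycrypt/keydrv before enabling the init script; a non-zero exit means at least one line would have been skipped or misread at boot.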


The solution is currently running on several servers and has been adapted for Debian and for Arch Linux (this was before Arch switched to systemd):
     #!/bin/bash
     # Keycrypt 1.1 2012 for ArchLinux
     # Mounts the key devices and the encrypted partitions at boot, before the
     # daemons that use them; see the table formats below.
     . /etc/rc.conf
     . /etc/rc.d/functions

     # Directory with the settings files.
     KEYCRYPTAB_DIR=/etc/keycrypt
     # Table of encrypted volumes, one per line:
     #   <luks uuid> <key file name> <luks name> <mount point>
     # All swap partitions must use the mount point "swap".
     # The key file name for swap can take only two values: "none" or "random".
     # Using the option "none" is not recommended.
     # Examples:
     # 11111111-2222-3333-4444-555555555555 random swap1 swap
     # #safe swap partition: it needs no key file, but must be encrypted
     # 12345678-1234-4321-1234-567890123456 harry.key harry /home/harry
     # #home directory for Harry; Harry has "harry.key" on his flash drive
     # 66666666-9999-8888-7777-000000000000 ntldr public "/var/ftp"
     # #public directory; all staff have the "ntldr" file on their flash drives
     KEYCRYPTAB_FILE=$KEYCRYPTAB_DIR/keycryptab
     # Table of key devices (flash drives with key files), one per line:
     #   <uuid> <timeout> <mount point>
     # <timeout> is how many seconds to wait for the device to appear (1..60).
     # Examples:
     # kkkkkkkk-kkkk-kkkk-kkkk-kkkkkkkkkkkk 20 /media/keys
     KEYDRIVER_FILE=$KEYCRYPTAB_DIR/keydrv
     # Flag file: while it exists, the swap partition is overwritten with random
     # data before it is encrypted on the next boot.
     SWAPCLEAN_FILE=$KEYCRYPTAB_DIR/swapclean.flg
     # NOTE!!! If you are not using encrypted swap you need to run
     # "dd if=/dev/urandom of=/your/swap/partition" once, otherwise the
     # encryption will not make sense. This function is included in the script
     # (see the swapclean flag), but it makes the OS boot take a very long time.
     DBG="on"                     # verbose debug output (on by default here)

     #=====================Begin of script=====================
     # Do not edit below if you are not sure what you are doing!
     UMOUNT_FLAG=${UMOUNT_FLAG:-} # "-f" when called by force-reload

     # Print a debug message (up to six words) in yellow when DBG is on.
     DEBUG() {
         if [ "$DBG" = "on" ]; then
             echo -e "\E[33;40m$1 $2 $3 $4 $5 $6"; tput sgr0
         fi
     }

     # Parse one keycryptab line into CRYPT_UUID, KEY_FILENAME, CRYPT_NAME and
     # CRYPT_MOUNTPOINT; returns 0 only when all four fields are present.
     SetStruct() {
         str=`echo $1 | sed 's/#.*/ /g'`      # drop comments
         n=0
         for arg in $str; do
             let "n+=1"
             case "$n" in
                 1) CRYPT_UUID=$arg ;;
                 2) KEY_FILENAME=$arg ;;
                 3) CRYPT_NAME=$arg ;;
                 4) CRYPT_MOUNTPOINT=$arg
                    return 0 ;;
                 *) DEBUG "too many arguments: $arg" ;;
             esac
         done
         return 1
     }

     # Parse one keydrv line into KEY_UUID, KEY_TIMEOUT and KEY_MOUNTPOINT; the
     # timeout is clamped to 0..60 seconds. Returns 0 only when all three
     # fields are present.
     SetKey() {
         nk=0
         str=`echo $1 | sed 's/#.*/ /g'`
         for arg in $str; do
             let "nk+=1"
             case "$nk" in
                 1) KEY_UUID=$arg ;;
                 2) KEY_TIMEOUT=$arg
                    if (( KEY_TIMEOUT < 0 )); then
                        echo "Invalid key timeout for $KEY_UUID"
                        KEY_TIMEOUT=1
                    fi
                    if (( KEY_TIMEOUT > 60 )); then
                        echo "Invalid key timeout for $KEY_UUID"
                        KEY_TIMEOUT=60
                    fi
                    DEBUG "KEY_TIMEOUT=$KEY_TIMEOUT" ;;
                 3) KEY_MOUNTPOINT=$arg
                    return 0 ;;
                 *) DEBUG "too many arguments: $arg" ;;
             esac
         done
         return 1
     }

     # Wait up to KEY_TIMEOUT seconds for the key device to appear, then mount
     # it read-only on KEY_MOUNTPOINT. Returns 1 if it never shows up or
     # cannot be mounted.
     PrepareKeyDrv() {
         if [ ! -e "/dev/disk/by-uuid/$KEY_UUID" ]; then
             echo -en "Waiting $KEY_TIMEOUT seconds for the key device \r"
             for (( n = ++KEY_TIMEOUT; n ; n-- )); do
                 if [ ! -e "/dev/disk/by-uuid/$KEY_UUID" ]; then
                     (( KEY_TIMEOUT-- ))
                     echo -en "Waiting $KEY_TIMEOUT seconds for the key device \r"
                 else
                     DEBUG "Key device was found!"
                     DEBUG $KEY_UUID
                     break
                 fi
                 if [ "$n" = "1" ]; then
                     DEBUG "Not found a key device!"
                     DEBUG "Now completing PrepareKeyDrv()"
                     return 1
                 fi
                 sleep 1    # it is not a debug! Do not comment it!
             done
         fi
         DEBUG "Mounting the key device"
         if [ ! -d "$KEY_MOUNTPOINT" ]; then
             RM_KMP=1
             mkdir $KEY_MOUNTPOINT
         fi
         # Guess the file system from the length of the UUID string (wc -m
         # counts the trailing newline): 9+1 for FAT, 16+1 for NTFS, 36+1 for
         # ext and friends.
         uuid_l=`echo $KEY_UUID | wc -m`
         case "$uuid_l" in
             10) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -t vfat -o ro || return 1
                 DEBUG "fat detected" ;;
             17) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -t ntfs-3g -o force,ro || return 1
                 DEBUG "ntfs detected" ;;
             37) mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -o ro || return 1
                 DEBUG `mount | grep $KEY_MOUNTPOINT` ;;
             *)  DEBUG "Can not identify type of the file system on the specified uuid:"
                 DEBUG "$KEY_UUID"
                 mount /dev/disk/by-uuid/$KEY_UUID $KEY_MOUNTPOINT -o ro || return 1 ;;
         esac
     }

     # Unmount the key device (so it can be pulled out) and remove the mount
     # point if this script created it.
     UmountKey() {
         DEBUG "Unmounting the key device"
         umount $1 /dev/disk/by-uuid/$KEY_UUID
         if [ "$RM_KMP" = "1" ]; then
             rmdir $KEY_MOUNTPOINT
         fi
     }

     # Set up the swap partition. With the key file name "random" the partition
     # is re-encrypted with a fresh throw-away key on every boot; anything else
     # falls back to plain swap and flags it to be wiped on the next boot.
     PrepareSwap() {
         if [ "$KEY_FILENAME" = "random" ]; then
             if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                 DEBUG "Not found any partition for swap with UUID:"
                 DEBUG "$CRYPT_UUID"
             else
                 DEBUG "Preparing to encrypt swap"
                 DEBUG "Disable all swaps"
                 swapoff -a
                 DEBUG "Regenerating new temporary key"
                 # Keep the throw-away key on ramfs: unlike tmpfs, ramfs is
                 # never paged out, so the key cannot end up on disk.
                 mkdir -p /tmp/key
                 mount -t ramfs none /tmp/key
                 dd if=/dev/urandom of=/tmp/key/swapkey$CRYPT_UUID bs=1 count=256 &> /dev/null
                 DEBUG "Configuring encrypt on the swap partition"
                 # --uuid keeps the LUKS UUID the same across reformats, so the
                 # /dev/disk/by-uuid/ path in keycryptab stays valid.
                 echo "YES" | cryptsetup luksFormat /dev/disk/by-uuid/$CRYPT_UUID /tmp/key/swapkey$CRYPT_UUID --uuid=$CRYPT_UUID
                 DEBUG "Opening swap partition for operations"
                 cryptsetup luksOpen /dev/disk/by-uuid/$CRYPT_UUID $CRYPT_NAME --key-file /tmp/key/swapkey$CRYPT_UUID
                 DEBUG "Erasing temporary key"
                 rm -r -f /tmp/key/swapkey$CRYPT_UUID
                 umount /tmp/key      # the original said "umount none"
                 rmdir /tmp/key
                 # The swap signature gets its own UUID, distinct from the LUKS one.
                 DEBUG "Regenerating swapfs uuid"
                 FS_CRYPT_UUID=`uuidgen`
                 DEBUG "Creating swap format"
                 if [ -e "$SWAPCLEAN_FILE" ]; then
                     # The partition was used as plain swap before: overwrite it
                     # so old page contents cannot be recovered. (Writing
                     # /dev/zero through the mapping would be just as good and
                     # faster, since dm-crypt encrypts it on the way.)
                     echo "Swap partition was mounted unsafe, cleaning..."
                     echo -e 'It may take a long time. \e[31;40mDo not halt the computer! \e[0m'
                     S=`fdisk -s /dev/mapper/$CRYPT_NAME`    # size in 1 KiB blocks
                     let "S *= 1024"
                     dd if=/dev/urandom | pv -s $S | dd of=/dev/mapper/$CRYPT_NAME 2> /dev/null
                     rm -r -f $SWAPCLEAN_FILE
                 fi
                 mkswap -f -U $FS_CRYPT_UUID /dev/mapper/$CRYPT_NAME &> /dev/null
                 DEBUG "Activating swap"
                 swapon -U $FS_CRYPT_UUID
             fi
         else
             if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                 DEBUG "Not found any partition for swap with UUID:"
                 DEBUG "$CRYPT_UUID"
             else
                 chkswapt=`cat /proc/swaps | grep "$CRYPT_NAME"`
                 if [ ! "$chkswapt" = "" ]; then
                     echo -e "Oops! \e[31;40mYou already have the swap! \e[0m"
                     cat /proc/swaps
                     echo "Check your 'fstab', 'crypttab' and '$KEYCRYPTAB_FILE'"
                     echo "files for duplicate entries for swap partition"
                     echo "In future use only one of these files to manage swaps"
                     return 0
                 else
                     echo -e '\e[31;40mWARNING!!! \e[0mThe system uses the unsafe way to manage swap!'
                     echo 'You need to use value "random" of <key filename> on the'
                     echo "$KEYCRYPTAB_FILE file for all swap partition!"
                 fi
                 swapoff -a
                 mkswap -f -U $CRYPT_UUID /dev/disk/by-uuid/$CRYPT_UUID &> /dev/null
                 # Remember that the partition now holds plaintext pages, so
                 # that "random" mode wipes it before encrypting it later.
                 swapon -U $CRYPT_UUID && echo "Remove this file to disable cleaning swap at boot time" > $SWAPCLEAN_FILE
             fi
         fi
     }

     # Walk keycryptab. Without an argument: open and mount every data volume
     # whose key file is on the currently mounted key device (volumes already
     # opened by another key device are skipped). With the argument "swaps":
     # handle only the swap entries.
     PrepareVolumes() {
         cat $KEYCRYPTAB_FILE | while read line; do
             if SetStruct "$line"; then
                 if [ ! -e "/dev/disk/by-uuid/$CRYPT_UUID" ]; then
                     DEBUG "Not found encrypted partition with UUID:"
                     DEBUG "$CRYPT_UUID"
                 else
                     if [[ "$CRYPT_MOUNTPOINT" = "swap" && "$1" = "swaps" ]]; then
                         PrepareSwap
                     else
                         if [[ "$CRYPT_MOUNTPOINT" != "swap" && "$1" != "swaps" ]]; then
                             if [ ! -e "/dev/mapper/$CRYPT_NAME" ]; then
                                 DEBUG "Opening encrypted volume"
                                 cryptsetup luksOpen /dev/disk/by-uuid/$CRYPT_UUID $CRYPT_NAME --key-file $KEY_MOUNTPOINT/$KEY_FILENAME
                             fi
                             if [ -e "/dev/mapper/$CRYPT_NAME" ] && ! grep -qs " $CRYPT_MOUNTPOINT " /proc/mounts; then
                                 DEBUG "Mounting encrypted volume"
                                 if [ ! -d "$CRYPT_MOUNTPOINT" ]; then
                                     mkdir $CRYPT_MOUNTPOINT
                                 fi
                                 mount /dev/mapper/$CRYPT_NAME $CRYPT_MOUNTPOINT
                             fi
                         fi
                     fi
                 fi
             fi
         done
     }

     case "$1" in
         start)
             stat_busy "Preparing encrypted partitions"
             # For every key device in keydrv: wait for it, mount it, open the
             # data volumes whose key files it carries, then unmount it so it
             # can be removed.
             cat $KEYDRIVER_FILE | while read line; do
                 if SetKey "$line"; then
                     if PrepareKeyDrv; then
                         PrepareVolumes
                         UmountKey
                     fi
                 fi
             done
             # Swap is handled last and needs no key device.
             PrepareVolumes swaps
             DEBUG "Now completing"
             # ($? here is DEBUG's status, so this always reports "done")
             if [ $? -gt 0 ]; then
                 stat_fail
             else
                 stat_done
             fi
             # register this script under its own name (the original had a
             # copy-pasted "internet" here)
             add_daemon "${0##*/}"
             ;;
         stop)
             # Deactivate swap, unmount and close every volume in keycryptab.
             cat $KEYCRYPTAB_FILE | while read line; do
                 if SetStruct "$line"; then
                     if [ "$CRYPT_MOUNTPOINT" = "swap" ]; then
                         DEBUG "Deactivating swap /dev/mapper/$CRYPT_NAME"
                         swapoff /dev/mapper/$CRYPT_NAME
                     else
                         chkmnt=`mount | grep "$CRYPT_NAME"`
                         if [ "$chkmnt" != "" ]; then
                             DEBUG "Unmounting encrypted volume"
                             DEBUG "/dev/mapper/$CRYPT_NAME"
                             umount $UMOUNT_FLAG /dev/mapper/$CRYPT_NAME
                         fi
                     fi
                     if [ -e "/dev/mapper/$CRYPT_NAME" ]; then
                         DEBUG "Closing encrypted volume"
                         DEBUG "/dev/mapper/$CRYPT_NAME"
                         cryptsetup luksClose $CRYPT_NAME
                     fi
                 fi
             done
             rm_daemon "${0##*/}"
             if [ $? -gt 0 ]; then
                 stat_fail
             else
                 stat_done
             fi
             ;;
         restart|reload)
             # (the original called the undefined functions do_stop/do_start here)
             "$0" stop
             "$0" start
             ;;
         force-reload)
             UMOUNT_FLAG="-f" "$0" stop
             "$0" start
             ;;
         *)
             echo "Usage: $0 {start|stop|restart|reload|force-reload}"
             echo "Actions 'stop', 'restart', 'reload' and 'force-reload' will unmount"
             echo "all encrypted disk partitions, including the partition containing swap"
             echo "To mount additional partitions without unmounting the already mounted ones,"
             echo "run the $0 script with the parameter 'start' again"
             exit 1
             ;;
     esac

Source: https://habr.com/ru/post/172923/

