LUKS Partitionen verwalten

Written by cobalt on März 2nd, 2012

Das folgende Skript erleichtert die Verwaltung verschlüsselter Partitionen.

Angelegt wird die Partition durch Eingabe des Kommandos „luks.sh add private“.

Dabei wird ein LV als Container angelegt; darin liegt, verschlüsselt, die Partition mit einem Filesystem. Die Partition wird eingetragen; nach einem Reboot kann sie durch Eingabe des Kommandos „luks.sh mount private“ und des Passworts gemountet werden.

Download: luks.sh

#!/bin/bash

# luks (c) Hans-Helmar Althaus 
#
#  Version 1.0 - 24.02.2012
#

# Convention: encrypted volumes are mounted below $fsbase as fsN.
fsbase="/export"

# Cipher spec and key length (bits) handed to 'cryptsetup luksFormat'.
# NOTE(review): these are the 2012 values; cryptsetup's own default has since
# moved to aes-xts-plain64 — consider matching it for new volumes.
cipher="aes-cbc-essiv:sha256"
keylen=256

# Filesystem type and logical-volume size for a newly created volume.
fstype="ext4"
fssize="64G"

# Best effort: the first volume group vgdisplay reports is taken as the
# system VG (overridable with --vg).
vg=$(vgdisplay | awk '/VG Name/ { print $3; exit }')

# The lowest N for which $fsbase/fsN does not exist yet is the next mount
# point (overridable with --fsnum).
fsnum=1
while [ -d "${fsbase}/fs${fsnum}" ]; do
  fsnum=$((fsnum + 1))
done

##################################################################################
# shell functions ################################################################
##################################################################################

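function luks_add_fs() { # add LUKS-Volume
  # Create LV $vg/$name, turn it into a LUKS container, put a $fstype
  # filesystem inside, mount it on $fsbase/fs$fsnum and append the matching
  # fstab and crypttab lines.
  # Arguments: $1 - volume name (also names the /dev/mapper/luks-<name> mapping)
  # Globals:   vg, fssize, cipher, keylen, fstype, fsbase, fsnum (read)
  # Returns:   0 on success; 1 invalid name or lvcreate failed; 2 luksFormat;
  #            3 luksOpen; 4 mkfs; 5 mkdir; 6 mount
  local name=$1 mkfs_opts=()
  # Restrict to LVM's allowed name characters and forbid a leading '-': the
  # name ends up in device paths, fstab/crypttab lines and sed patterns.
  [[ "$name" =~ ^[A-Za-z0-9_+.][A-Za-z0-9_+.-]*$ ]] || { echo "invalid volume name: '${name}'" >&2; return 1; }
  lvcreate -L "${fssize}" "${vg}" -n "${name}" || return 1
  cryptsetup luksFormat -c "${cipher}" -s "${keylen}" "/dev/${vg}/${name}" || return 2
  echo "# show: cryptsetup luksDump /dev/${vg}/${name}"
  cryptsetup luksOpen "/dev/${vg}/${name}" "luks-${name}" || return 3
  echo "# show: dmsetup info luks-${name}"
  echo "# show: cryptsetup status /dev/mapper/luks-${name}"
  # -m0 (no reserved blocks) is an ext2/3/4 option; other mkfs tools reject it.
  case "$fstype" in ext*) mkfs_opts=(-m0) ;; esac
  "mkfs.${fstype}" "${mkfs_opts[@]}" "/dev/mapper/luks-${name}" || return 4
  mkdir -p "${fsbase}/fs${fsnum}" || return 5
  mount "/dev/mapper/luks-${name}" "${fsbase}/fs${fsnum}" || return 6
  # printf instead of an indented '<<-' here-doc: '<<-' strips tabs only, and
  # a terminator indented with spaces would never be recognised.
  # noauto: the volume is mounted by hand (luks.sh mount) after luksOpen.
  printf '#\n%s %s %s defaults,noauto 0 0\n' \
    "/dev/mapper/luks-${name}" "${fsbase}/fs${fsnum}" "${fstype}" >> /etc/fstab
  printf '#\n%s %s none none\n' "luks-${name}" "/dev/${vg}/${name}" >> /etc/crypttab
  return 0
}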

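function luks_mount_fs() { # mount LUKS-Volume
  # Open the LUKS container on $vg/$name and mount it through its fstab entry.
  # When a keyfile enrolled by 'addkey' exists it is used; otherwise
  # cryptsetup prompts for the passphrase.
  # Arguments: $1 - volume name
  # Globals:   vg (read)
  # Returns:   0 on success; 1 invalid name or luksOpen failed; 2 mount failed
  local name=$1 keyfile opts=()
  [[ "$name" =~ ^[A-Za-z0-9_+.][A-Za-z0-9_+.-]*$ ]] || { echo "invalid volume name: '${name}'" >&2; return 1; }
  keyfile="/etc/luks-${name}.keyfile"
  [ -f "${keyfile}" ] && opts=(--key-file "${keyfile}")
  cryptsetup luksOpen "${opts[@]}" "/dev/${vg}/${name}" "luks-${name}" || return 1
  # Mount point is resolved from the fstab line written by luks_add_fs.
  mount "/dev/mapper/luks-${name}" || return 2
  return 0
}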

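function luks_remove_fs() { # remove LUKS-Volume
  # Tear down volume $name: unmount it if mounted, close the LUKS mapping,
  # remove the LV, delete the keyfile and the mount point, and comment out
  # the fstab/crypttab lines (kept as history rather than deleted).
  # Arguments: $1 - volume name
  # Globals:   vg (read)
  # Returns:   0 on success; 1 invalid name or unknown mount point; 2 umount;
  #            3 luksClose; 4 lvremove; 5 rmdir
  local name=$1 mounted=0 mntpnt pat
  [[ "$name" =~ ^[A-Za-z0-9_+.][A-Za-z0-9_+.-]*$ ]] || { echo "invalid volume name: '${name}'" >&2; return 1; }
  # Prefer the live mount table; fall back to fstab when the volume is not
  # mounted. Exact field comparison avoids "luks-foo" matching "luks-foobar".
  mntpnt=$(mount | awk -v dev="/dev/mapper/luks-${name}" '$1 == dev && $2 == "on" { print $3; exit }')
  if [ -n "${mntpnt}" ]; then
    mounted=1
  else
    mntpnt=$(awk -v dev="/dev/mapper/luks-${name}" '$1 == dev { print $2; exit }' /etc/fstab)
    if [ -z "${mntpnt}" ]; then
      echo "can not determine mount point." >&2
      return 1
    fi
  fi
  # Only unmount what is mounted; '[ $doumount ]' was true for "0" and "1" alike.
  if [ "${mounted}" -eq 1 ]; then
    umount "${mntpnt}" || return 2
  fi
  cryptsetup luksClose "/dev/mapper/luks-${name}" || return 3
  lvremove "/dev/${vg}/${name}" || return 4
  rm -f -- "/etc/luks-${name}.keyfile"
  # Remove the volume's own mount point, not $fsbase/fs$fsnum (the next free slot).
  rmdir "${mntpnt}" || return 5
  # '.' escaped so the name is literal in the BRE; the trailing whitespace
  # anchor keeps "luks-foo" from also hitting "luks-foobar".
  pat=${name//./\\.}
  sed -i -e "s|^luks-${pat}[[:space:]].*|#&|" /etc/crypttab
  sed -i -e "s|^/dev/mapper/luks-${pat}[[:space:]].*|#&|" /etc/fstab
  return 0
}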

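function luks_add_key() { # add a keyfile to mount LUKS-Volume
  # Generate /etc/luks-<name>.keyfile, enrol it as an additional LUKS key and
  # point the crypttab entry at it.
  # Arguments: $1 - volume name
  # Globals:   vg, keylen (read)
  # Returns:   0 on success; 1 invalid name or keyfile already exists;
  #            2 keyfile could not be written or luksAddKey failed
  local name=$1 keyfile pat
  [[ "$name" =~ ^[A-Za-z0-9_+.][A-Za-z0-9_+.-]*$ ]] || { echo "invalid volume name: '${name}'" >&2; return 1; }
  keyfile="/etc/luks-${name}.keyfile"
  if [ -f "${keyfile}" ]; then
    echo "keyfile exists."
    return 1
  fi
  # Create the file with a restrictive umask *while* filling it: dd under the
  # default umask would leave the key readable to everyone until the chmod ran.
  # keylen is in bits, so this writes keylen random bytes (more than needed).
  ( umask 077 && dd if=/dev/urandom of="${keyfile}" bs=1 count="${keylen}" ) || return 2
  chown root:root "${keyfile}"
  chmod 0600 "${keyfile}"
  # Drop the half-made keyfile on failure, otherwise a retry stops at "keyfile exists."
  cryptsetup luksAddKey "/dev/${vg}/${name}" "${keyfile}" || { rm -f -- "${keyfile}"; return 2; }
  # Comment out the passphrase entry and append the keyfile entry.
  pat=${name//./\\.}
  sed -i -e "s|^luks-${pat}[[:space:]].*|#&|" /etc/crypttab
  printf '%s %s %s none\n' "luks-${name}" "/dev/${vg}/${name}" "${keyfile}" >> /etc/crypttab
  return 0
}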

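function luks_remove_key() { # remove key from LUKS-Volume
  # Revoke the keyfile's key slot in the LUKS header, delete the keyfile and
  # restore the passphrase-only crypttab entry.
  # Arguments: $1 - volume name
  # Globals:   vg (read)
  # Returns:   0 on success; 1 invalid name or no keyfile; 2 luksRemoveKey failed
  local name=$1 keyfile pat
  [[ "$name" =~ ^[A-Za-z0-9_+.][A-Za-z0-9_+.-]*$ ]] || { echo "invalid volume name: '${name}'" >&2; return 1; }
  keyfile="/etc/luks-${name}.keyfile"
  if [ ! -f "${keyfile}" ]; then
    echo "keyfile does not exist."
    return 1
  fi
  cryptsetup luksRemoveKey "/dev/${vg}/${name}" "${keyfile}" || return 2
  # The key slot is revoked above, so the file contents are useless afterwards;
  # rm does not overwrite the bytes on disk.
  rm -f -- "${keyfile}"
  pat=${name//./\\.}
  sed -i -e "s|^luks-${pat}[[:space:]].*|#&|" /etc/crypttab
  printf '%s %s none none\n' "luks-${name}" "/dev/${vg}/${name}" >> /etc/crypttab
  return 0
}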

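function usage() {
  # Print the command summary to stdout and exit.
  # Arguments: $1 - exit status (optional, default 0)
  # Globals:   fsbase, vg, fsnum, fstype, fssize, keylen (read)
  # The here-doc terminator sits at column 0 on purpose: '<<-' strips leading
  # tabs only, and a terminator indented with spaces would swallow the rest
  # of the script into the usage text.
  cat <<EOUSAGE
$(basename -- "$0") [options] command

create logical volume container on volume group
and mount crypted filesystem on ${fsbase}/fsN

options:
  --vg         - volume group (def:${vg})
  -n, --fsnum  - filesystem-number (def:${fsnum})
  -b, --fsbase - mount base directory (def:${fsbase})
  -t, --fstype - filesystem-type (def:${fstype})
  -s, --fssize - volume-size (def:${fssize})
  -l, --keylen - key-length (def:${keylen})

command is one of:
  add       - add a crypted volume
  mount     - mount crypted volume
  remove    - remove crypted volume
  addkey    - add a keyfile to volume
  removekey - remove keyfile from volume
EOUSAGE
  exit "${1:-0}"
}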

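if [ -z "$1" ]; then
  usage
fi

##################################################################################
# main function ##################################################################
##################################################################################

# Options are consumed left to right (name and value, hence 'shift 2'); the
# first command word runs its function and ends the loop. The function's status
# is captured right after the call, because 'break' itself returns 0 and would
# otherwise hide every failure behind rt=0. '${2:?...}' aborts with a message
# when an option is given without a value.
# NOTE(review): --fsbase is applied after fsnum was derived from the default
# base; pass --fsnum as well when the bases differ.
rt=0
ran=0
while [ -n "$1" ]; do
  case "$1" in
    --vg)        vg=${2:?"option $1 needs a value"}; shift 2 ;;
    -n|--fsnum)  fsnum=${2:?"option $1 needs a value"}; shift 2 ;;
    -t|--fstype) fstype=${2:?"option $1 needs a value"}; shift 2 ;;
    -b|--fsbase) fsbase=${2:?"option $1 needs a value"}; shift 2 ;;
    -l|--keylen) keylen=${2:?"option $1 needs a value"}; shift 2 ;;
    -s|--fssize) fssize=${2:?"option $1 needs a value"}; shift 2 ;;
    add)       luks_add_fs "$2"; rt=$?; ran=1; break ;;
    mount)     luks_mount_fs "$2"; rt=$?; ran=1; break ;;
    remove)    luks_remove_fs "$2"; rt=$?; ran=1; break ;;
    addkey)    luks_add_key "$2"; rt=$?; ran=1; break ;;
    removekey) luks_remove_key "$2"; rt=$?; ran=1; break ;;
    *) echo "unknown option or command: $1" >&2; usage ;;
  esac
done

# Only options were given, e.g. 'luks.sh --vg foo': nothing ran.
if [ "${ran}" -eq 0 ]; then
  echo "no command given" >&2
  usage
fi

if [ "${rt}" -gt 0 ]; then
  echo "operation failed with errorcode: ${rt}"
fi
exit "${rt}"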
 
