From bc706d9745c72c3051117641dc90f22856d5075b Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 11 Oct 2013 06:15:17 +0200
Subject: Possibility to skip full-disk encryption.
---
 partition.sh | 44 +++++++++++++++++++++++++-------------------
 1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/partition.sh b/partition.sh
index 3b12468..78cb55d 100755
--- a/partition.sh
+++ b/partition.sh
@@ -14,6 +14,8 @@ set -ue
 device=/dev/sda
 fripost_wipe $device
+db_get fripost-partman/encryption
+encrypt=$RET
 # Create a disk label
 /sbin/parted -s $device mklabel gpt
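Review bot: The debconf answer is copied into `encrypt` with no validation, and the second hunk then tests it unquoted with `[ $encrypt = true ]`, so the encryption step fails open. An empty answer typically makes `[` report a syntax error, which `if` treats as false even under `set -e`, and any value other than the literal `true` takes the same path; in both cases LVM is created directly on the unencrypted partition without any message. I would validate right after the read, `case "$encrypt" in true|false) ;; *) fatal "fripost-partman/encryption: unexpected value '$encrypt'" ;; esac`, and quote the later test as `if [ "$encrypt" = true ]; then`. This assumes `fatal`, which the second hunk's context already calls, is available at this point in the script.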
@@ -31,33 +33,37 @@ db_fset grub-installer/bootdev seen true
 # Create boot and system partitions
 part_boot=$( fripost_mkpart $device boot 64M )
-part_system=$( fripost_mkpart $device system 100% ) #+lvm
+part_system=$( fripost_mkpart $device system 100% )
 /sbin/parted -s $device align-check opt ${part_system#$device} \
 || fatal "$part_system is not aligned"
-# Encrypt the system partition. We choose the key length and digest
-# depending on the architecture we're on; we use AES128 and SHA-256 on
-# 32-bits platforms, and AES256 and SHA-512 on 64-bits platforms.
-arch=$(uname -m)
-if [ x"$arch" = x"x86_64" ]; then
- keysize=256
- hash=sha512
-elif [ x"$arch" = x"i386" -o x"$arch" = x"i686" ]; then
- keysize=128
- hash=sha256
+if [ $encrypt = true ]; then
+ # Encrypt the system partition. We choose the key length and digest
+ # depending on the architecture we're on; we use AES128 and SHA-256
+ # on 32-bits platforms, and AES256 and SHA-512 on 64-bits platforms.
+ arch=$(uname -m)
+ if [ x"$arch" = x"x86_64" ]; then
+ keysize=256
+ hash=sha512
+ elif [ x"$arch" = x"i386" -o x"$arch" = x"i686" ]; then
+ keysize=128
+ hash=sha256
+ fi
+ # Note: XTS requires the key size to be doubled.
+ fripost_encrypt $part_system system_crypt \
+ --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \
+ --iter-time 5000 --use-random
+ part_system=/dev/mapper/system_crypt
 fi
-# Note: XTS requires the key size to be doubled.
-fripost_encrypt $part_system system_crypt \
- --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \
- --iter-time 5000 --use-random
-# Create logical volumes for /, swap and /home using LVM2
+# Ensure LVM2 is installed in the target chroot; create logical volumes
+# for /, swap and /home.
+apt-install lvm2 || true
 vg=$(hostname)
-apt-install lvm2 || true # LVM need to be installed in the target chroot
-pvcreate -ff -y /dev/mapper/system_crypt
-vgcreate $vg /dev/mapper/system_crypt
+pvcreate -ff -y $part_system
+vgcreate $vg $part_system
 lvcreate -L 5G -n root $vg
 lvcreate -L 1G -n swap $vg
--
cgit v1.2.3
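Review bot: The `if`/`elif` on `$arch` inside the new `if [ $encrypt = true ]` block has no `else`, so for any `uname -m` value other than `x86_64`, `i386` or `i686` neither `keysize` nor `hash` is set. With the `set -ue` shown in the first hunk header, the script then presumably stops at `$(( $keysize * 2 ))` with an unbound-variable error rather than a message naming the cause. Adding `else` followed by `fatal "unsupported architecture: $arch"` before the inner `fi` would make that stop explicit, so that refusing to encrypt with undefined parameters no longer depends on `set -u` staying enabled.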