From 6ffad46704d417b7a84cd5088849d77964f99580 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 7 Oct 2013 06:31:59 +0200
Subject: Encryption, LVM.

---
 pre-partman.sh | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

(limited to 'pre-partman.sh')

diff --git a/pre-partman.sh b/pre-partman.sh
index 527299a..de391dd 100755
--- a/pre-partman.sh
+++ b/pre-partman.sh
@@ -29,8 +29,6 @@ while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \
 | sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
 > /tmp/initramfs-modules
-anna-install cryptsetup-udeb
-
 ##############################################################################
 # Slurp encryption key
@@ -198,3 +196,37 @@ parted -a optimal -sm $dev mkpart system ${offset}s $(( $offset2 - 1))s
 system=${dev}$(parted -sm $dev p | grep -m 1 '^[1-9][0-9]*:.*:system:[^:]*;$' | sed 's/:.*//')
 parted -sm $dev align-check opt ${system#$dev}
+
+##############################################################################
+# Encryption
+
+anna-install cryptsetup-udeb crypto-dm-modules
+
+arch=$(uname -m)
+if [ x"$arch" = x"x86_64" ]; then
+ keysize=256
+ hash=sha512
+elif [ x"$arch" = x"i386" -o x"$arch" = x"i686" ]; then
+ keysize=128
+ hash=sha256
+fi
+# Notes: 1/ XTS requires the key size to be doubled, 2/ We use AES128
+# and SHA-256 on 32-bits platforms, and AES256 and SHA-512 on 64-bits
+# platforms.
+# TODO: Note: Generating key... (this may take a while)
+/sbin/cryptsetup -q --align-payload $grain \
+ --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \
+ --iter-time 5000 --use-random --key-file="$keyfile" \
+ luksFormat $system
+/sbin/cryptsetup luksOpen --key-file="$keyfile" $system system_crypt
+rm "$keyfile" # We are on a ramdisk, so it's good enough to unlink(2)
+
+
+##############################################################################
+# LVM
+
+/sbin/pvcreate /dev/mapper/system_crypt
+db_get netcfg/get_hostname
+/sbin/vgcreate "$RET" /dev/mapper/system_crypt
+
+# TODO: Point the installer at the partitions we created
-- 
cgit v1.2.3
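Review bot: The `if`/`elif` chain after `arch=$(uname -m)` sets `keysize` and `hash` only for x86_64 and i386/i686, so on any other architecture the `luksFormat` command below it runs with `--key-size $((  * 2 ))` (a shell arithmetic syntax error) and an empty `--hash`. No `set -e` is visible in this hunk, so unless the script aborts elsewhere, `luksOpen`, `pvcreate` and `vgcreate` would then proceed against a partition that was never formatted. A terminating branch closes the gap: `else`, `  echo "unsupported architecture: $arch" >&2; exit 1`, `fi` (or make the 64-bit parameters the default before the `if`). Further down, `db_get netcfg/get_hostname` feeds `$RET` to `vgcreate` unchecked; a guard such as `[ -n "$RET" ] || exit 1` keeps a failed or empty lookup from creating a volume group with a bogus name, and the hostname should be checked against the characters LVM accepts in a VG name. Minor style: the `-o` inside `[ x"$arch" = x"i386" -o x"$arch" = x"i686" ]` is obsolescent in POSIX; `[ x"$arch" = x"i386" ] || [ x"$arch" = x"i686" ]` is the portable form.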