From 9eeb94e8b531278e0769618d57d5d4538a2fabb4 Mon Sep 17 00:00:00 2001
From: salevdns <24809481+salevdns@users.noreply.github.com>
Date: Thu, 25 Nov 2021 04:44:31 +0100
Subject: [PATCH] Add encryption support to CreatePersistentImg.sh (#1130)

Added option to create persistent fs inside LUKS container. Had to change to #!/bin/bash to parse interactive user input for the encryption passphrase. The _freeloop=$freeloop part is kind of bad style, but I kept it for now to keep changes minimal.
---
 INSTALL/CreatePersistentImg.sh | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/INSTALL/CreatePersistentImg.sh b/INSTALL/CreatePersistentImg.sh
index 8a4480db..3041873f 100644
--- a/INSTALL/CreatePersistentImg.sh
+++ b/INSTALL/CreatePersistentImg.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 size=1024
 fstype=ext4
@@ -7,13 +7,14 @@ config=''
 outputfile=persistence.dat
 print_usage() {
- echo 'Usage: CreatePersistentImg.sh [ -s size ] [ -t fstype ] [ -l LABEL ] [ -c CFG ]'
+ echo 'Usage: sudo ./CreatePersistentImg.sh [ -s size ] [ -t fstype ] [ -l LABEL ] [ -c CFG ] [ -e ]'
 echo ' OPTION: (optional)'
 echo ' -s size in MB, default is 1024'
 echo ' -t filesystem type, default is ext4 ext2/ext3/ext4/xfs are supported now'
 echo ' -l label, default is casper-rw'
 echo ' -c configfile name inside the persistence file. File content is "/ union"'
 echo ' -o outputfile name, default is persistence.dat'
+ echo ' -e enable encryption, disabled by default (only few distros support this)'
 echo ''
 }
@@ -33,6 +34,9 @@ while [ -n "$1" ]; do
 elif [ "$1" = "-o" ]; then
 shift
 outputfile=$1
+ elif [ "$1" = "-e" ]; then
+ read -s -p "Encryption passphrase: " passphrase
+ echo
 elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
 print_usage
 exit 0
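Review bot: `read -s -p "Encryption passphrase: " passphrase` accepts an empty passphrase, and the later `[ ! -z "$passphrase" ]` guards then silently produce an unencrypted image even though `-e` was requested; the option should fail loudly instead, e.g. `[ -n "$passphrase" ] || { echo 'empty passphrase, aborting' >&2; exit 1; }` directly after the prompt. The read also lacks `-r` (ShellCheck SC2162), so a backslash in the passphrase is consumed as an escape and the key that ends up in the container differs from what the user typed: `read -r -s -p "Encryption passphrase: " passphrase`. A second prompt that confirms the passphrase would be worth adding here, since a typo yields a container that can never be unlocked. The enclosing `while` argument loop starts and ends outside this hunk.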
@@ -86,6 +90,13 @@ freeloop=$(losetup -f)
 losetup $freeloop "$outputfile"
+if [ ! -z "$passphrase" ]; then
+ printf "$passphrase" | cryptsetup -q --verbose luksFormat $freeloop -
+ printf "$passphrase" | cryptsetup -q --verbose luksOpen $freeloop persist_decrypted -
+ _freeloop=$freeloop
+ freeloop="/dev/mapper/persist_decrypted"
+fi
+
 mkfs -t $fstype $fsopt -L $label $freeloop
 sync
@@ -104,4 +115,9 @@ if [ -n "$config" ]; then
 rm -rf ./persist_tmp_mnt
 fi
+if [ ! -z "$passphrase" ]; then
+ cryptsetup luksClose $freeloop
+ freeloop=$_freeloop
+fi
+
 losetup -d $freeloop
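Review bot: `printf "$passphrase"` on the luksFormat and luksOpen lines uses the passphrase as the printf format string, so any `%` or `\` sequence in it is interpreted (a `%` followed by an invalid conversion also makes printf fail and truncate its output) and the bytes handed to cryptsetup are not the passphrase the user typed; the container opens during this run, but a later interactive unlock with the real passphrase, presumably at boot, will not match. Both lines should read `printf '%s' "$passphrase" | cryptsetup ...`. Neither cryptsetup call is checked, and I see no `set -e` in the visible lines, so a failed luksFormat or luksOpen (cryptsetup missing, no permission, a stale `persist_decrypted` mapping left by an earlier aborted run) still lets the script run `mkfs` and everything after it against `/dev/mapper/persist_decrypted`; append `|| exit 1` to at least the luksOpen pipeline before `freeloop` is reassigned, keeping in mind the loop device then still needs detaching. The fixed mapping name is what makes the stale-mapping collision possible; a per-run name such as `persist_decrypted_$$` would avoid it.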
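Review bot: The luksClose and `losetup -d` cleanup in this hunk only runs when control reaches the end of the script; any `exit` taken between luksOpen and here (or, in bash, an interrupt) leaves the `persist_decrypted` mapping open and the loop device attached, and the next run would then fail at luksOpen because the mapping name already exists. Moving these lines into a `cleanup` function registered with `trap cleanup EXIT` right after `losetup $freeloop "$outputfile"` in the earlier hunk covers every exit path and also replaces the `_freeloop` juggling the description calls bad style, since the function can decide at exit time whether a mapping was opened. The sketch below keeps the existing variable names so the rest of the script is untouched.
```shell
# registered with `trap cleanup EXIT` directly after `losetup $freeloop "$outputfile"`
cleanup() {
  if [ -n "$_freeloop" ]; then
    cryptsetup luksClose "$freeloop"
    freeloop=$_freeloop
  fi
  losetup -d "$freeloop"
}
# … unchanged: config-file mount block; the explicit luksClose / losetup -d lines at the end are dropped …
```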