Add encryption support to CreatePersistentImg.sh (#1130)

Added option to create persistent fs inside LUKS container. Had to change to #!/bin/bash to parse interactive user input for the encryption passphrase. The _freeloop=$freeloop part is kind of bad style, but I kept it for now to keep changes minimal.
2021-11-25 04:44:31 +01:00 · 2021-11-25 04:44:31 +01:00 · 9eeb94e8b5
parent f4987fd7f4
commit 9eeb94e8b5
1 changed files with 18 additions and 2 deletions
--- a/INSTALL/CreatePersistentImg.sh
+++ b/INSTALL/CreatePersistentImg.sh
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash

 size=1024
 fstype=ext4
@ -7,13 +7,14 @@ config=''
 outputfile=persistence.dat

 print_usage() {
-    echo 'Usage:  CreatePersistentImg.sh [ -s size ] [ -t fstype ] [ -l LABEL ] [ -c CFG ]'
+    echo 'Usage:  sudo ./CreatePersistentImg.sh [ -s size ] [ -t fstype ] [ -l LABEL ] [ -c CFG ] [ -e ]'
    echo '  OPTION: (optional)'
    echo '   -s size in MB, default is 1024'
    echo '   -t filesystem type, default is ext4  ext2/ext3/ext4/xfs are supported now'
    echo '   -l label, default is casper-rw'
    echo '   -c configfile name inside the persistence file. File content is "/ union"'
    echo '   -o outputfile name, default is persistence.dat'
+    echo '   -e enable encryption, disabled by default (only few distros support this)'    
    echo ''
 }

@ -33,6 +34,9 @@ while [ -n "$1" ]; do
    elif [ "$1" = "-o" ]; then
        shift
        outputfile=$1
+    elif [ "$1" = "-e" ]; then
+        read -s -p "Encryption passphrase: " passphrase
+        echo
    elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
        print_usage
        exit 0
@ -86,6 +90,13 @@ freeloop=$(losetup -f)

 losetup $freeloop "$outputfile"

+if [ ! -z "$passphrase" ]; then
+    printf "$passphrase" | cryptsetup -q --verbose luksFormat $freeloop -
+    printf "$passphrase" | cryptsetup -q --verbose luksOpen $freeloop persist_decrypted -
+    _freeloop=$freeloop
+    freeloop="/dev/mapper/persist_decrypted"
+fi
+
 mkfs -t $fstype $fsopt -L $label $freeloop 

 sync
@ -104,4 +115,9 @@ if [ -n "$config" ]; then
    rm -rf ./persist_tmp_mnt
 fi

+if [ ! -z "$passphrase" ]; then
+    cryptsetup luksClose $freeloop
+    freeloop=$_freeloop
+fi
+
 losetup -d $freeloop