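#!/usr/bin/env bash
#
# Format a block device as a LUKS container and register it in /etc/crypttab.
#
# Usage: run as root with the target block device as the only argument.
#
# Steps: show and confirm the target, optionally overwrite it with
# pseudo-random data, run `cryptsetup luksFormat` (LUKS1 or LUKS2, chosen
# interactively), optionally enrol a key file, then append a crypttab entry.
#
# bash is required: the script relies on $EUID, ${var,,} and [[ ]]. Under a
# plain POSIX sh the root check and the confirmation prompts do not work.
#
# THIS DESTROYS ALL DATA ON THE TARGET DEVICE.

set -u

readonly CIPHER='aes-xts-plain64'
readonly KEYSIZ='512'    # XTS splits the key in two, so 512 bits means AES-256
readonly HSHTYP='sha512'
readonly ITTIME='5000'   # milliseconds cryptsetup spends on passphrase PBKDF
readonly USERAN='random' # expands to --use-random (the alternative is urandom)
readonly DEVICE="${1:-}"

# Print a message on stderr and stop with a failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print prompt $1, read one line into REPLY, then emit a blank line.
# Stops the script when stdin is exhausted, so no prompt can loop forever.
prompt() {
  printf '%s' "$1"
  read -r REPLY || die "No input available; aborting."
  echo ""
}

# WE NEED ROOT PRIVILEGES
(( EUID == 0 )) || die "This script must be run as root."

# VALIDATE THE TARGET before anything destructive can run against it.
[[ -n "${DEVICE}" ]] || die "Usage: ${0##*/} DEVICE"
[[ -b "${DEVICE}" ]] || die "${DEVICE} is not a block device."

# Refuse to touch a device that is (or whose partitions are) mounted.
if lsblk -nlo MOUNTPOINT "${DEVICE}" | grep -q '[^[:space:]]'; then
  die "${DEVICE} or one of its partitions is mounted; unmount it first."
fi

# CONFIRM THE DEVICE
echo "You are about to format the following device with LUKS:"
echo ""
lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT,LABEL,UUID "${DEVICE}" \
  || die "Cannot inspect ${DEVICE}."
echo ""

prompt "Are you sure [y/N]? "
if [[ "${REPLY,,}" != "y" ]]; then
  echo "Aborting."
  exit 0
fi

# OPTIONAL RANDOM FILL (default is yes; only an explicit "n" skips it)
prompt "Fill ${DEVICE} with random data [Y/n]? "
if [[ "${REPLY,,}" == "n" ]]; then
  echo "Not filling ${DEVICE} with random data."
else
  echo "Filling ${DEVICE} with random data..."
  echo ""
  # AES-CTR keystream over /dev/zero, keyed with a one-off random key.
  # The key is handed to openssl through the environment instead of argv so
  # that it does not show up in the process list while the fill is running.
  fill_key="$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)"
  [[ -n "${fill_key}" ]] || die "Could not generate a fill key."
  # dd is expected to stop with "No space left on device" once the target is
  # full, so the pipeline's exit status is deliberately not treated as fatal.
  FILL_KEY="${fill_key}" openssl enc -aes-256-ctr -pass env:FILL_KEY -nosalt \
    </dev/zero \
    | dd of="${DEVICE}" bs=4M status=progress
  unset fill_key
fi
echo ""

# LUKS VERSION: keep asking until the answer is exactly 1 or 2.
LKSTYP=0
until [[ "${LKSTYP}" == "1" || "${LKSTYP}" == "2" ]]; do
  prompt "Use version 1 or 2? "
  LKSTYP="${REPLY}"
done

echo "Setting up encryption with password..."
echo ""

# Stop here if formatting fails, so crypttab never gets an entry for a
# device that carries no LUKS header.
cryptsetup --type "luks${LKSTYP}" --verbose \
  --cipher "${CIPHER}" --key-size "${KEYSIZ}" --hash "${HSHTYP}" \
  --iter-time "${ITTIME}" "--use-${USERAN}" --verify-passphrase \
  luksFormat "${DEVICE}" \
  || die "luksFormat failed; /etc/crypttab was not modified."
echo ""

# OPTIONAL KEY FILE
# crypttab fields are whitespace-separated, so the key-file column must never
# be empty: "none" means "ask for the passphrase".
EKFILE='none'
prompt "Do you wish to also use a key file [y/N]? "
if [[ "${REPLY,,}" == "y" ]]; then
  prompt "Path to key file: "
  keyfile="${REPLY}"
  if [[ "${keyfile}" != /* || "${keyfile}" =~ [[:space:]] ]]; then
    # A relative path or one containing whitespace cannot be written to
    # crypttab safely, so it is not enrolled at all.
    echo "Key file path must be absolute and free of whitespace; skipping." >&2
  elif [[ ! -f "${keyfile}" || ! -r "${keyfile}" ]]; then
    echo "${keyfile} is not a readable regular file; skipping." >&2
  elif cryptsetup --verbose luksAddKey "${DEVICE}" "${keyfile}"; then
    EKFILE="${keyfile}"
    echo "Keep ${keyfile} readable by root only (e.g. mode 0400)."
  else
    echo "luksAddKey failed; the crypttab entry will use the passphrase." >&2
  fi
  echo ""
fi

# CRYPTTAB ENTRY
# Read the UUID from the LUKS header itself; lsblk can still report cached,
# pre-format data at this point.
DVUUID="$(cryptsetup luksUUID "${DEVICE}")" \
  || die "Cannot read the LUKS UUID of ${DEVICE}."
[[ -n "${DVUUID}" ]] || die "${DEVICE} reports an empty LUKS UUID."

# Mapping name from model and serial: every run of characters outside
# [A-Za-z0-9.-] becomes a single underscore. -d keeps lsblk to the device
# itself so the result is a single line.
DVNAME="$(lsblk -dno MODEL,SERIAL "${DEVICE}" | head -n 1 \
  | tr -cs 'A-Za-z0-9.-' '_')"
DVNAME="${DVNAME#_}"
DVNAME="${DVNAME%_}"
# Partitions and some virtual devices expose neither model nor serial.
[[ -n "${DVNAME}" ]] || DVNAME="luks-${DVUUID}"

echo "Added the following line to /etc/crypttab:"
echo ""

# Cipher, hash and key size live in the LUKS header, so the entry only needs
# the "luks" option. crypttab options are comma-separated; a colon-joined
# cipher=...:...:size=... string is not valid option syntax.
printf '%s\tUUID=%s\t%s\t%s\n' "${DVNAME}" "${DVUUID}" "${EKFILE}" "luks" \
  | tee -a /etc/crypttab \
  || die "Could not append to /etc/crypttab."
echo ""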