disk/mkcrypt

#!/usr/bin/env sh

CIPHER="aes-xts-plain64"
KEYSIZ='512'
HSHTYP='sha512'
ITTIME='5000'
USERAN='random'
DEVICE="${1}"
LKSTYP=0

# WE NEED ROOT PRIVILEGES

if [ $EUID -ne 0 ]; then
  echo "This script must be run as root."
  exit 1
fi

# CONFIRM THE DEVICE

echo "You are about to format the following device with LUKS:"
echo ""

\lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT,LABEL,UUID "${DEVICE}"
echo ""

echo -n "Are you sure [y/N]? "
read CONFRM
echo ""

if [ "${CONFRM,,}" = "y" ]; then

  echo -n "Fill ${DEVICE} with random data [Y/n]? "
  read DEVFIL
  echo ""

  if [ "${DEVFIL,,}" = "n" ]; then
    echo "Not filling ${DEVICE} with random data."
  else
    echo "Filling ${DEVICE} with random data..."
    echo ""
    openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt </dev/zero | sudo dd of=${DEVICE} bs=4M status=progress
  fi

  echo ""

  while [ ! "${LKSTYP}" = "1" ] && [ ! "${LKSTYP}" = "2" ]; do
    echo -n "Use version 1 or 2? "
    read LKSTYP
    echo ""
  done

  echo "Setting up encryption with password..."
  echo ""

  cryptsetup --type luks${LKSTYP} --verbose --cipher "${CIPHER}" --key-size "${KEYSIZ}" --hash "${HSHTYP}" --iter-time "${ITTIME}" --use-${USERAN} --verify-passphrase luksFormat "${DEVICE}"
  echo ""

  echo -n "Do you wish to also use a key file [y/N]? "
  read CONFRM
  echo ""

  if [ "${CONFRM,,}" = "y" ]; then
    echo -n "Path to key file: "
    read EKFILE
    echo ""
    cryptsetup --verbose luksAddKey "${DEVICE}" "${EKFILE}"
    echo ""
  fi

  DVUUID="$(\lsblk -nlo UUID "${DEVICE}")"
  DVNAME="$(\lsblk -nlo MODEL,SERIAL "${DEVICE}" | sed 's/  */ /g' | tr ' ' '_')"

  echo "Added the following line to /etc/crypttab:"
  echo ""

  echo "${DVNAME}"$'\t'"UUID=${DVUUID}"$'\t'"${EKFILE}"$'\t'"cipher=aes-xts-plain64:sha512:size=512" | tee -a /etc/crypttab
  echo ""

else

  echo "Aborting."

fi