Here is a solution I am using in Lucid and Maverick, when not using LVM so as to allow use of separately encrypted partitions. This is to support multi-disk video editing machines. It is crude and uses hardcoded UUID values for each partition, not reading crypttab for now. Eventually I will play with making it use the crypttab values, but I was simply seeking a quick solution when I wrote this. I've been using this for months with no problems.

ALGORITHM:

Steps:
1: prompt for passphrase, cache in a variable in ram (runs in initramfs, nothing should write to any disk)
   a: if plymouth is running, use plymouth ask-for-passphrase
2: unlock encrypted volumes-hard code these into script for now
3: if cryptsetup returns error, go back to 1.
4: forcibly reset the variable to a string of zeros
5: Delete the variable
6: exit

INITRAMFS SCRIPT:

Name Cryptall, remove cryptroot in /usr/share/initramfs-tools/scripts/local-top

#!/bin/sh

# This is a drop-in replacement for cryptsetup's cryptroot script. It
# caches the passphrase in ram, unlocks all volumes, then deletes the
# cached passphrase
#
# HARDCODED FOR LUCID ON /DEV/SDA5
#
# Standard initramfs preamble
#
prereqs()
{
	# Make sure that cryptall is run last in local-top
	for req in "$(dirname "$0")"/*; do
		script=${req##*/}
		if [ "$script" != cryptall ]; then
			echo "$script"
		fi
	done
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

# First attempt: prompt once and cache the passphrase in /tmp/unlock
plymouth "ask-for-password" --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
cat /tmp/unlock | cryptsetup luksOpen /dev/sda5 cryptroot
if [ -e /dev/mapper/cryptroot ] ; then
	plymouth message --text="cryptsetup: cryptroot setup successfully"
else
	# Second attempt
	plymouth message --text="cryptsetup: unknown fstype, bad password or options?"
	plymouth "ask-for-password" --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
	cat /tmp/unlock | cryptsetup luksOpen /dev/sda5 cryptroot
	if [ -e /dev/mapper/cryptroot ] ; then
		plymouth message --text="cryptsetup: cryptroot setup successfully"
	else
		# Third and last attempt
		plymouth message --text="cryptsetup: unknown fstype, bad password or options?"
		plymouth "ask-for-password" --prompt="cryptsetup: unlocking all encrypted boot disks" > /tmp/unlock
		cat /tmp/unlock | cryptsetup luksOpen /dev/sda5 cryptroot
		if [ -e /dev/mapper/cryptroot ] ; then
			plymouth message --text="cryptsetup: cryptroot setup successfully"
		else
			plymouth message --text="Are you sure you are authorized to boot this computer?"
			exit 1
		fi
	fi
fi

# Reuse the cached passphrase for the home partition
cat /tmp/unlock | cryptsetup luksOpen /dev/sda8 crypthome
if [ -e /dev/mapper/crypthome ] ; then
	plymouth message --text="cryptsetup: crypthome setup successfully"
else
	plymouth message --text="home directory passphrase does not match root key-you need to make a new home key"
fi

# Reuse the cached passphrase for the swap partition
cat /tmp/unlock | cryptsetup luksOpen /dev/sda7 cryptswap
if [ -e /dev/mapper/cryptswap ] ; then
	plymouth message --text="cryptsetup: cryptswap setup successfully"
else
	plymouth message --text="swap passphrase does not match root key-you need to make a new swap key"
fi

# Overwrite the cached passphrase with zeros, then delete it
echo "0000000000000000000000000000000000000000000000000000000000000000" >/tmp/unlock
rm /tmp/unlock
exit 0

-- 
Should try given password for next partition
https://bugs.launchpad.net/bugs/139057
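
The post leaves reading crypttab as future work. As an added example (not part of the original post and not code from the cryptsetup package), the following POSIX sh functions read crypttab-format text and pipe one cached passphrase to every entry that expects a typed passphrase, reporting which volumes rejected it. `UNLOCK_CMD`, the function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. UNLOCK_CMD is a hypothetical hook
# (default: the cryptsetup call used in the post) so the logic can be stubbed.
: "${UNLOCK_CMD:=cryptsetup luksOpen}"

# Constructed sample in crypttab format: <name> <source> <key file> <options>
SAMPLE_CRYPTTAB='# constructed sample, not a real system
cryptroot UUID=00000000-0000-4000-8000-000000000005 none luks
crypthome /dev/sda8 none luks

cryptswap /dev/sda7 none luks
cryptdata /dev/sdb1 /etc/keys/data.key luks'

# Map a crypttab source field to a device path.
resolve_source() {
    case $1 in
        UUID=*) echo "/dev/disk/by-uuid/${1#UUID=}" ;;
        *)      echo "$1" ;;
    esac
}

# Read crypttab text on stdin; print "name device" for each entry that expects
# a typed passphrase (key file "none" or "-"). Comments, blank lines and
# key-file entries are skipped.
list_volumes() {
    while read -r name src key opts || [ -n "$name" ]; do
        case $name in ''|\#*) continue ;; esac
        case ${key:-none} in none|-) ;; *) continue ;; esac
        echo "$name $(resolve_source "$src")"
    done
}

# unlock_all PASSPHRASE < crypttab: pipe the one cached passphrase to every
# listed volume. Prints the names that failed; returns 0 only if none did.
unlock_all() {
    failed=""
    vols=$(list_volumes)
    while read -r name dev; do
        [ -n "$name" ] || continue
        printf '%s' "$1" | $UNLOCK_CMD "$dev" "$name" || failed="$failed $name"
    done <<EOF
$vols
EOF
    echo "${failed# }"
    [ -z "$failed" ]
}

# Stand-alone demo: only lists what would be unlocked, touches no device.
printf '%s\n' "$SAMPLE_CRYPTTAB" | list_volumes
```

Because the passphrase is held in a shell variable and handed to each command on stdin, it never appears in a file or in a process argument list.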