# 1. dd if=/dev/urandom of=/crypto_keyfile.bin bs=1 count=512
# 2. Add /crypto_keyfile.bin to FILES in /etc/mkinitcpio.conf
# 3. mkinitcpio -p linux
-# 4. Enable the disable-crypto_keyfiles@<root-disk-id>.service
+# 4. systemctl enable disable-crypto_keyfiles@$(systemd-escape /dev/disk/by-id/xxx).service
# 5. Run this script when you want to reboot without a passphrase
exit 1
fi
-found_devices=""
-for disk_id in $(ls /etc/systemd/system/basic.target.wants/disable-crypto_keyfile@*.service | cut -d'@' -f2 | cut -d. -f1); do
- found=1
- found_devices="${found_devices} /dev/disk/by-id/${disk_id}"
-done
+readarray -t devnames < <(
+ find \
+ /etc/systemd/system/basic.target.wants/ \
+ -maxdepth 1 \
+ -name 'disable-crypto_keyfile@*' \
+ -printf '%f\0' \
+ | xargs -0 -n1 systemd-escape -u --instance
+)
-if [ -z "$found_devices" ]; then
+if [ ${#devnames[@]} = 0 ]; then
echo "Failed to find your encrypted device. You must have disable-crypto_keyfile@.service enabled."
exit 1
fi
echo -n "Enter password for devices: "
read -r -s pw
echo ""
-for device_filename in $found_devices; do
- echo "Adding key to $device_filename"
- sudo cryptsetup luksAddKey "$device_filename" "$crypto_keyfile" --key-slot 7 <<EOF
+for devname in "${devnames[@]}"; do
+ echo "Adding key to $devname"
+ sudo cryptsetup luksAddKey "$devname" "$crypto_keyfile" --key-slot 7 <<EOF
${pw}
EOF
done
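Review bot: The new step 4 text spells the unit `disable-crypto_keyfiles@…` (plural), but the new `find` uses `-name 'disable-crypto_keyfile@*'` and the error message says `disable-crypto_keyfile@.service`, so a user who follows step 4 literally would hit the "Failed to find your encrypted device" exit; align the spellings with the real unit file name, which is not visible here. The pattern also still matches instances enabled under the old raw-disk-id scheme, and `systemd-escape -u --instance` would presumably turn those into strings that are not `/dev/...` paths, so reject any `devname` that does not start with `/` with a clear message before `sudo cryptsetup luksAddKey` runs. GNU xargs runs its command once even when `find` prints nothing, so `xargs -0 -r -n1 systemd-escape -u --instance` avoids a stray systemd-escape error ahead of the emptiness check. The script begins outside the visible lines, so how `crypto_keyfile` is set cannot be checked from here.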