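#!/bin/bash

# Reboot once without having to type the LUKS passphrase at the console.
#
# When using the Arch Linux mkinitcpio encrypt hook, if the file
# /crypto_keyfile.bin exists in the initramfs then it will be used to attempt
# unlocking.
# 1. dd if=/dev/urandom of=/crypto_keyfile.bin bs=1 count=512
# 2. Add /crypto_keyfile.bin to FILES in /etc/mkinitcpio.conf
# 3. mkinitcpio -p linux
# 4. systemctl enable disable-crypto_keyfile@$(systemd-escape /dev/disk/by-id/xxx).service
# 5. Run this script when you want to reboot without a passphrase
#
# Usage: reboot-no-passphrase [REBOOT_CMD]
#   REBOOT_CMD  command run after the key was added (default: "sudo reboot").
#
# Security notes:
# - The keyfile is embedded in the initramfs. Anyone able to read the keyfile
#   or the generated initramfs image can unlock the volume for as long as the
#   keyfile occupies a LUKS key slot, so keep both readable by root only
#   (e.g. chmod 600 /crypto_keyfile.bin).
# - This script enrolls the keyfile in key slot 7. It relies on
#   disable-crypto_keyfile@.service (not part of this file) to revoke it
#   again after boot. If the reboot does not happen, the keyfile stays
#   enrolled; revoke it by hand with "cryptsetup luksKillSlot <device> 7".

crypto_keyfile="/crypto_keyfile.bin"
reboot_cmd="${1:-sudo reboot}"

if [ ! -f "$crypto_keyfile" ]; then
  echo "Failed to find $crypto_keyfile" >&2
  exit 1
fi

# Each enabled disable-crypto_keyfile@<escaped-device>.service names one
# encrypted device; systemd-escape -u --instance turns the unit file name back
# into the device path. -r keeps xargs from running systemd-escape with no
# arguments when find matches nothing.
readarray -t devnames < <(
  find \
    /etc/systemd/system/basic.target.wants/ \
    -maxdepth 1 \
    -name 'disable-crypto_keyfile@*' \
    -printf '%f\0' \
    | xargs -0 -r -n1 systemd-escape -u --instance
)

if [ "${#devnames[@]}" -eq 0 ]; then
  echo "Failed to find your encrypted device. You must have disable-crypto_keyfile@.service enabled." >&2
  exit 1
fi

printf 'Enter password for devices: '
# IFS= keeps leading/trailing whitespace that is part of the passphrase;
# -s suppresses the terminal echo.
IFS= read -r -s pw
echo ""

for devname in "${devnames[@]}"; do
  echo "Adding key to $devname"
  # The passphrase goes to cryptsetup on stdin through the printf builtin, so
  # it never appears in a process argument list, and no here-document (which
  # some bash versions back with a temporary file) is involved.
  if ! printf '%s\n' "$pw" \
    | sudo cryptsetup luksAddKey "$devname" "$crypto_keyfile" --new-key-slot 7; then
    unset pw
    # Rebooting now would leave the machine waiting at the passphrase prompt,
    # so stop instead of continuing.
    echo "Failed to add key to $devname, not rebooting." >&2
    echo "Devices processed before this one may still have the keyfile enrolled in key slot 7." >&2
    exit 1
  fi
done

# Drop the passphrase from the shell's variables before handing over.
unset pw

# Intentionally unquoted: the default "sudo reboot" must be split into words.
# shellcheck disable=SC2086
$reboot_cmd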