#!/bin/bash

# When using the Arch Linux mkinitcpio encrypt if the file /crypto_keyfile.bin
# exists in the initramfs then it will be used to attempt unlocking.
# 1. dd if=/dev/urandom of=/crypto_keyfile.bin bs=1 count=512
# 2. Add /crypto_keyfile.bin to FILES in /etc/mkinitcpio.conf
# 3. mkinitcpio -p linux
# 4. Enable the disable-crypto_keyfiles@<root-disk-id>.service
# 5. Run this script when you want to reboot without a passphrase


crypto_keyfile="/crypto_keyfile.bin"
reboot_cmd="${1:-sudo reboot}"

if [ ! -f "$crypto_keyfile" ]; then
    echo "Failed to find $crypto_keyfile"
    exit 1
fi

found_devices=""
for disk_id in $(ls /etc/systemd/system/basic.target.wants/disable-crypto_keyfile@*.service | cut -d'@' -f2 | cut -d. -f1); do
    found=1
    found_devices="${found_devices} /dev/disk/by-id/${disk_id}"
done

if [ -z "$found_devices" ]; then
    echo "Failed to find your encrypted device. You must have disable-crypto_keyfile@.service enabled."
    exit 1
fi

echo -n "Enter password for devices: "
read -r -s pw
echo ""
for device_filename in $found_devices; do
    echo "Adding key to $device_filename"
    sudo cryptsetup luksAddKey "$device_filename" "$crypto_keyfile" --key-slot 7 <<EOF
${pw}
EOF
done

$reboot_cmd