#!/bin/sh # lh_binary_encryption(1) - encrypts rootfs # Copyright (C) 2006-2007 Daniel Baumann # # live-helper comes with ABSOLUTELY NO WARRANTY; for details see COPYING. # This is free software, and you are welcome to redistribute it # under certain conditions; see COPYING for details. set -e # Including common functions LH_BASE="${LH_BASE:-/usr/share/live-helper}" for FUNCTION in "${LH_BASE}"/functions/*.sh do . "${FUNCTION}" done # Setting static variables DESCRIPTION="encrypts rootfs" HELP="" USAGE="${PROGRAM} [--force]" Arguments "${@}" # Reading configuration files Read_conffile config/common Read_conffile config/bootstrap Read_conffile config/chroot Read_conffile config/binary Read_conffile config/source Read_conffile "${LH_CONFIG}" Set_defaults if [ -z "${LH_ENCRYPTION}" ] then exit 0 fi Echo_message "Begin encrypting root filesystem image..." # Requiring stage file Require_stagefile .stage/bootstrap Require_stagefile .stage/binary_rootfs # Checking stage file Check_stagefile .stage/binary_encryption # Checking lock file Check_lockfile .lock # Creating lock file Create_lockfile .lock case "${LH_INITRAMFS}" in casper) INITFS="casper" ;; live-initramfs) INITFS="live" ;; esac case "${LH_CHROOT_FILESYSTEM}" in ext2) ROOTFS="ext2" ;; plain) Echo_warning "encryption not supported on plain filesystem." exit 0 ;; squashfs) ROOTFS="squashfs" ;; esac # Checking depends Check_package chroot/usr/bin/aespipe aespipe # Restoring cache Restore_cache cache/packages_binary # Installing depends Install_package case "${LH_CHROOT_BUILD}" in enabled) # Moving image mv binary/${INITFS}/filesystem.${LH_CHROOT_FILESYSTEM} chroot echo "Encrypting binary/${INITFS}/filesystem.${ROOTFS} with ${LH_ENCRYPTION}..." cat >> chroot/encrypt.sh << EOF while true do cat filesystem.${ROOTFS} | aespipe -e ${LH_ENCRYPTION} -T > filesystem.${ROOTFS}.tmp && mv filesystem.${ROOTFS}.tmp filesystem.${ROOTFS} && break echo -n "Something went wrong... Retry? [YES/no] " read ANSWER if [ "no" = "${ANSWER}" ] then unset ANSWER break fi done EOF Chroot "sh encrypt.sh" # Move image mv chroot/filesystem.${LH_CHROOT_FILESYSTEM} binary/${INITFS} rm -f chroot/encrypt.sh ;; disabled) while true do cat binary/${INITFS}/filesystem.${ROOTFS} | aespipe -e ${LH_ENCRYPTION} -T > binary/${INITFS}/filesystem.${ROOTFS}.tmp && mv binary/${INITFS}/filesystem.${ROOTFS}.tmp binary/${INITFS}/filesystem.${ROOTFS} && break echo -n "Something went wrong... Retry? [YES/no] " read ANSWER if [ "no" = "${ANSWER}" ] then unset ANSWER break fi done ;; esac # Saving cache Save_cache cache/packages_binary # Removing depends Remove_package # Creating stage file Create_stagefile .stage/binary_encryption