scencrypt-install

#!/bin/bash

build() {
    local mod

    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi

    if [ -d $BUILDROOT/etc/initcpio/gpg ]; then
        echo "WARNING! /etc/initcpio/gpg exists in initramfs buildroot. Huh?"
        rm -rf "$BUILDROOT/etc/initcpio/gpg"
    fi

    mkdir -p $BUILDROOT/etc/initcpio/gpg
    chmod 0700 $BUILDROOT/etc/initcpio/gpg
    echo "pinentry-program /usr/bin/pinentry" > $BUILDROOT/etc/initcpio/gpg/gpg-agent.conf

    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_binary "gpg"
    add_binary "gpg-agent"
    add_binary "pinentry-tty"
    add_binary "gpg-connect-agent"
    add_binary "/usr/lib/gnupg/scdaemon"
    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
    add_binary "/usr/lib/libgcc_s.so.1"

    # add_file "/etc/crypttab" # file is added later line by line

    ln -s "pinentry-tty" "$BUILDROOT/usr/bin/pinentry"

    # create a tmp dir
    mkdir -p $BUILDROOT/tmp

    # Iterate over entries in /etc/crypttab looking for regular keyfiles
    sed -re 's;#.*$;;g' -e '/^[ \t]*$/ d' /etc/crypttab | awk '{print $3;}' | \
    while read f; do
        # Path must begin with a slash and must be a regular file
        if [ "${f:0:1}" = "/" -a -f "$f" ]; then
            # file must end in .gpg
            extension="${f##*.}"
            if [[ "${extension}" =~ ^(gpg|pgp|asc)$ ]] ; then
                # add file line to crypttab
                fgrep -w $f /etc/crypttab >> "$BUILDROOT/tmp/crypttab"

                # Determine the keyid used to encrypt this keyfile
                keyid=$(gpg -q --list-packets --list-only $f 2>&1 | egrep -o '(ID|keyid) [0-9A-F]{16}' | awk '{print $2;}' | tail -1)

                # If we got a keyid, export that key. Recent versions of GPG will fail to
                # export secret key stubs, so if we don't get any output, export just the
                # public key. Note that this means decryption will fail if you add only the
                # public key to root's keyring.
                if [ -n "$keyid" ]; then
                    keyfile="$BUILDROOT/tmp/$keyid.asc"
                    gpg --homedir /root/.gnupg --export-options export-minimal --export-secret-keys -a 0x${keyid} 2>/dev/null > $keyfile
                    if ! egrep -q '.*' $keyfile; then
                        gpg --homedir /root/.gnupg --export-options export-minimal --export -a 0x${keyid} > $keyfile
                    fi
                    gpg --homedir "$BUILDROOT/etc/initcpio/gpg" --import $keyfile
                fi
            fi
            add_file "$f"
        fi
    done

    # Remove duplicate lines (first sort and then use uniq)
    sort "$BUILDROOT/tmp/crypttab" | uniq >  "$BUILDROOT/etc/crypttab"
    # Remove tmp dir
    rm -rf "$BUILDROOT/tmp"

    add_runscript
}

help() {
    cat <<HELPEOF
This hook adds support for the use of smartcards conforming to the OpenPGP
smartcard standard to Arch's initramfs. Encrypted objects listed in
/etc/crypttab will be decrypted with GnuPG during the initramfs stage if the
keyfile path ends in ".gpg". If GnuPG fails to decrypt the key file, the hook
will prompt for the passphrase instead.

Note that non-LUKS disks are unsupported at this time.

HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et: