83 lines
3.1 KiB
Bash
Executable file
83 lines
3.1 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
#echo "this is not yet done!"
|
|
#echo "Currently it does not add swap to /etc/fstab or /etc/crypttab"
|
|
#exit 1
|
|
if [[ "$(whoami)" == "root" ]];then
|
|
printf "[-] running as root, continuing...\n"
|
|
else
|
|
printf "[!] Run this script as root!\n"
|
|
exit 1
|
|
fi
|
|
|
|
read -p '[?] keyfile path [/etc/crypttab.d/swap_key]: ' keyfile_dest
|
|
keyfile_dest=${keyfile_dest:-/etc/crypttab.d/swap_key}
|
|
read -p '[?] swap partition name [swap_crypt]: ' part_name
|
|
part_name=${part_name:-swap_crypt}
|
|
read -p '[?] partition password (input hidden): ' -s part_pass
|
|
while [[ -z "${part_pass}" ]]; do
|
|
printf '[!] empty password\n'
|
|
read -p '[?] partition password (input hidden): ' -s part_pass
|
|
done
|
|
|
|
#printf '\n'
|
|
#lsblk -o NAME,SIZE,FSTYPE
|
|
lsblk -o PATH,SIZE,FSTYPE
|
|
read -p '[?] encrypted swap device: ' swap_blk_dev
|
|
while [[ ! "$(file ${swap_blk_dev})" == *'block'* ]]; do
|
|
printf '[!] bad encrypted swap device\n'
|
|
read -p '[?] encrypted swap device: ' swap_blk_dev
|
|
done
|
|
|
|
printf '[!] ALL DATA AT THE SELECTED KEYFILE PATH WILL BE OVERWRITTEN\n'
|
|
printf '[!] ALL DATA ON THE SELECTED DEVICE WILL BE DELETED\n'
|
|
printf '[!] keyfile path: %s\n' "${keyfile_dest}"
|
|
printf '[!] encrypted swap device: %s\n' "${swap_blk_dev}"
|
|
printf '[!] decrypted partition name: %s\n' "${part_name}"
|
|
read -p '[?] Proceed? [y/N] ' proceed_confirm
|
|
proceed_confirm=${proceed_confirm:-n}
|
|
case "${proceed_confirm}" in
|
|
[Nn][Oo]|[Nn])
|
|
printf '[!] Exiting without making changes\n'
|
|
;;
|
|
*)
|
|
printf '[!] Here we go!\n'
|
|
;;
|
|
esac
|
|
|
|
#exit
|
|
|
|
printf '[-] Writing keyfile...\n'
|
|
mkdir -p "$(dirname ${keyfile_dest})"
|
|
openssl genrsa -out "${keyfile_dest}" 4096
|
|
|
|
printf '[-] Setting keyfile permissions...\n'
|
|
chmod -v 0400 "${keyfile_dest}"
|
|
chown root:root "${keyfile_dest}"
|
|
|
|
printf '[-] Formatting encrypted swap block device...\n'
|
|
#printf '[!] When prompted, set the device\'s password\n'
|
|
printf '%s' "${part_pass}" | cryptsetup luksFormat "${swap_blk_dev}" -
|
|
|
|
printf '[-] Adding keyfile to encrypted device header\n'
|
|
#printf '[!] When prompted, set the device\'s password\n'
|
|
printf '%s' "${part_pass}" | cryptsetup luksAddKey "${swap_blk_dev}" "${keyfile_dest}" -
|
|
|
|
printf '[-] Opening encrypted partition using keyfile\n'
|
|
cryptsetup luksOpen "${swap_blk_dev}" "${part_name}" --key-file "${keyfile_dest}"
|
|
|
|
printf '[-] Creating swap inside encrypted partition\n'
|
|
mkswap "/dev/mapper/${part_name}"
|
|
|
|
crypt_uuid=$(lsblk -rno UUID "${swap_blk_dev}")
|
|
|
|
printf '[!] Finished. Follow the instructions below to complete setup.\n\n'
|
|
printf '[-] 1. Add the following line to your /etc/crypttab file:\n\n'
|
|
printf 'swap_crypt UUID=%s /etc/crypttab.d/swap_key luks,swap,discard\n\n' "${crypt_uuid}"
|
|
printf '[-] 1a. if a similar crypttab entry previously existed, remove it from the crypttab file\n'
|
|
printf '[-] 2. If it does not already exist, add the following line to your /etc/fstab file:\n'
|
|
printf '/dev/mapper/%s none swap sw 0 0\n' "${part_name}"
|
|
printf '[-] 3. run the following command to enable the swap partition for the current session:\n'
|
|
printf 'sudo swapon -a\n'
|
|
printf '[-] 4. run the following command to regenerate your initial ramdisk:\n\n'
|
|
printf 'sudo update-initramfs -u -k all\n\n'
|