3 ### unlock-root KEY-FILE
10 *) echo >&2 "Usage: $0 KEY-FILE"; exit 16 ;;
13 ## Some preflight checks.
14 if [ ! -x
/usr
/bin
/gpg
]; then
15 echo >&2 "$0: can't find GnuPG executable"
19 ## Arrange to have somewhere for the key token.
22 ## Now we try to find a token.
28 ## Wait for a different device to be inserted. The first time through,
29 ## we'll accept any device.
32 ## If there's a token already inserted then go with that.
33 if info
=$
(blkid
-o full
-t LABEL
=keys
); then
37 *) lastuuid
=$UUID; break ;;
43 ## Otherwise we could be here for a while.
45 t
) echo >&2 -n
"Waiting for key token..."; prompt
=nil
;;
53 ## Mount the device read-only somewhere.  Any device carrying the
## `keys' label is accepted above, so the filesystem is untrusted input
## to the kernel's ext2 code; the gpg passphrase below is what actually
## gates the key.  NOTE(review): `-o ro,nodev,nosuid,noexec' would be
## the tighter mount for a removable token.
54 mount
-o ro
-t ext2 UUID
="$UUID" /mnt
/keys
56 ## If we have the key file, then we're done.
57 if [ -f
/mnt
/keys
/"$keyfile".gpg
]; then
59 ## Update the eyecandy, such as it is.
61 nil
) >&2 echo " ok"; prompt
=t
;;
64 ## Get GnuPG to decrypt the key. The enormous `gpg' rune is taken from
65 ## the cryptsetup `decrypt_gnupg' script.  Note that `--no-mdc-warning'
## silences GnuPG's missing-integrity-protection warning, so a key file
## encrypted without an MDC would be decrypted with no tamper check
## (recent GnuPG versions refuse MDC-less data regardless, making the
## flag moot there).  The here-document prevents
66 ## the key ending up in a ps(1) listing, though the expected use-case is
67 ## to run this script from an initramfs so there won't be anyone
70 key
=$
(/lib
/cryptsetup
/askpass
"Enter passphrase for key $1: ")
71 case "$key" in "") break ;; esac
72 if /usr
/bin
/gpg
-q
--batch --no-options
--no-mdc-warning \
73 --no-random-seed-file
--no-default-keyring \
74 --keyring
/dev
/null
--secret-keyring
/dev
/null \
75 --trustdb-name
/dev
/null
--passphrase-fd
0 --decrypt \
76 /mnt
/keys
/"$keyfile".gpg
<<EOF
83 ## Unmount the filesystem.
86 ## If we did anything, stop.
87 case "$win" in t
) break ;; esac