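#! /bin/sh
### udpkey.keyscript KEY/SERVER:PORT[=TAG][#HASH];...
###
### This is an example cryptsetup key-script for fetching keys during early
### boot. The argument is obtained as the `key-file' field from the
### crypttab(5) file. The KEY is the key tag name requested from the
### server(s); the rest of the argument is a udpkey(1) source-spec.
###
### A hook script or similar should arrange for /usr/bin/udpkey to be
### installed and for the following things to be placed in /etc/udpkey in the
### initramfs. See udpkey.initramfs-hook for an example.
###
###	keyring		The keyring file used by udpkey.
###
###	KEY.local	A locally held key fragment. (Optional.)
###
###	seed		A key for udpkey's random-number generator. Ideally, a hook
###			script should write high-quality random data to this file
###			each time the initramfs is constructed.
###
### The generated initramfs will contain important secrets. It must not be
### left readable by unprivileged users.
###
### Standard output of this script is the key material that cryptsetup
### reads; every diagnostic and all chatter from helpers goes to stderr.
###
### Exit status: 16 on a bad argument, 8 when udpkey or the keyring is
### missing; otherwise whatever udpkey returns (it replaces this shell).

set -e

## Check the command-line argument.  Exactly one argument is accepted: a
## non-empty KEY, a `/', then the source-spec (which must contain a `:').
## `tag' is everything before the first `/' and so never contains one;
## `server' is everything after it.
case $#,$1 in
  1,?*/*:*) tag=${1%%/*} server=${1#*/} ;;
  *) printf >&2 '%s\n' "Usage: $0 KEY/SERVER:PORT[=TAG][#HASH];..."; exit 16 ;;
esac

## Some preflight checks.
if [ ! -x /usr/bin/udpkey ]; then
  printf >&2 '%s\n' "$0: can't find udpkey executable"
  exit 8
fi
if [ ! -f /etc/udpkey/keyring ]; then
  printf >&2 '%s\n' "$0: can't find local keyring"
  exit 8
fi

## Make sure we have networking.  The initramfs helpers write progress to
## stdout, which is our key channel, so the whole block is diverted to stderr.
if [ -f /scripts/functions ]; then
  . /scripts/functions
  configure_networking
fi >&2

## Build a command line.  The positional parameters serve as the argument
## vector (POSIX sh has no arrays): each element is passed to udpkey as one
## word exactly as given, so a KEY or source-spec containing whitespace or
## glob characters can neither split into extra arguments nor expand.
## ($1 has already been consumed into tag/server above, so it is safe to
## overwrite the parameters here.)
set -- /usr/bin/udpkey -k/etc/udpkey/keyring
if [ -f /etc/udpkey/seed ]; then
  set -- "$@" -r/etc/udpkey/seed
fi
set -- "$@" "$tag" "$server"
if [ -f "/etc/udpkey/$tag.local" ]; then
  set -- "$@" "/etc/udpkey/$tag.local"
fi

## Ready to rock.
exec "$@"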