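#! /bin/sh
### udpkey.keyscript KEY/SERVER:PORT[=TAG][#HASH];...
###
### This is an example cryptsetup key-script for fetching keys during early
### boot.  The argument is obtained as the `key-file' field from the
### crypttab(5) file.  The KEY is the key tag name requested from the
### server(s); the rest of the argument is a udpkey(1) source-spec.
###
### A hook script or similar should arrange for /usr/bin/udpkey to be
### installed and for the following things to be placed in /etc/udpkey in the
### initramfs.  See udpkey.initramfs-hook for an example.
###
###   keyring     The keyring file used by udpkey.
###
###   KEY.local   A locally held key fragment.  (Optional.)
###
###   seed        A key for udpkey's random-number generator.  Ideally, a hook
###               script should write high-quality random data to this file
###               each time the initramfs is constructed.
###
### The generated initramfs will contain important secrets.  It must not be
### left readable by unprivileged users.
###
### Exit status: 16 on a usage error, 8 if udpkey or the keyring is missing;
### otherwise the script becomes udpkey and exits with its status.

set -e

## Check the command-line argument.  Everything before the first `/' is the
## key tag; the remainder is the source-spec handed to udpkey.  (The subject
## of `case' is not word-split or globbed, so $1 needs no quotes here.)
case $#,$1 in
  1,*/*:*) tag=${1%%/*} server=${1#*/} ;;
  *) echo >&2 "Usage: $0 KEY/SERVER:PORT[=TAG][#HASH];..."; exit 16 ;;
esac

## Some preflight checks.
if [ ! -x /usr/bin/udpkey ]; then
  echo >&2 "$0: can't find udpkey executable"
  exit 8
fi
if [ ! -f /etc/udpkey/keyring ]; then
  echo >&2 "$0: can't find local keyring"
  exit 8
fi

## Make sure we have networking.  The initramfs helper library only exists
## during early boot.  Its output is redirected to stderr so that nothing it
## prints can be mistaken for key material on stdout.
if [ -f /scripts/functions ]; then
  . /scripts/functions
  configure_networking
fi >&2

## Build the argument list in the positional parameters rather than in a
## whitespace-joined string: a tag or source-spec containing spaces or glob
## characters is then passed to udpkey unmodified instead of being split or
## expanded at exec time.  ($1 has already been consumed above.)
set -- /usr/bin/udpkey -k/etc/udpkey/keyring
if [ -f /etc/udpkey/seed ]; then
  set -- "$@" -r/etc/udpkey/seed
fi
set -- "$@" "$tag" "$server"
if [ -f "/etc/udpkey/$tag.local" ]; then
  set -- "$@" "/etc/udpkey/$tag.local"
fi

## Ready to rock.  Replace the shell with udpkey so its stdout goes straight
## back to cryptsetup.
exec "$@"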