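#! /bin/sh
### udpkey.keyscript KEY/SERVER:PORT[=TAG][#HASH];...
###
### This is an example cryptsetup key-script for fetching keys during early
### boot.  The argument is obtained as the `key-file' field from the
### crypttab(5) file.  The KEY is the key tag name requested from the
### server(s); the rest of the argument is a udpkey(1) source-spec.
###
### A hook script or similar should arrange for /usr/bin/udpkey to be
### installed and for the following things to be placed in /etc/udpkey in the
### initramfs.  See udpkey.initramfs-hook for an example.
###
###   keyring     The keyring file used by udpkey.
###
###   KEY.local   A locally held key fragment.  (Optional.)
###
###   seed        A key for udpkey's random-number generator.  Ideally, a hook
###               script should write high-quality random data to this file
###               each time the initramfs is constructed.
###
### The generated initramfs will contain important secrets.  It must not be
### left readable by unprivileged users.
###
### Exit status: 16 for a usage error, 8 when a required file is missing;
### otherwise the status of udpkey(1), which replaces this script via exec.

set -e

udpkey=/usr/bin/udpkey
confdir=/etc/udpkey

## Check the command-line argument.  The KEY tag is everything before the
## first `/'; the remainder is handed to udpkey unchanged as the source-spec.
case $#,$1 in
  1,*/*:*)
    tag=${1%%/*} server=${1#*/}
    ;;
  *)
    printf >&2 '%s\n' "Usage: $0 KEY/SERVER:PORT[=TAG][#HASH];..."
    exit 16
    ;;
esac

## An empty KEY would make us look for `/etc/udpkey/.local' and pass an empty
## tag to udpkey; treat it as a usage error as well.
if [ -z "$tag" ]; then
  printf >&2 '%s\n' "$0: empty KEY in argument \`$1'"
  exit 16
fi

## Some preflight checks.
if [ ! -x "$udpkey" ]; then
  printf >&2 '%s\n' "$0: can't find udpkey executable"
  exit 8
fi
if [ ! -f "$confdir/keyring" ]; then
  printf >&2 '%s\n' "$0: can't find local keyring"
  exit 8
fi

## Make sure we have networking.  Output of the initramfs helpers is sent to
## stderr so that nothing but the key can reach cryptsetup on stdout.
if [ -f /scripts/functions ]; then
  . /scripts/functions
  configure_networking
fi >&2

## Build the argument list in the positional parameters rather than in a
## string: plain sh has no arrays, and re-splitting a string through an
## unquoted `$cmd' would mangle whitespace or glob characters in the KEY tag
## or source-spec.  Every word is quoted, so it reaches udpkey verbatim.
set -- -k"$confdir/keyring"
if [ -f "$confdir/seed" ]; then
  set -- "$@" -r"$confdir/seed"
fi
set -- "$@" "$tag" "$server"
if [ -f "$confdir/$tag.local" ]; then
  set -- "$@" "$confdir/$tag.local"
fi

## Ready to rock.
exec "$udpkey" "$@"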