Bug#529343: debian-installer: physical volume for encryption: doesn't care if already encrypted and kills data
On Tue, May 19, 2009 at 07:02:42AM +0200, Christian Perrier wrote:
> Quoting Tobias Winter (tobias@linuxdingsda.de):
> > When having to reinstall a system with an encrypted root-partition, the installer gives no means to
> > reuse a physical volume for encryption which has already been set up in a previous install.
>
> Already reported as #451535. given the current lack of manpower
> working on partman-crypto, I doubt this is fixed unless someone comes
> up with a patch.
Here's a first pass at this. What do people think?
The one thing I don't think I've got right yet is writing out
/etc/crypttab at the end of installation. This needs a bit more work to
write out the correct files in the partman device directory without
causing partman to reinitialise the encrypted volume.
* Add an "Activate existing encrypted volumes" option to the
partman-crypto main menu. If selected, this searches for existing
volumes, and for each one prompts for its passphrase and attempts to
open it; it then returns directly to the partitioning menu
(closes: #529343, LP: #420080).
=== modified file 'choose_partition/crypto/do_option'
--- choose_partition/crypto/do_option 2009-11-10 14:20:25 +0000
+++ choose_partition/crypto/do_option 2011-09-07 14:18:17 +0000
@@ -12,6 +12,113 @@
. /lib/partman/lib/crypto-base.sh
+find_encrypted_partitions () {
+ local ret dev num id size type fs path name
+
+ ret=1
+ for dev in $DEVICES/*; do
+ [ -d "$dev" ] || continue
+ cd "$dev"
+
+ open_dialog PARTITIONS
+ while { read_line num id size type fs path name; [ "$id" ]; }; do
+ [ "$ret" = 1 ] || continue
+ [ "$fs" != free ] || continue
+ if cryptsetup isLuks "$path" 2>/dev/null; then
+ ret=0
+ fi
+ done
+ close_dialog
+
+ if [ "$ret" = 0 ]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+get_passphrase () {
+ db_set partman-crypto/passphrase-existing ""
+ db_fset partman-crypto/passphrase-existing seen false
+ db_subst partman-crypto/passphrase-existing DEVICE "$1"
+ db_input critical partman-crypto/passphrase-existing
+
+ db_go || return 1
+
+ db_get partman-crypto/passphrase-existing || RET=''
+ echo -n "$RET"
+}
+
+do_cryptsetup () {
+ local id path cryptdev pass
+
+ id="$1"
+ path="$2"
+ cipher="$(cryptsetup luksDump "$path" |
+ sed -n '/^Cipher name:/s/.*[[:space:]]//p')"
+ if [ "$cipher" ]; then
+ crypto_load_modules dm-crypt "$cipher"
+ fi
+
+ cryptdev="${path##*/}_crypt"
+ if ! cryptsetup status "$cryptdev" >/dev/null 2>&1; then
+ while :; do
+ pass="$(get_passphrase "$path")" || return 1
+ if [ -z "$pass" ]; then
+ return 1
+ fi
+ echo -n "$pass" | log-output -t partman-crypto \
+ cryptsetup -d - luksOpen "$path" "$cryptdev" \
+ && break
+ done
+
+ echo "$cryptdev" >"$id/crypt_active"
+ db_subst partman-crypto/text/in_use DEV "${cryptdev##*/}"
+ db_metaget partman-crypto/text/in_use description
+ partman_lock_unit "$(mapdevfs "$path")" "$RET"
+ fi
+}
+
+do_activate () {
+ local dev partitions num id size type fs path name part
+
+ for dev in $DEVICES/*; do
+ [ -d "$dev" ] || continue
+ cd "$dev"
+
+ partitions=
+ open_dialog PARTITIONS
+ while { read_line num id size type fs path name; [ "$id" ]; }; do
+ [ "$fs" != free ] || continue
+ partitions="$partitions $id,$path"
+ done
+ close_dialog
+
+ for part in $partitions; do
+ id="${part%%,*}"
+ path="${part#*,}"
+
+ if cryptsetup isLuks "$path" 2>/dev/null; then
+ do_cryptsetup "$id" "$path" || continue
+ fi
+ done
+ done
+
+ # Encrypted devices as configured by d-i usually contain LVM PVs
+ export LVM_SUPPRESS_FD_WARNINGS=1
+ log-output -t partman-crypto pvscan
+ log-output -t partman-crypto vgscan
+ log-output -t partman-crypto vgchange -a y
+
+ # Tell partman to detect filesystems again.
+ rm -f /var/lib/partman/filesystems_detected
+
+ stop_parted_server
+ restart_partman
+ exit 0
+}
+
do_create () {
local parts line pv output vg pathmap
parts=""
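Review bot: The passphrase read in get_passphrase is never cleared from the debconf database after it is used: `db_set partman-crypto/passphrase-existing ""` runs only before the prompt, so the last passphrase typed stays stored in that question for the rest of the installation, and the cdebconf database may later be preserved in the installer logs. Capture it into a local and clear it immediately, e.g. replace the final two lines with `db_get partman-crypto/passphrase-existing || RET=''; pass="$RET"; db_set partman-crypto/passphrase-existing ""; echo -n "$pass"`. In do_cryptsetup, `cipher` is assigned without appearing in the `local id path cryptdev pass` line, so it leaks into the caller's scope; add it to that list. The `|| continue` after the do_cryptsetup call in do_activate is a no-op, since it is the last statement of the loop body.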
@@ -89,10 +196,25 @@ confirm_changes partman-crypto || exit 0
commit_changes partman-crypto/commit_failed || exit $?
while :; do
+ CHOICES=
+ DESCRIPTIONS=
+ add_choice () {
+ CHOICES="${CHOICES:+$CHOICES, }$1"
+ db_metaget "partman-crypto/mainmenu/$1" description
+ DESCRIPTIONS="${DESCRIPTIONS:+$DESCRIPTIONS, }$RET"
+ }
+ if find_encrypted_partitions; then
+ add_choice activate
+ fi
+ add_choice create
+ add_choice finish
+ db_subst partman-crypto/mainmenu CHOICES "$CHOICES"
+ db_subst partman-crypto/mainmenu DESCRIPTIONS "$DESCRIPTIONS"
db_input critical partman-crypto/mainmenu
db_go || exit 10
db_get partman-crypto/mainmenu
case $RET in
+ activate) do_activate ;; # does not return
create) do_create ;;
finish) break ;;
*)
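Review bot: The add_choice helper is redefined on every pass of the `while :` menu loop, together with the CHOICES/DESCRIPTIONS resets; defining it once above the loop and keeping only the two resets inside reads cleaner and avoids re-running a function definition per menu round trip. find_encrypted_partitions, called from this loop, also `cd`s into each device directory and returns without restoring the working directory, so the do_create branch (its body is outside this hunk) presumably relies on doing its own `cd` — worth a one-line comment here, `# find_encrypted_partitions leaves cwd in the last device dir scanned`, or a `cd` back before returning.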
=== modified file 'debian/partman-crypto.templates'
--- debian/partman-crypto.templates 2009-12-05 22:29:36 +0000
+++ debian/partman-crypto.templates 2011-09-06 23:21:59 +0000
@@ -364,6 +364,14 @@ _Description: Use weak passphrase?
You entered a passphrase that consists of less than ${MINIMUM} characters,
which is considered too weak. You should choose a stronger passphrase.
+Template: partman-crypto/passphrase-existing
+Type: password
+# :sl3:
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be activated.
+
Template: partman-crypto/entropy
Type: entropy
# :sl3:
@@ -430,15 +438,35 @@ _Description: Proceed to install crypto
Template: partman-crypto/mainmenu
Type: select
-Choices-C: create, finish
+Choices-C: ${CHOICES}
+Choices: ${DESCRIPTIONS}
+# :sl3:
+_Description: Encryption configuration actions
+ This menu allows you to configure encrypted volumes.
+
+Template: partman-crypto/mainmenu/activate
+Type: text
# Note to translators : Please keep your translations of the choices
# below a 65 columns limit (which means 65 characters
# in single-byte languages)
# :sl3:
-__Choices: Create encrypted volumes, Finish
+_Description: Activate existing encrypted volumes
+
+Template: partman-crypto/mainmenu/create
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
# :sl3:
-_Description: Encryption configuration actions
- This menu allows you to configure encrypted volumes.
+_Description: Create encrypted volumes
+
+Template: partman-crypto/mainmenu/finish
+Type: text
+# Note to translators : Please keep your translations of the choices
+# below a 65 columns limit (which means 65 characters
+# in single-byte languages)
+# :sl3:
+_Description: Finish
Template: partman-crypto/create/partitions
Type: multiselect
--
Colin Watson [cjwatson@ubuntu.com]