
Commit 6b936e7

authored
Merge pull request #1542 from UndeadDevel/luks_reencrypt_text_patch
LUKS functions text patch & change order of reencrypt and passphrase change
2 parents 851cc7f + d640c3b commit 6b936e7


2 files changed

+24
-20
lines changed


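--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -1148,8 +1148,8 @@ fi
 
 if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
 #Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested
-luks_reencrypt
 luks_change_passphrase
+luks_reencrypt
 elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
 #Reencryption of disk was requested but not passphrase change
 luks_reencrypt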
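Review bot: The reordered call at new line 1152 runs luks_reencrypt unconditionally, with no check of how luks_change_passphrase returned; luks_reencrypt itself bails out with `select_luks_container || return 1`, and if luks_change_passphrase follows the same convention a passphrase change that was abandoned would still be followed by a full reencryption of the container keyed on slot 0. Since luks_reencrypt now derives its passphrase from luks_new_Disk_Recovery_Key_passphrase, the second step only makes sense once the first has actually succeeded, so `luks_change_passphrase && luks_reencrypt` (or an explicit status check with a diagnostic between the two calls) would make that dependency visible. The if/elif chain this hunk belongs to continues past the hunk, so the remaining branches and the closing fi are not visible here.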

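--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -300,20 +300,20 @@ test_luks_current_disk_recovery_key_passphrase()
 select_luks_container || return 1
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 #if no external provisioning provides current Disk Recovery Key passphrase
-echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
+echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 read -r luks_current_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..."
 cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 else
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..."
 cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 fi
 #Validate past cryptsetup-reencrypt attempts
 if [ $? -eq 0 ]; then
 whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
-"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
+"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
 #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round
 unset luks_current_Disk_Recovery_Key_passphrase
@@ -339,24 +339,28 @@ luks_reencrypt() {
 TRACE "Under /etc/luks-functions:luks_reencrypt()"
 while :; do
 select_luks_container || return 1
+#If the user just set a new Disk Recovery Key passphrase
+if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
+luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
+fi
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 #if no external provisioning provides current Disk Recovery Key passphrase
-whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
---msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
-echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
+whiptail --title 'Reencrypt LUKS encrypted container ?' \
+--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under\nthe following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete the TPM Disk Unlock Key slot, if set up, by setting a default\n boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
+echo -e "\nEnter the current Disk Recovery Key passphrase:"
 read -r luks_current_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!"
 cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 else
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!"
 cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 fi
 #Validate past cryptsetup-reencrypt attempts
 if [ $(echo $?) -ne 0 ]; then
 whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
-"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
+"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
 #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round
 unset luks_current_Disk_Recovery_Key_passphrase
@@ -383,37 +387,37 @@ luks_change_passphrase()
 #if actual or new Disk Recovery Key is not provisioned by oem-provisioning file
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
 whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
-"Please enter current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
+"Please enter the current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
 if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
-echo -e "\nEnter desired replacement for actual Disk Recovery Key passphrase (At least 8 characters long):"
+echo -e "\nEnter your desired replacement for the actual Disk Recovery Key passphrase (At least 8 characters long):"
 while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
-{
-read -r luks_new_Disk_Recovery_Key_passphrase
-};done
+{
+read -r luks_new_Disk_Recovery_Key_passphrase
+};done
 fi
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
-echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
+echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 read -r luks_current_Disk_Recovery_Key_passphrase
 fi
 export luks_current_Disk_Recovery_Key_passphrase
 export luks_new_Disk_Recovery_Key_passphrase
 echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
+warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..."
 cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
 else
 #If current and new Disk Recovery Key were exported
 echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
+warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..."
 cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
 fi
 
 #Validate past cryptsetup attempts
 if [ $(echo $?) -ne 0 ]; then
 #Cryptsetup luksChangeKey was unsuccessful
 whiptail --title 'Invalid LUKS passphrase?' --msgbox \
-"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of USB drive,\n And select Boot from USB\n\nHit Enter to continue." 30 60
+"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
 unset luks_current_Disk_Recovery_Key_passphrase
 unset luks_new_Disk_Recovery_Key_passphrase
 #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.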
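Review bot: In the rewritten warn lines at new lines 353 and 357 of luks_reencrypt (and equally 306/310 in test_luks_current_disk_recovery_key_passphrase and 406/412 in luks_change_passphrase), `"$LUKS"` sits inside an already double-quoted string, so the inner quotes close and reopen the string and `$LUKS` is expanded unquoted, subject to word-splitting and globbing if the container path ever contains spaces or glob characters; since the whole message was retyped, this is the moment to write it as `warn "Reencrypting ${LUKS} LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!"`. Separately, the new assignment at 344 sits inside the `while :` loop that opens at 340, so the `unset luks_current_Disk_Recovery_Key_passphrase` at 366 after a failed cryptsetup-reencrypt is overwritten again on the very next pass and the user is never re-prompted while luks_new_Disk_Recovery_Key_passphrase is set, even though the dialog says "Hit Enter to retry". If that is intended because the passphrase was just validated by luks_change_passphrase, the comment at 342 should say so, e.g. `#If the user just set a new Disk Recovery Key passphrase, reuse it on every retry; the unset below only re-prompts when no new passphrase was set`. The loop body continues past the end of the hunk, so the success path and the shred of the temporary key file on that path are not visible here.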
