Adding dm-crypt as core pkg

Signed-off-by: Christian Wuerdig <christian.wuerdig@gmail.com>
2025-09-01 15:08:33 +00:00 · 2018-12-20 11:33:41 +13:00
parent 8cd16c4904
commit a9bc7372de
16 changed files with 491 additions and 1 deletions
--- a/pkg/dm-crypt/Dockerfile
+++ b/pkg/dm-crypt/Dockerfile
@@ -0,0 +1,19 @@
+FROM linuxkit/alpine:3683c9a66cd4da40bd7d6c7da599b2dcd738b559 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out  \
+    alpine-baselayout \
+    cryptsetup \
+    e2fsprogs
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY crypto.sh /usr/bin/crypto
+RUN chmod +x /usr/bin/crypto
+
+CMD ["/usr/bin/crypto"]
--- a/pkg/dm-crypt/build.yml
+++ b/pkg/dm-crypt/build.yml
@@ -0,0 +1,8 @@
+image: dm-crypt
+config:
+  binds:
+    - /dev:/dev
+    - /etc/dm-crypt:/etc/dm-crypt
+  capabilities:
+    - CAP_SYS_ADMIN
+    - CAP_MKNOD
--- a/pkg/dm-crypt/crypto.sh
+++ b/pkg/dm-crypt/crypto.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+set -e
+
+help()
+{
+    echo "Usage: $0 [options] <dm_name> <device>"
+    echo
+    echo "Options:"
+    echo "    -l|--luks       Use LUKS extension"
+    echo "    -k|--key-file   Name of the key file, default: key"
+    echo "    <dm_name>       Name of the device mapper file, the encrypted device will become available under /dev/mapper/<dm_name>"
+    echo "    <device>        The encrypted device (e.g. /dev/sda1, /dev/loop0, etc)"
+    echo
+}
+
+luks=false
+key_file="key"
+
+O=`getopt -l key-file:luks,help -- k:lh "$@"` || exit 1
+eval set -- "$O"
+while true; do
+    case "$1" in
+        -l|--luks)      luks=true; shift;;
+        -k|--key-file)  key_file=$2; shift 2;;
+        -h|--help)      help; exit 0;;
+        --)             shift; break;;
+        *)              echo "Unknown option $1"; help; exit 1;;
+        esac
+done
+
+if [ -z "$1" ]; then
+    echo "Missing argument <dm_name>"
+    help
+    exit 1
+fi
+
+if [ -z "$2" ]; then
+    echo "Missing argument <device>"
+    help
+    exit 1
+fi
+
+dm_name=$1
+device=$2
+dmdev_name="/dev/mapper/$dm_name"
+cipher="aes-cbc-essiv:sha256"
+
+case "$key_file" in
+    /*) ;;
+    *)  key_file="/etc/dm-crypt/$key_file" ;;
+esac
+
+if [ ! -f "$key_file" ]; then
+    echo "Couldn't find encryption keyfile $key_file!"
+    exit 1
+fi
+
+if [ ! -d "/run/cryptsetup" ]; then
+    echo "Creating cryptsetup lock directory"
+    mkdir /run/cryptsetup
+fi
+
+if [ $luks = true ]; then
+    echo "Creating dm-crypt LUKS mapping for $device under $dmdev_name"
+    if ! cryptsetup isLuks $device; then
+        echo "Device $device doesn't seem to have a valid LUKS setup so one will be created."
+        cryptsetup --key-file "$key_file" --cipher "$cipher" luksFormat "$device"
+    fi
+    cryptsetup --key-file "$key_file" luksOpen "$device" "$dm_name"
+else
+    echo "Creating dm-crypt mapping for $device under $dmdev_name"
+    cryptsetup --key-file "$key_file" --cipher "$cipher" create "$dm_name" "$device"
+fi
+
+o=`blkid $dmdev_name`
+if [ -z "$o" ]; then
+	echo "Device $dmdev_name doesn't seem to contain a filesystem, creating one."
+    # dd will write the device until it's full and then return with an error because "no space left"
+    dd if=/dev/zero of="$dmdev_name" || true
+    mkfs.ext4 "$dmdev_name"
+else
+	echo "Device $dmdev_name seems to contain filesystem: $o"
+fi