#!/bin/bash
# unlock-luks: Connect to a host's SSH server running from initramfs to unlock
# LUKS-encrypted disks. Uses the `pass` script to obtain the passphrase.
#
# Usage: unlock-luks <hostname> [extra ssh options...]
#
# The passphrase is read from the "<hostname>/luks" pass entry (or the
# short-hostname variant) and written into the remote passfifo over ssh.

# Abort on the first failing command, including one inside a pipeline.
set -e -o pipefail

# The `pass` helper is expected to live next to this script.
BASE_DIR="$(dirname "$0")"
readonly BASE_DIR
readonly PASS_CMD="$BASE_DIR/pass"

# Remote FIFO that the passphrase is written into.
readonly PASSFIFO='/lib/cryptsetup/passfifo'

# Command run on the host: refuse to write unless the FIFO exists, so the
# secret cannot end up in an ordinary file at that path.
readonly REMOTE_CMD="test -p '$PASSFIFO' && cat > '$PASSFIFO'"
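# Print an error message to stderr and abort the script with status 1.
# Arguments: the message words, joined by single spaces.
# Outputs:   the message, followed by a newline, on stderr.
fail() {
  # printf rather than echo so a message starting with "-n"/"-e" is printed
  # verbatim instead of being parsed as an echo option.
  printf '%s\n' "$*" >&2
  exit 1
}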
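# Positional arguments: the target host, then optional extra ssh options.
HOST="$1"
shift || fail "Usage: $0 <hostname>"

# The host is used both as the ssh destination and as a path component of the
# pass entry, so reject values that could be taken for an option or a path.
case "$HOST" in
  ''|-*|*/*) fail "Invalid hostname: '$HOST'" ;;
esac
SHORT_HOST="${HOST%%.*}"

# Candidate pass entries, most specific first; skip the duplicate lookup when
# the host has no domain part (SHORT_HOST equals HOST).
KEYS=("$HOST")
[ "$SHORT_HOST" = "$HOST" ] || KEYS+=("$SHORT_HOST")

SECRET=
for key in "${KEYS[@]}"; do
  # pass stderr is silenced: a missing entry is expected for the fallback,
  # and any other failure surfaces below as "No secret available".
  SECRET=$("$PASS_CMD" "$key/luks" 2>/dev/null) || continue
  printf '%s\n' "Using secret: '$key/luks'" >&2
  break
done
[ -n "$SECRET" ] || fail "No secret available"

SSH_OPTS=(
  # Avoid DNS at this stage.
  -o VerifyHostKeyDNS=no
  # The SSH server in initramfs typically presents a different host key than
  # the booted system; a distinct alias keeps the two known_hosts entries apart.
  -o HostKeyAlias="initramfs:$HOST"
  # Log in as root.
  -l root
  # Pass any command line parameters.
  "$@"
)

# Feed the passphrase with all newlines stripped. printf into a pipe rather
# than a here-string, so the secret is not spooled through a temporary file
# by the shell.
printf '%s' "$SECRET" | tr -d '\n' |
  ssh "${SSH_OPTS[@]}" "$HOST" "$REMOTE_CMD" || fail "Operation failed"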