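#!/bin/bash
#
# LUKS Encryption Volume Creator (real device mode).
#
# Interactively formats a block device with `cryptsetup luksFormat`, opens it
# under /dev/mapper and creates a filesystem on the mapper device. Every value
# is prompted for; the script takes no command-line arguments.
#
# Usage:    sudo ./cryptsetup_with_bash.sh
# Requires: bash 4+, cryptsetup, lsblk, findmnt, mkfs.<fstype>, root privileges.
#
# This is destructive by design: the chosen device is wiped.
set -euo pipefail

# --- Globals: filled in by the prompt functions, read by the execution steps ---
TARGET_DEVICE=""   # absolute path of the block device to format
CRYPTNAME=""       # device-mapper name; also used as the filesystem label
MAPPER_DEVICE=""   # /dev/mapper/$CRYPTNAME
ENCTYPE=""         # LUKS2 | LUKS1
KEYSIZE=""         # master key size in bits
KDF=""             # Argon2id | PBKDF2
KDF_ARGS=()        # extra luksFormat options for the chosen KDF (may be empty)
FSTYPE=""          # ext4 | xfs | btrfs | f2fs
readonly DEFAULT_ITER_TIME=3000   # PBKDF2 benchmark target, in milliseconds

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# True when $1 is a non-empty string of decimal digits.
# Callers prefix the value with 10# in arithmetic so that leading zeros are
# not interpreted as octal (e.g. "0900" would otherwise be an error).
# Arguments: $1 - value to check
#######################################
is_uint() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# True when $1, or any partition/holder that lsblk lists beneath it, has a
# mount point (active swap shows as [SWAP] in the MOUNTPOINT column).
# findmnt alone only matches the exact device, so a whole disk with a mounted
# partition would otherwise pass the check.
# Arguments: $1 - block device path
#######################################
device_in_use() {
  findmnt -n "$1" >/dev/null 2>&1 && return 0
  lsblk -rno MOUNTPOINT "$1" 2>/dev/null | grep -q .
}

#######################################
# Print the danger banner and refuse to continue without root privileges
# (cryptsetup and mkfs need them anyway; failing early avoids answering every
# prompt before discovering that).
#######################################
show_banner() {
  echo "--- LUKS Encryption Volume Creator (REAL DEVICE MODE) ---"
  echo ""
  echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  echo "!! EXTREME DANGER !!"
  echo "!! !!"
  echo "!! This script will format a REAL BLOCK DEVICE with LUKS. !!"
  echo "!! ALL EXISTING DATA ON THE SELECTED DEVICE WILL BE !!"
  echo "!! PERMANENTLY DESTROYED AND UNRECOVERABLE. !!"
  echo "!! !!"
  echo "!! Double-check the device path you enter.There is NO undo! !!"
  echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  echo ""
  (( EUID == 0 )) || die "Ensure you have root privileges (run with sudo)."
}

#######################################
# 1. List available block devices with guidance on choosing a target.
#######################################
list_devices() {
  echo ""
  echo "Available block devices and partitions:"
  lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT
  echo "---------------------------------------------------------------------"
  echo "Carefully identify the target device (e.g., /dev/sda1, /dev/nvme0n1p3)."
  echo "Do NOT choose a device that is currently mounted or contains data you need."
  echo "Whole disks (like /dev/sda) can be used, but this will erase ALL partitions on it."
  echo "---------------------------------------------------------------------"
  echo ""
}

#######################################
# 2. Prompt for the target block device until a usable one is given.
# Globals: TARGET_DEVICE (written)
# Exits when the user declines to format a device that is in use.
#######################################
select_target_device() {
  local answer=""
  while true; do
    read -r -p "Enter the FULL PATH of the target block device: " TARGET_DEVICE \
      || die "No input; aborting."
    if [[ -z "$TARGET_DEVICE" ]]; then
      echo "Device path cannot be empty."
    elif [[ "$TARGET_DEVICE" != /* ]]; then
      # Requiring an absolute path also guarantees the value can never be
      # parsed as an option ("-...") by cryptsetup or mkfs later on.
      echo "Please enter an absolute path like /dev/sda1 or /dev/nvme0n1p2"
    elif ! test -b "$TARGET_DEVICE"; then
      echo "Error: '$TARGET_DEVICE' is not a valid block device."
      echo "Please enter a path like /dev/sda1 or /dev/nvme0n1p2"
    elif device_in_use "$TARGET_DEVICE"; then
      echo "WARNING: '$TARGET_DEVICE' appears to be mounted or part of a mounted filesystem!"
      lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT "$TARGET_DEVICE"
      read -r -p "Formatting a mounted device is extremely risky. Are you absolutely sure? (yes/NO): " answer \
        || answer=""
      if [[ "${answer,,}" == "yes" ]]; then
        echo "Proceeding despite mounted device warning..."
        break
      fi
      echo "Aborting due to mounted device."
      exit 1
    else
      # Device exists and nothing under it is mounted.
      break
    fi
  done
  echo ""
  echo "Selected target device: $TARGET_DEVICE"
}

#######################################
# 3. Prompt for the mapper name. The name is later used verbatim as the
# device-mapper name, the filesystem label and a command argument, so it is
# restricted to a conservative character set with no leading dash.
# Globals: CRYPTNAME, MAPPER_DEVICE (written)
#######################################
select_volume_name() {
  local name=""
  while true; do
    read -r -p "Enter a logical name for the encrypted volume's mapper (e.g., 'secure_data'): " name \
      || die "No input; aborting."
    if [[ -z "$name" ]]; then
      continue
    elif [[ "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
      break
    fi
    echo "Invalid name: use letters, digits, '.', '_' or '-', starting with a letter or digit."
  done
  CRYPTNAME=$name
  MAPPER_DEVICE="/dev/mapper/$CRYPTNAME"
}

#######################################
# 4-6. Choose LUKS version, key size and PBKDF from fixed menus.
# Globals: ENCTYPE, KEYSIZE, KDF (written)
#######################################
select_encryption_options() {
  local -a key_sizes kdfs

  echo "Select encryption type:"
  select ENCTYPE in LUKS2 LUKS1; do
    if [[ -n "$ENCTYPE" ]]; then echo "Selected Type: $ENCTYPE"; break; else echo "Invalid choice."; fi
  done
  [[ -n "$ENCTYPE" ]] || die "No encryption type selected; aborting."

  # The cipher is left at cryptsetup's default (aes-xts-plain64 for both LUKS
  # versions), and XTS only accepts 256- or 512-bit keys; cryptsetup rejects
  # --key-size 128 for it, so that option is not offered.
  echo "Select key size (bits):"
  if [[ "$ENCTYPE" == "LUKS1" ]]; then key_sizes=("256" "512"); else key_sizes=("512" "256"); fi
  select KEYSIZE in "${key_sizes[@]}"; do
    if [[ -n "$KEYSIZE" ]]; then echo "Selected Key Size: $KEYSIZE bits"; break; else echo "Invalid choice."; fi
  done
  [[ -n "$KEYSIZE" ]] || die "No key size selected; aborting."

  # Argon2id is a LUKS2-only feature; LUKS1 headers always use PBKDF2.
  echo "Select key derivation function:"
  if [[ "$ENCTYPE" == "LUKS2" ]]; then kdfs=("Argon2id" "PBKDF2"); else kdfs=("PBKDF2"); fi
  select KDF in "${kdfs[@]}"; do
    if [[ -n "$KDF" ]]; then echo "Selected KDF: $KDF"; break; else echo "Invalid choice."; fi
  done
  [[ -n "$KDF" ]] || die "No KDF selected; aborting."
}

#######################################
# 7. Prompt for KDF cost parameters and build the luksFormat option list.
# Globals: KDF (read), KDF_ARGS (written, as an array so values are passed
#          as separate arguments without word-splitting or eval)
#######################################
configure_kdf() {
  local input=""
  KDF_ARGS=()

  if [[ "$KDF" == "PBKDF2" ]]; then
    while true; do
      read -r -p "Enter PBKDF2 iteration time target in milliseconds [default: $DEFAULT_ITER_TIME]: " input \
        || die "No input; aborting."
      if [[ -z "$input" ]]; then
        KDF_ARGS=(--iter-time "$DEFAULT_ITER_TIME")
        echo "Using default iteration time: ${DEFAULT_ITER_TIME}ms"
        break
      elif is_uint "$input" && (( 10#$input > 500 )); then
        KDF_ARGS=(--iter-time "$input")
        echo "Using custom iteration time: ${input}ms"
        break
      else
        echo "Invalid time. Enter a positive number > 500, or press Enter for default."
      fi
    done

  elif [[ "$KDF" == "Argon2id" ]]; then
    echo "Configure Argon2id parameters (press Enter to use cryptsetup defaults):"

    # Memory cost (KiB).
    while true; do
      read -r -p "- Memory cost in KiB (e.g., 1048576 for 1GiB) [cryptsetup default]: " input \
        || die "No input; aborting."
      if [[ -z "$input" ]]; then
        echo " Using cryptsetup default memory cost."
        break
      elif is_uint "$input" && (( 10#$input >= 16384 )); then
        KDF_ARGS+=(--pbkdf-memory "$input")
        echo " Using memory cost: $input KiB"
        break
      else echo " Invalid memory value (use KiB, >= 16384, or Enter for default)."; fi
    done

    # Parallel cost (threads).
    while true; do
      read -r -p "- Parallel cost (CPU threads, e.g., 4) [cryptsetup default]: " input \
        || die "No input; aborting."
      if [[ -z "$input" ]]; then
        echo " Using cryptsetup default parallel cost."
        break
      elif is_uint "$input" && (( 10#$input > 0 )); then
        KDF_ARGS+=(--pbkdf-parallel "$input")
        echo " Using parallel cost: $input"
        break
      else echo " Invalid parallel value (must be > 0, or Enter for default)."; fi
    done

    # Iteration (time) cost. This is an iteration count, so it must go through
    # --pbkdf-force-iterations; --iter-time would instead be read as a
    # millisecond benchmark target, turning an input of "4" into a 4 ms KDF.
    # Forcing iterations skips cryptsetup's benchmark, so the user is choosing
    # the full cost explicitly.
    while true; do
      read -r -p "- Iteration cost (e.g., 4) [cryptsetup default]: " input \
        || die "No input; aborting."
      if [[ -z "$input" ]]; then
        echo " Using cryptsetup default iteration cost."
        break
      elif is_uint "$input" && (( 10#$input > 0 )); then
        KDF_ARGS+=(--pbkdf-force-iterations "$input")
        echo " Using iteration cost: $input"
        break
      else echo " Invalid iterations value (must be > 0, or Enter for default)."; fi
    done

    if (( ${#KDF_ARGS[@]} == 0 )); then
      echo "Using all cryptsetup default parameters for Argon2id."
    else
      echo "Using custom Argon2id parameters: ${KDF_ARGS[*]}"
    fi
  fi
}

#######################################
# 8. Choose the filesystem to create on the opened volume.
# Globals: FSTYPE (written), PS3 (written, menu prompt)
#######################################
select_filesystem() {
  local -a names=("ext4" "xfs" "btrfs" "f2fs")
  local -a descr=(
    "ext4: Standard Linux FS. Reliable, journaled, widely compatible."
    "xfs: High-performance 64-bit journaling FS, good for large files/volumes."
    "btrfs: Modern Copy-on-Write FS with snapshots, checksums, pooling."
    "f2fs: Flash-Friendly File System, optimized for SSDs/flash media."
  )
  local idx
  # shellcheck disable=SC2034  # select needs a variable; the choice is taken from REPLY
  local choice

  echo "Select filesystem type:"
  PS3="Choose filesystem number: "
  select choice in "${descr[@]}"; do
    # Validate REPLY ourselves: a non-numeric reply would otherwise make the
    # arithmetic comparison print a syntax error instead of "Invalid choice".
    if is_uint "$REPLY" && (( 10#$REPLY >= 1 && 10#$REPLY <= ${#names[@]} )); then
      idx=$(( 10#$REPLY - 1 ))
      FSTYPE=${names[idx]}
      echo "Selected Filesystem: $FSTYPE"
      break
    else
      echo "Invalid choice. Try again."
    fi
  done
  [[ -n "$FSTYPE" ]] || die "No filesystem selected; aborting."
}

#######################################
# Show the collected configuration and require an explicit confirmation,
# followed by a 5-second grace period, before anything destructive runs.
#######################################
review_and_confirm() {
  echo ""
  echo "--- Review Configuration ---"
  echo "TARGET DEVICE : $TARGET_DEVICE"
  echo "Mapper Name : $CRYPTNAME (/dev/mapper/$CRYPTNAME)"
  echo "Encryption Type : $ENCTYPE"
  echo "Key Size : $KEYSIZE bits"
  echo "KDF : $KDF"
  echo "KDF Arguments : ${KDF_ARGS[*]:-<cryptsetup defaults>}"
  echo "Filesystem : $FSTYPE"
  echo "---------------------------"
  echo ""
  read -r -p "Press 'Enter' to confirm configuration and continue, or 'Ctrl+C' to abort..." \
    || die "No input; aborting."
  echo ""
  echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  echo "!! PROCEEDING TO FORMAT DEVICE !!"
  echo "!! '$TARGET_DEVICE' !!"
  echo "!! ALL DATA WILL BE DESTROYED! !!"
  echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  echo "Script will proceed in 5 seconds. Press Ctrl+C to abort."
  sleep 5
  echo "Proceeding..."
}

#######################################
# EXIT handler: close the mapper if the script stops before the final step,
# so a half-built volume is not left open. Harmless when nothing is open.
#######################################
cleanup() {
  echo "Cleaning up mapper device (if open)..."
  cryptsetup close "$CRYPTNAME" 2>/dev/null || true
}

#######################################
# 9. Format the target device with LUKS.
# -q suppresses cryptsetup's own "Are you sure?" prompt because the script has
# already obtained confirmation. All option values were validated or chosen
# from fixed menus, and KDF_ARGS is expanded element-wise (never via eval).
# The failure is checked with `if !` — under set -e a trailing $? test would
# never be reached.
#######################################
format_luks() {
  echo "Formatting $TARGET_DEVICE with $ENCTYPE LUKS..."
  echo "You will be prompted to enter and verify your new passphrase."
  if ! cryptsetup luksFormat \
      -q \
      --type "$ENCTYPE" \
      --key-size "$KEYSIZE" \
      --pbkdf "$KDF" \
      ${KDF_ARGS[@]+"${KDF_ARGS[@]}"} \
      --verify-passphrase \
      "$TARGET_DEVICE"; then
    die "Error: cryptsetup luksFormat failed. Device not formatted."
  fi
  echo "LUKS formatting successful."
}

#######################################
# 10. Open the freshly formatted volume as $MAPPER_DEVICE.
#######################################
open_luks() {
  echo "Opening LUKS volume as $MAPPER_DEVICE..."
  echo "Enter the passphrase you just set."
  if ! cryptsetup open "$TARGET_DEVICE" "$CRYPTNAME"; then
    die "Error: cryptsetup open failed (check passphrase?)."   # cleanup via trap
  fi
  echo "Volume opened successfully."
}

#######################################
# 11. Create the chosen filesystem on the mapper device.
# The command is built as an array and executed directly; the previous
# string-plus-eval form would have let a label containing quotes or $(...)
# run as shell code.
# NOTE(review): mkfs label length limits (e.g. 16 bytes for ext4, 12 for xfs)
# are not checked here; a long mapper name may be rejected or truncated —
# confirm per filesystem.
#######################################
create_filesystem() {
  local -a mkfs_cmd
  echo "Creating $FSTYPE filesystem on $MAPPER_DEVICE..."
  case "$FSTYPE" in
    ext4)  mkfs_cmd=(mkfs.ext4 -L "$CRYPTNAME" "$MAPPER_DEVICE") ;;
    xfs)   mkfs_cmd=(mkfs.xfs -L "$CRYPTNAME" "$MAPPER_DEVICE") ;;
    btrfs) mkfs_cmd=(mkfs.btrfs -L "$CRYPTNAME" "$MAPPER_DEVICE") ;;
    f2fs)  mkfs_cmd=(mkfs.f2fs -l "$CRYPTNAME" "$MAPPER_DEVICE") ;;
    *) die "Internal Error: Unknown filesystem type selected for mkfs." ;;
  esac
  printf 'Running:'
  printf ' %q' "${mkfs_cmd[@]}"
  printf '\n'
  if ! "${mkfs_cmd[@]}"; then
    die "Error: Filesystem creation (mkfs) failed."   # cleanup via trap
  fi
  echo "Filesystem created."
}

#######################################
# 12. Print mount / close / re-open instructions for the new volume.
#######################################
print_next_steps() {
  local mountpoint="/mnt/$CRYPTNAME"
  echo ""
  echo "--- Success! ---"
  echo "Encrypted volume '$CRYPTNAME' created successfully on '$TARGET_DEVICE'."
  echo "The underlying device $TARGET_DEVICE is formatted."
  echo "The encrypted container is open as $MAPPER_DEVICE."
  echo "A $FSTYPE filesystem has been created on it."
  echo ""
  echo "To use the volume, you can mount it:"
  echo " sudo mkdir -p \"$mountpoint\""
  echo " sudo mount \"$MAPPER_DEVICE\" \"$mountpoint\""
  echo ""
  echo "To close the encrypted volume later (unmount first!):"
  echo " sudo umount \"$mountpoint\""   # or the actual mount point if different
  echo " sudo cryptsetup close \"$CRYPTNAME\""
  echo ""
  echo "To re-open and mount later:"
  echo " sudo cryptsetup open \"$TARGET_DEVICE\" \"$CRYPTNAME\""
  echo " sudo mount \"$MAPPER_DEVICE\" \"$mountpoint\""   # or the actual mount point
  echo "-----------------"
}

#######################################
# Entry point: gather configuration, confirm, then format/open/mkfs.
#######################################
main() {
  show_banner
  list_devices
  select_target_device
  select_volume_name
  select_encryption_options
  configure_kdf
  select_filesystem
  review_and_confirm

  # From here on a partially built volume may be left open. INT/TERM only
  # exit; the EXIT trap does the actual close so there is a single cleanup path.
  trap cleanup EXIT
  trap 'exit 130' INT
  trap 'exit 143' TERM

  format_luks
  open_luks
  create_filesystem
  print_next_steps

  # Success: disarm the cleanup so the mapper stays open for the user.
  trap - EXIT INT TERM
  exit 0
}

main "$@"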