LogalDeveloper/Arch-Linux-Installer
0
Fork 0
Code Issues Activity
Files
14f7b610bb08c4a28c0ee46a7f2aac84118a3940
Arch-Linux-Installer/lib/disk/luks.sh
Logan Fick f6fe732b4b Refactored helpers to reduce duplication and improve naming. 
- Renamed chroot_install/chroot_enable to chroot_pacman_install/chroot_systemd_enable.
- Made chroot_systemd_enable auto-print status, removing need for wrapper functions.
- Used generic prompt helpers instead of duplicating logic in specialized functions.
- Inlined and removed single-use wrapper functions throughout.
2026-01-17 10:58:37 -05:00

155 lines
4.4 KiB
Bash
Raw Blame History

#!/bin/bash
# Copyright 2026 Logan Fick
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# luks.sh - LUKS encryption functions
#
# Manages full-disk encryption using LUKS2:
# - Prompts for encryption passphrase with confirmation
# - Formats partitions with LUKS2 using secure defaults from luks.conf
# - Opens/unlocks encrypted containers for filesystem creation
# - Supports both single-disk and RAID1 encryption setups
# - Securely clears passwords from memory after use
# Format a partition with LUKS encryption
# Arguments:
# $1 - partition path
# $2 - encryption password
setup_luks_encryption() {
local partition="$1"
local password="$2"
print "Setting up encryption on ${partition}..."
# Wrapped manually (not using run_visible_cmd) due to piped password input
echo -ne "${COLOR_BG_GRAY}"
echo -n "$password" | cryptsetup luksFormat \
--type "$LUKS_TYPE" \
--cipher "$LUKS_CIPHER" \
--hash "$LUKS_HASH" \
--key-size "$LUKS_KEY_SIZE" \
--pbkdf "$LUKS_PBKDF" \
--pbkdf-force-iterations "$LUKS_PBKDF_ITERATIONS" \
--pbkdf-memory "$LUKS_PBKDF_MEMORY" \
--pbkdf-parallel "$LUKS_PBKDF_PARALLEL" \
--use-urandom \
--key-file - \
"$partition"
echo -e "${COLOR_RESET}"
}
# Open (unlock) a LUKS container
# Arguments:
# $1 - partition path
# $2 - encryption password
# $3 - mapper name (e.g., cryptroot)
open_luks_container() {
local partition="$1"
local password="$2"
local mapper_name="$3"
print "Unlocking ${partition}..."
# Wrapped manually (not using run_visible_cmd) due to piped password input
echo -ne "${COLOR_BG_GRAY}"
echo -n "$password" | cryptsetup open \
--allow-discards \
--key-file - \
"$partition" \
"$mapper_name"
echo -e "${COLOR_RESET}"
}
# Get the UUID of a LUKS container
# Arguments:
# $1 - partition path
# Outputs:
# UUID to stdout
get_luks_uuid() {
local partition="$1"
cryptsetup luksDump "$partition" | grep 'UUID:' | awk '{print $2}'
}
# Close a LUKS container
# Arguments:
# $1 - mapper name
close_luks_container() {
local mapper_name="$1"
cryptsetup close "$mapper_name" 2>/dev/null || true
}
# Prompt for encryption password with confirmation
# Sets:
# ENCRYPTION_PASSWORD - the entered password
# Returns:
# 0 on success, 1 on mismatch
prompt_encryption_password() {
if ! prompt_password "Please enter your desired encryption passphrase." ENCRYPTION_PASSWORD; then
return 1
fi
return 0
}
# Setup encryption for single-disk mode
# Arguments:
# $1 - root partition path
# Sets:
# LUKS_UUID - UUID of the LUKS container
setup_encryption_single() {
local root_partition="$1"
if ! prompt_encryption_password; then
exit 1
fi
setup_luks_encryption "$root_partition" "$ENCRYPTION_PASSWORD"
open_luks_container "$root_partition" "$ENCRYPTION_PASSWORD" "cryptroot"
LUKS_UUID=$(get_luks_uuid "$root_partition")
# Clear password from memory
unset ENCRYPTION_PASSWORD
}
# Setup encryption for RAID1 mode
# Arguments:
# $1 - first root partition path
# $2 - second root partition path
# Sets:
# LUKS_UUID - UUID of the first LUKS container
# LUKS_UUID_2 - UUID of the second LUKS container
setup_encryption_raid1() {
local root_partition_1="$1"
local root_partition_2="$2"
if ! prompt_encryption_password; then
exit 1
fi
# Setup first disk
setup_luks_encryption "$root_partition_1" "$ENCRYPTION_PASSWORD"
open_luks_container "$root_partition_1" "$ENCRYPTION_PASSWORD" "cryptroot-primary"
LUKS_UUID=$(get_luks_uuid "$root_partition_1")
# Setup second disk
setup_luks_encryption "$root_partition_2" "$ENCRYPTION_PASSWORD"
open_luks_container "$root_partition_2" "$ENCRYPTION_PASSWORD" "cryptroot-secondary"
LUKS_UUID_2=$(get_luks_uuid "$root_partition_2")
# Clear password from memory
unset ENCRYPTION_PASSWORD
}
Reference in New Issue View Git Blame Copy Permalink