#! /bin/sh set -e # Set up encrypted swap using ecryptfs-setup-swap. # # This duplicates some code from user-setup-apply, but this is necessary; # this operation involves disabling swap, can't be done until after the user # page (normally well after partitioning, but may be before partitioning in # noninteractive installs), and must be done before the slideshow starts to # avoid out-of-memory problems. # # Fortunately, in some ways it's simpler to use tools in the live filesystem # to do this! . /usr/share/debconf/confmodule db_get user-setup/encrypt-home [ "$RET" = true ] || exit 0 if [ "$(grep -c "^/" /proc/swaps)" -eq 0 ]; then # No swap partitions, so we can't and don't need to set up encrypted # swap. exit 0 fi # We must allow partitioning to finish before we continue. Unfortunately # there is currently no hook that will reliably run after both the user page # and partitioning, and the parallel questions arrangement makes it hard to # construct one, so for now we have to poll. while pidof -x ubiquity >/dev/null && \ [ ! -e /var/lib/ubiquity/started-installing ]; do sleep 2 done if ! pidof -x ubiquity; then exit 0 fi for module in aes cbc ecb; do modprobe -q "$module" || true done apt-install ecryptfs-utils 2>/dev/null apt-install cryptsetup 2>/dev/null # Temporarily make sure that /etc/fstab and /etc/crypttab match the target # system. ln -f /etc/fstab /etc/fstab.ubiquity if [ -e /etc/crypttab ]; then ln -f /etc/crypttab /etc/crypttab.ubiquity else rm -f /etc/crypttab.ubiquity fi cleanup () { mv /etc/fstab.ubiquity /etc/fstab if [ -e /etc/crypttab.ubiquity ]; then mv /etc/crypttab.ubiquity /etc/crypttab else rm -f /etc/crypttab fi } trap cleanup EXIT cp -a /target/etc/fstab /etc/fstab if [ -e /target/etc/crypttab ]; then cp -a /target/etc/crypttab /etc/crypttab else rm -f /etc/crypttab fi if ! log-output -t ubiquity ecryptfs-setup-swap -f -n; then echo "ecryptfs-setup-swap failed." >&2 db_input critical user-setup/encrypt-home-failed || true db_go || true exit 0 fi # Zero out all encrypted swap partitions. # cryptswap0 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256 # Ideally we would do some kind of progress thing here, but it's not clear # that we can do that sensibly while on a question page. while read name device source options; do if echo "$options" | grep -q "swap"; then case $device in LABEL=*|UUID=*) device="$(blkid -l -o device -t "$device")" [ "$device" ] || continue ;; esac if swapoff $device; then if [ ! -b $device ]; then ONE_MEG=$((1024*1024)) size=$(($(stat -c %s ${device})/${ONE_MEG})) dd if=/dev/zero of=$device bs=${ONE_MEG} count=$size 2>/dev/null || true else dd if=/dev/zero of=$device bs=16M 2>/dev/null || true fi cryptdisks_start "$name" && swapon "/dev/mapper/$name" || true fi fi done < /etc/crypttab cp -a /etc/fstab /etc/crypttab /target/etc/ touch /var/lib/ubiquity/encrypted-swap