| 12345678910111213141516171819202122232425262728293031 |
- #!/bin/sh
- # WARNING: If you use the decrypt_derived keyscript for devices with
- # persistent data (i.e. not swap or temp devices), then you will lose
- # access to that data permanently if something damages the LUKS header
- # of the LUKS device you derive from. The same applies if you luksFormat
- # the device, even if you use the same passphrase(s). A LUKS header
- # backup, or better a backup of the data on the derived device may be
- # a good idea. See the Cryptsetup FAQ on how to do this right.
- if [ -z "$1" ]; then
- echo "$0: must be executed with a crypto device as argument" >&2
- exit 1
- fi
- unset -v keys count
- keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)"
- count="$(printf '%s' "$keys" | wc -l)"
- if [ -n "$keys" ] && [ $count -le 1 ]; then
- if [ "${keys#:}" = "$keys" ]; then
- printf '%s' "$keys" | tr -d '\n'
- else
- echo "$0: device $1 uses the kernel keyring"
- fi
- elif [ $count -eq 0 ]; then
- echo "$0: device $1 doesn't exist or isn't a crypto device" >&2
- else
- echo "$0: more than one device match" >&2
- fi
- exit 1
|
