Added luks creation with keyfile support

scripts/config.sh

@@ -5,6 +5,26 @@ source "$GENTOO_INSTALL_REPO_DIR/scripts/internal_config.sh" || exit 1
 ################################################
 # Disk configuration
 
+# This function will be called when the key for a luks device is needed.
+# Parameters:
+#	$1 will be the id of the luks device as given in `create_luks new_id=<id> ...`.
+# Example: Keyfile
+#   1. Generate a 512-bit (or anything < 8MiB) keyfile with
+#      `dd if=/dev/urandom bs=1024 count=1 of=/path/to/keyfile`
+#   2. Copy the keyfile somewhere safe, but don't delete the original,
+#      which we will use in the live environment.
+#   3. Use `cat /path/to/keyfile` below.
+# Example: GPG Smartcard
+#   Same as above, but do not store a copy of the keyfile and instead store a
+#   gpg encrypted copy: `cat /path/to/keyfile | gpg --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --output /my/permanent/storage/luks-key.gpg`
+luks_getkey() {
+	case "$1" in
+		#'my_luks_partition') echo -n 'yourLuksPassword_MakeItLongAndStrong' ;;
+		*) cat "/path/to/luks-keyfile" ;;
+	esac
+}
+
+# Below you can see examples of how to use the two provided default schemes.
 # See the respective functions in internal_config.sh if you
 # want to use a different disk configuration.
 

scripts/functions.sh

@@ -136,6 +136,7 @@ resolve_id_to_device() {
 		'ptuuid')   get_device_by_ptuuid     "$arg" ;;
 		'uuid')     get_device_by_uuid       "$arg" ;;
 		'mdadm')    get_device_by_mdadm_uuid "$arg" ;;
+		'luks')     get_device_by_luks_uuid  "$arg" ;;
 		*) die "Cannot resolve '$type:$arg' to device (unkown type)"
 	esac
 }
@@ -266,17 +267,34 @@ disk_create_luks() {
 
 	local device="$(resolve_id_to_device "$id")"
 	local uuid="${DISK_ID_TO_UUID[$new_id]}"
-	disk_id_to_resolvable[$new_id]="uuid:$uuid"
+	disk_id_to_resolvable[$new_id]="luks:$uuid"
 
 	einfo "Creating luks ($new_id) on $device ($id)"
+	local luks_key
+	luks_key="$(luks_getkey "$new_id")" \
+		|| die "Error in luks_getkey for id=$id"
 	cryptsetup luksFormat \
-			--uuid="$uuid" \
-			--type=luks2 \
+			--type luks2 \
+			--uuid "$uuid" \
+			--key-file '-' \
 			--cipher aes-xts-plain64 \
-			--key-size 512 \
+			--hash sha512 \
 			--pbkdf argon2id \
-			--iter-time=4000 "$device" \
+			--iter-time 4000 \
+			--key-size 512 \
+			"$device" \
+				<<< "$luks_key" \
 		|| die "Could not create luks on '$device' ($id)"
+	mkdir -p "$LUKS_HEADER_BACKUP_DIR" \
+		|| die "Could not create luks header backup dir '$LUKS_HEADER_BACKUP_DIR'"
+	cryptsetup luksHeaderBackup "$device" \
+			--header-backup-file "$LUKS_HEADER_BACKUP_DIR/luks-header-$id-${uuid,,}.img" \
+		|| die "Could not backup luks header on '$device' ($id)"
+	cryptsetup open --type luks2 \
+			--key-file '-' \
+			"$device" "${uuid,,}" \
+				<<< "$luks_key" \
+		|| die "Could not open luks header on '$device' ($id)"
 }
 
 disk_format() {

scripts/internal_config.sh

@@ -13,6 +13,8 @@ ROOT_MOUNTPOINT="$TMP_DIR/root"
 GENTOO_INSTALL_REPO_BIND="$TMP_DIR/bind"
 # Mountpoint for the script files for access from chroot
 UUID_STORAGE_DIR="$TMP_DIR/uuids"
+# Backup dir for luks headers
+LUKS_HEADER_BACKUP_DIR="$TMP_DIR/luks-headers"
 
 # Flag to track usage of raid (needed to check for mdadm existence)
 USED_RAID=false

scripts/utils.sh

@@ -146,6 +146,10 @@ get_device_by_mdadm_uuid() {
 	echo -n "${DISK_MDADM_UUID_TO_DEVICE[${1,,}]}"
 }
 
+get_device_by_luks_uuid() {
+	echo -n "/dev/mapper/${1,,}"
+}
+
 load_or_generate_uuid() {
 	local uuid
 	local uuid_file="$UUID_STORAGE_DIR/$1"