#!/bin/sh -e # ecryptfs-setup-swap # Copyright (C) 2008 Canonical Ltd. # # Authors: Dustin Kirkland # Patched by: Eric Scott (31 Jan 2015) # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # The cryptswap setup used here follows a guide published at: # * http://ubuntumagnet.com/2007/11/creating-encrypted-swap-file-ubuntu-using-cryptsetup TEXTDOMAIN="ecryptfs-utils" error() { echo `gettext "ERROR:"` "$@" 1>&2 exit 1 } info() { echo `gettext "INFO:"` "$@" } warn() { echo `gettext "WARNING:"` "$@" 1>&2 } usage() { echo echo `gettext "Usage:"` echo " $0 [-f|--force] [-n|--no-reload]" echo exit 1 } # Handle command line options FORCE=0 while [ ! -z "$1" ]; do case "$1" in -f|--force) FORCE=1 shift 1 ;; -n|--no-reload) NO_RELOAD=1 shift 1 ;; *) usage ;; esac done # Ensure that cryptsetup is available [ -x /sbin/cryptsetup ] || error `gettext "Please install"` "'cryptsetup'" # Ensure that we're running with root privileges [ -w /etc/passwd ] || error `gettext "This program must be run with 'sudo', or as root"` # Count swap spaces available if [ $(grep -c "^/" /proc/swaps) -eq 0 ]; then mem=$(grep "^MemTotal:" /proc/meminfo | awk '{print $2}') swapsize=$((4*$mem)) info "You do not currently have any swap space defined." echo echo `gettext "You can create a swap file by doing:"` echo " $ sudo dd if=/dev/zero of=/swapfile count=$swapsize" echo " $ sudo mkswap /swapfile" echo " $ sudo swapon /swapfile" echo echo `gettext "And then re-run"` "$0" echo exit 0 fi swaps=$(grep "^/" /proc/swaps | awk '{print $1}') filtered_swaps=$( for swap in $swaps; do # Make sure this is swap space if [ "$(blkid -o value -s TYPE $swap)" != "swap" ]; then warn "[$swap]" `gettext "does not appear to be swap space, skipping."` continue fi if [ "${swap#/dev/ram}" != "$swap" ] || [ "${swap#/dev/zram}" != "$swap" ]; then warn "[$swap]" `gettext "is a RAM device, skipping."` continue fi # Check if this swap space is already setup for encryption if /sbin/dmsetup table "$swap" 2>/dev/null | grep -qs " crypt "; then warn "[$swap]" `gettext "already appears to be encrypted, skipping."` continue fi base=$(basename "$swap") if grep -qs "^$base.*swap.*cipher" /etc/crypttab 2>/dev/null; then warn "[$swap]" `gettext "already has an entry in /etc/crypttab, skipping."` continue fi if grep -qs "$swap" /etc/initramfs-tools/conf.d/cryptroot 2>/dev/null; then warn "[$swap]" `gettext "already has an entry in /etc/crypttab, skipping."` continue fi echo $swap done ) swaps="$filtered_swaps" if [ -z "$swaps" ]; then warn "There were no usable swap devices to be encrypted. Exiting." exit 0 fi ########################################################################## # Warn the user about breaking hibernate mode if [ "$FORCE" != 1 ]; then echo echo `gettext "WARNING:"` echo `gettext "An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format."` echo echo `gettext "HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!"` echo echo `gettext "NOTE: Your suspend/resume capabilities will not be affected."` echo echo -n `gettext "Do you want to proceed with encrypting your swap?"` "[y/N]: " CONFIRM=`head -n1` echo if [ "$CONFIRM" != "y" -a "$CONFIRM" != "Y" ]; then echo info `gettext "Aborting."` echo exit 0 fi fi ########################################################################## i=0 for swap in $swaps; do info `gettext "Setting up swap:"` "[$swap]" uuid=$(blkid -o value -s UUID $swap) for target in "UUID=$uuid" $swap; do if [ -n "$target" ] && grep -qs "^$target " /etc/fstab; then sed -i "s:^$target :\#$target :" /etc/fstab warn "Commented out your unencrypted swap from /etc/fstab" fi done while :; do i=$((i+1)) [ -e "/dev/mapper/cryptswap$i" ] || break done #Before Patch: # Add crypttab entry #echo "cryptswap$i UUID=$uuid /dev/urandom swap,cipher=aes-cbc-essiv:sha256" >> /etc/crypttab # Add fstab entry #echo "/dev/mapper/cryptswap$i none swap sw 0 0" >> /etc/fstab #After Patch: # Add crypttab entry echo "cryptswap$i UUID=$uuid /dev/urandom swap,cipher=aes-cbc-essiv:sha256,offset=6,noauto" >> /etc/crypttab # Add fstab entry echo "/dev/mapper/cryptswap$i none swap sw,noauto 0 0" >> /etc/fstab # Auto-mount encrypted swap echo "start on started mountall" > /etc/init/cryptswap$i.conf echo "script" >> /etc/init/cryptswap$i.conf echo " /sbin/cryptdisks_start cryptswap$i" >> /etc/init/cryptswap$i.conf echo " /sbin/swapon /dev/mapper/cryptswap$i" >> /etc/init/cryptswap$i.conf echo "end script" >> /etc/init/cryptswap$i.conf #End of Patch done if [ "$NO_RELOAD" != 1 ]; then # Turn swap off swapoff -a # Restart cryptdisks /etc/init.d/cryptdisks restart # Turn the swap on swapon -a fi info `gettext "Successfully setup encrypted swap!"`