Très clairement, ça manque d'explications, mais au moins l'essentiel y est. Ce script est une réponse très personnelle à la question : comment avoir une partition cryptée sur mon ordinateur portable, avec la clé de décryptage placée sur ma clé USB...
Le script principal
à placer dans /etc/init.d
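#!/bin/bash
# mountcrypto.sh Mount crypted filesystems.
#
# Version: @(#)mountcrypto.sh 0.99 17-Mar-2003 olivier@guerrier.com
# based on: @(#)mountall.sh 2.85-9 23-Dec-2003 miquels@cistron.nl
#
# Requires bash: the configuration and the mount loop rely on indexed
# arrays and on the `&>` redirection, which plain POSIX sh does not have.
#
# Every file sourced below is executed as shell code with the privileges
# of this script. /etc/mountcrypto.conf in particular should be owned by
# root and writable by root only.

. /etc/default/rcS
. /etc/init.d/bootclean.sh

# Without a configuration file there is nothing to mount: report and stop.
if [ ! -f /etc/mountcrypto.conf ]; then
  if [ "$VERBOSE" != no ]; then
    echo "Configuration file not found! exiting !"
  fi
  exit 1
fi
. /etc/mountcrypto.conf

# The loop devices are driven through losetup; give up early when the
# binary is missing or not executable. The path is quoted so that it is
# always tested as a single word.
LOSETUP=/sbin/losetup
if [ ! -x "$LOSETUP" ]; then
  if [ "$VERBOSE" != no ]; then
    echo "losetup ($LOSETUP) not found! exiting !"
  fi
  exit 1
fi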
#
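# Mount crypted filesystems in /etc/mountcrypto.conf.
#
# For each configured entry 0..COUNT-1:
#   1. mount the removable device that holds the key (if one is configured),
#   2. if the key file is found, attach the encrypted device to the loop
#      device with the key as passphrase, then fsck and mount it,
#   3. unmount the removable device again.
# Reads LOSETUP, VERBOSE and the K* arrays set earlier in the script and
# in the configuration file.
#
[ "$VERBOSE" != no ] && echo "Mounting crypted filesystems..."

# COUNT is the number of entries; turn it into the highest index.
COUNT=$((COUNT - 1))
[ "$COUNT" -lt 0 ] && exit 0

for ((i = 0; i <= COUNT; i++)); do
  # Mount the removable device containing the key.
  # Errors are discarded here. If this mount fails, the key path tested
  # below resolves on whatever is already present under the mount point
  # directory, not on the removable device.
  if [ -n "${KDEV[$i]}" ] && [ -n "${KMNT[$i]}" ]; then
    mount_opts=()
    [ -n "${KFST[$i]}" ] && mount_opts=(-t "${KFST[$i]}")
    mount "${mount_opts[@]}" "${KDEV[$i]}" "${KMNT[$i]}" 2> /dev/null
  fi

  # The key path is KMNT and KFKEY joined as-is, with no separator added.
  keyfile="${KMNT[$i]}${KFKEY[$i]}"

  if [ -f "$keyfile" ]; then
    # Query the loop device first. This script treats status 0 as
    # "already in use" and status 1 as "free, go ahead".
    "$LOSETUP" "${KLOOP[$i]}" &> /dev/null
    case "$?" in
      0)
        [ "$VERBOSE" != no ] && \
          echo "Device ${KLOOP[$i]} already used, skipping !"
        ;;
      1)
        # Options are collected in an array so that each configured value
        # reaches losetup as exactly one argument.
        loop_opts=(-p 0)
        [ -n "${KALGO[$i]}" ] && loop_opts=("${loop_opts[@]}" -e "${KALGO[$i]}")
        [ -n "${KBITS[$i]}" ] && loop_opts=("${loop_opts[@]}" -k "${KBITS[$i]}")
        [ -n "${KOFFS[$i]}" ] && loop_opts=("${loop_opts[@]}" -o "${KOFFS[$i]}")
        [ -n "${KNHAS[$i]}" ] && loop_opts=("${loop_opts[@]}" -N)

        # "-p 0" makes losetup read the passphrase from stdin, so the key
        # never appears on a command line. The key file is redirected
        # instead of piped through cat: if it cannot be read, losetup is
        # not started at all rather than being fed an empty passphrase.
        if "$LOSETUP" "${loop_opts[@]}" "${KLOOP[$i]}" "${KCRYP[$i]}" < "$keyfile"; then
          # NOTE(review): fsck is called without options and its status is
          # not checked before mounting - confirm it cannot block the boot
          # waiting for console input.
          fsck "${KLOOP[$i]}"
          mount "${KLOOP[$i]}"
        else
          # Do not fsck or mount a loop device that failed to attach.
          [ "$VERBOSE" != no ] && \
            echo "Unable to set up device ${KLOOP[$i]}, skipping !"
        fi
        ;;
      *)
        [ "$VERBOSE" != no ] && \
          echo "Unable to set up device ${KLOOP[$i]}, skipping !"
        ;;
    esac
  else
    [ "$VERBOSE" != no ] && \
      echo "Key for device ${KLOOP[$i]} not found, skipping !"
  fi

  # Unmount the removable device. This is attempted whenever a key device
  # is configured, whether or not the mount above succeeded.
  if [ -n "${KDEV[$i]}" ] && [ -n "${KMNT[$i]}" ]; then
    umount "${KMNT[$i]}" &> /dev/null
  fi
done

# Exit with the status of the last command run in the loop.
exit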
Un exemple de fichier de configuration
à personnaliser et à placer dans /etc
# Configuration for /etc/init.d/mountcrypto.sh: crypted filesystems whose
# secret key is stored on removable media such as a USB key.
#
# This file is sourced by the init script, so it is executed as shell
# code. Keep it owned by root and writable by root only.

# COUNT: how many crypted filesystems are described (0 = none).
# COUNT=0

# KDEV[n]: removable device containing the key.
# When blank, no mount operation is performed (in the author's words:
# you're probably crazy, or using something like supermount - and if so,
# yes, you are crazy :)
#KDEV[0]=/dev/sda1

# KMNT[n]: directory on which KDEV[n] is mounted.
# Leave empty *only* if KDEV[n] is blank as well.
#KMNT[0]=/mnt/

# KFST[n]: filesystem type expected on KDEV[n].
# When blank, mount tries to autodetect it.
#KFST[0]=vfat

# KFKEY[n]: one-line file containing the passphrase.
# The init script appends this value to KMNT[n] as-is to build the path
# of the key file.
#KFKEY[0]=$(uname -n).key

# KCRYP[n]: crypted device or file to be mounted.
#KCRYP[0]=/dev/hdxn

# KLOOP[n]: loop block device to set up.
# If KLOOP[n] is listed in /etc/fstab, it will be mounted.
#KLOOP[0]=/dev/loop0

# KALGO[n]: cryptographic algorithm to use.
#KALGO[0]=aes

# KBITS[n]: number of bits to use in the key.
#KBITS[0]=256

# KOFFS[n]: offset, in bytes, at which the data starts inside the
# specified file or device.
# Leave blank unless you know what you are doing.
#KOFFS[0]=

# KNHAS[n]: when set, the password is not run through a hash function.
# Leave blank unless you know what you are doing; set to 1 if you are sure.
#KNHAS[0]=

# Example: one crypted partition, key on the second partition of a USB key.
COUNT="1"
KDEV[0]="/dev/sda2"
KMNT[0]="/mnt/usbkey"
KFST[0]="ext2"
KFKEY[0]="/usr/share/keys/$(uname -n).key"
KCRYP[0]="/dev/hda3"
KLOOP[0]="/dev/loop0"
KALGO[0]="aes"
KBITS[0]="256"
KOFFS[0]=""
KNHAS[0]=""
Installation
Sous Debian, la commande suivante fait ce qu'il faut pour placer le script dans la séquence de boot.
# update-rc.d mountcrypto.sh start 46 S .