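#!/bin/bash
# Copyright 2017 Christopher Jay Cox
#
# Mainly meant for CentOS, but might be of use on other rpm based distros.
#
# This merely OUTPUTS the commands that set up LUKS on each named disk; pipe the
# output to a shell or save it and run it as a script.
#
# Usage: luks-gen.sh DISK [DISK...]
#   DISK is a simple block device name, i.e. "sda", not "/dev/sda".
#
# End result (when the emitted script is run) is /dev/mapper/<DISK>_crypt, which
# can then be placed under LVM, for example.
#
# Generated script exit codes: 2 key-file directory could not be created,
# 3 /root/keyfile missing, 4 per-disk key file could not be written,
# 5 a cryptsetup step failed.

set -u

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s DISK [DISK...]   (DISK like "sda", not "/dev/sda")\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Accept only plain device names. The name is interpolated into shell commands
# and paths in the emitted script, so anything beyond [A-Za-z0-9_-] is rejected
# to keep that text free of quotes, slashes and metacharacters.
# Arguments: $1 - candidate device name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_disk_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Make sure cryptsetup is installed on this host; install it if missing and
# abort if it still is not present afterwards.
# Returns: 0 on success; exits 1 on failure
#######################################
ensure_cryptsetup() {
  if ! rpm -q cryptsetup >/dev/null 2>&1; then
    yum -y install cryptsetup
  fi
  if ! rpm -q cryptsetup >/dev/null 2>&1; then
    echo 'cryptsetup install fail' >&2
    exit 1
  fi
}

#######################################
# Emit the shell fragment that encrypts one disk.
# The heredoc is deliberately unquoted: ${disk} is expanded now, while \$...
# and \$(...) are left for the emitted script to evaluate at run time.
# Arguments: $1 - device name (already validated)
# Outputs:   shell commands on stdout
#######################################
emit_disk_script() {
  local disk=$1
  # PLACEHOLDER (review): in the copy this was reconstructed from, the command
  # that originally populated /root/keyfile (the passphrase used for luksFormat
  # and luksAddKey) was lost. The emitted script therefore fails closed when
  # /root/keyfile is absent; restore the original creation step before use.
  cat <<HERE
# ---- ${disk} ----
if [ ! -f /root/keyfile ]; then
  # PLACEHOLDER (review): original /root/keyfile creation step lost; restore it here.
  echo '# /root/keyfile missing and no creation step is available' >&2
  exit 3
fi
rc=0
if [ ! -b /dev/${disk} ]; then
  echo '# Disk [/dev/${disk}] not found!' >&2
  rc=1
fi
if [ "\$rc" -eq 0 ]; then
  if [ -b /dev/mapper/${disk}_crypt ]; then
    echo '# Encrypted disk [/dev/mapper/${disk}_crypt] present, skipping...'
  else
    # Key files must never be group/world readable, not even between creation
    # and the chmod below, so tighten the umask before anything is written.
    umask 077
    if [ ! -d /etc/sysconfig/crypto ]; then
      echo '# Creating /etc/sysconfig/crypto area to hold key files.'
      mkdir -m 0700 /etc/sysconfig/crypto || exit 2
    else
      # Area is left immutable after each run; lift that to add a key file.
      chattr -R -i /etc/sysconfig/crypto
      chmod 0700 /etc/sysconfig/crypto
      chmod 0600 /etc/sysconfig/crypto/*
    fi
    dd bs=512 count=4 if=/dev/urandom of=/etc/sysconfig/crypto/luks-keyfile-${disk} iflag=fullblock || exit 4
    cryptsetup --key-file /root/keyfile luksFormat /dev/${disk} || exit 5
    # Ask cryptsetup for the UUID directly instead of scraping blkid output.
    uuid=\$(cryptsetup luksUUID /dev/${disk}) || exit 5
    # Add the per-disk key before recording it in crypttab, so a failed
    # luksAddKey never leaves a crypttab entry pointing at an unusable key.
    cryptsetup --key-file /root/keyfile luksAddKey /dev/${disk} /etc/sysconfig/crypto/luks-keyfile-${disk} || exit 5
    echo 'No checking is done to make sure /etc/crypttab is sane without duplicates'
    echo "${disk}_crypt UUID=\$uuid /etc/sysconfig/crypto/luks-keyfile-${disk} luks" >>/etc/crypttab
    chmod 0500 /etc/sysconfig/crypto
    chmod 0400 /etc/sysconfig/crypto/*
    chattr -R +i /etc/sysconfig/crypto
    cryptsetup --key-file /root/keyfile luksOpen /dev/${disk} ${disk}_crypt || exit 5
  fi
fi
HERE
}

#######################################
# Validate all arguments first (fail fast before touching packages), make sure
# cryptsetup is available, then emit one fragment per disk.
# Arguments: device names
#######################################
main() {
  local disk
  [ "$#" -ge 1 ] || usage
  for disk in "$@"; do
    if ! valid_disk_name "$disk"; then
      printf 'invalid device name: %s (use a plain name such as sda)\n' "$disk" >&2
      exit 2
    fi
  done
  ensure_cryptsetup
  for disk in "$@"; do
    emit_disk_script "$disk"
  done
}

main "$@"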