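#!/usr/bin/env bash
# encryptboot.sh — moves an unencrypted /boot (partition 1) into the LUKS
# container that follows it (partition 2), after backing up the partition
# table sector and the boot filesystem under BACKUP_DIR.
# Usage: ./encryptboot.sh <device>   (e.g. /dev/sda); must be run as root.
#
# Block device to operate on, taken verbatim from the first argument.
# Partitions are addressed as "${DEVICE}1" / "${DEVICE}2" throughout, i.e. the
# digit-suffix naming of /dev/sdX. NOTE(review): NVMe/mmc devices use a "p"
# separator (/dev/nvme0n1p1) and would not resolve this way — TODO confirm scope.
readonly DEVICE="${1}"
# Backups are written relative to the current working directory.
readonly BACKUP_DIR="./backups"
# One timestamp shared by every backup file name so a run's artefacts match.
# Assignment is split from readonly so a failing date cannot be masked.
DATE_FIX=$(date '+%Y%m%d-%H%M%S')
readonly DATE_FIX
# Common dd operands; kept as one string and expanded *unquoted* on purpose so
# it word-splits into separate arguments.
readonly DD_OPTS="bs=512 iflag=fullblock conv=notrunc"
# device-mapper name of the destination logical volume (/dev/mapper/<name>).
readonly TARGET_BOOT="qubes_dom0-boot"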
# Prints the introductory banner describing what the script is about to do.
welcome() {
  local -r rule="################################"
  printf '%s\n' "${rule}" \
    "This script will encrypt an unencrypted /boot partition" \
    "Confirmation will be asked before writing" \
    "${rule}"
}
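#######################################
# Prints the data-loss warning and requires an explicit "YES" to continue.
# Reads one line from stdin; anything else — including EOF from a closed or
# non-interactive stdin — aborts the script, so the confirmation cannot be
# passed by a stray Enter or an empty input stream (the original accepted
# any input, and a failed read was ignored).
# Returns: 0 when the user typed YES; exits 1 otherwise.
#######################################
warning() {
  local -r rule="!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  local reply=""
  printf '%s\n' "${rule}" \
    "The following steps may corrupt and lose your data, continue at your own risk" \
    "${rule}"
  read -r -p "Type YES (uppercase) to continue, anything else to abort: " reply
  if [[ "${reply}" != "YES" ]]; then
    echo "[-] Aborted by user, nothing has been written"
    exit 1
  fi
}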
# Prints the final success line.
adios() {
  printf '%s\n' "[+] Procedure completed!"
}
# Reports a failed write, tries to put the partition table back via restore()
# (defined elsewhere in this file), then terminates the script with status 1.
panic() {
  printf '%s\n' "[*] Something went wrong in a write operation, system may be in a corrupted state. Attempting recovery"
  restore
  exit 1
}
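#######################################
# Writes the saved partition-table sector back to DEVICE. Only the first
# 512 bytes are rewritten, matching what backup_partition_table() saved.
# Called from panic() after a failed write.
# Globals: BACKUP_DIR, DATE_FIX, DEVICE (read)
# Returns: 0 if dd succeeded, 1 if the restore itself failed (the original
#          always returned 0; panic() does not inspect the status).
#######################################
restore() {
  local -r mbr_img="${BACKUP_DIR}/mbr-${DATE_FIX}.img"
  echo "[*] Attempting to restore original partition scheme"
  # Expansions quoted so an unusual device path stays a single dd operand.
  if ! dd if="${mbr_img}" of="${DEVICE}" bs=512 iflag=fullblock conv=notrunc status=progress; then
    echo "[-] Something went wrong restoring, hope you made a backup as advised ☠"
    return 1
  fi
}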
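#######################################
# Verifies that exactly one positional argument (the device) was supplied.
# Arguments: $1 - the caller's argument count ($#)
# Exits 1 with a usage message otherwise; the original exited 0 here, which
# let a wrapper mistake a usage error for success.
#######################################
check_params() {
  local -r argc="${1}"
  if [[ "${argc}" -ne 1 ]]; then
    echo "Usage: ./encryptboot.sh <device>"
    echo "Example: ./encryptboot.sh /dev/sda"
    exit 1
  fi
}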
# Aborts with status 1 unless the effective UID is 0.
check_root() {
  (( EUID == 0 )) && return 0
  echo "[-] This script must be run as root; re-run prefixed with sudo"
  exit 1
}
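#######################################
# Aborts with status 1 unless DEVICE names an existing block device.
# Globals: DEVICE (read)
# (Message wording fixed: "does not exists".)
#######################################
check_device() {
  if [[ ! -b "${DEVICE}" ]]; then
    echo "[-] Device ${DEVICE} does not exist or is not a block device"
    exit 1
  fi
}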
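#######################################
# Copies partition 1 (the unencrypted /boot) to BACKUP_DIR and verifies the
# copy by comparing SHA-256 digests of the partition and the image.
# Globals: DEVICE, BACKUP_DIR, DATE_FIX, DD_OPTS (read);
#          BOOT_HASH (written — restore_boot() compares against it later)
# Exits 1 if the backup directory, the copy or the digest check fails.
# The image is a plaintext copy of /boot; BACKUP_DIR is relative to the cwd.
#######################################
backup_boot() {
  local -r src="${DEVICE}1"
  local -r img="${BACKUP_DIR}/boot-${DATE_FIX}.img"
  local backup_hash
  echo "[+] Backing up boot device"
  if ! mkdir -p "${BACKUP_DIR}"; then
    echo "[-] Cannot create backup directory ${BACKUP_DIR}, exiting"
    exit 1
  fi
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  if ! dd if="${src}" of="${img}" ${DD_OPTS} status=progress; then
    echo "[-] Something went wrong backing up boot partition, exiting"
    exit 1
  fi
  BOOT_HASH=$(sha256sum "${src}" | cut -d ' ' -f 1)
  backup_hash=$(sha256sum "${img}" | cut -d ' ' -f 1)
  # Two empty digests (sha256sum failed) must not compare equal and pass.
  if [[ -z "${BOOT_HASH}" || "${BOOT_HASH}" != "${backup_hash}" ]]; then
    echo "[-] Backup ${img} hash is not equal to ${src} hash, exiting"
    exit 1
  fi
  echo "[+] Backup successful"
}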
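#######################################
# Saves the first 512-byte sector of DEVICE (boot code + MBR partition table)
# to BACKUP_DIR so restore() can put it back.
# Globals: DEVICE, BACKUP_DIR, DATE_FIX, DD_OPTS (read)
# NOTE(review): count=1 covers only an MBR-style table; on a GPT disk the
# partition entries live in the sectors after LBA 0 and would not be saved —
# TODO confirm the target disk is MBR-partitioned before relying on restore().
# Exits 1 if the directory or the copy cannot be created.
#######################################
backup_partition_table() {
  local -r img="${BACKUP_DIR}/mbr-${DATE_FIX}.img"
  echo "[+] Backing up partition table"
  if ! mkdir -p "${BACKUP_DIR}"; then
    echo "[-] Cannot create backup directory ${BACKUP_DIR}, exiting"
    exit 1
  fi
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  if ! dd if="${DEVICE}" of="${img}" ${DD_OPTS} count=1; then
    echo "[-] Something went wrong backing up partition table, exiting"
    exit 1
  fi
}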
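#######################################
# Sanity-checks the two partitions: partition 1 must look like ext4 and
# partition 2 like a LUKS container, judged by `file` on their first 16
# sectors (8 KiB).
# Globals: DEVICE, DD_OPTS (read); BOOT_HEADER, LUKS_HEADER (written)
# Exits 1 on either mismatch. The LUKS branch previously exited 0, so a
# caller could not tell that abort from success.
#######################################
check_headers() {
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  BOOT_HEADER=$(dd if="${DEVICE}1" ${DD_OPTS} count=16 2>/dev/null | file -s -)
  # shellcheck disable=SC2086
  LUKS_HEADER=$(dd if="${DEVICE}2" ${DD_OPTS} count=16 2>/dev/null | file -s -)
  if [[ "${BOOT_HEADER}" != *"ext4"* ]]; then
    echo "[-] ${DEVICE}1 is not an ext4 filesystem"
    exit 1
  fi
  if [[ "${LUKS_HEADER}" != *"LUKS"* ]]; then
    echo "[-] ${DEVICE}2 is not a LUKS container"
    exit 1
  fi
  echo "[+] Headers check completed"
}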
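#######################################
# Reads the start and end sector of the boot partition from parted and derives
# OFFSET, the first sector after it — where partition 2 (the LUKS container)
# is assumed to begin; the two partitions must be adjacent for the later
# steps to work.
# Globals: DEVICE (read); START_OFFSET, END_OFFSET, OFFSET (written, in
#          absolute 512-byte sectors of DEVICE, as printed by "unit s")
# Exits 1 unless the listing yields exactly one "boot" line with sane numeric
# sectors. parted is run once rather than twice so both values come from the
# same listing.
#######################################
get_offsets() {
  local listing matches
  echo "[+] Getting boot partition offsets"
  listing=$(parted -s "${DEVICE}" unit s print)
  # Same selection as before — any line carrying "boot" (the Flags column) —
  # but more than one match would silently garble the fields, so reject it.
  matches=$(grep -c boot <<<"${listing}")
  if [[ "${matches}" -ne 1 ]]; then
    echo "[-] Error parsing boot partition get_offsets"
    exit 1
  fi
  # awk's $2/$3 are the Start/End columns regardless of the padding parted
  # puts before the partition number (cut -f 3/4 relied on a leading blank).
  read -r START_OFFSET END_OFFSET < <(awk '/boot/ { print $2, $3 }' <<<"${listing}" | tr -d 's')
  if [[ ! "${START_OFFSET}" =~ ^[0-9]+$ ]] || [[ ! "${END_OFFSET}" =~ ^[0-9]+$ ]]; then
    echo "[-] Error parsing boot partition get_offsets"
    exit 1
  fi
  if (( START_OFFSET <= 0 || END_OFFSET <= 0 || END_OFFSET <= START_OFFSET )); then
    echo "[-] Error parsing boot partition get_offsets"
    exit 1
  fi
  # First sector after the boot partition.
  OFFSET=$(( END_OFFSET + 1 ))
}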
#######################################
# Removes partitions 1 (boot) and 2 (LUKS) from DEVICE's table; only the
# table is changed, the data area is not touched. On any parted failure
# panic() (defined elsewhere in this file) is invoked to write the saved
# MBR back and exit.
# NOTE(review): partition 2 is presumably the container the running system
# lives on; the kernel may keep the old mapping until reboot — TODO confirm.
# Globals: DEVICE (read)
#######################################
delete_partitions() {
  local -r targets=("1:boot" "2:LUKS")
  local entry
  echo "[+] Deleting old partition scheme"
  for entry in "${targets[@]}"; do
    if ! parted "${DEVICE}" rm "${entry%%:*}"; then
      echo "[-] Something went wrong deleting ${entry#*:} partition"
      panic
    fi
  done
}
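#######################################
# Creates one partition spanning the whole of DEVICE in place of the two just
# deleted; the on-disk data is left where it is. On failure panic() writes
# the saved MBR back and exits.
# Globals: DEVICE (read)
# NOTE(review): "0%" is resolved by parted's alignment, so the new partition's
# first sector is not guaranteed to equal the old START_OFFSET; move_data()
# skips OFFSET sectors relative to that start — TODO confirm the two agree.
# (Message wording fixed: "creatig".)
#######################################
create_partition() {
  echo "[+] Creating new full disk partition"
  if ! parted -s "${DEVICE}" mkpart primary luks 0% 100%; then
    echo "[-] Something went wrong creating the new partition"
    panic
  fi
}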
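#######################################
# Confirms that a LUKS header really sits at absolute sector OFFSET of
# DEVICE — i.e. that the container directly follows the boot partition —
# before any destructive step, and prints the three offsets for the operator.
# Globals: DEVICE, DD_OPTS, START_OFFSET, END_OFFSET, OFFSET (read);
#          LUKS_HEADER (written)
# Exits 1 if no LUKS signature is found there (previously exited 0).
# OFFSET comes from parted's "unit s" listing and is measured from the start
# of the disk, so the probe reads the whole device. The original read
# "${DEVICE}1" with the same skip, which counts from the partition's own
# start and therefore lands past its end.
#######################################
check_offsets() {
  echo "[+] Boot partition start/end sector and expected LUKS sector: ${START_OFFSET} ${END_OFFSET} ${OFFSET}"
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  LUKS_HEADER=$(dd if="${DEVICE}" ${DD_OPTS} skip="${OFFSET}" count=16 2>/dev/null | file -s -)
  if [[ "${LUKS_HEADER}" != *"LUKS"* ]]; then
    echo "[-] Luks header not found at given offset "
    exit 1
  fi
}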
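#######################################
# Shifts the LUKS container's bytes to the start of the new partition 1 with
# an in-place dd (same input and output device, read position ahead of the
# write position). This is the irreversible step: if it fails the container
# is partially overwritten and only the backups in BACKUP_DIR remain.
# Globals: DEVICE, DD_OPTS, OFFSET, BACKUP_DIR (read)
# NOTE(review): skip=OFFSET is an absolute disk sector (see get_offsets),
# while dd here counts from the start of partition 1; the two only agree if
# that partition starts at sector 0, which it cannot. TODO confirm the
# intended skip (END_OFFSET + 1 minus the new partition's start) before
# enabling this step.
# Exits 1 on dd failure (previously exited 0).
#######################################
move_data() {
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  if ! dd if="${DEVICE}1" of="${DEVICE}1" ${DD_OPTS} skip="${OFFSET}" seek=0 status=progress; then
    echo "[-] Failed moving data backwards, hope you had backups because this is most likely total corruption. MBR and boot.img backups are in ${BACKUP_DIR}"
    exit 1
  fi
}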
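#######################################
# Opens the enlarged LUKS container as "qubespv", grows the LVM physical
# volume to the new size and creates a "boot" logical volume from the freed
# space. cryptsetup prompts for the passphrase.
# Globals: DEVICE, TARGET_BOOT (read)
# Exits 1 if any of the three steps fails; the original ran them unchecked,
# so a failed luksOpen was followed by pvresize/lvcreate anyway.
# NOTE(review): pvresize receives the bare mapper name "qubespv" and lvcreate
# receives TARGET_BOOT as its volume group, while restore_boot() writes to
# /dev/mapper/${TARGET_BOOT}, a device-mapper "<vg>-<lv>" name — the VG
# argument is presumably the part before "-boot". TODO confirm both against
# the target system before enabling this step.
#######################################
config_luks_lvm() {
  echo "[+] Extending LVM pool"
  if ! cryptsetup luksOpen "${DEVICE}1" qubespv; then
    echo "[-] Could not open ${DEVICE}1 as a LUKS container, exiting"
    exit 1
  fi
  if ! pvresize qubespv; then
    echo "[-] pvresize failed, exiting"
    exit 1
  fi
  echo "[+] Creating LVM boot partition"
  if ! lvcreate -n boot -l100%FREE "${TARGET_BOOT}"; then
    echo "[-] lvcreate failed, exiting"
    exit 1
  fi
}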
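#######################################
# Writes the boot image saved by backup_boot() into the new logical volume
# and verifies the written region by comparing its SHA-256 with BOOT_HASH.
# Globals: BACKUP_DIR, DATE_FIX, TARGET_BOOT, DD_OPTS, BOOT_HASH (read);
#          LVM_BOOT_HASH (written)
# Exits 1 if the copy fails or the digests differ (the copy branch
# previously exited 0 and the mismatch branch printed an empty message).
# The digest is taken from /dev/mapper/${TARGET_BOOT}, the device dd wrote
# to — the original hashed the bare name ${TARGET_BOOT}, a file in the cwd —
# and only over the image's length, since the volume is sized to 100%FREE
# and is generally larger than the image.
#######################################
restore_boot() {
  local -r img="${BACKUP_DIR}/boot-${DATE_FIX}.img"
  local -r lv="/dev/mapper/${TARGET_BOOT}"
  local img_size
  echo "[+] Copying old boot image in new encrypted LVM volume "
  # DD_OPTS is intentionally unquoted: it holds several dd operands.
  # shellcheck disable=SC2086
  if ! dd if="${img}" of="${lv}" ${DD_OPTS} status=progress; then
    echo "[-] Failed to copy back boot.img to LVM, probably a recoverable state but needs manual intervention"
    exit 1
  fi
  img_size=$(wc -c < "${img}")
  LVM_BOOT_HASH=$(head -c "${img_size}" "${lv}" | sha256sum | cut -d ' ' -f 1)
  # Two empty digests must not compare equal and pass.
  if [[ -z "${BOOT_HASH}" || "${BOOT_HASH}" != "${LVM_BOOT_HASH}" ]]; then
    echo "[-] ${lv} hash is not equal to the boot backup hash, needs manual intervention"
    exit 1
  fi
  echo "[+] Boot partition written back successfully"
}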
#######################################
# Entry point: validates arguments, privileges and the device, takes the
# backups, runs the read-only checks, then asks for confirmation. The
# destructive phase is left commented out exactly as in the original and is
# never executed.
# Arguments: $@ - the script's arguments (only $# is inspected here)
#######################################
main() {
  check_params "$#"
  welcome
  check_root
  check_device
  backup_partition_table
  backup_boot
  check_headers
  get_offsets
  check_offsets
  warning
  # Destructive phase, intentionally disabled:
  #delete_partitions
  #create_partition
  #move_data
  #config_luks_lvm
  #restore_boot
  adios
}
main "$@"