mapfile -t lines < <(awk '! /swap/ {print $2,$1}' /tmp/fai/crypttab )
for l in "${lines[@]}"; do cryptsetup luksOpen $l; done
-# or alternatively, to avoid typing it many times:
-read -r lukspw; for l in "${lines[@]}"; do yes "$lukspw" | cryptsetup luksOpen $l; done
potentially useful later:
sed 's#/root/keyscript,#decrypt_keyctl,#;s/$/,noauto/' /tmp/fai/crypttab >/etc/crypttab
-d Create data partition instead of root partition. Meant for use with -s.
It creates a single lvm pv/vg/lv called "data".
+-k Exit after wiping one disk. Created this to fix an lvm naming conflict.
+
-m Create root/data partition with maximum size instead of the 1tb limit. Meant for use with -s.
-s SPECIAL_DISK For use outside of fai. A base disk name like
skip_o=false
data_part=false
+wipe_only=false
max_size=false
do_special_disk_prompt=true
-temp=$(getopt -l help hc:dms:w:y "$@") || usage 1
+temp=$(getopt -l help hc:dkms:w:y "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
data_part=true
skip_o=true
;;
+ -k) wipe_only=true ;;
-m) max_size=true ;;
-s) special_disk="$2"; shift ;;
-w) swap_mib="$2"; shift ;;
# # note, corresponding changes in /b/ds/keyscript-{on,off}
if ifclass demohost; then
- lukspw=x
+ luks_file2=/tmp/luks_file2
+ echo -n x >$luks_file2
elif [[ -e $luks_dir/$HOSTNAME ]]; then
- lukspw=$(cat $luks_dir/$HOSTNAME)
+ luks_file2=$luks_dir/$HOSTNAME
else
- lukspw=$(cat $luks_dir/iank)
+ luks_file2=$luks_dir/iank
fi
if $mkroot2; then
luks_file=$luks_dir/host-amy
- lukspw=$(cat $luks_dir/amy)
+ luks_file2=$luks_dir/amy
fi
}
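Review bot: Using `$luks_dir/$HOSTNAME`, `$luks_dir/iank` and `$luks_dir/amy` directly as `luks_file2` changes which bytes end up in the second key slot. The removed `lukspw=$(cat …)` stripped trailing newlines, whereas cryptsetup reads a key file in full, newline included. The demohost branch avoids this with `echo -n x`, but nothing in this hunk guarantees it for the other files, so a file ending in a newline would presumably create a slot that a typed passphrase cannot open. I would add a comment such as `# luks_file2 must not end in a newline: it is added as a key file but entered as a passphrase` and fail early if the file's last byte is a newline. Separately, `/tmp/luks_file2` is a fixed name in /tmp; `mktemp` is the safer habit even though the demo value is not secret. The enclosing function starts outside the hunk.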
# https://wiki.archlinux.org/title/Advanced_Format#NVMe_solid_state_drives
# and if sector arg was not given, that can be fixed. First, check that it is 1mib aligned,
# eg. parted -m /dev/mapper/crypt-vgnvme-WD_BLACK_SN850X_8000GB_245244802091-root unit MiB print
- # Then cryptsetup reencrypt --sector-size 4096 device
- if [[ $luksdev == *nvme* ]]; then
- sector_arg="--sector-size 4096"
+ # Then cryptsetup reencrypt --sector-size 4096 device.
+ # -s 256 because according to cryptsetup benchmark, it gives
+ # us about 9% faster encryption on the cpu. Default is 512.
+ # tm_d4_ssd is a usb nvme device.
+ if [[ ${luksdev,,} == *nvme* || ${luksdev,,} == tm_d4_ssd ]]; then
+ sector_arg="--sector-size 4096 -s 256"
fi
- yes YES | cryptsetup luksFormat $sector_arg $luksdev $luks_file || [[ $? == 141 ]]
- yes "$lukspw" | \
- cryptsetup luksAddKey --key-file $luks_file \
- $luksdev || [[ $? == 141 ]]
+ cryptsetup luksFormat -q $sector_arg $luksdev $luks_file
+ cryptsetup luksAddKey --key-file $luks_file $luksdev $luks_file2
# background: Keyfile and password are treated just
# like 2 ways to input a passphrase, so we don't actually need to have
# different contents of keyfile and passphrase, but it makes some
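Review bot: The new comment on `-s 256` should state what is traded for the speedup. `-s` is `--key-size`, and with an XTS cipher (cryptsetup's usual default; no `--cipher` is visible here) a 256-bit key means AES-128 rather than AES-256. I would add a line such as `# -s 256 => aes-xts with 128-bit AES keys; accepted for speed on these devices`. Also, `${luksdev,,} == tm_d4_ssd` has no wildcards, so unlike the `*nvme*` test it matches only when the whole value equals that string; if `luksdev` holds a device path, `${luksdev,,} == *tm_d4_ssd*` is probably what was meant. The surrounding function begins and ends outside the hunk.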
lvmwipe "${short_devs[@]}"
devwipe "${devs[@]}"
fi
+ if $wipe_only; then
+ echo "Got -k & wipe is finished so exiting"
+ exit 0
+ fi
### end wipefs
mkdir /mnt/nocow/{t,user}
if ! $skip_o; then
- bpart ${o_devs[@]}
+ bpart ${o_devs[@]}
fi
fi
bpart ${boot_devs[@]}