+ # Holds just a single file, rarely written, so
+ # use ext2, like was often used for the /boot partition.
+ # This exists because grub can only persist data to a non-cow fs.
+ # And we use persisting a var in grub to do a one time boot.
+ # We could pass the data on the kernel command line and persist it
+ # to grubenv after booting, but that relies on the boot always succeeding.
+ # This is just a bit more robust, and it could work for booting
+ # into ipxe which can't persist data, if we ever got that working.
+ mkfs.ext2 $(grub_extdev)
+ # when we move to newer than trisquel 8, we can remove
+ # --type luks1. We can also check on cryptsetup --help | less /compil
+ # to see about the other settings. Default in debian 9 is luks2.
+ # You can convert from luks2 to luks 1 by adding a temporary key:
+ # cryptsetup luksAddKey --pbkdf pbkdf2
+ # then remove the new format keys with cryptsetup luksRemoveKey
+ # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
+ yes YES | cryptsetup luksFormat $(rootdev) $luks_file \
+ --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_file \
+ $(rootdev) || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+
+ cryptsetup luksOpen $(rootdev) $(root-cryptname) \
+ --key-file $luks_file
+
+ if [[ $SPECIAL_DISK ]]; then
+ exit 0
+ fi
+ done
+ ls -la /dev/btrfs-control # this was probably for debugging...
+ sleep 1
+ bpart $(for dev in ${devs[@]}; do root-cryptdev; done)
+ bpart ${boot_devs[@]}
+else
+ for dev in ${devs[@]}; do
+ if [[ -e /dev/mapper/$(root-cryptname) ]]; then
+ continue
+ fi
+ cryptsetup luksOpen $(rootdev) $(root-cryptname) \
+ --key-file $luks_file
+ done
+ sleep 1
+fi
+
+
+if $wipe && [[ $DISTRO != debianstretch_bootstrap ]]; then
+ # bootstrap distro doesn't use separate encrypted root.
+ mount -o subvolid=0 $first_root_crypt /mnt
+ # systemd creates subvolumes we want to delete.
+ s=($(btrfs subvolume list --sort=-path /mnt |
+ sed -rn "s#^.*path\s*(root_$DISTRO/\S+)\s*\$#\1#p"))
+ for subvol in ${s[@]}; do btrfs subvolume delete /mnt/$subvol; done
+ btrfs subvolume set-default 0 /mnt
+ [[ ! -e /mnt/root_$DISTRO ]] || btrfs subvolume delete /mnt/root_$DISTRO
+
+ ## create subvols ##
+ cd /mnt
+
+ btrfs subvolume create root_$DISTRO
+
+ # could set default subvol like this, but no reason to.
+ # btrfs subvolume set-default \
+ # $(btrfs subvolume list . | grep "root_$DISTRO$" | awk '{print $2}') .
+
+ # no cow on the root filesystem. it's setup is fully scripted,
+ # if it's messed up, we will just recreated it,
+ # and we can get better perf with this.
+ # I can't remember exactly why, but this is preferable to mounting with
+ # -o nodatacow, I think because subvolumes inherit that.
+ chattr -Rf +C root_$DISTRO
+ cd /
+ umount /mnt