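#!/bin/bash
################################################################################
# Helper script to install an encrypted Linux Mint system (full disk encryption
# using LUKS/LVM)
#
# Tested on the following Linux Mint versions:
# - Linux Mint 14 Nadia (Cinnamon 32/64bit)
# - Linux Mint 14 Nadia (MATE 32/64bit)
#
# Usage:
# 1) Boot a Linux Mint LiveCD/DVD/USB.
#    ATTENTION: Make sure you choose the correct language! This prevents issues
#    with keyboard layouts and your encryption passphrase.
# 2) Make sure this script is executable.
# 3) Call this script with root privileges. (sudo)
#
# Layout produced on the target device: an unencrypted /boot partition of
# SIZE_BOOT MB, followed by one LUKS container that holds the LVM volume group
# "vg" with the logical volumes "swap" and "root".
#
# LICENSE: This file is open source software (OSS) licensed under the GPLv2 and
# may be copied under certain conditions. See the links below for
# details.
#
# Author: Corey Hinshaw <hinshaw.25@osu.edu>
# Original author: Andreas Haerter <development@andreas-haerter.com>
# License: GPLv2 (http://www.gnu.org/licenses/gpl2.html)
# Version: 2012-11-28
################################################################################

# Size of the unencrypted /boot partition in MB.
readonly SIZE_BOOT="256"

clear
cat <<EOF
###############################################################################
# Helper script to install an encrypted Linux Mint system (full disk encryption
# using LUKS/LVM)
# Found system: $(lsb_release -ds)
#
# Note:
# - System must have an active internet connection.
#
# ATTENTION: THIS SCRIPT WILL ERASE ALL DATA ON THE TARGET DEVICE!
# ENSURE THAT IMPORTANT DATA HAS BEEN BACKED UP.
# USE AT YOUR OWN RISK!
###############################################################################
EOF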
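# Everything below partitions disks and installs packages, so bail out early
# when not running as root. EUID is maintained by bash itself, so no
# subprocess is needed. The key prompt keeps the message visible when the
# script was started from a file manager.
if (( EUID != 0 )); then
  echo ""
  echo "ERROR: Must be run as root." 1>&2
  read -n1 -r -p "Press any key to exit..."
  exit 1
fi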
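# apt-get below needs network access. The HTTP response is thrown away
# (-O /dev/null) instead of being written as root to the fixed, world-known
# path /tmp/index.google, and wget's exit status is the verdict, so no
# temporary file is created or left behind.
if ! wget -q --tries=10 --timeout=5 -O /dev/null http://www.google.com; then
  echo ""
  echo "ERROR: No internet connection detected." 1>&2
  read -n1 -r -p "Press any key to exit..."
  exit 1
fi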
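echo ""
echo "Note: You will be prompted before data on target drive is erased."
echo -n "Start setup now? [y|n]: "
# -r keeps read from interpreting backslashes in the answer.
read -r INPUT
case "${INPUT}" in
  y|Y) ;;
  *)
    echo "Operation cancelled by user."
    exit 0
    ;;
esac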
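echo ""
echo ""
cat <<EOF
###############################################################################
# Select target storage device
###############################################################################
Enter the storage device on which the operating system will be installed.
(ALL DATA ON THIS DEVICE WILL BE ERASED!)

Note:
- IDE disks are often addressed as '/dev/hd[a-z]' ('/dev/hda'=1st disk,
 '/dev/hdb'=2nd disk, '/dev/hdc'=3rd disk etc.).
- SATA disks are often addressed as '/dev/sd[a-z]' ('/dev/sda'=1st disk,
 '/dev/sdb'=2nd, '/dev/sdc'=3rd disk etc.).

EOF
echo -n "Show system disks? [y|n]: "
read -r INPUT
if [[ "${INPUT}" == [yY] ]]; then
  echo ""
  echo "DETECTED BLOCK DEVICES:"
  lsblk
fi
echo ""

# Prompt until the user confirms a path that exists as a block device, so a
# typo or an empty line cannot reach shred/parted/cryptsetup further down.
# "-b" does not tell a whole disk from a partition such as /dev/sda1; the
# later "${DEVICE_TARGET}1"/"${DEVICE_TARGET}2" naming assumes a whole disk
# whose partition nodes are formed by appending a digit.
DEVICE_TARGET_OK="n"
while [[ "${DEVICE_TARGET_OK}" != [yY] ]]; do
  echo -n "Which device should be used? "
  read -r DEVICE_TARGET
  if [[ -z "${DEVICE_TARGET}" ]]; then
    continue
  fi
  if [[ ! -b "${DEVICE_TARGET}" ]]; then
    echo "'${DEVICE_TARGET}' is not a block device." 1>&2
    continue
  fi
  echo -n "You typed '${DEVICE_TARGET}'. Is this correct? [y|n]: "
  read -r DEVICE_TARGET_OK
done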
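#######################################
# Recommended swap size for a given amount of RAM: 1.3 x RAM, rounded to the
# nearest MB. (13*mem + 5) / 10 in integer arithmetic equals
# floor(mem * 1.3 + 0.5), which is what the former bc expression computed,
# so bc is no longer needed.
# Arguments: $1 - installed memory in MB (integer)
# Outputs:   recommended swap in MB to stdout
#######################################
recommended_swap_mb() {
  local mem_mb=$1
  echo $(( (mem_mb * 13 + 5) / 10 ))
}

# Installed memory from /proc/meminfo (kB), converted to MB. Falls back to 0
# when the file is unreadable instead of producing a syntax error.
SCR_PHYMEMKB=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
SCR_PHYMEM=$(( ${SCR_PHYMEMKB:-0} / 1024 ))
SCR_RECMEM=$(recommended_swap_mb "${SCR_PHYMEM}")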
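echo ""
echo ""
cat <<EOF
###############################################################################
# Define swap space
###############################################################################
Please enter the desired size for your swap partition.
This script requires a minimal value of 256MB for swap, anything lower will not
be accepted. Enter the size in MB, digits only (e.g. 5200 for 5,200 MB).

Installed memory: ${SCR_PHYMEM} MB
Recommended swap: ${SCR_RECMEM} MB

NOTE: Remaining free space (=space not allocated by '/boot' and swap) will
 be used for '/'. A summary will be shown after all needed values are
 defined.

EOF
# Only a digits-only value of at least 256 is offered for confirmation. The
# regex check avoids the "integer expression expected" error that "-gt"
# printed for non-numeric input; 10# forces decimal so leading zeros are not
# read as octal.
SIZE_SWAP_OK="n"
while [[ "${SIZE_SWAP_OK}" != [yY] ]]; do
  echo -n "Size (in MB) of your swap partition? "
  read -r SIZE_SWAP
  if [[ "${SIZE_SWAP}" =~ ^[0-9]+$ ]] && (( 10#${SIZE_SWAP} > 255 )); then
    echo -n "You typed '${SIZE_SWAP}'. Is this correct? [y|n]: "
    read -r SIZE_SWAP_OK
  fi
done
unset SIZE_SWAP_OK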
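echo ""
echo ""
cat <<EOF
###############################################################################
# Encryption strength
###############################################################################
Using 'aes-xts-plain' with a 256bit key for XTS and AES is recommended on newer
machines. However, on older hardware, a 128bit key may be a better choice.
Enter the desired key size in bits, digits only (e.g. 256 for 256bit).

Recommended:
- Single core/slower machine: 128
- Dual core and above: 256

EOF
# KEYSIZE is the AES key length; XTS needs two keys of that length, so the
# value later handed to cryptsetup is twice this number.
KEYSIZE_OK="n"
while [[ "${KEYSIZE_OK}" != [yY] ]]; do
  echo -n "XTS/AES key size (128 or 256)? "
  read -r KEYSIZE
  case "${KEYSIZE}" in
    128|256)
      echo -n "You typed '${KEYSIZE}'. Is this correct? [y|n]: "
      read -r KEYSIZE_OK
      ;;
  esac
done
unset KEYSIZE_OK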
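echo ""
echo ""
cat <<EOF
###############################################################################
# Create recovery files
###############################################################################
Backing up the LUKS header and creating a recovery passphrase allows you to
recover your encrypted data in the event you forget your passphrase or the
storage device becomes corrupted.

Selecting yes will create two files in the current working directory.
- LUKS-header.bin: Binary backup of the LUKS header
- LUKS-keys.txt: Text file containing the master key and recovery passphrase

EOF
echo -n "Create encryption recovery files? [y|n]: "
read -r INPUT
# Normalised to YES/NO; later sections test for the literal "YES".
case "${INPUT}" in
  y|Y) CREATE_BACKUP='YES' ;;
  *) CREATE_BACKUP='NO' ;;
esac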
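echo ""
echo ""
cat <<EOF
###############################################################################
# Shred '${DEVICE_TARGET}'
###############################################################################
This will fill the target device with random data prior to setting up the
encrypted partitions. This ensures that any data previously stored on the disk
cannot be recovered.

Note:
- This may take a long time

EOF
echo -n "Shred '${DEVICE_TARGET}' before encrypting it? [y|n]: "
read -r INPUT
# Normalised to YES/NO; the shred step later tests for the literal "YES".
case "${INPUT}" in
  y|Y) SHRED_DEVICE='YES' ;;
  *) SHRED_DEVICE='NO' ;;
esac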
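echo ""
echo ""
cat <<EOF
###############################################################################
# Start setup?
###############################################################################
Target device: ${DEVICE_TARGET}
Key size: ${KEYSIZE}bit
Size of '/boot': ${SIZE_BOOT}MB
Size of 'swap': ${SIZE_SWAP}MB
Size of '/': 100% of the remaining space not used by '/boot' and swap.
Recovery files? ${CREATE_BACKUP}
Shred device? ${SHRED_DEVICE}

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! ATTENTION: ALL DATA ON '${DEVICE_TARGET}' WILL BE ERASED!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
EOF
echo -n "Start setup now? [y|n]: "
# Last confirmation before anything is written to the device.
read -r INPUT
case "${INPUT}" in
  y|Y) ;;
  *)
    echo "Operation cancelled by user."
    exit 0
    ;;
esac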
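echo ""
echo ""
echo "Installing additional packages and kernel modules..."
if ! apt-get install --yes lvm2 cryptsetup; then
  echo "ERROR: Could not install needed software packages." 1>&2
  exit 1
fi
# dm-crypt is the device-mapper target cryptsetup needs; the live kernel may
# not have it loaded yet.
if ! modprobe dm-crypt; then
  echo "ERROR: Could not load dm_crypt kernel module." 1>&2
  exit 1
fi
echo "Additional software has been installed."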
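# Optional overwrite of the whole device with one pass of pseudo-random data.
# The script already runs as root, so the former "sudo" wrapper is dropped;
# the device path is quoted and preceded by "--" so it always reaches shred
# as a single, non-option argument.
if [[ "${SHRED_DEVICE}" == "YES" ]]; then
  echo ""
  echo ""
  echo "Shredding target device... THIS MAY TAKE SEVERAL HOURS!"
  echo ""
  if ! shred -vn 1 -- "${DEVICE_TARGET}"; then
    echo "ERROR: Overwriting disk with random data failed." 1>&2
    exit 1
  fi
  echo "Shredding disk complete."
fi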
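echo ""
echo ""
echo "Creating initial partitions on ${DEVICE_TARGET}..."
# GPT label, then partition 1 (/boot) up to SIZE_BOOT and partition 2 (the
# LUKS container) over the rest of the disk. Each parted call is checked on
# its own because a failure here leaves a half-initialised disk.
if ! parted --script "${DEVICE_TARGET}" mklabel gpt; then
  echo "ERROR: Could not create partition label." 1>&2
  exit 1
fi
if ! parted --script -a optimal "${DEVICE_TARGET}" mkpart primary 0% "${SIZE_BOOT}MB"; then
  echo "ERROR: Could not create boot partition." 1>&2
  exit 1
fi
if ! parted --script -a optimal "${DEVICE_TARGET}" mkpart primary "${SIZE_BOOT}MB" 100%; then
  echo "ERROR: Could not create main partition." 1>&2
  exit 1
fi
# Give udev time to create the new partition nodes before the following
# sections open "${DEVICE_TARGET}1" and "${DEVICE_TARGET}2".
if command -v udevadm >/dev/null 2>&1; then
  udevadm settle
fi
echo "Finished creating partitions."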
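echo ""
echo ""
echo "Initializing encryption..."
# XTS uses two AES keys, so cryptsetup's --key-size is twice the AES key
# size the user picked (128 -> 256, 256 -> 512).
LUKSKEYSIZE=$(( KEYSIZE * 2 ))
# "plain64" instead of "plain" as the IV generator: "plain" derives the IV
# from a 32-bit sector number, which wraps (and so repeats IVs) on devices
# larger than 2 TiB. The choice is recorded in the LUKS header, so the
# installed system needs no extra configuration for it.
LUKS_CIPHER="aes-xts-plain64"
LUKS_PART="${DEVICE_TARGET}2"

if [[ "${CREATE_BACKUP}" == "YES" ]]; then
  # The recovery files hold the recovery passphrase, the LUKS master key and
  # a copy of the header (which on its own permits offline guessing against
  # the passphrase slots), so they are created readable by root only. The
  # umask is set in subshells to keep it from leaking into the rest of the
  # script (e.g. the resolv.conf copy into the new system).
  RECOVERY_KEY="$(< /dev/urandom tr -dc '_A-Za-z0-9-' | head -c20)"
  # No trailing newline: with --key-file cryptsetup uses the whole file as
  # the passphrase, so the slot created here matches the passphrase recorded
  # in LUKS-keys.txt below and the same file can unlock the device throughout.
  ( umask 077 && printf '%s' "${RECOVERY_KEY}" > LUKS-keys.txt )
  chmod 600 LUKS-keys.txt
  if ! cryptsetup -q --cipher "${LUKS_CIPHER}" --key-size "${LUKSKEYSIZE}" \
      --key-file=LUKS-keys.txt luksFormat "${LUKS_PART}"; then
    echo "ERROR: Could not create encrypted partition." 1>&2
    exit 1
  fi
  echo ""
  echo "Select your encryption passphrase for '${LUKS_PART}'."
  # Unlock with the recovery key file and add the user's passphrase as a
  # second slot; cryptsetup prompts for it (with verification) on the
  # terminal. Retry on failure, e.g. when the two entries do not match.
  until cryptsetup luksAddKey --key-file=LUKS-keys.txt "${LUKS_PART}"; do
    echo "Adding the passphrase failed, please try again." 1>&2
  done
  if ! cryptsetup luksOpen --key-file=LUKS-keys.txt "${LUKS_PART}" system; then
    echo "ERROR: Could not open encrypted partition." 1>&2
    exit 1
  fi
  if ! ( umask 077 && cryptsetup luksHeaderBackup "${LUKS_PART}" --header-backup-file=LUKS-header.bin ); then
    echo "ERROR: Could not back up the LUKS header." 1>&2
    exit 1
  fi
  chmod 600 LUKS-header.bin
  # Replace the bare key file with the human-readable recovery record: the
  # master key dump first, then the recovery passphrase. The dump is captured
  # before the file is rewritten because luksDump still needs it to unlock.
  # -q skips the interactive confirmation some cryptsetup versions ask for
  # before dumping the master key.
  MASTER_KEY_DUMP="$(cryptsetup -q luksDump --key-file=LUKS-keys.txt "${LUKS_PART}" --dump-master-key)"
  {
    printf '%s\n' "${MASTER_KEY_DUMP}"
    echo ""
    echo "Recovery passphrase: ${RECOVERY_KEY}"
  } > LUKS-keys.txt
  unset MASTER_KEY_DUMP
  echo "cryptsetup was successful, crypto-device '${LUKS_PART}' was created."
  echo ""
  echo "Recovery data saved to LUKS-keys.txt and LUKS-header.bin"
else
  # No key file: cryptsetup prompts for the passphrase on the terminal. Loop
  # until the command succeeds, e.g. after a mismatched verification.
  until cryptsetup -q --cipher "${LUKS_CIPHER}" --key-size "${LUKSKEYSIZE}" \
      --verify-passphrase luksFormat "${LUKS_PART}"; do
    echo "Formatting failed, please try again." 1>&2
  done
  echo "cryptsetup was successful, crypto-device '${LUKS_PART}' was created."
  echo ""
  echo "Unlocking the newly created crypto-device for system installation."
  echo "Please enter the passphrase again."
  until cryptsetup luksOpen "${LUKS_PART}" system; do
    echo "Unlocking failed, please try again." 1>&2
  done
fi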
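echo ""
echo "Encrypted partition has been created and unlocked."
echo ""
echo ""
echo "Configuring LVM and creating file systems..."
# The opened LUKS container (/dev/mapper/system) becomes the only physical
# volume of volume group "vg"; "swap" gets the requested fixed size and
# "root" takes whatever is left.
if ! pvcreate /dev/mapper/system; then
  echo "ERROR: Could not create physical volume." 1>&2
  exit 1
fi
if ! vgcreate vg /dev/mapper/system; then
  echo "ERROR: Could not create volume group." 1>&2
  exit 1
fi
if ! lvcreate -L "${SIZE_SWAP}M" -n swap vg; then
  echo "ERROR: Could not create logical volume 'swap'." 1>&2
  exit 1
fi
if ! lvcreate -l 100%FREE -n root vg; then
  echo "ERROR: Could not create logical volume 'root'." 1>&2
  exit 1
fi
# Placeholder file systems so the graphical installer sees formatted
# devices; the user may choose other file systems in the installer.
if ! mkfs.ext2 "${DEVICE_TARGET}1"; then
  echo "ERROR: Could not create filesystem on boot partition." 1>&2
  exit 1
fi
if ! mkfs.ext4 /dev/vg/root; then
  echo "ERROR: Could not create filesystem on root volume on '/dev/vg/root'." 1>&2
  exit 1
fi
if ! mkswap -L swap /dev/vg/swap; then
  echo "ERROR: Could not initialize swap space on '/dev/vg/swap'." 1>&2
  exit 1
fi
echo "Finished creating LVM layout and file systems."
echo ""
echo "NOTE: You can choose other filesystems later. This is just to"
echo " prevent problems with the graphical installer."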
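clear
cat <<EOF
###############################################################################
# Starting operating system installer
###############################################################################
We will now launch the graphical installer. Please follow the on-screen prompts.

You will have to specify partitions manually. Make sure that:
- '${DEVICE_TARGET}1' is attached to the mount point '/boot'
 and will be formatted as EXT3 (recommended) or EXT2

- '/dev/mapper/vg-root' is attached to the mount point '/'
 and will be formatted as EXT4 (recommended) or another filesystem

- '/dev/mapper/vg-swap' is initialized as swap space

- The boot loader is installed on ${DEVICE_TARGET}


ATTENTION: DO NOT REBOOT AFTER THE INSTALLATION HAS FINISHED! CHOOSE
 'Continue Testing'!
EOF
read -rs -p "Press [Enter] to continue." _
echo ""
echo ""
echo "Starting the graphical installer. Please wait..."
echo "NOTE: Do NOT close this terminal!"
# The installer is still started through sudo as in the original script
# (the script itself already runs as root). Its output is discarded. The
# "--desktop %k" argument is kept verbatim from the original invocation;
# it looks like a desktop-file placeholder — TODO confirm it is intended.
# If the GTK front end fails, the KDE front end is tried instead.
if ! sudo ubiquity --desktop %k gtk_ui > /dev/null 2>&1; then
  echo ""
  echo "GNOME UI installer exited with an error."
  echo "Trying KDE interface instead...."
  echo ""
  if ! sudo ubiquity kde_ui > /dev/null 2>&1; then
    echo "ERROR: Could not run graphical OS installer." 1>&2
    exit 1
  fi
fi
echo ""
sleep 2 # give the system some time to settle after the installer exits
echo "Installation of the OS is complete. Please wait..."
sleep 8 # give the system some time...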
- echo "Configuring the newly installed operating system..."
- echo "NOTE: You can probably ignore /etc/crypttab and language warnings."
- echo ""
- mount /dev/mapper/vg-root /mnt
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not mount /dev/mapper/vg-root" 1>&2
- exit 1
- fi
- mount ${DEVICE_TARGET}1 /mnt/boot
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not mount ${DEVICE_TARGET}1" 1>&2
- exit 1
- fi
- mount -o bind /dev /mnt/dev
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not mount /dev" 1>&2
- exit 1
- fi
- mount -t proc proc /mnt/proc
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not mount /proc" 1>&2
- exit 1
- fi
- mount -t sysfs sys /mnt/sys
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not mount /sys" 1>&2
- exit 1
- fi
- cp /etc/resolv.conf /mnt/etc/resolv.conf
- if [ $? -ne 0 ]
- then
- echo "ERROR: Could not copy resolv.conf" 1>&2
- exit 1
- fi
- chroot /mnt /bin/bash << EOF
- apt-get install --yes cryptsetup lvm2
- echo "system UUID=$(ls -l /dev/disk/by-uuid | grep $(basename ${DEVICE_TARGET}2) | cut -d ' ' -f 9) none luks" >> /etc/crypttab
- update-initramfs -u -k all
- exit
- EOF
- if [ $? -ne 0 ]
- then
- echo "ERROR: Configuration of new operating system failed. The system may not boot!" 1>&2
- exit 1
- fi
- echo "OS configuration complete."
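echo ""
echo ""
echo "###############################################################################"
echo "# Boot-time graphics fix"
echo "###############################################################################"
echo "Some graphics cards may prevent the passphrase prompt from rendering."
echo -n "Try to fix this problem? [y|n]: "
read -r INPUT
if [[ "${INPUT}" == [yY] ]]; then
  echo "Attempting to resolve boot-time graphics issues. (May not work for all systems)"
  # Removes the literal text " \$vt_handoff" from the installed system's
  # grub script: after shell quoting, sed receives the expression
  # s/ \\$vt_handoff// (a backslash followed by "$vt_handoff"). The sed line
  # is kept byte-for-byte from the original. Both steps are checked so a
  # failed edit is reported, not only a failed update-grub.
  if ! chroot /mnt sed -i -e "s/ \\\\\$vt_handoff//" /etc/grub.d/10_linux \
      || ! chroot /mnt update-grub; then
    echo "Graphics fix may not have been correctly applied." 1>&2
  fi
fi
echo "If your system reboots to a black screen, try typing the passphrase and"
echo "press [Enter]."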
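# Flush pending writes and tear down the chroot mounts in reverse order. A
# failed unmount is reported but does not stop the script: the machine is
# about to reboot anyway.
sync
for mount_point in /mnt/sys /mnt/proc /mnt/dev /mnt/boot /mnt; do
  if ! umount "${mount_point}"; then
    echo "WARNING: Could not unmount ${mount_point}." 1>&2
  fi
done
echo ""
echo ""
echo "Success! Installation to encrypted drive finished."
if [[ "${CREATE_BACKUP}" == "YES" ]]; then
  echo "Remember to copy your recovery files to a secure location!"
fi
echo ""
read -n1 -r -p "Press any key to reboot the system..."
echo ""
reboot
exit 0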