diff options
Diffstat (limited to 'custom')
| -rwxr-xr-x | custom/archangel | 103 | ||||
| -rw-r--r-- | custom/lib/btrfs.sh | 90 | ||||
| -rw-r--r-- | custom/lib/config.sh | 1 |
3 files changed, 186 insertions, 8 deletions
diff --git a/custom/archangel b/custom/archangel index c887a4d..ba0c94e 100755 --- a/custom/archangel +++ b/custom/archangel @@ -117,6 +117,13 @@ gather_input() { fi fi + # Btrfs-specific validation + if [[ "$FILESYSTEM" == "btrfs" ]]; then + if [[ "$NO_ENCRYPT" != "yes" && -z "$LUKS_PASSPHRASE" ]]; then + error "Config missing required: LUKS_PASSPHRASE (or set NO_ENCRYPT=yes)" + fi + fi + # Validate filesystem choice if [[ "$FILESYSTEM" != "zfs" && "$FILESYSTEM" != "btrfs" ]]; then error "Invalid FILESYSTEM: $FILESYSTEM (must be 'zfs' or 'btrfs')" @@ -165,9 +172,8 @@ gather_input() { get_encryption_choice [[ "$NO_ENCRYPT" != "yes" ]] && get_zfs_passphrase elif [[ "$FILESYSTEM" == "btrfs" ]]; then - # Btrfs encryption (LUKS) not yet implemented - Phase 2.8 - info "Note: Btrfs encryption (LUKS) will be available in a future update." - NO_ENCRYPT="yes" + get_btrfs_encryption_choice + [[ "$NO_ENCRYPT" != "yes" ]] && get_luks_passphrase fi get_root_password @@ -545,6 +551,58 @@ get_wifi() { fi } +get_btrfs_encryption_choice() { + step "Btrfs Encryption (LUKS)" + + echo "" + echo "LUKS encryption protects your data at rest." + echo "You'll need to enter a passphrase at each boot." + echo "" + + prompt "Enable LUKS encryption? [Y/n]:" + read -p "> " encrypt_choice + + if [[ "$encrypt_choice" =~ ^[Nn]$ ]]; then + NO_ENCRYPT="yes" + warn "Encryption DISABLED - data will not be encrypted at rest" + else + NO_ENCRYPT="no" + info "LUKS encryption enabled - you'll set a passphrase next" + fi +} + +get_luks_passphrase() { + step "LUKS Encryption Passphrase" + + echo "" + echo "Choose a strong passphrase for disk encryption." + echo "You'll need this passphrase every time you boot." + echo "" + echo "IMPORTANT: If you forget this passphrase, your data is UNRECOVERABLE!" + echo "" + + while true; do + prompt "Enter LUKS encryption passphrase:" + read -rs LUKS_PASSPHRASE + echo "" + + prompt "Confirm passphrase:" + read -rs confirm + echo "" + + if [[ "$LUKS_PASSPHRASE" == "$confirm" ]]; then + if [[ ${#LUKS_PASSPHRASE} -lt 8 ]]; then + warn "Passphrase should be at least 8 characters. Try again." + else + info "Passphrase confirmed." + break + fi + else + warn "Passphrases don't match. Try again." + fi + done +} + get_encryption_choice() { step "ZFS Encryption" echo "" @@ -667,6 +725,11 @@ show_summary() { fi echo " Boot: ZFSBootMenu on all disks (redundant)" else + if [[ "$NO_ENCRYPT" == "yes" ]]; then + echo " Encryption: None" + else + echo " Encryption: LUKS2" + fi echo " Boot: GRUB + grub-btrfs (snapshot boot)" fi echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" @@ -1452,6 +1515,11 @@ print_btrfs_summary() { echo " Hostname: $HOSTNAME" echo " Timezone: $TIMEZONE" echo " Filesystem: Btrfs" + if [[ "$NO_ENCRYPT" == "yes" ]]; then + echo " Encryption: None" + else + echo " Encryption: LUKS2" + fi echo "" echo "Btrfs Snapshot Features:" echo " - Boot from any snapshot via GRUB menu" @@ -1531,15 +1599,25 @@ install_btrfs() { # Get partition references local root_part=$(get_root_partition "${SELECTED_DISKS[0]}") local efi_part=$(get_efi_partition "${SELECTED_DISKS[0]}") + local btrfs_device="$root_part" # Partition and format partition_disk "${SELECTED_DISKS[0]}" format_efi "$efi_part" - create_btrfs_volume "$root_part" + + # LUKS encryption (if enabled) + if [[ "$NO_ENCRYPT" != "yes" ]]; then + create_luks_container "$root_part" "$LUKS_PASSPHRASE" + open_luks_container "$root_part" "$LUKS_PASSPHRASE" + btrfs_device="/dev/mapper/$LUKS_MAPPER_NAME" + fi + + # Create btrfs on the device (raw partition or LUKS mapper) + create_btrfs_volume "$btrfs_device" # Create and mount subvolumes - create_btrfs_subvolumes "$root_part" - mount_btrfs_subvolumes "$root_part" + create_btrfs_subvolumes "$btrfs_device" + mount_btrfs_subvolumes "$btrfs_device" # Mount EFI mkdir -p /mnt/efi @@ -1552,7 +1630,15 @@ install_btrfs() { configure_system configure_wifi configure_ssh - generate_btrfs_fstab "$root_part" "$efi_part" + + # Configure encryption if enabled + if [[ "$NO_ENCRYPT" != "yes" ]]; then + configure_crypttab "$root_part" + configure_luks_grub "$root_part" + configure_luks_initramfs + fi + + generate_btrfs_fstab "$btrfs_device" "$efi_part" configure_btrfs_initramfs configure_grub "$efi_part" configure_snapper @@ -1565,6 +1651,9 @@ install_btrfs() { # Cleanup btrfs_cleanup + if [[ "$NO_ENCRYPT" != "yes" ]]; then + close_luks_container + fi print_btrfs_summary } diff --git a/custom/lib/btrfs.sh b/custom/lib/btrfs.sh index 7da0851..47c6f42 100644 --- a/custom/lib/btrfs.sh +++ b/custom/lib/btrfs.sh @@ -3,9 +3,12 @@ # Source this file after common.sh, config.sh, disk.sh ############################# -# Btrfs Constants +# Btrfs/LUKS Constants ############################# +# LUKS settings +LUKS_MAPPER_NAME="cryptroot" + # Mount options for btrfs subvolumes BTRFS_OPTS="noatime,compress=zstd,space_cache=v2,discard=async" @@ -25,6 +28,91 @@ BTRFS_SUBVOLS=( ) ############################# +# LUKS Functions +############################# + +create_luks_container() { + local partition="$1" + local passphrase="$2" + + step "Creating LUKS Encrypted Container" + + info "Setting up LUKS encryption on $partition..." + + # Create LUKS container + echo -n "$passphrase" | cryptsetup luksFormat --type luks2 \ + --cipher aes-xts-plain64 --key-size 512 --hash sha512 \ + --iter-time 2000 --pbkdf argon2id \ + "$partition" - \ + || error "Failed to create LUKS container" + + info "LUKS container created." +} + +open_luks_container() { + local partition="$1" + local passphrase="$2" + local name="${3:-$LUKS_MAPPER_NAME}" + + info "Opening LUKS container..." + + echo -n "$passphrase" | cryptsetup open "$partition" "$name" - \ + || error "Failed to open LUKS container" + + info "LUKS container opened as /dev/mapper/$name" +} + +close_luks_container() { + local name="${1:-$LUKS_MAPPER_NAME}" + + cryptsetup close "$name" 2>/dev/null || true +} + +configure_crypttab() { + local partition="$1" + + step "Configuring crypttab" + + local uuid + uuid=$(blkid -s UUID -o value "$partition") + + # Create crypttab entry + echo "# LUKS encrypted root" > /mnt/etc/crypttab + echo "$LUKS_MAPPER_NAME UUID=$uuid none luks,discard" >> /mnt/etc/crypttab + + info "crypttab configured for $LUKS_MAPPER_NAME" +} + +configure_luks_initramfs() { + step "Configuring Initramfs for LUKS" + + # Backup original + cp /mnt/etc/mkinitcpio.conf /mnt/etc/mkinitcpio.conf.bak + + # Add encrypt hook before filesystems + # Hooks: base udev ... keyboard keymap ... encrypt filesystems ... + sed -i 's/^HOOKS=.*/HOOKS=(base udev microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)/' \ + /mnt/etc/mkinitcpio.conf + + info "Added encrypt hook to initramfs." +} + +configure_luks_grub() { + local partition="$1" + + step "Configuring GRUB for LUKS" + + local uuid + uuid=$(blkid -s UUID -o value "$partition") + + # Add cryptdevice to GRUB cmdline + sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards |" \ + /mnt/etc/default/grub + + info "GRUB configured with cryptdevice parameter." +} + +############################# # Btrfs Pre-flight ############################# diff --git a/custom/lib/config.sh b/custom/lib/config.sh index 38811fa..358a5f4 100644 --- a/custom/lib/config.sh +++ b/custom/lib/config.sh @@ -21,6 +21,7 @@ WIFI_SSID="" WIFI_PASSWORD="" ENCRYPTION_ENABLED=false ZFS_PASSPHRASE="" +LUKS_PASSPHRASE="" ROOT_PASSWORD="" SSH_ENABLED=false SSH_KEY="" |