From 94af83c1c8446ef1a564cff8aec5487afa47693e Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sat, 24 Jan 2026 05:33:13 -0600
Subject: Phase 2.8: Add LUKS encryption for btrfs

- Add LUKS functions to btrfs.sh (create/open/close container)
- Add crypttab configuration for boot
- Add encrypt hook to mkinitcpio HOOKS
- Add cryptdevice parameter to GRUB cmdline
- Add get_btrfs_encryption_choice and get_luks_passphrase prompts
- Add LUKS_PASSPHRASE to config variables
- Update show_summary and print_btrfs_summary for encryption status
- Add btrfs-luks.conf test config

VM test pending.
---
 custom/lib/btrfs.sh | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)
(limited to 'custom/lib/btrfs.sh')

diff --git a/custom/lib/btrfs.sh b/custom/lib/btrfs.sh
index 7da0851..47c6f42 100644
--- a/custom/lib/btrfs.sh
+++ b/custom/lib/btrfs.sh
@@ -3,9 +3,12 @@
 # Source this file after common.sh, config.sh, disk.sh
 #############################
-# Btrfs Constants
+# Btrfs/LUKS Constants
 #############################
+# LUKS settings
+LUKS_MAPPER_NAME="cryptroot"
+
 # Mount options for btrfs subvolumes
 BTRFS_OPTS="noatime,compress=zstd,space_cache=v2,discard=async"
@@ -24,6 +27,91 @@ BTRFS_SUBVOLS=(
 "@var_lib_docker:/var/lib/docker::"
 )
+#############################
+# LUKS Functions
+#############################
+
+create_luks_container() {
+ local partition="$1"
+ local passphrase="$2"
+
+ step "Creating LUKS Encrypted Container"
+
+ info "Setting up LUKS encryption on $partition..."
+
+ # Create LUKS container
+ echo -n "$passphrase" | cryptsetup luksFormat --type luks2 \
+ --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
+ --iter-time 2000 --pbkdf argon2id \
+ "$partition" - \
+ || error "Failed to create LUKS container"
+
+ info "LUKS container created."
+}
+
+open_luks_container() {
+ local partition="$1"
+ local passphrase="$2"
+ local name="${3:-$LUKS_MAPPER_NAME}"
+
+ info "Opening LUKS container..."
+
+ echo -n "$passphrase" | cryptsetup open "$partition" "$name" - \
+ || error "Failed to open LUKS container"
+
+ info "LUKS container opened as /dev/mapper/$name"
+}
+
+close_luks_container() {
+ local name="${1:-$LUKS_MAPPER_NAME}"
+
+ cryptsetup close "$name" 2>/dev/null || true
+}
+
+configure_crypttab() {
+ local partition="$1"
+
+ step "Configuring crypttab"
+
+ local uuid
+ uuid=$(blkid -s UUID -o value "$partition")
+
+ # Create crypttab entry
+ echo "# LUKS encrypted root" > /mnt/etc/crypttab
+ echo "$LUKS_MAPPER_NAME UUID=$uuid none luks,discard" >> /mnt/etc/crypttab
+
+ info "crypttab configured for $LUKS_MAPPER_NAME"
+}
+
+configure_luks_initramfs() {
+ step "Configuring Initramfs for LUKS"
+
+ # Backup original
+ cp /mnt/etc/mkinitcpio.conf /mnt/etc/mkinitcpio.conf.bak
+
+ # Add encrypt hook before filesystems
+ # Hooks: base udev ... keyboard keymap ... encrypt filesystems ...
+ sed -i 's/^HOOKS=.*/HOOKS=(base udev microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)/' \
+ /mnt/etc/mkinitcpio.conf
+
+ info "Added encrypt hook to initramfs."
+}
+
+configure_luks_grub() {
+ local partition="$1"
+
+ step "Configuring GRUB for LUKS"
+
+ local uuid
+ uuid=$(blkid -s UUID -o value "$partition")
+
+ # Add cryptdevice to GRUB cmdline
+ sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards |" \
+ /mnt/etc/default/grub
+
+ info "GRUB configured with cryptdevice parameter."
+}
+
 #############################
 # Btrfs Pre-flight
 #############################
-- cgit v1.2.3
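Review bot: In configure_crypttab and configure_luks_grub the UUID returned by `blkid -s UUID -o value` is used unchecked, so a failed lookup writes `cryptroot UUID= none luks,discard` to /mnt/etc/crypttab and `cryptdevice=UUID=:cryptroot:allow-discards` into the GRUB cmdline, a fault that only surfaces as an unbootable target; add `[[ -n "$uuid" ]] || error "Could not read UUID of $partition"` after each assignment. In create_luks_container and open_luks_container the passphrase is piped with `echo -n`, which swallows a passphrase that looks like an echo option (e.g. `-e`) and, with xpg_echo enabled, interprets backslashes; `printf '%s' "$passphrase" | cryptsetup ...` passes the bytes through unchanged, and both call sites must keep feeding identical bytes because `-` reads stdin verbatim as the key file. configure_luks_initramfs replaces the whole HOOKS line with a fixed list, so any hook an earlier phase may have added (not visible from this hunk) is silently dropped, and neither that sed nor the GRUB sed is idempotent, so a re-run prepends a second cryptdevice= entry; guarding them with `/encrypt/!` and `/cryptdevice=/!` address conditions keeps each edit single-shot. close_luks_container's `2>/dev/null || true` reads as deliberate best-effort cleanup but is uncommented; a one-line `# best-effort: the container may not be open` would make that explicit.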