3 ### unlock-root KEY-FILE
10 *) echo >&2 "Usage: $0 KEY-FILE"; exit 16 ;;
13 ## Some preflight checks.
14 if [ ! -x /usr/bin/gpg ]; then
15 echo >&2 "$0: can't find GnuPG executable"
19 ## Arrange to have somewhere for the key token.
22 ## Now we try to find a token.
28 ## Wait for a different device to be inserted. The first time through,
29 ## we'll accept any device.
32 ## If there's a token already inserted then go with that.
33 if info=$(blkid -o full -t LABEL=keys); then
## NOTE(review): $info is whatever text blkid prints for the device that
## claims LABEL=keys, and $UUID (used below) is derived from it somewhere in
## the lines not shown here.  Confirm that step parses the output rather
## than eval'ing it: a removable device's label and tag values are input
## the device owner controls, not the script.
## This case arm belongs to a case statement whose header is outside these
## lines; on a new device it records the UUID and leaves the enclosing loop.
37 *) lastuuid=$UUID; break ;;
43 ## Otherwise we could be here for a while.
45 t) echo >&2 -n "Waiting for key token..."; prompt=nil ;;
53 ## Mount the device somewhere.
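## Mount the token read-only and, since it is removable media of unknown
## provenance, with device nodes, set-uid bits and execution disabled as
## well; the visible code only ever reads /mnt/keys/"$keyfile".gpg from it.
mount -o ro,nodev,nosuid,noexec -t ext2 UUID="$UUID" /mnt/keys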
56 ## If we have the key file, then we're done.
57 if [ -f /mnt/keys/"$keyfile".gpg ]; then
59 ## Update the eyecandy, such as it is.
61 nil) >&2 echo " ok"; prompt=t ;;
64 ## Get GnuPG to decrypt the key. The enormous `gpg' rune is taken from
65 ## the cryptsetup `decrypt_gnupg' script. The here-document prevents
66 ## the key ending up in a ps(1) listing, though the expected use-case is
67 ## to run this script from an initramfs so there won't be anyone
## The passphrase is kept only in the shell variable $key and, per the
## comment above, reaches gpg through a here-document rather than argv.
## NOTE(review): the prompt names $1 while the file test above uses
## $keyfile -- presumably the same value, but confirm.
70 key=$(/lib/cryptsetup/askpass "Enter passphrase for key $1: ")
## An empty passphrase (e.g. the prompt was cancelled) leaves the enclosing
## loop, whose header is outside these lines.
71 case "$key" in "") break ;; esac
## gpg runs with every keyring and the trust database pointed at /dev/null,
## so the only inputs it acts on are the passphrase on fd 0 and the
## ciphertext file; presumably the key file is symmetrically encrypted.
## NOTE(review): --no-mdc-warning silences GnuPG's warning for ciphertext
## that carries no MDC integrity check.  As far as I recall, GnuPG from
## 2.2.8 onwards treats that option as a no-op and refuses such messages
## outright, so an old key file encrypted without MDC would stop decrypting
## here; the right fix is to re-encrypt it, not to add --ignore-mdc-error.
## NOTE(review): some shells back here-documents with a temporary file, so
## the passphrase may briefly touch $TMPDIR -- confirm that is tmpfs in the
## initramfs this runs from.
## The here-document body and the closing `fi' are outside these lines.
72 if /usr/bin/gpg -q --batch --no-options --no-mdc-warning \
73 --no-random-seed-file --no-default-keyring \
74 --keyring /dev/null --secret-keyring /dev/null \
75 --trustdb-name /dev/null --passphrase-fd 0 --decrypt \
76 /mnt/keys/"$keyfile".gpg <<EOF
83 ## Unmount the filesystem.
86 ## If we did anything, stop.
87 case "$win" in t) break ;; esac