authorEugene Sovetkin2015-06-08 11:11:44 +0200
committerEugene Sovetkin2015-06-08 11:11:44 +0200
commitf82c9aa4ac2cb3cdabcbaa78b296d6ceacd71b8d (patch)
tree0428f6c23a71873379f7e2d14523a8cf142688b5
downloadaur-f82c9aa4ac2cb3cdabcbaa78b296d6ceacd71b8d.tar.gz
Initial commit
-rw-r--r--.SRCINFO19
-rw-r--r--PKGBUILD26
-rw-r--r--encrypt2.conf7
-rw-r--r--encrypt2.hook20
-rw-r--r--encrypt2.install22
-rw-r--r--usage.install5
6 files changed, 99 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..8e21886ebe8a
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,19 @@
+pkgbase = mkinitcpio-shredkeyfiles
+ pkgdesc = mkinitcpio hook to shred keyfiles during the boot
+ pkgver = 0.0.0
+ pkgrel = 1
+ url = https://aur.archlinux.org/packages/mkinitcpio-shredkeyfiles/
+ install = usage.install
+ arch = any
+ license = unknown
+ depends = mkinitcpio
+ backup = etc/encrypt2.conf
+ source = encrypt2.hook
+ source = encrypt2.install
+ source = encrypt2.conf
+ md5sums = ac1b3ad839f3461bd3bc967c58a804be
+ md5sums = 6c4f19ba9a331e5b40825f7857bb40cd
+ md5sums = 50030f303d861649cfdc9f2ce7d9bb75
+
+pkgname = mkinitcpio-shredkeyfiles
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..77d1d6352ed9
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,26 @@
+# Maintainer: Jenya Sovetkin <e.sovetkin@gmail.com>
+pkgname=mkinitcpio-shredkeyfiles
+pkgver=0.0.0
+pkgrel=1
+pkgdesc="mkinitcpio hook to shred keyfiles during the boot"
+arch=(any)
+license=('unknown')
+url="https://aur.archlinux.org/packages/mkinitcpio-shredkeyfiles/"
+depends=(mkinitcpio)
+install="usage.install"
+backup=('etc/encrypt2.conf')
+source=('encrypt2.hook'
+ 'encrypt2.install'
+ 'encrypt2.conf')
+md5sums=('ac1b3ad839f3461bd3bc967c58a804be'
+ '6c4f19ba9a331e5b40825f7857bb40cd'
+ '50030f303d861649cfdc9f2ce7d9bb75')
+
+package() {
+ install -Dm 644 encrypt2.hook \
+ "${pkgdir}/usr/lib/initcpio/hooks/encrypt2"
+ install -Dm 644 encrypt2.install \
+ "${pkgdir}/usr/lib/initcpio/install/encrypt2"
+ install -Dm 644 encrypt2.conf \
+ "${pkgdir}/etc/encrypt2.conf"
+}
diff --git a/encrypt2.conf b/encrypt2.conf
new file mode 100644
index 000000000000..c728e3a1b6f0
--- /dev/null
+++ b/encrypt2.conf
@@ -0,0 +1,7 @@
+# beware of the CoW filesystem attribute on the cryptkey_device. If
+# the feature is on, then keyfiles might not be securely deleted.
+
+# device with keyfiles on
+cryptkey_device=/dev/disk/by-uuid/765d9f71-5eab-4030-93f3-5de35825329d
+# list of keyfiles
+keyfiles=("keyfile-cryptroot" "keyfile-lenovo-cryptroot")
diff --git a/encrypt2.hook b/encrypt2.hook
new file mode 100644
index 000000000000..a70f5ff654a5
--- /dev/null
+++ b/encrypt2.hook
@@ -0,0 +1,20 @@
+run_hook ()
+{
+ source encrypt2.conf
+ echo "Waiting 10 seconds for device $cryptkey_device ..."
+ sleep 10
+
+ mkdir encrypt2_device
+ mount $cryptkey_device encrypt2_device &> /dev/null
+
+ cat encrypt2_file.list | while read keyfile; do
+ dd if=/dev/urandom of="encrypt2_device/$keyfile" \
+ bs=1024 count=2 &> /dev/null
+ dd if=/dev/urandom of="encrypt2_device/$keyfile" \
+ bs=1024 count=2 &> /dev/null
+ dd if=/dev/urandom of="encrypt2_device/$keyfile" \
+ bs=1024 count=2 &> /dev/null
+ done
+
+ umount encrypt2_device &> /dev/null
+}
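Review bot: The three `dd` calls in the loop overwrite only the first 2 KiB of each keyfile and, because `dd of=` opens the target with truncation, the file's original blocks are released and fresh ones written rather than the old data being overwritten in place, so the key material can remain recoverable on the device; the write needs `conv=notrunc`, a size taken from the file, and a `sync` before the `umount`. The `mount` two lines earlier is silenced and unchecked, so when the device is absent or the UUID is wrong the loop quietly creates `encrypt2_device/<name>` files inside the initramfs and the hook reports success having shredded nothing. The unconditional `sleep 10` could presumably be replaced by mkinitcpio's `resolve_device`, which waits for the node to appear, if it is available to this hook. The `cat ... | while read` pipeline also reads without `-r`; a redirect into `while read -r` is the usual form.
```shell
run_hook ()
{
  source encrypt2.conf
  # … unchanged: wait for the device …
  mkdir encrypt2_device
  if ! mount "$cryptkey_device" encrypt2_device &> /dev/null; then
    echo "encrypt2: cannot mount $cryptkey_device, keyfiles were NOT shredded"
    return 1
  fi

  while read -r keyfile; do
    target="encrypt2_device/$keyfile"
    [ -s "$target" ] || continue
    size=$(wc -c < "$target")
    # overwrite in place: without conv=notrunc dd truncates first and the
    # old blocks are merely released, not overwritten
    for _ in 1 2 3; do
      dd if=/dev/urandom of="$target" bs="$size" count=1 conv=notrunc &> /dev/null
    done
  done < encrypt2_file.list

  sync
  umount encrypt2_device &> /dev/null
}
```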
diff --git a/encrypt2.install b/encrypt2.install
new file mode 100644
index 000000000000..34d5c373c749
--- /dev/null
+++ b/encrypt2.install
@@ -0,0 +1,22 @@
+build ()
+{
+ grep "cryptkey_device=" /etc/encrypt2.conf > "$BUILDROOT/encrypt2.conf"
+
+ source "/etc/encrypt2.conf"
+
+ if [ -e "$BUILDROOT/encrypt2_file.list" ]; then
+ rm "$BUILDROOT/encrypt2_file.list"
+ fi
+
+ for keyfile in ${keyfiles[@]}; do
+ echo $keyfile >> "$BUILDROOT/encrypt2_file.list"
+ done
+
+ add_runscript
+}
+help ()
+{
+cat<<HELPEOF
+ Shreds keyfiles on boot
+HELPEOF
+} \ No newline at end of file
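Review bot: `${keyfiles[@]}` on the `for` line and `$keyfile` in the `echo` are unquoted, so a keyfile name containing whitespace or glob characters is split or expanded before it reaches `encrypt2_file.list`, and the hook later shreds the wrong path or nothing at all; use `for keyfile in "${keyfiles[@]}"; do` and `printf '%s\n' "$keyfile" >> "$BUILDROOT/encrypt2_file.list"`. A name beginning with `-` would also be taken as an option by `echo` in some shells, which `printf` avoids. Since the list drives what gets destroyed at boot, it is worth a comment above the loop such as `# one keyfile name per line; the hook overwrites each of these on cryptkey_device`.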
diff --git a/usage.install b/usage.install
new file mode 100644
index 000000000000..ecc404968bdf
--- /dev/null
+++ b/usage.install
@@ -0,0 +1,5 @@
+post_install() {
+ echo ""
+ echo "Don't forget to add the encrypt2 before encrypt in your /etc/mkinitcpio.conf and run mkinitcpio -p linux..."
+ echo ""
+}
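Review bot: The message tells the user to place encrypt2 before encrypt, which means this hook's run_hook executes before the encrypt hook has read any keyfile; if the names in /etc/encrypt2.conf are the same files encrypt uses via cryptkey, they are destroyed before the root device is unlocked. I cannot tell from the page which keyfiles are intended, so the install message should state it, e.g. `echo "encrypt2 shreds the files listed in /etc/encrypt2.conf; place it before encrypt only if those files are not the keyfiles needed to unlock the root device."`. A `printf '%s\n'` would also be safer than `echo` for these fixed strings, though here it is purely a style point.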