tomb

the crypto undertaker
git clone git://parazyd.org/tomb.git
Log | Files | Refs | README | LICENSE

commit bc458825336851102181c97d5a0d1fcf25ac911a
parent ec5d72ae9a707b72e9c8f031c843739554d48a27
Author: hellekin <hellekin@cepheide.org>
Date:   Fri, 20 Feb 2015 09:58:40 -0300

Merge pull request #189 from dyne/fix-163

Detect plain swaps on encrypted partition (util-linux >= 2.22) or advise user to use -f (fixes #163)
Diffstat:
Mtomb | 44+++++++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/tomb b/tomb @@ -278,6 +278,25 @@ _tmp_create() { return 0 } +# Check if a block device is encrypted +# Synopsis: _is_encrypted_block /path/to/block/device +# Return 0 if it is an encrypted block device +_is_encrypted_block() { + local b=$1 # Path to a block device + local s="" # lsblk option -s (if available) + + # Issue #163 + # lsblk --inverse appeared in util-linux 2.22 + # but --version is not consistent... + lsblk --help | grep -q '\-\-inverse' + [[ $? -eq 0 ]] && s="--inverse" + + sudo lsblk $s -o type -n $b 2>/dev/null \ + | egrep -q '^crypt$' + + return $? +} + # Check if swap is activated # Return 0 if NO swap is used, 1 if swap is used. # Return 1 if any of the swaps is not encrypted. @@ -293,35 +312,18 @@ _ensure_safe_swap() { swaps="$(awk '/^\// { print $1 }' /proc/swaps 2>/dev/null)" [[ -z "$swaps" ]] && return 0 # No swap partition is active + _message "An active swap partition is detected..." for s in $=swaps; do - bone=$(_sudo file $s) - if [[ "$bone" =~ "swap file" ]]; then - # It's a regular (unencrypted) swap file - r=1 - break - - elif [[ "$bone" =~ "symbolic link" ]]; then - # Might link to a block - r=1 - [[ "/dev/mapper" == "${s%/*}" ]] || { break } - is_crypt=$(_sudo dmsetup status "$s" | awk '/crypt/ {print $3}') - [[ $is_crypt == "crypt" ]] && { r=2 } - - elif [[ "$bone" =~ "block special" ]]; then - # It's a block - r=1 - is_crypt=`_sudo dmsetup status "$s" | awk '/crypt/ {print $3}'` - [[ $is_crypt == "crypt" ]] && { r=2 } || { break } - - fi + { _is_encrypted_block $s } && { r=2 } || { r=1; break } done - _message "An active swap partition is detected..." + if [[ $r -eq 2 ]]; then _success "All your swaps are belong to crypt. Good." else _warning "This poses a security risk." _warning "You can deactivate all swap partitions using the command:" _warning " swapoff -a" + _warning "[#163] I may not detect plain swaps on an encrypted volume." _warning "But if you want to proceed like this, use the -f (force) flag." fi return $r