From 36854a51d46e4e63a663fe3e5fa1c68385984b78 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Thu, 22 Jan 2009 22:14:22 +0000 Subject: [PATCH] sys: new luksheaders option to backup the Luks header of every Luks device --- ChangeLog | 3 ++ examples/example.sys | 16 ++++++++++- handlers/sys.helper.in | 8 +++++- handlers/sys.in | 65 +++++++++++++++++++++++++++++++++++++++++- 4 files changed, 89 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 33a51de..c5208b3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ version 0.9.7 -- UNRELEASED does not prevent mysqldump to work. . Fix the error message displayed when mysqld is not running: mysqladmin ping indeed returns 0 when authentication fails. + sys: + . New luksheaders option (default=disabled) to backup the Luks header + of every Luks device. version 0.9.6 -- July 21, 2008 backupninja changes diff --git a/examples/example.sys b/examples/example.sys index af28fd6..a4bffc4 100644 --- a/examples/example.sys +++ b/examples/example.sys @@ -1,6 +1,6 @@ # # this config file will save various reports of vital system information. -# by default, all the reports are enabled and are saved in /var/backups. +# by default, all the reports are saved in /var/backups. # # requires dpkg, debconf-utils, sfdisk, and hwinfo # @@ -25,6 +25,12 @@ # (4) hardware information. # detailed information on most important aspects of the hardware. # +# (5) the Luks header of every Luks block device, if option luksheaders +# is enabled. +# in case you (have to) scramble such a Luks header (for some time), +# and restore it later by running "dd if=luksheader.sda2.bin of=/dev/sda2" +# (MAKE SURE YOU PASS THE CORRECT DEVICE AS of= !!!) +# # here are the defaults, commented out: 
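Review bot: The new item (5) comment in examples/example.sys explains how to `dd` a saved header back onto a device but never says that the saved file is itself sensitive. A LUKS header copy includes the key slots, so whoever obtains it together with a passphrase that was valid when the backup was taken can still unlock the device, even after that passphrase has been changed on the live header. I would add a line such as `# NOTE: the header backup contains the key slots; store it as carefully as the passphrase, and replace or destroy old copies after revoking a passphrase.` The identical comment block added at the top of handlers/sys.in wants the same caveat.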
@@ -47,6 +53,14 @@ # hardwarefile = /var/backups/hardware.txt # dohwinfo = yes +# luksheaders = no +# NOTE: the __star__ below will be replaced by the Luks partitions found on the +# system (e.g. luksheader.sda2.bin, luksheader.sdb3.bin). If you change +# the luksheadersfile default below, be sure to include the __star__ +# replacement in the filename, or you will get one file for only one partition, +# the others being written to the same file, and then overwritten by the next. +# luksheadersfile = /var/backups/luksheader.__star__.bin + # If vservers = yes in /etc/backupninja.conf then the following variables can # be used: # vsnames = all | ... (default = all) diff --git a/handlers/sys.helper.in b/handlers/sys.helper.in index d3d99a5..48841e8 100644 --- a/handlers/sys.helper.in +++ b/handlers/sys.helper.in @@ -8,19 +8,22 @@ sys_wizard() { "packages" "list of all installed packages." on \ "partitions" "the partition table of all disks." on \ "sfdisk" "use sfdisk to get partition information." on \ - "hardware" "detailed hardware information" on + "hardware" "detailed hardware information" on \ + "luksheaders" "Luks headers of all Luks partitions." off [ $? = 1 ] && return; result="$REPLY" packages="packages = no" partitions="partitions = no" sfdisk="dosfdisk = no" hardware="hardware = no" + luksheaders="luksheaders = no" for opt in $result; do case $opt in '"packages"') packages="packages = yes";; '"partitions"') partitions="partitions = yes";; '"sfdisk"') sfdisk="dosfdisk = yes";; '"hardware"') hardware="hardware = yes";; + '"luksheaders"') luksheaders="luksheaders = yes";; esac done get_next_filename $configdirectory/10.sys 
@@ -29,10 +32,13 @@ $packages $partitions $sfdisk $hardware +$luksheaders + # packagesfile = /var/backups/dpkg-selections.txt # selectionsfile = /var/backups/debconfsel.txt # partitionsfile = /var/backups/partitions.__star__.txt # hardwarefile = /var/backups/hardware.txt +# luksheadersfile = /var/backups/luksheader.__star__.bin # If vservers = yes in /etc/backupninja.conf then the following variables can # be used: diff --git a/handlers/sys.in b/handlers/sys.in index f293840..de81435 100755 --- a/handlers/sys.in +++ b/handlers/sys.in @@ -1,7 +1,7 @@ # -*- mode: sh; sh-basic-offset: 3; indent-tabs-mode: nil; -*- # # this handler will save various reports of vital system information. -# by default, all the reports are enabled and are saved in /var/backups. +# by default, all the reports are saved in /var/backups. # # (1) a capture of the debconf package selection states. This file # can be used to restore the answers to debconf questions for @@ -24,6 +24,12 @@ # (4) hardware information. # write to a text file the important things which hwinfo can gleen. # +# (5) the Luks header of every Luks block device, if option luksheaders +# is enabled. +# in case you (have to) scramble such a Luks header (for some time), +# and restore it later by running "dd if=luksheader.sda2.bin of=/dev/sda2" +# (MAKE SURE YOU PASS THE CORRECT DEVICE AS of= !!!) +# if [ -f /etc/debian_version ] then @@ -82,6 +88,11 @@ getconf HWINFO `which hwinfo` getconf sfdisk_options "" getconf hwinfo_options "" +getconf CRYPTSETUP `which cryptsetup` +getconf DD `which dd` +getconf luksheaders no +getconf luksheadersfile $parentdir/luksheader.__star__.bin + getconf vsnames all # If vservers are configured, check that the ones listed in $vsnames are running. 
@@ -97,6 +108,19 @@ if [ $vservers_are_available = yes ]; then usevserver=yes fi +## SANITY CHECKS ######################### + +if [ "$luksheaders" == "yes" ]; then + if [ ! -x "$DD" ]; then + warning "can't find dd, skipping backup of Luks headers." + luksheaders="no" + fi + if [ ! -x "$CRYPTSETUP" ]; then + warning "can't find cryptsetup, skipping backup of Luks headers." + luksheaders="no" + fi +fi + ## PACKAGES ############################## # 
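Review bot: The sanity checks cover `$DD` and `$CRYPTSETUP` but not `$SFDISK`, which the luksheaders block added at the end of this file uses to enumerate devices. If sfdisk is missing, the enumeration returns nothing (its stderr is discarded) and the user only sees "No block device found", which hides the real cause. Whether `$SFDISK` is validated elsewhere in sys.in is not visible in this patch. A third check in the same style would make the dependency explicit: `[ -x "$SFDISK" ] || { warning "can't find sfdisk, skipping backup of Luks headers."; luksheaders="no"; }`.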
@@ -541,3 +565,42 @@ if [ "$partitions" == "yes" ]; then
 $HWINFO --disk >> $hardwarefile
 fi
 fi
+
+if [ "$luksheaders" == "yes" ]; then
+ devices=`LC_ALL=C $SFDISK -l 2>/dev/null | grep "^Disk /dev" | @AWK@ '{print $2}' | cut -d: -f1`
+ [ -n "$devices" ] || warning "No block device found"
+ targetdevices=""
+ for dev in $devices; do
+ [ -b $dev ] || continue
+ debug "$CRYPTSETUP isLuks $dev"
+ $CRYPTSETUP isLuks $dev
+ [ $? -eq 0 ] && targetdevices="$targetdevices $dev"
+ done
+ for dev in $targetdevices; do
+ label=${dev#/dev/}
+ label=${label//\//-}
+ outputfile=${luksheadersfile//__star__/$label}
+ # the following sizes are expressed in terms of 512-byte sectors
+ debug "Let us find out the Luks header size for $dev"
+ debug "$CRYPTSETUP luksDump \"$dev\" | grep '^Payload offset:' | @AWK@ '{print $3}'"
+ headersize=`$CRYPTSETUP luksDump "$dev" | grep '^Payload offset:' | @AWK@ '{print $3}'`
+ if [ $? -ne 0 ]; then
+ warning "Could not compute the size of Luks header, skipping device $dev"
+ continue
+ elif [ -z "$headersize" -o -n "`echo \"$headersize\" | sed 's/[0-9]*//g'`" ]; then
+ warning "The computed size of Luks header is not an integer, skipping device $dev"
+ continue
+ fi
+ debug "Let us backup the Luks header of device $dev"
+ debug "$DD if=\"${dev}\" of=\"${outputfile}\" bs=512 count=\"${headersize}\""
+ output=`$DD if="${dev}" of="${outputfile}" bs=512 count="${headersize}" 2>&1`
+ exit_code=$?
+ if [ $exit_code -eq 0 ]; then
+ debug $output
+ info "The Luks header of $dev was saved to $outputfile."
+ else
+ debug $output
+ fatal "The Luks header of $dev could not be saved."
+ fi
+ done
+fi
-- 
2.30.2
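Review bot: The `$DD ... of="${outputfile}"` call creates the header backup under whatever umask the handler inherits, so unless a restrictive umask is set outside this hunk, the file in /var/backups is likely readable by every local user. The copied region holds the LUKS key slots, so a readable copy exposes the passphrase to offline guessing; I would put `umask 077` in a subshell around the `$DD` call and add `chmod 600 "$outputfile"` after it, which also covers an output file that already exists with looser permissions. Separately, `[ $? -ne 0 ]` after the `headersize=` pipeline tests the exit status of the last command (@AWK@), not of `cryptsetup luksDump`, so the "Could not compute" branch is effectively dead and a luksDump failure is only caught by the integer check below it. The enumeration also greps `^Disk /dev`, which matches whole-disk lines, while the documentation in this patch names partitions such as sda2; it looks as if LUKS partitions would be skipped silently, which is worth confirming against real `sfdisk -l` output.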