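#!/bin/sh
#
# PROVIDE: unlockgeli
# REQUIRE: netwait
# BEFORE: jail
#
# unlockgeli: at boot, fetch GELI key material over scp(1), attach the
# configured providers with geli(8) and mount the ZFS datasets on them.
# REQUIRE: netwait is what makes the scp download possible this early.
#
# rc.conf(5) settings (read by unlockgeli_start):
#   unlockgeli_enable                      "YES" to run at boot.
#   unlockgeli_pools                       Space-separated pool names to unlock
#                                          when no pool is given on the command line.
#   unlockgeli_<pool>_devs                 Providers to "geli attach" for <pool>.
#   unlockgeli_<pool>_key                  scp source of the GELI key file.
#   unlockgeli_<pool>_key_identityfile     ssh identity used for that download.
#   unlockgeli_<pool>_key_enc_pw           Password when the key file is
#                                          openssl-enc encrypted (optional).
#   unlockgeli_<pool>_passphrase           scp source of a passphrase file (optional).
#   unlockgeli_<pool>_passphrase_identityfile
#   unlockgeli_<pool>_passphrase_enc_pw    Same as the key variants, for the passphrase.
#
# <pool> must be usable as part of a shell variable name ([A-Za-z0-9_]).

. /etc/rc.subr

name=unlockgeli
rcvar=unlockgeli_enable
start_cmd="${name}_start"
stop_cmd=":"

load_rc_config "$name"

# Default for the rcvar itself; rc.subr's checkyesno warns when the variable
# named by $rcvar is unset, so the default has to be on unlockgeli_enable.
: "${unlockgeli_enable:=NO}"
: "${unlockgeli_pools:=}"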
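#######################################
# Copy one remote file with scp(1).
# The -i option is only added when an identity file is configured, so an
# empty setting does not make scp treat the source spec as the identity file.
# Arguments: $1 identity file (may be empty), $2 scp source, $3 local destination
# Returns:   scp's exit status
#######################################
unlockgeli_scp()
{
	local _idfile _src _dst
	_idfile=$1; _src=$2; _dst=$3

	# NOTE(review): there is no tty at boot; "-o BatchMode=yes" would make a
	# host-key or password prompt fail instead of hanging the boot. Confirm
	# with the deployment before adding it.
	if [ -n "$_idfile" ]; then
		scp -i "$_idfile" "$_src" "$_dst"
	else
		scp "$_src" "$_dst"
	fi
}

#######################################
# Decrypt an openssl enc(1) protected file (aes-256-cbc, base64, salted).
# The password reaches openssl through the environment rather than argv,
# where "-k" would expose it to every user via ps(1).
# Arguments: $1 password, $2 encrypted input, $3 plaintext output
#            (already created 0600 by mktemp; openssl truncates in place)
# Returns:   openssl's exit status
#######################################
unlockgeli_decrypt()
{
	local _pw _in _out
	_pw=$1; _in=$2; _out=$3

	UNLOCKGELI_ENC_PW=$_pw openssl enc -aes-256-cbc -a -salt -d \
		-in "$_in" -out "$_out" -pass env:UNLOCKGELI_ENC_PW
}

#######################################
# Fetch one secret over scp into an existing 0600 file, decrypting it first
# when an encryption password is configured.
# Arguments: $1 label used in messages, $2 identity file, $3 scp source,
#            $4 encryption password (empty = file is plaintext), $5 destination
# Outputs:   progress messages on stdout
# Returns:   0 on success, non-zero when download or decryption failed
#######################################
unlockgeli_fetch()
{
	local _label _idfile _src _encpw _dst _enc _rv
	_label=$1; _idfile=$2; _src=$3; _encpw=$4; _dst=$5

	if [ -z "$_encpw" ]; then
		unlockgeli_scp "$_idfile" "$_src" "$_dst"
		return
	fi

	# The encrypted blob gets its own unpredictable temp file instead of a
	# fixed "<name>.aes" path that a local user could pre-create in /tmp.
	_enc=$(mktemp -t unlockgeli.enc) || return 1
	if unlockgeli_scp "$_idfile" "$_src" "$_enc"; then
		echo "Decrypting $_label"
		unlockgeli_decrypt "$_encpw" "$_enc" "$_dst"
		_rv=$?
	else
		_rv=1
	fi
	rm -fP -- "$_enc"
	return $_rv
}

#######################################
# Unlock the GELI providers of each requested pool and mount ZFS.
# Globals:   unlockgeli_pools (read); unlockgeli_<pool>_* settings (read)
# Arguments: pool names. None, or the "_ALL" sentinel passed by the
#            run_rc_command dispatch at the bottom of this file, means every
#            pool listed in $unlockgeli_pools.
# Outputs:   progress on stdout; failures through rc.subr's warn()
# Returns:   0. A failing pool is reported and skipped, the next one is tried.
#######################################
unlockgeli_start()
{
	local _pools _g _d _devs _key _key_idfile _key_pw _pp _pp_idfile _pp_pw
	local _keyfile _pwfile _ok

	# Explicit pool arguments win; "_ALL" or no argument falls back to the
	# configured list. (A plain "${1:-...}" would be wrong here because of
	# the sentinel.)
	if [ $# -eq 0 ] || [ "$1" = "_ALL" ]; then
		_pools=$unlockgeli_pools
	else
		_pools=$*
	fi

	for _g in $_pools; do
		# The pool name is spliced into variable names and passed to eval
		# below, so only identifier characters are accepted. Other names could
		# never have resolved to a valid variable anyway.
		case $_g in
		*[!A-Za-z0-9_]*)
			warn "Skipping pool '$_g': name is not usable in a variable name"
			continue
			;;
		esac

		echo "Unlocking $_g pool"
		eval _devs=\${unlockgeli_${_g}_devs}
		eval _key=\${unlockgeli_${_g}_key}
		eval _key_idfile=\${unlockgeli_${_g}_key_identityfile}
		eval _key_pw=\${unlockgeli_${_g}_key_enc_pw}
		eval _pp=\${unlockgeli_${_g}_passphrase}
		eval _pp_idfile=\${unlockgeli_${_g}_passphrase_identityfile}
		eval _pp_pw=\${unlockgeli_${_g}_passphrase_enc_pw}

		# mktemp creates unpredictable 0600 files. A fixed /tmp name could be
		# pre-created or symlinked by a local user before this script runs,
		# and the key would be written where that user chose.
		_keyfile=$(mktemp -t unlockgeli.key) || {
			warn "Unable to create temporary key file"
			continue
		}
		_pwfile=$(mktemp -t unlockgeli.pw) || {
			warn "Unable to create temporary passphrase file"
			rm -fP -- "$_keyfile"
			continue
		}

		_ok=yes
		echo "Downloading geli key"
		if ! unlockgeli_fetch "keyfile" "$_key_idfile" "$_key" "$_key_pw" "$_keyfile"; then
			warn "Unable to obtain geli key ${_key}"
			_ok=no
		fi
		if [ "$_ok" = yes ] && [ -n "$_pp" ]; then
			echo "Downloading geli passphrase"
			if ! unlockgeli_fetch "passphrase file" "$_pp_idfile" "$_pp" "$_pp_pw" "$_pwfile"; then
				warn "Unable to obtain passphrase file ${_pp}"
				_ok=no
			fi
		fi

		# Attach only when every secret arrived; otherwise geli would be
		# handed an empty or partially written key file.
		if [ "$_ok" = yes ]; then
			for _d in $_devs; do
				echo "Unlocking $_d"
				if [ -n "$_pp" ]; then
					geli attach -k "$_keyfile" -j "$_pwfile" "$_d" ||
						warn "Unable to geli attach $_d"
				else
					geli attach -k "$_keyfile" -p "$_d" ||
						warn "Unable to geli attach $_d"
				fi
			done
		fi

		# -P asks rm(1) to overwrite before unlinking; on copy-on-write or
		# journaled file systems this is best effort only.
		echo "Deleting temporary key file"
		rm -fP -- "$_keyfile"
		echo "Deleting temporary passphrase file"
		rm -fP -- "$_pwfile"

		if [ "$_ok" = yes ]; then
			echo "Mounting unlocked zfs volumes"
			zfs mount -a
		fi
	done
	return 0
}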
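# Dispatch. With a bare "start"/"stop" (one argument) the "_ALL" sentinel is
# appended so unlockgeli_start falls back to $unlockgeli_pools; any further
# words on the command line are taken as pool names.
# NOTE(review): geliunlock_list does not follow the unlockgeli_ prefix used by
# every other setting and is not assigned anywhere visible here; it is kept
# only so an existing rc.conf that sets it keeps working.
case $# in
1) run_rc_command "$@" "${geliunlock_list:-_ALL}" ;;
*) run_rc_command "$@" ;;
esac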