Add mkinitcpio hook for decryption over SSH

Adds the zfsencryptssh hook to allow the user to decrypt a ZFS root filesystem remotely via SSH, early in the boot process. Sourced from the archzfs project.
2025-08-07 05:38:31 +02:00 · 2024-09-26 03:05:51 -07:00
parent 89c049a534
commit a67696a9bd
3 changed files with 51 additions and 5 deletions
--- a/zfs.initcpio.zfsencryptssh.install
+++ b/zfs.initcpio.zfsencryptssh.install
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+make_etc_passwd() {
+    echo 'root:x:0:0:root:/root:/bin/zfsdecrypt_shell' >> "${BUILDROOT}"/etc/passwd
+    echo '/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/shells
+}
+
+make_zfsdecrypt_shell() {
+    decrypt_shell='#!/bin/sh
+if [ -f "/.encryptionroot" ]; then
+    # source zfs hook functions
+    . /hooks/zfs
+    # decrypt bootfs
+    zfs_decrypt_fs "$(cat /.encryptionroot)"
+    # kill pending decryption attempt to allow the boot process to continue
+    killall zfs
+else
+    echo "ZFS is not ready yet. Please wait!"
+fi'
+    printf '%s' "$decrypt_shell" > "${BUILDROOT}"/bin/zfsdecrypt_shell
+    chmod a+x "${BUILDROOT}"/bin/zfsdecrypt_shell
+}
+
+build ()
+{
+    make_etc_passwd
+    make_zfsdecrypt_shell
+}
+
+help ()
+{
+    cat<<HELPEOF
+This hook is meant to be used in conjunction with mkinitcpio-dropbear, 
+mkinitcpio-netconf and/or mkinitcpio-ppp. This will provide a way to unlock 
+your encrypted ZFS root filesystem remotely.
+HELPEOF
+}
+
+# vim: set ts=4 sw=4 ft=sh et: