-rw-r--r-- | archinstall/lib/installer.py | 35 |
diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index 07de94e0..2629c0f7 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -8,7 +8,7 @@ import pathlib
 import subprocess
 import glob
 from .disk import get_partitions_in_use, Partition
-from .general import SysCommand
+from .general import SysCommand, generate_password
 from .hardware import has_uefi, is_vm, cpu_vendor
 from .locale_helpers import verify_keyboard_layout, verify_x11_keyboard_layout
 from .disk.helpers import get_mount_info
@@ -187,18 +187,35 @@ class Installer:
 mountpoints[partition['mountpoint']] = partition
 for mountpoint in sorted(mountpoints.keys()):
- if mountpoints[mountpoint].get('encrypted', False):
- loopdev = storage.get('ENC_IDENTIFIER', 'ai') + 'loop'
- if not (password := mountpoints[mountpoint].get('!password', None)):
- raise RequirementError(f"Missing mountpoint {mountpoint} encryption password in layout: {mountpoints[mountpoint]}")
+ partition = mountpoints[mountpoint]
+
+ if partition.get('encrypted', False):
+ loopdev = f"{storage.get('ENC_IDENTIFIER', 'ai')}{pathlib.Path(partition['mountpoint']).name}loop"
+ if not (password := partition.get('!password', None)):
+ raise RequirementError(f"Missing mountpoint {mountpoint} encryption password in layout: {partition}")
+
+ with (luks_handle := luks2(partition['device_instance'], loopdev, password, auto_unmount=False)) as unlocked_device:
+ if partition.get('generate-encryption-key-file'):
+ if not (cryptkey_dir := pathlib.Path(f"{self.target}/etc/cryptsetup-keys.d")).exists():
+ cryptkey_dir.mkdir(parents=True, exist_ok=True)
+
+ # Once we store the key as ../xyzloop.key systemd-cryptsetup can automatically load this key
+ # if we name the device to "xyzloop".
+ encryption_key_path = f"/etc/cryptsetup-keys.d/{pathlib.Path(partition['mountpoint']).name}loop.key"
+ with open(f"{self.target}{encryption_key_path}", "w") as keyfile:
+ keyfile.write(generate_password(length=512))
+
+ os.chmod(encryption_key_path, 0o400)
+
+ luks_handle.add_key(pathlib.Path(f"{self.target}{encryption_key_path}"), password=password)
+ luks_handle.crypttab(self, encryption_key_path, options=["luks", "key-slot=1"])
- with luks2(mountpoints[mountpoint]['device_instance'], loopdev, password, auto_unmount=False) as unlocked_device:
 log(f"Mounting {mountpoint} to {self.target}{mountpoint} using {unlocked_device}", level=logging.INFO)
 unlocked_device.mount(f"{self.target}{mountpoint}")
 else:
- log(f"Mounting {mountpoint} to {self.target}{mountpoint} using {mountpoints[mountpoint]['device_instance']}", level=logging.INFO)
- mountpoints[mountpoint]['device_instance'].mount(f"{self.target}{mountpoint}")
+ log(f"Mounting {mountpoint} to {self.target}{mountpoint} using {partition['device_instance']}", level=logging.INFO)
+ partition['device_instance'].mount(f"{self.target}{mountpoint}")
 time.sleep(1)
 try:
@@ -206,7 +223,7 @@ class Installer:
 except DiskError:
 raise DiskError(f"Target {self.target}{mountpoint} never got mounted properly (unable to get mount information using findmnt).")
- if (subvolumes := mountpoints[mountpoint].get('btrfs', {}).get('subvolumes', {})):
+ if (subvolumes := partition.get('btrfs', {}).get('subvolumes', {})):
 for name, location in subvolumes.items():
 create_subvolume(self, location)
 mount_subvolume(self, location) |
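Review bot: In the `@@ -187,18 +187,35 @@` hunk, `os.chmod(encryption_key_path, 0o400)` is called on the path without the `{self.target}` prefix that the `open()` just above it uses, so the mode change applies to `/etc/cryptsetup-keys.d/...` on the running system rather than to the key file written under the target. The LUKS key file on the installed system therefore keeps whatever mode `open(..., "w")` and the process umask gave it, which would normally leave it readable by other local users. Creating the file owner-only from the start and then chmod-ing the target path fixes the wrong path and also closes the window between write and chmod. `cryptkey_dir.mkdir(...)` would likewise benefit from an explicit `mode=0o700`. The enclosing method starts and ends outside the hunk.

```python
if partition.get('generate-encryption-key-file'):
    # … unchanged: cryptkey_dir creation and encryption_key_path assignment …
    key_file_on_target = f"{self.target}{encryption_key_path}"
    # Create the key file owner-only so it is never readable by other users, even briefly.
    key_fd = os.open(key_file_on_target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(key_fd, "w") as keyfile:
        keyfile.write(generate_password(length=512))

    # The mode passed with O_CREAT is ignored for a pre-existing file, so enforce it on the target path.
    os.chmod(key_file_on_target, 0o400)
    # … unchanged: luks_handle.add_key(...) and luks_handle.crypttab(...) …
```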