Description
`bcachefs unlock` from the initramfs (dracut), with the passphrase recovered from a hardware or file-based source.
No LUKS2 layer required — bcachefs has native encryption.
Unlock sources: a GPG-encrypted key file, a YubiKey, or a TPM2 sealed object.
Key file at e.g. /etc/keys/dracut-rootfs.gpg (or any other path of your choosing).
Flow: $password | decryption | bcachefs unlock $plaintext /
For most users Clevis would be a nicety for managing the keys.
Some hackish dracut examples follow (module-setup.sh, the pre-mount unlock hook, and a dracut.conf fragment):
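#!/bin/sh
# Dracut module for bcachefs encrypted volumes (modules.d/90bcachefs/module-setup.sh).
# Installs the pre-mount unlock hook (bcachefs-unlock.sh) and the userspace
# tools it may call. dracut sources this file at image build time.

# Inclusion policy: 0 = include this module in every image that is built
# (255 would mean "only when requested via --add / add_dracutmodules").
check() {
    return 0
}

# Other dracut modules this one needs. Each name must be an existing dracut
# module directory (NNname under modules.d): `bash` supplies the hook's shell.
# NOTE(review): confirm a module named `keyutils` exists in the target dracut
# version -- an unknown module name here fails the image build.
depends() {
    echo "bash keyutils"
    return 0
}

# Copy the hook, the bcachefs userspace and the optional unlock back-ends
# into the image.
install() {
    # Run the unlock script before the root filesystem is mounted. inst_hook
    # copies the script into the image itself, so no separate inst_script is
    # needed for it.
    inst_hook pre-mount 90 "$moddir/bcachefs-unlock.sh"

    # bcachefs userspace. Only the multicall `bcachefs` binary is required by
    # the hook; the -unlock/-mount names are optional (-o).
    # NOTE(review): bcachefs-tools normally provides `bcachefs unlock` and
    # `mount.bcachefs` rather than separate bcachefs-unlock/bcachefs-mount
    # binaries, so a hard inst_binary on those two would fail most builds.
    inst_binary /usr/sbin/bcachefs
    inst_multiple -o /usr/sbin/bcachefs-unlock /usr/sbin/bcachefs-mount

    # Optional unlock back-ends: -o so a host without ykman, tpm2-tools or gpg
    # still builds an image. Caveats: tpm2-tools dlopen() their TCTI library,
    # which the shared-library scan does not follow -- if tpm2_unseal reports a
    # TCTI error inside the initramfs, add `inst_libdir_file "libtss2-tcti-device.so*"`
    # (or depend on dracut's tpm2-tss module); gpg additionally needs
    # gpg-agent/pinentry if a passphrase has to be typed.
    inst_multiple -o /usr/bin/gpg /usr/bin/ykman /usr/bin/tpm2_unseal

    # The hook reads this GPG-encrypted key file; it must be inside the image to
    # be usable. The initramfs typically lives on an unencrypted /boot, so the
    # file must be encrypted to a key or passphrase that is NOT also in the image.
    inst_multiple -o /etc/keys/bcachefs.gpg
}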
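#!/bin/sh
# Unlock a bcachefs root (or encrypted data) volume from a dracut pre-mount hook.
#
# dracut *sources* this file (module-setup.sh installs it with
# `inst_hook pre-mount 90`), so the logic lives in a function and finishes with
# `return`; an `exit` here would terminate the initramfs init process itself.
#
# Unlock order: TPM2 sealed object -> GPG-encrypted key file -> YubiKey ->
# interactive prompt. Each automated path pipes the recovered passphrase into
# `bcachefs unlock`, which is expected to read it from stdin when stdin is not
# a terminal (TODO confirm for the shipped bcachefs-tools version).

# Encrypted bcachefs device. The default is a PLACEHOLDER that must be replaced
# (or set BCACHEFS_VOL in the hook's environment); there is no autodetection.
VOL="${BCACHEFS_VOL:-/dev/sdX}"

# Persistent handle of the TPM2 sealed object (as assigned by tpm2_evictcontrol).
TPM_HANDLE="${BCACHEFS_TPM_HANDLE:-0x81010001}"

# Pipe passphrase $1 into `bcachefs unlock "$VOL"`.
# printf rather than echo: a passphrase beginning with '-' or containing
# backslashes must reach bcachefs unchanged, and echo may interpret either.
feed_passphrase() {
    printf '%s\n' "$1" | bcachefs unlock "$VOL"
}

bcachefs_unlock_volume() {
    KEY=""

    echo "Loading bcachefs kernel module..."
    # modprobe exits 0 when the module is already loaded, so a non-zero status
    # means the module is missing from the initramfs -- report that instead of
    # the misleading "already loaded".
    modprobe bcachefs || echo "bcachefs-unlock: modprobe bcachefs failed (module not in initramfs?)" >&2

    # 1) TPM2.
    # NOTE(review): without a -p/--auth argument this only succeeds for an object
    # sealed with empty auth and no policy, i.e. anything that boots on this
    # machine can unseal it. Seal against PCRs (measured boot) and pass the
    # matching policy session here; otherwise the TPM only prevents the disk
    # image from being unlocked on a different machine. Seal a *text*
    # passphrase: $(...) cannot carry NUL bytes, so a raw binary key would be
    # silently truncated.
    if command -v tpm2_unseal >/dev/null 2>&1; then
        if KEY=$(tpm2_unseal -c "$TPM_HANDLE" 2>/dev/null) && [ -n "$KEY" ]; then
            if feed_passphrase "$KEY"; then
                unset KEY
                return 0
            fi
        fi
    fi

    # 2) GPG-encrypted key file. It has to be inside the initramfs, and because
    # the initramfs usually sits on an unencrypted /boot it must be encrypted to
    # a key or passphrase that is NOT also in the image. gpg also needs a usable
    # GNUPGHOME and, for a passphrase, a pinentry; stderr is discarded here, so
    # run the command by hand from the emergency shell if this path never fires.
    GPG_KEY="${BCACHEFS_GPG_KEY:-/etc/keys/bcachefs.gpg}"
    if [ -f "$GPG_KEY" ] && command -v gpg >/dev/null 2>&1; then
        if KEY=$(gpg --decrypt "$GPG_KEY" 2>/dev/null) && [ -n "$KEY" ]; then
            if feed_passphrase "$KEY"; then
                unset KEY
                return 0
            fi
        fi
    fi

    # 3) YubiKey.
    # NOTE(review): `ykman oath code` prints a TOTP code (with its account label)
    # that rotates every time period, so it cannot serve as a stable unlock
    # passphrase; a fixed-passphrase design would use a challenge-response (HMAC)
    # slot instead. Kept as written, but do not rely on this path.
    if command -v ykman >/dev/null 2>&1; then
        if KEY=$(ykman oath code "BCACHEFS" 2>/dev/null) && [ -n "$KEY" ]; then
            if feed_passphrase "$KEY"; then
                unset KEY
                return 0
            fi
        fi
    fi

    # 4) Interactive fallback: let bcachefs prompt on the console. Clear the
    # passphrase variable first -- this file is sourced, so it would otherwise
    # linger in the init shell's environment.
    unset KEY
    echo "No automated unlock succeeded, falling back to manual prompt..."
    bcachefs unlock "$VOL"
}

bcachefs_unlock_volume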
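# dracut.conf fragment (e.g. /etc/dracut.conf.d/90-bcachefs.conf): include the
# bcachefs driver, filesystem, and the unlock tools in the image.
add_drivers+=" bcachefs "
filesystems+=" bcachefs "

# install_items is a plain list of paths; whether a missing path aborts the
# build depends on the dracut version, so remove any tool (ykman, tpm2_unseal,
# gpg, bcachefs-unlock/-mount) that is not actually installed on this host.
install_items+=" /usr/sbin/bcachefs /usr/sbin/bcachefs-unlock /usr/sbin/bcachefs-mount "
install_items+=" /usr/bin/gpg /usr/bin/ykman /usr/bin/tpm2_unseal "

# Copies the hook script at its source path. Only useful when the 90bcachefs
# module itself is not enabled; module-setup.sh's install() already installs it
# as a pre-mount hook via inst_hook.
install_items+=" /usr/lib/dracut/modules.d/90bcachefs/bcachefs-unlock.sh "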