#!/bin/bash
# ==============================================================================
# Xalogy Encrypted Drive Provisioner (SDA) - Storage Only
# ==============================================================================

# --- CONFIGURATION VARIABLES ---
# 1. Target hardware (Always verify with 'lsblk' first!)
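TARGET_DISK="/dev/sda"

# 2. Name of the decrypted volume (No spaces or special characters)
MAPPER_NAME="secure_data"

# 3. Name of the keyfile (Will be stored securely in /etc/luks-keys/)
KEY_NAME="secure_data.key"


# ==============================================================================
# --- DO NOT EDIT BELOW THIS LINE ---
# ==============================================================================
# Strict mode: a failing command aborts the run instead of carrying on to
# luksFormat / crypttab / reboot with a half-provisioned drive. -E makes the
# ERR trap below fire inside functions as well.
set -Eeuo pipefail

KEY_DIR="/etc/luks-keys"
KEY_FILE="$KEY_DIR/$KEY_NAME"

#######################################
# Put /tmp and /boot back into their hardened state (noexec / read-only).
# Called on the success path and from every abort path.
# Returns: non-zero if either remount fails
#######################################
resecure_partitions() {
  sudo mount -o remount,noexec /tmp
  sudo mount -o remount,ro /boot
}

#######################################
# Print an error to stderr, re-secure the partitions and exit non-zero.
# Arguments: $* - error message
#######################################
die() {
  printf '[!] ERROR: %s\n' "$*" >&2
  # Re-secure partitions before aborting; a remount failure here must not
  # hide the original error, hence "|| true".
  resecure_partitions || true
  exit 1
}
trap 'die "command failed at line $LINENO: $BASH_COMMAND"' ERR

# --- SAFETY CHECKS (run before anything destructive happens) ---
[[ -b "$TARGET_DISK" ]] || die "$TARGET_DISK is not a block device"
[[ "$MAPPER_NAME" =~ ^[A-Za-z0-9_-]+$ ]] \
  || die "MAPPER_NAME may only contain letters, digits, '_' and '-'"

# Refuse to wipe a disk that is in use or was already provisioned by this
# script (luksFormat below is non-interactive and irreversible).
mounted=$(lsblk -rno MOUNTPOINT "$TARGET_DISK")
[[ -z "${mounted//[[:space:]]/}" ]] \
  || die "$TARGET_DISK has mounted filesystems; refusing to format it"
[[ ! -e "/dev/mapper/$MAPPER_NAME" ]] \
  || die "/dev/mapper/$MAPPER_NAME already exists; refusing to re-provision"
if grep -qs -- "^${MAPPER_NAME}[[:space:]]" /etc/crypttab; then
  die "/etc/crypttab already has an entry for $MAPPER_NAME; refusing to re-format $TARGET_DISK"
fi

echo "[*] Unlocking /tmp and /boot for package installation..."
sudo mount -o remount,exec /tmp
sudo mount -o remount,rw /boot

echo "[*] Updating OS and installing encryption packages..."
# One command per line, not an && chain: under set -e only the *last* member
# of an && list aborts the script, so a failed 'update' would be ignored.
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y cryptsetup

echo "[*] Generating secure keyfile on the encrypted OS drive..."
sudo mkdir -p "$KEY_DIR"
sudo chmod 700 "$KEY_DIR"
# Create the empty keyfile with its final mode/owner *before* writing key
# material, so the key never exists with default-umask permissions.
sudo install -m 400 -o root -g root /dev/null "$KEY_FILE"
sudo dd if=/dev/urandom of="$KEY_FILE" bs=1024 count=4
# An empty keyfile would silently become an empty LUKS passphrase.
sudo test -s "$KEY_FILE" || die "keyfile $KEY_FILE is empty"

echo "[*] Formatting $TARGET_DISK as LUKS encrypted container..."
# -q skips the interactive confirmation; the safety checks above are the only
# guard against wiping the wrong disk, so TARGET_DISK must be correct.
sudo cryptsetup -q luksFormat "$TARGET_DISK" "$KEY_FILE"

echo "[*] Opening LUKS container as $MAPPER_NAME..."
sudo cryptsetup luksOpen "$TARGET_DISK" "$MAPPER_NAME" --key-file "$KEY_FILE"

echo "[*] Formatting decrypted container to ext4..."
sudo mkfs.ext4 -F "/dev/mapper/$MAPPER_NAME"

echo "[*] Extracting hardware UUID..."
# After luksFormat, blkid on the raw disk reports the LUKS header UUID, which
# is the identifier crypttab needs (not the ext4 UUID of the mapped device).
RAW_UUID=$(sudo blkid -s UUID -o value "$TARGET_DISK")

# FAIL-SAFE: Abort instantly if UUID is empty (crypttab would get a broken line)
[[ -n "$RAW_UUID" ]] || die "Failed to extract UUID. Aborting to protect system files."

echo "[*] Writing UUID to /etc/crypttab..."
# 'discard' forwards TRIM to the disk (better SSD wear, at the cost of
# exposing which blocks of the container are unused).
printf '%s UUID=%s %s luks,discard\n' "$MAPPER_NAME" "$RAW_UUID" "$KEY_FILE" \
  | sudo tee -a /etc/crypttab

echo "[*] Reloading systemd manager configuration to clear cache warnings..."
sudo systemctl daemon-reload

echo "[*] Success! The drive is encrypted and mapped. Current mapper status:"
sudo lsblk "/dev/mapper/$MAPPER_NAME"

echo ""
echo "=============================================================================="
echo "[!] STORAGE PROVISIONING COMPLETE"
echo "=============================================================================="
echo "[!] Drive $TARGET_DISK has been encrypted and configured to auto-unlock."
echo "[!] The decrypted volume is available at: /dev/mapper/$MAPPER_NAME"
echo "[!] NOTE: You must manually configure /etc/fstab to mount this volume"
echo "[!] to your desired directory."
echo ""
echo "[!] Securing /tmp and /boot partitions prior to reboot..."
resecure_partitions
echo "[!] The server will automatically reboot in 15 seconds to apply all changes."
echo "[!] Please standby. Your session will disconnect shortly."
echo "=============================================================================="
sleep 15
sudo reboot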