@dlight
Last active February 12, 2017 20:39
This folder was created to store external LUKS headers, without which
the encrypted disks CAN NOT BE OPENED.

Losing such headers means DATA ON ENCRYPTED DISKS WILL BE LOST. So
back them up in other places.

This also stores some minor backups of metadata, like the layout of
the partition tables.

Also the commands I ran (if I remember them), so that I can more easily
set up the same thing on other disks.

Also scripts to mount and unmount the disks, which in practice I
won't use since /etc/crypttab and automount are more convenient.

But mostly the headers. Which, if you don't know, will result in DATA
LOSS if you don't back them up in other places.

PS: the essential headers are in external-luks-headers/ with the extension
.luks-header, but there's also a copy in each device's directory. In the
future I may store metadata of encrypted LUKS devices with an embedded
header (the default), but their headers won't be stored in
external-luks-headers/. There will be a backup of the header in the device's
own directory, with the extension .luks-header-backup.

The header in external-luks-headers/ is purposefully not symlinked to
the copy in each directory, to provide a measure of protection against
data corruption... perhaps.

(There are also parity files in parity/ as another measure against
bitrot; they are generated with ./gen-parity. Run ./check-parity to
check and ./repair-from-parity to repair any damage.)
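As an added example (not the gist's own code), here is a small bash checker for the layout described above: it verifies that each file in external-luks-headers/ starts with the LUKS magic and is byte-identical to its copy in the device directory, which is exactly the comparison the deliberately non-symlinked copies make possible. The script name check-headers and the optional root argument are assumptions.

```bash
#!/bin/bash
# Added example, not part of the gist: sanity-check the external LUKS
# header backups in the layout described above (external-luks-headers/
# holds NAME-ID.luks-header, and each device directory holds a copy).
# Checks: the file starts with the LUKS magic, and the copy is byte-identical.
shopt -s nullglob

# Return 0 if the file begins with the LUKS magic "LUKS\xba\xbe"
# (shared by LUKS1 and LUKS2 headers).
luks_magic_ok() {
    [[ "$(head -c 6 -- "$1" | od -An -tx1 | tr -d ' \n')" == "4c554b53babe" ]]
}

# Check one external header against its per-device copy.
# Prints one status line; returns non-zero if anything is wrong.
check_header() {
    local root=$1 header=$2 rc=0 copy="" c
    local base=${header##*/}
    if ! luks_magic_ok "$header"; then
        echo "BAD MAGIC  $header"; rc=1
    fi
    # The copy is any other file with the same name one level under $root.
    for c in "$root"/*/"$base"; do
        [[ $c -ef $header ]] || { copy=$c; break; }
    done
    if [[ -z $copy ]]; then
        echo "NO COPY    $base has no copy in a device directory"; rc=1
    elif ! cmp -s -- "$header" "$copy"; then
        echo "MISMATCH   $header differs from $copy"; rc=1
    fi
    [[ $rc -eq 0 ]] && echo "OK         $header"
    return $rc
}

# Check every external header under $root; return the number of bad ones.
check_all() {
    local root=$1 failures=0 h
    for h in "$root"/external-luks-headers/*.luks-header; do
        check_header "$root" "$h" || failures=$((failures + 1))
    done
    return $failures
}

# Usage when run directly: ./check-headers [root]  (default: the script's dir)
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    check_all "${1:-$(dirname "$(realpath "$0")")}"
fi
```

A non-zero exit status is the number of headers that failed, so it can be run from cron alongside ./check-parity.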
```
#!/bin/bash
# Unmount script: unmount the filesystems of one device directory, deactivate
# its volume group and close the LUKS "vault" mapping.
# With no argument, print this script as the help text.
[[ $# -lt 1 ]] && { cat "$0"; exit 1; }
dir=$(dirname "$(realpath "$0")")
# Accept either a device directory name or the device id (the part after the
# dash in NAME-ID.luks-header).
if [[ -d $dir/$1 ]]; then
    header=$(echo "$dir/${1%/}"/*.luks-header)
elif [[ -f $(echo "$dir"/*/*-"$1".luks-header) ]]; then
    header=$(echo "$dir"/*/*-"$1".luks-header)
else
    >&2 echo "I don't know $1"
    exit 1
fi
name=$(basename "$(dirname "$header")")
shopt -s nullglob
# Each *.device file in the directory points at a block device to unmount.
for f in "$dir/$name"/encrypted-{ext4,btrfs}-*.device; do
    if [[ -b $f ]] && findmnt -S "$f" > /dev/null; then
        umount "$f"
    else
        echo "Device not found or not mounted: $f"
    fi
done
# The volume group and the LUKS mapping are named after the directory.
vgchange -an "$name" > /dev/null
cryptsetup close "$name-vault"
```

```
#!/bin/bash
# Mount script: open the LUKS "vault" with its external header, then mount
# every filesystem listed in the device directory once its LVs show up.
[[ $# -lt 1 ]] || [[ $1 == -h ]] && { cat "$0"; exit 1; } # that's your help
dir=$(dirname "$(realpath "$0")")
if [[ -d $dir/$1 ]]; then
    header=$(echo "$dir/${1%/}"/*.luks-header)
elif [[ -f $(echo "$dir"/*/*-"$1".luks-header) ]]; then
    header=$(echo "$dir"/*/*-"$1".luks-header)
else
    >&2 echo "I don't know $1"
    exit 1
fi
# id is the part after the dash in NAME-ID.luks-header; it is looked up under
# /dev/disk/by-*/ so any persistent name (by-id, by-uuid, ...) works.
id="$(sed -r 's@.*/[^-]+-(.+)\.luks-header$@\1@' <<< "$header")"
name=$(basename "$(dirname "$header")")
cryptsetup luksOpen /dev/disk/by-*/"$id" --header "$header" "$name-vault" || exit 1
shopt -s nullglob
# The LVs inside the vault can take a moment to appear: retry for a few seconds.
timeout=3
retry=true
while [[ $timeout -gt 0 ]] && [[ $retry ]]; do
    retry=
    for mountpoint in "$dir/$name"/encrypted-{ext4,btrfs}-*.mount-point; do
        mountdevice=${mountpoint%.mount-point}.device
        mountopt=${mountpoint%.mount-point}.mount-opt
        if [[ ! -b $mountdevice ]]; then
            echo "Waiting for device $mountdevice ..."
            retry=true
        elif ! findmnt -S "$mountdevice" > /dev/null; then
            # Mount options are kept in the matching *.mount-opt file.
            mount "$mountdevice" "$mountpoint" $(< "$mountopt")
        fi
    done
    let timeout--
    sleep 1
done
```