@mschmitt
Last active May 14, 2020 09:26
Prohibit use of unencrypted USB storage
# 61-usbstorage-policy.rules — prohibit use of unencrypted USB storage.
#
# Ordering: the rules below test ID_FS_TYPE, which is filled in by the
# filesystem probing in the 60-* storage rules, so this file must sort after
# them (hence the 61- prefix).
#
# Match disks and partitions with non-null FS type which is not crypto_LUKS
ACTION=="add",ENV{ID_BUS}=="usb",ENV{DEVTYPE}=="disk",ENV{ID_FS_TYPE}!="",ENV{ID_FS_TYPE}!="crypto_LUKS",GOTO="deauth_device"
ACTION=="add",ENV{ID_BUS}=="usb",ENV{DEVTYPE}=="partition",ENV{ID_FS_TYPE}!="",ENV{ID_FS_TYPE}!="crypto_LUKS",GOTO="deauth_device"
# Nothing matched; skip deauthorization step
# NOTE(review): only ACTION=="add" is inspected and devices with an empty
# ID_FS_TYPE are deliberately let through. A blank device therefore stays
# authorized, and a filesystem created on it afterwards would be reported by
# a "change" event that this file does not match — confirm whether
# ACTION=="add|change" is the intended policy.
GOTO="eof"
# Deauthorize entire device if any other FS type than crypto_LUKS detected
LABEL="deauth_device"
# RUN+= programs are executed after rule processing for this event. The log
# lines record what was found; the helper gets the kernel DEVPATH (relative
# to /sys) of the offending disk/partition and walks up to the USB parent.
RUN+="/usr/bin/logger -t 61-usbstorage-policy.rules -p kern.info -- '$env{ID_FS_TYPE} on $env{DEVPATH}'"
RUN+="/usr/bin/logger -t 61-usbstorage-policy.rules -p kern.info -- 'Will deauthorize entire USB device.'"
RUN+="/usr/sbin/udev-deauth $env{DEVPATH}"
RUN+="/usr/bin/logger -t 61-usbstorage-policy.rules -p kern.info -- 'Please use LUKS encrypted storage.'"
LABEL="eof"
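#!/bin/bash
# udev-deauth — deauthorize the USB device that owns a block device.
#
# Meant to be started from a udev RUN+= rule (see 61-usbstorage-policy.rules)
# with the kernel DEVPATH of the offending disk/partition as $1. The script
# resolves /sys$1, walks up the sysfs tree to the nearest ancestor that
# exposes an "authorized" attribute and writes 0 to it. All diagnostics go
# to syslog via logger(1); stdout/stderr are not useful when udev runs this.
#
# Arguments: $1 - udev DEVPATH, relative to /sys (e.g. $env{DEVPATH})
# Returns:   0 when an "authorized" attribute was written, 1 otherwise
#            (the original fell off the end with logger's exit status)
set -u

me="$(basename "$0")"

#######################################
# Send stdin to syslog, tagged with this script's name.
# Globals:   me (read)
# Outputs:   nothing on stdout; lines go to logger -p kern.info
#######################################
out() {
  logger -t "${me}" -p kern.info
}

#######################################
# Log one message line via out().
# Arguments: $* - message text (printed verbatim, never as a format string)
#######################################
log() {
  printf '%s\n' "$*" | out
}

main() {
  local dev

  if [[ -t 0 ]]; then
    printf 'Not for interactive execution.\n' >&2
    exit 1
  fi

  # Without a DEVPATH the original walked up from /sys itself; refuse instead.
  if [[ $# -lt 1 || -z "$1" ]]; then
    log 'No DEVPATH given; nothing to deauthorize.'
    exit 1
  fi

  printf -v dev '/sys%s' "$1"
  log "Deauthorization requested for: ${dev}"

  # A non-existent DEVPATH must not leave us walking up from whatever the
  # current directory happens to be; the original ignored a failed cd.
  if ! cd "${dev}"; then
    log "Failed to deauthorize (no such sysfs path): ${dev}"
    exit 1
  fi

  # Walk up the device tree until we find the usb parent device.
  # The walk is bounded to /sys: "authorized" attributes only exist in sysfs,
  # and this keeps a malformed DEVPATH (e.g. one containing "..") from
  # touching anything outside it.
  while [[ "${PWD}" == /sys/* ]]; do
    if [[ -e authorized ]]; then
      # NOTE(review): on newer kernels USB interfaces (N-M:1.0) also expose an
      # "authorized" attribute, so the first hit on the way up may be the
      # interface rather than the whole device — confirm against the target
      # kernel if whole-device deauthorization is required.
      log "USB parent device is: ${PWD}"
      if printf 0 > authorized; then
        log 'Done.'
        exit 0
      fi
      # The original reported "Done." even when the write failed; a failed
      # write means the device is still authorized, so say so.
      log "Failed to deauthorize (could not write authorized attribute): ${PWD}"
      exit 1
    fi
    cd .. || break
  done

  log "Failed to deauthorize (parent device disappeared in progress?): ${dev}"
  exit 1
}

main "$@"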