#!/bin/sh
# SPDX-FileCopyrightText: 2020 Harald Sitter <sitter@kde.org>
# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL

# Simplified cryptsetup heavily relying on cryptsetup-initramfs.
# https://github.com/calamares/calamares/wiki/Deploy-LUKS
# https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

set -ex

if [ ! -f /crypto_keyfile.bin ]; then
  # noop when not doing an ecrypted installation
  exit 0
fi

# Replaces grubcfg by simply opting into disk encryption. Since calamares only supports
# full disk encryption (unlike ubuntu by default) we need to let grub be encrypted as well.
echo 'GRUB_ENABLE_CRYPTODISK=y' > /etc/default/grub.d/00_calamares.cfg

# Since the initrd contains the keyfile in a full disk encryption setup it must not
# be world readable. This is also set by calamares, but better safe than sorry I should think.
echo 'UMASK=0077' > /etc/initramfs-tools/conf.d/00_calamares-neon-hardening.conf
