#!/bin/bash
#
# Copyright (C) 2020 Johannes Kepler University Linz, Institute of Networks and Security
# Copyright (C) 2020 CDL Digidow
#
# Licensed under the EUPL, Version 1.2 or – as soon they will be approved by
# the European Commission - subsequent versions of the EUPL (the "Licence").
# You may not use this work except in compliance with the Licence.
#
# You should have received a copy of the European Union Public License along
# with this program. If not, you may obtain a copy of the Licence at:
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the Licence is distributed on an "AS IS" basis,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the Licence for the specific language governing permissions and
# limitations under the Licence.
#
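# Generate a 32-byte random key with the TPM, store it under /root/keys and
# enrol it as an additional LUKS key on the encrypted partition.
set -e

# Create the key directory and key file owner-only from the start. A chmod
# issued after tpm2_getrandom has written the file leaves a window in which
# the secret carries whatever permissions the inherited umask allows.
umask 077

CRYPTFS=/dev/nvme0n1p3
KEYDIR=/root/keys
KEYFILE="$KEYDIR/fde-secret.bin"

echo "creating secret key"
mkdir -p "$KEYDIR"
# mkdir -p leaves the mode of an already existing directory untouched.
chmod 700 "$KEYDIR"

# NOTE(review): an existing key file at this path is replaced; a LUKS slot
# enrolled from the previous content is not removed by this script.
tpm2_getrandom 32 -o "$KEYFILE"
# Covers a pre-existing file, whose mode the umask does not change.
chmod 600 "$KEYFILE"

# Refuse to enrol a short or empty key file.
key_size=$(wc -c < "$KEYFILE")
if [ "$key_size" -ne 32 ]; then
  echo "unexpected key size: $key_size bytes (expected 32)" >&2
  exit 1
fi

# luksAddKey asks for an existing passphrase or key before adding the new one.
cryptsetup luksAddKey "$CRYPTFS" "$KEYFILE"
# /usr/sbin/update-luks-tpm.sh # not required before reboot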