Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 45489981b685fdf0bd22d90b58ae2946e6b3ed9a / . / modules / common / ecryptfs.nix
blob: dd85ca9886ea9f146af5eadbb89f36c8a7e02dcc [file] [log] [blame]
Skyler Grey488c2ad2023-03-05 23:59:29 +0000[diff] [blame]1{ pkgs, ... }: {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]2 environment.systemPackages = with pkgs;
3 let
4 unlock-database-script = writeScriptBin "unlock-database-encryption" ''
Skyler Grey5b2c0382023-05-29 11:09:05 +0200[diff] [blame]5 if [ $UID -ne 0 ]; then
6 echo "unlock-database-encryption must be run as root"
7 exit 1
8 fi
9 ECRYPTFS_SIG=$(( stty -echo; printf "Passphrase: " 1>&2; read PASSWORD; stty echo; echo $PASSWORD; ) | ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase - | sed -nr 's/.*\[(.*)\].*/\1/p')
10
11 keyctl link @u @s
12
13 mount -i -t ecryptfs /var/db/.mongodb-encrypted/ /var/db/mongodb -o ecryptfs_sig=$ECRYPTFS_SIG,ecryptfs_fnek_sig=$ECRYPTFS_SIG,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs
14 '';
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]15 in [ ecryptfs keyutils unlock-database-script ];
Skyler Grey488c2ad2023-03-05 23:59:29 +0000[diff] [blame]16}