Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 5b2c03820436e9330bb4684c0af85fe72be8675d / . / modules / ecryptfs.nix
blob: c54c93e6cf93b2d4b557ffb31f93e251e0f694a6 [file] [log] [blame]
Skyler Grey488c2ad2023-03-05 23:59:29 +0000[diff] [blame]1{ pkgs, ... }: {
Skyler Grey5b2c0382023-05-29 11:09:05 +0200[diff] [blame^]2 environment.systemPackages = with pkgs; let
3 unlock-database-script = writeScriptBin "unlock-database-encryption"
4 ''
5 if [ $UID -ne 0 ]; then
6 echo "unlock-database-encryption must be run as root"
7 exit 1
8 fi
9 ECRYPTFS_SIG=$(( stty -echo; printf "Passphrase: " 1>&2; read PASSWORD; stty echo; echo $PASSWORD; ) | ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase - | sed -nr 's/.*\[(.*)\].*/\1/p')
10
11 keyctl link @u @s
12
13 mount -i -t ecryptfs /var/db/.mongodb-encrypted/ /var/db/mongodb -o ecryptfs_sig=$ECRYPTFS_SIG,ecryptfs_fnek_sig=$ECRYPTFS_SIG,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs
14 '';
15 in
16 [
Skyler Grey488c2ad2023-03-05 23:59:29 +0000[diff] [blame]17 ecryptfs
Skyler Greycfefa662023-03-08 00:13:48 +0000[diff] [blame]18 keyutils
Skyler Grey5b2c0382023-05-29 11:09:05 +0200[diff] [blame^]19 unlock-database-script
Skyler Grey488c2ad2023-03-05 23:59:29 +0000[diff] [blame]20 ];
21}