#!/bin/bash # ═══════════════════════════════════════════════════════════════ # HOOK 0170: Alfred Linux — Full-Disk Encryption (FDE) Support # # Enables LUKS full-disk encryption via Calamares installer. # Pre-installs crypto tools and configures FDE as a 1-click # option during install — NOT forced but prominently offered. # # BUILD: v4.0+ (RC8+) # ═══════════════════════════════════════════════════════════════ set -e echo "╔═══════════════════════════════════════════════════════════╗" echo "║ [0170] Full-Disk Encryption (LUKS) Support ║" echo "╚═══════════════════════════════════════════════════════════╝" # ═══════════════════════════════════════════════════ # 1. INSTALL CRYPTOGRAPHIC PACKAGES # ═══════════════════════════════════════════════════ echo "[FDE-01] Installing encryption packages..." apt-get install -y --no-install-recommends \ cryptsetup \ cryptsetup-initramfs \ keyutils \ libblockdev-crypto3 \ 2>/dev/null || apt-get install -y --no-install-recommends \ cryptsetup \ cryptsetup-initramfs \ keyutils \ 2>/dev/null || true # ═══════════════════════════════════════════════════ # 2. CONFIGURE LUKS DEFAULTS # ═══════════════════════════════════════════════════ echo "[FDE-02] Configuring LUKS defaults for strong encryption..." mkdir -p /etc/cryptsetup-initramfs/ cat > /etc/cryptsetup-initramfs/conf-hook << 'CRYPTINIT' CRYPTSETUP=yes KEYFILE_PATTERN=/etc/luks/*.keyfile ASKPASS=y CRYPTINIT # Strong LUKS defaults for new volumes mkdir -p /etc/default/ if [ ! -f /etc/default/cryptsetup ]; then cat > /etc/default/cryptsetup << 'CRYPTDEFAULT' # Alfred Linux — strong LUKS2 defaults CRYPTDISKS_MOUNT="" CRYPTDISKS_CHECK=blkid CRYPTDEFAULT fi # ═══════════════════════════════════════════════════ # 3. CALAMARES FDE MODULE # ═══════════════════════════════════════════════════ echo "[FDE-03] Configuring Calamares for LUKS encryption..." CALA_DIR="/etc/calamares" CALA_MOD="${CALA_DIR}/modules" mkdir -p "${CALA_MOD}" # Set LUKS encryption module defaults cat > "${CALA_MOD}/luksopenswaphookcfg.conf" 2>/dev/null << 'LUKSSWAP' || true --- configFilePath: /etc/openswap.conf LUKSSWAP # Partition module — offer encryption checkbox if [ -f "${CALA_MOD}/partition.conf" ]; then # Ensure encryption options are present if ! grep -q 'enableLuksAutomatedPartitioning' "${CALA_MOD}/partition.conf"; then cat >> "${CALA_MOD}/partition.conf" << 'PARTCRYPT' # Alfred Linux — FDE enabled by default in guided installer enableLuksAutomatedPartitioning: true PARTCRYPT fi else cat > "${CALA_MOD}/partition.conf" << 'PARTCONF' --- efiSystemPartition: "/boot/efi" efiSystemPartitionSize: 512M enableLuksAutomatedPartitioning: true defaultFileSystemType: "ext4" PARTCONF fi # ═══════════════════════════════════════════════════ # 4. FDE HELPER TOOL # ═══════════════════════════════════════════════════ echo "[FDE-04] Installing encryption helper tool..." cat > /usr/local/bin/alfred-encrypt-status << 'ENCSTATUS' #!/bin/bash echo "" echo "╔════════════════════════════════════════════════════╗" echo "║ Alfred Linux — Encryption Status ║" echo "╚════════════════════════════════════════════════════╝" echo "" echo "── LUKS Volumes ──" if command -v lsblk &>/dev/null; then LUKS_FOUND=false while IFS= read -r line; do if echo "$line" | grep -q "crypt"; then echo " $line" LUKS_FOUND=true fi done < <(lsblk -o NAME,TYPE,SIZE,FSTYPE,MOUNTPOINT 2>/dev/null) if [ "$LUKS_FOUND" = false ]; then echo " No LUKS encrypted volumes detected." echo " To encrypt during install: choose 'Encrypt system' in installer." fi fi echo "" echo "── Crypto Support ──" command -v cryptsetup &>/dev/null && echo " cryptsetup: installed ($(cryptsetup --version 2>/dev/null))" || echo " cryptsetup: NOT installed" [ -d /sys/module/dm_crypt ] && echo " dm-crypt: loaded" || echo " dm-crypt: not loaded" echo "" ENCSTATUS chmod +x /usr/local/bin/alfred-encrypt-status echo "╔═══════════════════════════════════════════════════════════╗" echo "║ [0170] FDE Support — COMPLETE ║" echo "║ ✓ LUKS tools installed (cryptsetup, initramfs hooks) ║" echo "║ ✓ Strong LUKS2 defaults configured ║" echo "║ ✓ Calamares FDE checkbox enabled ║" echo "║ ✓ alfred-encrypt-status tool installed ║" echo "╚═══════════════════════════════════════════════════════════╝"