-rw-r--r--ChangeLog3
-rw-r--r--examples/example.sys16
-rw-r--r--handlers/sys.helper.in8
-rwxr-xr-xhandlers/sys.in65
4 files changed, 89 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 33a51de..c5208b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,9 @@ version 0.9.7 -- UNRELEASED
does not prevent mysqldump to work.
. Fix the error message displayed when mysqld is not running:
mysqladmin ping indeed returns 0 when authentication fails.
+ sys:
+ . New luksheaders option (default=disabled) to backup the Luks header
+ of every Luks device.
version 0.9.6 -- July 21, 2008
backupninja changes
diff --git a/examples/example.sys b/examples/example.sys
index af28fd6..a4bffc4 100644
--- a/examples/example.sys
+++ b/examples/example.sys
@@ -1,6 +1,6 @@
#
# this config file will save various reports of vital system information.
-# by default, all the reports are enabled and are saved in /var/backups.
+# by default, all the reports are saved in /var/backups.
#
# requires dpkg, debconf-utils, sfdisk, and hwinfo
#
@@ -25,6 +25,12 @@
# (4) hardware information.
# detailed information on most important aspects of the hardware.
#
+# (5) the Luks header of every Luks block device, if option luksheaders
+# is enabled.
+# in case you (have to) scramble such a Luks header (for some time),
+# and restore it later by running "dd if=luksheader.sda2.bin of=/dev/sda2"
+# (MAKE SURE YOU PASS THE CORRECT DEVICE AS of= !!!)
+#
# here are the defaults, commented out:
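Review bot: The added restore instruction in item (5) is a sentence fragment ("in case you (have to) scramble such a Luks header ..., and restore it later by ...") and never says what the saved file actually contains. Writing the header back with dd reinstates the key slots exactly as they were at backup time, so any passphrase added or revoked since then is reverted; that belongs next to the command. Suggested extra line: `# restoring a header also restores its key slots (passphrases) as of backup time; keep the backup as secret as the passphrases.` The same paragraph is repeated in the header comment of handlers/sys.in and would need the same wording.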
@@ -47,6 +53,14 @@
# hardwarefile = /var/backups/hardware.txt
# dohwinfo = yes
+# luksheaders = no
+# NOTE: the __star__ below will be replaced by the Luks partitions found on the
+# system (e.g. luksheader.sda2.bin, luksheader.sdb3.bin). If you change
+# the luksheadersfile default below, be sure to include the __star__
+# replacement in the filename, or you will get one file for only one partition,
+# the others being written to the same file, and then overwritten by the next.
+# luksheadersfile = /var/backups/luksheader.__star__.bin
+
# If vservers = yes in /etc/backupninja.conf then the following variables can
# be used:
# vsnames = all | <vserver1> <vserver2> ... (default = all)
diff --git a/handlers/sys.helper.in b/handlers/sys.helper.in
index d3d99a5..48841e8 100644
--- a/handlers/sys.helper.in
+++ b/handlers/sys.helper.in
@@ -8,19 +8,22 @@ sys_wizard() {
"packages" "list of all installed packages." on \
"partitions" "the partition table of all disks." on \
"sfdisk" "use sfdisk to get partition information." on \
- "hardware" "detailed hardware information" on
+ "hardware" "detailed hardware information" on \
+ "luksheaders" "Luks headers of all Luks partitions." off
[ $? = 1 ] && return;
result="$REPLY"
packages="packages = no"
partitions="partitions = no"
sfdisk="dosfdisk = no"
hardware="hardware = no"
+ luksheaders="luksheaders = no"
for opt in $result; do
case $opt in
'"packages"') packages="packages = yes";;
'"partitions"') partitions="partitions = yes";;
'"sfdisk"') sfdisk="dosfdisk = yes";;
'"hardware"') hardware="hardware = yes";;
+ '"luksheaders"') luksheaders="luksheaders = yes";;
esac
done
get_next_filename $configdirectory/10.sys
@@ -29,10 +32,13 @@ $packages
$partitions
$sfdisk
$hardware
+$luksheaders
+
# packagesfile = /var/backups/dpkg-selections.txt
# selectionsfile = /var/backups/debconfsel.txt
# partitionsfile = /var/backups/partitions.__star__.txt
# hardwarefile = /var/backups/hardware.txt
+# luksheadersfile = /var/backups/luksheader.__star__.bin
# If vservers = yes in /etc/backupninja.conf then the following variables can
# be used:
diff --git a/handlers/sys.in b/handlers/sys.in
index f293840..de81435 100755
--- a/handlers/sys.in
+++ b/handlers/sys.in
@@ -1,7 +1,7 @@
# -*- mode: sh; sh-basic-offset: 3; indent-tabs-mode: nil; -*-
#
# this handler will save various reports of vital system information.
-# by default, all the reports are enabled and are saved in /var/backups.
+# by default, all the reports are saved in /var/backups.
#
# (1) a capture of the debconf package selection states. This file
# can be used to restore the answers to debconf questions for
@@ -24,6 +24,12 @@
# (4) hardware information.
# write to a text file the important things which hwinfo can gleen.
#
+# (5) the Luks header of every Luks block device, if option luksheaders
+# is enabled.
+# in case you (have to) scramble such a Luks header (for some time),
+# and restore it later by running "dd if=luksheader.sda2.bin of=/dev/sda2"
+# (MAKE SURE YOU PASS THE CORRECT DEVICE AS of= !!!)
+#
if [ -f /etc/debian_version ]
then
@@ -82,6 +88,11 @@ getconf HWINFO `which hwinfo`
getconf sfdisk_options ""
getconf hwinfo_options ""
+getconf CRYPTSETUP `which cryptsetup`
+getconf DD `which dd`
+getconf luksheaders no
+getconf luksheadersfile $parentdir/luksheader.__star__.bin
+
getconf vsnames all
# If vservers are configured, check that the ones listed in $vsnames are running.
@@ -97,6 +108,19 @@ if [ $vservers_are_available = yes ]; then
usevserver=yes
fi
+## SANITY CHECKS #########################
+
+if [ "$luksheaders" == "yes" ]; then
+ if [ ! -x "$DD" ]; then
+ warning "can't find dd, skipping backup of Luks headers."
+ luksheaders="no"
+ fi
+ if [ ! -x "$CRYPTSETUP" ]; then
+ warning "can't find cryptsetup, skipping backup of Luks headers."
+ luksheaders="no"
+ fi
+fi
+
## PACKAGES ##############################
#
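Review bot: The sanity block validates `$DD` and `$CRYPTSETUP` but not `$SFDISK`, which the Luks loop at the end of the handler uses to enumerate devices (`$SFDISK -l 2>/dev/null`). With sfdisk missing, the redirect hides the failure and the only symptom is the "No block device found" warning, so an operator could believe headers are being saved when nothing is written. Unless `$SFDISK` is already verified elsewhere in the file (not visible in this hunk), add a third test in the same style: `if [ ! -x "$SFDISK" ]; then warning "can't find sfdisk, skipping backup of Luks headers."; luksheaders="no"; fi`.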
@@ -541,3 +565,42 @@ if [ "$partitions" == "yes" ]; then
$HWINFO --disk >> $hardwarefile
fi
fi
+
+if [ "$luksheaders" == "yes" ]; then
+ devices=`LC_ALL=C $SFDISK -l 2>/dev/null | grep "^Disk /dev" | @AWK@ '{print $2}' | cut -d: -f1`
+ [ -n "$devices" ] || warning "No block device found"
+ targetdevices=""
+ for dev in $devices; do
+ [ -b $dev ] || continue
+ debug "$CRYPTSETUP isLuks $dev"
+ $CRYPTSETUP isLuks $dev
+ [ $? -eq 0 ] && targetdevices="$targetdevices $dev"
+ done
+ for dev in $targetdevices; do
+ label=${dev#/dev/}
+ label=${label//\//-}
+ outputfile=${luksheadersfile//__star__/$label}
+ # the following sizes are expressed in terms of 512-byte sectors
+ debug "Let us find out the Luks header size for $dev"
+ debug "$CRYPTSETUP luksDump \"$dev\" | grep '^Payload offset:' | @AWK@ '{print $3}'"
+ headersize=`$CRYPTSETUP luksDump "$dev" | grep '^Payload offset:' | @AWK@ '{print $3}'`
+ if [ $? -ne 0 ]; then
+ warning "Could not compute the size of Luks header, skipping device $dev"
+ continue
+ elif [ -z "$headersize" -o -n "`echo \"$headersize\" | sed 's/[0-9]*//g'`" ]; then
+ warning "The computed size of Luks header is not an integer, skipping device $dev"
+ continue
+ fi
+ debug "Let us backup the Luks header of device $dev"
+ debug "$DD if=\"${dev}\" of=\"${outputfile}\" bs=512 count=\"${headersize}\""
+ output=`$DD if="${dev}" of="${outputfile}" bs=512 count="${headersize}" 2>&1`
+ exit_code=$?
+ if [ $exit_code -eq 0 ]; then
+ debug $output
+ info "The Luks header of $dev was saved to $outputfile."
+ else
+ debug $output
+ fatal "The Luks header of $dev could not be saved."
+ fi
+ done
+fi
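Review bot: The header image is written by `$DD ... of="${outputfile}"` with whatever umask the handler inherited, so under a typical 022 umask the key-slot material of every Luks device lands in /var/backups readable by all local users. A header copy stays usable with any passphrase that was valid at backup time, even after that passphrase is revoked on the device, so the file should be created owner-only: run the copy as `( umask 077; $DD if="${dev}" of="${outputfile}" bs=512 count="${headersize}" ) 2>&1` inside the substitution, and `chmod 600` a pre-existing file. Separately, `$?` after the `luksDump | grep | @AWK@` substitution is the status of the last pipeline stage, not of cryptsetup, so the first `warning` branch is effectively unreachable and only the integer test catches a failed dump. It is also worth confirming that the `^Disk /dev` filter yields partitions such as the documented sda2, since those lines appear to name whole disks only.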