This file is indexed.

/bin/blockdev-keygen is in ubiquity 2.18.7.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
#!/bin/sh
#
# usage: $0 description keytype keyfile [keybits]
#
# This handles sensitive data that must not be swapped out
# or written out to disk unencrypted.
#
# Important: before running this script the caller has
# to check for unsafe swap partitions. This is done in
# choose_method/encrypt/do_options.
#
# Assumption: This runs as part of d-i. Therefore, temp
# files outside of /target reside in a ramdisk. Process
# information (think [ "$pass" ]) is not exposed to anyone
# but the installing user.
#
# Released under the GNU GPL.
# Copyright 2005, Max Vozeler <xam@debian.org>
#

. /usr/share/debconf/confmodule

umask 077

# When changing minlen care must be taken about the
# consequences for translations, see #326482
minlen=8

passphrase_is_weak () {
	test $(printf %s "$1" | wc -c) -lt $minlen
}

get_passphrase () {
	local pass_ok

	pass_ok=0
	while [ $pass_ok -eq 0 ]; do
		templ="partman-crypto/passphrase"
		db_subst $templ DEVICE "$description"
		db_input critical $templ

		templ="partman-crypto/passphrase-again"
		db_input critical $templ

		db_go || return 1

		db_get partman-crypto/passphrase || RET=''
		pass=$RET
		if [ -z "$pass" ]; then
			db_set partman-crypto/passphrase ""
			db_set partman-crypto/passphrase-again ""
			templ="partman-crypto/passphrase-empty"
			db_fset $templ seen false
			db_input critical $templ
			db_fset partman-crypto/passphrase seen false
			db_fset partman-crypto/passphrase-again seen false
			continue
		fi

		db_get partman-crypto/passphrase-again || RET=''
		if [ "$pass" != "$RET" ]; then
			db_set partman-crypto/passphrase ""
			db_set partman-crypto/passphrase-again ""
			templ="partman-crypto/passphrase-mismatch"
			db_fset $templ seen false
			db_input critical $templ
			db_fset partman-crypto/passphrase seen false
			db_fset partman-crypto/passphrase-again seen false
			continue
		fi

		if passphrase_is_weak "$pass"; then
			templ="partman-crypto/weak_passphrase"
			db_subst $templ MINIMUM $minlen
			db_input critical $templ || true
			db_go || true
			db_get $templ || RET=''

			if [ "$RET" != true ]; then
				# user doesn't want to force weak passphrase
				db_set partman-crypto/passphrase ""
				db_set partman-crypto/passphrase-again ""
				db_fset partman-crypto/passphrase seen false
				db_fset partman-crypto/passphrase-again seen false
				continue
			fi

			db_set $templ false
			db_fset $templ seen false
		fi

		pass_ok=1
	done

	db_set partman-crypto/passphrase ""
	db_set partman-crypto/passphrase-again ""

	if [ $pass_ok -eq 1 ]; then
		echo "$pass"
	fi
}

have_entropy_plugin () {
	db_capb
	set -- $RET
	for cap; do
		if [ "$cap" = plugin-entropy ]; then
			return 0
		fi
	done
	return 1
}

# Fifo provided by cdebconf-entropy plugins
randfifo=/var/run/random.fifo

call_entropy_plugin () {
	local keybytes
	keybytes=$1

	db_capb backup align

	templ=partman-crypto/entropy
	db_fset $templ seen false
	db_subst $templ DEVICE "$description"
	db_subst $templ FIFO $randfifo
	db_subst $templ KEYSIZE "$keybytes"
	db_subst $templ SUCCESS partman-crypto/entropy-success
	db_input critical $templ
	db_go || return 1

	return 0
}

# Create a one-time random keyfile for use during install
create_random_keyfile() {
	local keyfile keybytes
	keyfile=$1
	keybytes=$2

	# Fork off file writer
	(while [ ! -p $randfifo ]; do
		 sleep 1
	 done
	 cat $randfifo > $keyfile
	) &
	writer_pid=$!

	# Call plugin to feed randfifo
	call_entropy_plugin $keybytes
	if [ $? -ne 0 ] || ! wait $writer_pid; then
		rm $keyfile
		kill $writer_pid
		return 1
	fi

	return 0
}

problem_dialog () {
	db_fset partman-crypto/keyfile-problem seen false
	db_input critical partman-crypto/keyfile-problem
	db_go || true
}

description=$1
keytype=$2
keyfile=$3
keybits=$4

if ! ([ "$description" ] && [ "$keytype" ] && [ "$keyfile" ]); then
	# bad options
	problem_dialog
	exit 1
fi

# Log available entropy
logger -t partman-crypto "kernel entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail) bits"

if [ "$keytype" = random ]; then
	if ! have_entropy_plugin; then
		db_fset partman-crypto/tools_missing seen false
		db_input critical partman-crypto/tools_missing
		db_go || true
		exit 1
	fi
fi

case $keytype in
	passphrase)
		pass=$(get_passphrase)
		if [ -z "$pass" ]; then
			problem_dialog
			exit 1
		fi
		printf %s "$pass" > $keyfile
		;;

	random)
		if [ -z "$keybits" ]; then
			problem_dialog
			exit 1
		fi
		# Round keybits up to closest byte
		keybytes=$(( (keybits + 7)/8 ))
		if [ $keybytes -lt 1 ]; then
			# key size invalid
			problem_dialog
			exit 1
		fi
		if ! create_random_keyfile $keyfile $keybytes; then
			problem_dialog
			exit 1
		fi
		;;

	*)
		problem_dialog
		exit 1
		;;
esac