#!/bin/bash

# When using the Arch Linux mkinitcpio encrypt if the file /crypto_keyfile.bin
# exists in the initramfs then it will be used to attempt unlocking.
# 1. dd if=/dev/urandom of=/crypto_keyfile.bin bs=1 count=512
# 2. Add /crypto_keyfile.bin to FILES in /etc/mkinitcpio.conf
# 3. mkinitcpio -p linux
# 4. systemctl enable disable-crypto_keyfiles@$(systemd-escape /dev/disk/by-id/xxx).service
# 5. Run this script when you want to reboot without a passphrase


crypto_keyfile="/crypto_keyfile.bin"
reboot_cmd="${1:-sudo reboot}"

if [ ! -f "$crypto_keyfile" ]; then
    echo "Failed to find $crypto_keyfile"
    exit 1
fi

readarray -t devnames < <(
    find \
        /etc/systemd/system/basic.target.wants/ \
        -maxdepth 1 \
        -name 'disable-crypto_keyfile@*' \
        -printf '%f\0' \
    | xargs -0 -n1 systemd-escape -u --instance
)

if [ ${#devnames[@]} = 0 ]; then
    echo "Failed to find your encrypted device. You must have disable-crypto_keyfile@.service enabled."
    exit 1
fi

echo -n "Enter password for devices: "
read -r -s pw
echo ""
for devname in "${devnames[@]}"; do
    echo "Adding key to $devname"
    sudo cryptsetup luksAddKey "$devname" "$crypto_keyfile" --key-slot 7 <<EOF
${pw}
EOF
done

$reboot_cmd