Use LUKS encryption if available

scripts/backup

@@ -30,6 +30,7 @@ $ca->log_level(9);
 # of /backup. Another way might be to check all USB disks.
 my $st = stat("/backup/");
 my $base_device = $st->dev;
+my %luks_devices;
 for (glob("/backup/*")) {
     my $st = stat($_);
     my $dir_device = $st->dev;
@@ -37,7 +38,18 @@ for (glob("/backup/*")) {
     if ($base_device == $dir_device) {
         # not a mount point
         (my $basedir = $_) =~ s{^/backup/}{};
-        if (-e "/dev/disk/by-id/$basedir") {
+        if ($basedir =~ /^luks-(.*)/) {
+            my $key = $1;
+            for my $dev (glob("/dev/disk/by-id/*$key*")) {
+                my ($devbase) = $dev =~ m{([^/]+$)};
+                if (-e "/backup/keys/$devbase") {
+                    $ca->log(0, "opening /dev/disk/by-id/$devbase on $_");
+                    system("/sbin/cryptsetup", "open", $dev, $basedir, "--key-file", "/backup/keys/$devbase");
+                    $ca->log(0, "mounting /dev/mapper/$basedir on $_");
+                    system("/bin/mount", "-o", "nodev,noexec,nomand,nosuid", "/dev/mapper/$basedir", $_);
+                }
+            }
+        } elsif (-e "/dev/disk/by-id/$basedir") {
             # matching device exists
 	    $ca->log(0, "mounting /dev/disk/by-id/$basedir on $_");
             system("/bin/mount", "-o", "nodev,noexec,nomand,nosuid", "/dev/disk/by-id/$basedir", $_);
@@ -87,6 +99,10 @@ for (@backup_dirs) {
     next if $_->[0] eq $backup_dir;
     $ca->log(0, "unmounting $_->[0]");
     system("/bin/umount", $_->[0]);
+    if ($_->[0] =~ m{(luks-[^/]+)}) {
+        $ca->log(0, "closing $1");
+        system("/sbin/cryptsetup", "close", $1)
+    }
 }
 chdir($backup_dir); # prevent accidental umount
 
@@ -97,3 +113,7 @@ $ca->run();
 chdir("/");
 $ca->log(0, "unmounting $backup_dir");
 system("/bin/umount", $backup_dir);
+if ($backup_dir =~ m{(luks-[^/]+)}) {
+    $ca->log(0, "closing $1");
+    system("/sbin/cryptsetup", "close", $1)
+}