resin-init: flasher: add interface to purge encryption keys

When re-flashing, make sure old encryption secrets are not available on the new system so they are not exploitable. Change-type: patch Signed-off-by: Alex Gonzalez <[email protected]>
balena-os · Nov 25, 2024 · d151198 · d151198
1 parent 6908452
commit d151198
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/resin-init-flasher b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/resin-init-flasher
@@ -58,6 +58,8 @@
 #  * balena-init-flasher-diskenc: Function hooks related to the disk encryption setup.
 #     * diskenc_setup
 #       * Generate and encrypt disk encryption keys
+#     * diskenc_purge
+#       * Wipe disk encryption keys
 #
 
 set -e
@@ -223,6 +225,11 @@ if type secureboot_setup >/dev/null 2>&1 && secureboot_setup; then
         . /usr/sbin/balena-config-defaults
 fi
 
+# Make sure old encrypted partitions are no longer usable
+if type diskenc_purge >/dev/null 2>&1 && ! diskenc_purge; then
+    fail "Failed to purge disk encryption keys"
+fi
+
 if [ "$CRYPT" = "1" ]; then
     if type diskenc_setup >/dev/null 2>&1 && ! diskenc_setup; then
         fail "Failed to setup disk encryption"