- gpg --decrypt ${vm_lvm_lv}_${part}.luks |
- rule_ssh sudo cryptsetup luksHeaderRestore /dev/$vm_lvm_vg/${vm_lvm_lv}_${part}
+ mkdir -p var/sec/luks
+ rule ssh -l root ' \
+ set -e -f -u;
+ exec 2>/dev/null;
+ tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run);
+ cryptsetup luksHeaderBackup >/dev/null \
+ /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \
+ --header-backup-file "$tmp"; \
+ cat "$tmp";
+ shred >/dev/null --remove "$tmp"; \
+ ' |
+ gpg --encrypt --recipient "${gpg_recipient:-$USER@}" \
+ -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg
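Review bot: Cleanup of the remote header copy is not guaranteed in the new remote script: with `set -e`, a failure in `cat "$tmp"` ends the script before `shred` runs, and the header copy, which carries the keyslots, stays in the remote temp directory. `mktemp --dry-run` also only prints a name without reserving it, so the path in a shared temp directory is a guess. Creating a private directory with `mktemp -d` and removing the file from an EXIT trap covers both. Separately, `exec 2>/dev/null` hides the remote error and the hunk shows no pipefail, so a failed backup would probably still leave a well-formed but empty `.luks.gpg`; checking the pipeline status or that the output is non-empty before keeping the file would catch that. The code around these lines is outside the hunk.

```shell
# … unchanged: mkdir -p var/sec/luks, rule ssh -l root wrapper, set -e -f -u, exec 2>/dev/null …
dir=$(mktemp -d -t "luks.'"$part"'.XXXXXXXX");
cleanup() { shred >/dev/null --remove "$dir/header" || rm -f "$dir/header"; rmdir "$dir"; };
trap cleanup EXIT;
cryptsetup luksHeaderBackup >/dev/null \
  /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \
  --header-backup-file "$dir/header"; \
cat "$dir/header";
# … unchanged: closing quote and the gpg --encrypt stage …
```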