|  | @@ -308,7 +308,22 @@ function create_backup_script {
 | 
	
		
			
			| 308 | 308 |    apt-get -y --force-yes install duplicity gnupg
 | 
	
		
			
			| 309 | 309 |  
 | 
	
		
			
			| 310 | 310 |    if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then
 | 
	
		
			
			| 311 |  | -	  MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			|  | 311 | +      MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			|  | 312 | +  fi
 | 
	
		
			
			|  | 313 | +
 | 
	
		
			
			|  | 314 | +  # make sure that the root user has access to your gpg public key
 | 
	
		
			
			|  | 315 | +  if [ $MY_GPG_PUBLIC_KEY_ID ]; then
 | 
	
		
			
			|  | 316 | +      if [ ! $MY_GPG_PUBLIC_KEY ]; then
 | 
	
		
			
			|  | 317 | +          MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
 | 
	
		
			
			|  | 318 | +      fi
 | 
	
		
			
			|  | 319 | +      # This is a compromise. backup needs access to things which the user
 | 
	
		
			
			|  | 320 | +      # doesn't have access to, but also needs to be able to encrypt as the user
 | 
	
		
			
			|  | 321 | +      # Perhaps there is some better way to do this.
 | 
	
		
			
			|  | 322 | +      su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
 | 
	
		
			
			|  | 323 | +      su -c "gpg --output ~/temp_private_key.txt --armor --export-secret-key $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
 | 
	
		
			
			|  | 324 | +      gpg --import $MY_GPG_PUBLIC_KEY
 | 
	
		
			
			|  | 325 | +      gpg --allow-secret-key-import --import /home/$MY_USERNAME/temp_private_key.txt
 | 
	
		
			
			|  | 326 | +      shred -zu /home/$MY_USERNAME/temp_private_key.txt
 | 
	
		
			
			| 312 | 327 |    fi
 | 
	
		
			
			| 313 | 328 |  
 | 
	
		
			
			| 314 | 329 |    echo '#!/bin/bash' > /usr/bin/$BACKUP_SCRIPT_NAME
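Review bot: The export on new line 323 writes the user's secret key to `~/temp_private_key.txt` before root imports it, so private key material sits on disk with whatever permissions the user's umask gives until `shred` runs, and `shred` is not dependable on journaling or copy-on-write filesystems or on flash storage. Piping the export straight into root's import avoids the file entirely: `su -c "gpg --armor --export-secret-key $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME | gpg --allow-secret-key-import --import`. The public key takes the fixed path `/tmp/public_key.gpg` (line 317), which any local account can create beforehand, and root may then import whatever is at that path; a `mktemp` file or the same pipe approach would close that gap. The body of create_backup_script starts and ends outside this hunk.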
 | 
	
	
		
			
			|  | @@ -397,9 +412,12 @@ function create_backup_script {
 | 
	
		
			
			| 397 | 412 |    echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			| 398 | 413 |  
 | 
	
		
			
			| 399 | 414 |    echo 'echo "Cleaning up backup files"' >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			| 400 |  | -  echo "duplicity --force cleanup file://$USB_MOUNT/backup" >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			|  | 415 | +  echo -n 'duplicity --encrypt-key $GPG_KEY --force cleanup '
 | 
	
		
			
			|  | 416 | +  echo "file://$USB_MOUNT/backup" >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			|  | 417 | +
 | 
	
		
			
			| 401 | 418 |    echo 'echo "Removing old backups"' >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			| 402 |  | -  echo "duplicity --force remove-all-but-n-full 2 file://$USB_MOUNT/backup" >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			|  | 419 | +  echo -n 'duplicity --encrypt-key $GPG_KEY --force remove-all-but-n-full 2 '
 | 
	
		
			
			|  | 420 | +  echo "file://$USB_MOUNT/backup" >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			| 403 | 421 |  
 | 
	
		
			
			| 404 | 422 |    echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME
 | 
	
		
			
			| 405 | 423 |    echo '# Remove temporary files' >> /usr/bin/$BACKUP_SCRIPT_NAME
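Review bot: The two `echo -n 'duplicity --encrypt-key $GPG_KEY ...'` lines (new lines 415 and 419) have no `>> /usr/bin/$BACKUP_SCRIPT_NAME`, so the command prefix is printed to the installer's stdout and the generated script receives only a bare `file://…/backup` line each time. The cleanup and `remove-all-but-n-full` steps would therefore not run from the backup script. Add the redirect to both, e.g. `echo -n 'duplicity --encrypt-key $GPG_KEY --force cleanup ' >> /usr/bin/$BACKUP_SCRIPT_NAME`. Whether `GPG_KEY` is assigned earlier in the generated script is not visible in this hunk and should be confirmed.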
 | 
	
	
		
			
			|  | @@ -1611,7 +1629,7 @@ function configure_gpg {
 | 
	
		
			
			| 1611 | 1629 |    # if gpg keys directory was previously imported from usb
 | 
	
		
			
			| 1612 | 1630 |    if [[ $GPG_KEYS_IMPORTED == "yes" && -d /home/$MY_USERNAME/.gnupg ]]; then
 | 
	
		
			
			| 1613 | 1631 |        sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf
 | 
	
		
			
			| 1614 |  | -	  MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			|  | 1632 | +      MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			| 1615 | 1633 |        echo 'configure_gpg' >> $COMPLETION_FILE
 | 
	
		
			
			| 1616 | 1634 |        return
 | 
	
		
			
			| 1617 | 1635 |    fi
 | 
	
	
		
			
			|  | @@ -1648,7 +1666,7 @@ function configure_gpg {
 | 
	
		
			
			| 1648 | 1666 |        su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME
 | 
	
		
			
			| 1649 | 1667 |        # for security ensure that the private key file doesn't linger around
 | 
	
		
			
			| 1650 | 1668 |        shred -zu $MY_GPG_PRIVATE_KEY
 | 
	
		
			
			| 1651 |  | -	  MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			|  | 1669 | +      MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			| 1652 | 1670 |    else
 | 
	
		
			
			| 1653 | 1671 |        # Generate a GPG key
 | 
	
		
			
			| 1654 | 1672 |        echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
 | 
	
	
		
			
			|  | @@ -1661,7 +1679,7 @@ function configure_gpg {
 | 
	
		
			
			| 1661 | 1679 |        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
 | 
	
		
			
			| 1662 | 1680 |        su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
 | 
	
		
			
			| 1663 | 1681 |        shred -zu /home/$MY_USERNAME/gpg-genkey.conf
 | 
	
		
			
			| 1664 |  | -	  MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			|  | 1682 | +      MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
 | 
	
		
			
			| 1665 | 1683 |        MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
 | 
	
		
			
			| 1666 | 1684 |        su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
 | 
	
		
			
			| 1667 | 1685 |    fi
 |