#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# gpg functions
#
# License
# =======
#
# Copyright (C) 2016-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
function gpg_update_mutt {
key_username=$1
if [ ! -f /home/$key_username/.muttrc ]; then
return
fi
CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME
CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $CURR_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//')
# If the default key is specified within gpg.conf
if [ -f /home/$key_username/gpg.conf ]; then
if grep -q "default-key" /home/$key_username/gpg.conf; then
default_gpg_key=$(cat /home/$key_username/gpg.conf | grep "default-key")
if [[ "$default_gpg_key" != *'#'* ]]; then
default_gpg_key=$(cat /home/$key_username/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
if [ ${#default_gpg_key} -gt 3 ]; then
CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $default_gpg_key | sed -n '2p' | sed 's/^[ \t]*//')
fi
fi
fi
fi
sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc
sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc
chown $key_username:$key_username /home/$key_username/.muttrc
}
function gpg_import_public_key {
key_username=$1
key_filename=$2
gpg --homedir=/home/$key_username/.gnupg --import $key_filename
gpg_set_permissions $key_username
}
function gpg_import_private_key {
key_username=$1
key_filename=$2
gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $key_filename
gpg_set_permissions $key_username
}
function gpg_export_public_key {
key_username=$1
key_id=$2
key_filename=$3
chown -R $key_username:$key_username /home/$key_username/.gnupg
su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - $key_username
}
function gpg_export_private_key {
key_username=$1
key_id=$2
key_filename=$3
chown -R $key_username:$key_username /home/$key_username/.gnupg
su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - $key_username
}
function gpg_create_key {
key_username=$1
key_passphrase=$2
gpg_dir=/home/$key_username/.gnupg
echo 'Key-Type: eddsa' > /home/$key_username/gpg-genkey.conf
echo 'Key-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf
echo 'Subkey-Type: eddsa' >> /home/$key_username/gpg-genkey.conf
echo 'Subkey-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf
echo "Name-Real: $MY_NAME" >> /home/$key_username/gpg-genkey.conf
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$key_username/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$key_username/gpg-genkey.conf
cat /home/$key_username/gpg-genkey.conf
if [ $key_passphrase ]; then
echo "Passphrase: $key_passphrase" >> /home/$key_username/gpg-genkey.conf
else
echo "Passphrase: $PROJECT_NAME" >> /home/$key_username/gpg-genkey.conf
fi
chown $key_username:$key_username /home/$key_username/gpg-genkey.conf
echo $'Generating a new GPG key'
su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - $key_username
chown -R $key_username:$key_username /home/$key_username/.gnupg
KEY_EXISTS=$(gpg_key_exists "$key_username" "$MY_EMAIL_ADDRESS")
if [[ $KEY_EXISTS == "no" ]]; then
echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created"
exit 63621
fi
shred -zu /home/$key_username/gpg-genkey.conf
CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "$MY_EMAIL_ADDRESS")
if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
echo $"GPG public key ID could not be obtained for $MY_EMAIL_ADDRESS"
exit 825292
fi
gpg_set_permissions $key_username
}
function gpg_delete_key {
key_username=$1
key_id=$2
chown -R $key_username:$key_username /home/$key_username/.gnupg
su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - $key_username
su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - $key_username
}
function gpg_set_permissions {
key_username=$1
if [[ "$key_username" != 'root' ]]; then
chmod 700 /home/$key_username/.gnupg
chmod -R 600 /home/$key_username/.gnupg/*
chown -R $key_username:$key_username /home/$key_username/.gnupg
else
chmod 700 /root/.gnupg
chmod -R 600 /root/.gnupg/*
chown -R $key_username:$key_username /root/.gnupg
fi
}
function gpg_reconstruct_key {
key_username=$1
key_interactive=$2
if [ ! -d /home/$key_username/.gnupg_fragments ]; then
return
fi
cd /home/$key_username/.gnupg_fragments
no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
if (( no_of_shares < 4 )); then
if [ $key_interactive ]; then
dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70
else
echo $'Not enough fragments to reconstruct the key'
fi
exit 7348
fi
gfcombine /home/$key_username/.gnupg_fragments/keyshare*
if [ ! "$?" = "0" ]; then
if [ $key_interactive ]; then
dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
else
echo $'Unable to reconstruct the key'
fi
exit 7348
fi
KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc
if [ ! -f $KEYS_FILE ]; then
if [ $key_interactive ]; then
dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70
else
echo $'Unable to reconstruct the key'
fi
exit 52852
fi
gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $KEYS_FILE
if [ ! "$?" = "0" ]; then
shred -zu $KEYS_FILE
rm -rf /home/$key_username/.tempgnupg
if [ $key_interactive ]; then
dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70
else
echo $'Unable to import gpg key'
fi
exit 96547
fi
shred -zu $KEYS_FILE
gpg_set_permissions $key_username
if [ $key_interactive ]; then
dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70
else
echo $'Key has been reconstructed'
fi
}
function gpg_agent_setup {
gpg_username=$1
if [[ $gpg_username == 'root' ]]; then
if ! grep -q 'GPG_TTY' /root/.bashrc; then
echo '' >> /root/.bashrc
echo 'GPG_TTY=$(tty)' >> /root/.bashrc
echo 'export GPG_TTY' >> /root/.bashrc
fi
if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then
echo 'use-agent' >> /root/.gnupg/gpg.conf
fi
if ! grep -q 'pinentry-mode loopback' /root/.gnupg/gpg.conf; then
echo 'pinentry-mode loopback' >> /root/.gnupg/gpg.conf
fi
if [ ! -f /root/.gnupg/gpg-agent.conf ]; then
touch /root/.gnupg/gpg-agent.conf
fi
if ! grep -q 'allow-loopback-pinentry' /root/.gnupg/gpg-agent.conf; then
echo 'allow-loopback-pinentry' >> /root/.gnupg/gpg-agent.conf
fi
echo RELOADAGENT | gpg-connect-agent
else
if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then
echo '' >> /home/$gpg_username/.bashrc
echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc
echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc
chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc
fi
if ! grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then
echo 'use-agent' >> /home/$gpg_username/.gnupg/gpg.conf
fi
if ! grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then
echo 'pinentry-mode loopback' >> /home/$gpg_username/.gnupg/gpg.conf
fi
if [ ! -f /home/$gpg_username/.gnupg/gpg-agent.conf ]; then
touch /home/$gpg_username/.gnupg/gpg-agent.conf
fi
if ! grep -q 'allow-loopback-pinentry' /home/$gpg_username/.gnupg/gpg-agent.conf; then
echo 'allow-loopback-pinentry' >> /home/$gpg_username/.gnupg/gpg-agent.conf
fi
su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username
fi
}
function gpg_pubkey_from_email {
key_owner_username=$1
key_email_address=$2
key_id=
if [[ $key_owner_username != "root" ]]; then
key_id=$(su -c "gpg --list-keys $key_email_address" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//')
# If the default key is specified within gpg.conf
if [ -f /home/$key_owner_username/gpg.conf ]; then
if grep -q "default-key" /home/$key_owner_username/gpg.conf; then
default_gpg_key=$(cat /home/$key_owner_username/gpg.conf | grep "default-key")
if [[ "$default_gpg_key" != *'#'* ]]; then
default_gpg_key=$(cat /home/$key_owner_username/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
if [ ${#default_gpg_key} -gt 3 ]; then
key_id=$(su -c "gpg --list-keys $default_gpg_key" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//')
fi
fi
fi
fi
else
key_id=$(gpg --list-keys $key_email_address | sed -n '2p' | sed 's/^[ \t]*//')
# If the default key is specified within gpg.conf
if [ -f /root/gpg.conf ]; then
if grep -q "default-key" /root/gpg.conf; then
default_gpg_key=$(cat /root/gpg.conf | grep "default-key")
if [[ "$default_gpg_key" != *'#'* ]]; then
default_gpg_key=$(cat /root/gpg.conf | grep "default-key" | awk -F ' ' '{print $2}')
if [ ${#default_gpg_key} -gt 3 ]; then
key_id=$(gpg --list-keys $default_gpg_key | sed -n '2p' | sed 's/^[ \t]*//')
fi
fi
fi
fi
fi
echo $key_id
}
function enable_email_encryption_at_rest {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
if grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then
sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc
sed -i 's|#:0 f|:0 f|g' /home/$USERNAME/.procmailrc
fi
fi
done
if grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc
fi
}
function disable_email_encryption_at_rest {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
if ! grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then
sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc
sed -i 's|:0 f|#:0 f|g' /home/$USERNAME/.procmailrc
fi
fi
done
if ! grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then
sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc
sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc
fi
}
# NOTE: deliberately no exit 0