| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337 |
- #!/bin/bash
- #
- # .---. . .
- # | | |
- # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
- # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
- # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
- #
- # Freedom in the Cloud
- #
- # A script which recovers a user's gpg key from a number of fragments
-
- # License
- # =======
- #
- # Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU Affero General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU Affero General Public License for more details.
- #
- # You should have received a copy of the GNU Affero General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
-
- PROJECT_NAME='freedombone'
-
- export TEXTDOMAIN=${PROJECT_NAME}-recoverkey
- export TEXTDOMAINDIR="/usr/share/locale"
-
- source $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars
-
- # include utils which allow function_check, go and drive mount
- UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
- for f in $UTILS_FILES
- do
- source $f
- done
-
- read_config_param USB_DRIVE
-
- FRIENDS_SERVERS_LIST=
- MY_USERNAME=
- if [ $USB_DRIVE ]; then
- GPG_USB_DRIVE=$USB_DRIVE
- else
- GPG_USB_DRIVE='/dev/sdb1'
- fi
-
- function show_help {
- echo ''
- echo $"${PROJECT_NAME}-recoverkey -u [username] -d [drive]"
- echo $' -l [friends servers list filename]'
- echo ''
- exit 0
- }
-
- while [[ $# > 1 ]]
- do
- key="$1"
-
- case $key in
- -h|--help)
- show_help
- ;;
- -u|--user)
- shift
- MY_USERNAME="$1"
- ;;
- # backup list filename
- # typically /home/$USER/backup.list
- -l|--list)
- shift
- FRIENDS_SERVERS_LIST="$1"
- ;;
- -d|--drive)
- shift
- GPG_USB_DRIVE=/dev/${1}1
- ;;
- *)
- # unknown option
- ;;
- esac
- shift
- done
-
- if [ ! $MY_USERNAME ]; then
- show_help
- fi
- if [ ! -d /home/$MY_USERNAME ]; then
- echo $"User $MY_USERNAME does not exist on the system"
- exit 7270
- fi
-
- if [ ! $MY_USERNAME ]; then
- echo $'No username given'
- exit 3578
- fi
- if [ ! -d /home/$MY_USERNAME ]; then
- echo $"User $MY_USERNAME does not exist on the system"
- exit 7270
- fi
-
- FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments
-
- function reconstruct_key {
- if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
- return
- fi
- cd /home/$MY_USERNAME/.gnupg_fragments
- no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
- if (( no_of_shares < 4 )); then
- dialog --title $"Encryption keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70
- exit 7348
- fi
- apt-get -y install libgfshare-bin gnupg
- gfcombine /home/$MY_USERNAME/.gnupg_fragments/keyshare*
- if [ ! "$?" = "0" ]; then
- dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70
- exit 7348
- fi
-
- KEYS_FILE=/home/$MY_USERNAME/.gnupg_fragments/keyshare.asc
- if [ ! -f $KEYS_FILE ]; then
- dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70
- fi
-
- su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME
- if [ ! "$?" = "0" ]; then
- echo $'Unable to import gpg key'
- shred -zu $KEYS_FILE
- rm -rf /home/$MY_USERNAME/.tempgnupg
- exit 9654
- fi
- shred -zu $KEYS_FILE
-
- dialog --title $"Encryption keys" --msgbox $'Key has been reconstructed' 6 70
- }
-
- function interactive_gpg_from_usb {
- dialog --title $"Encryption keys" \
- --msgbox $'Plug in a USB drive containing a copy of your full key or key fragment' 6 70
-
- HOME_DIR=/home/$MY_USERNAME
- GPG_LOADING="yes"
- SSH_IMPORTED="no"
- GPG_CTR=0
- while [[ $GPG_LOADING == "yes" ]]
- do
- if [ ! -b $GPG_USB_DRIVE ]; then
- GPG_USB_DRIVE='/dev/sdc1'
- if [ ! -b $GPG_USB_DRIVE ]; then
- GPG_USB_DRIVE='/dev/sdd1'
- if [ ! -b $GPG_USB_DRIVE ]; then
- if (( GPG_CTR > 0 )); then
- reconstruct_key
- return 0
- fi
- dialog --title $"Encryption keys" --msgbox $'No USB drive found' 6 30
- exit 27852
- fi
- fi
- fi
-
- GPG_USB_MOUNT='/mnt/usb'
- umount -f $GPG_USB_MOUNT
- if [ ! -d $GPG_USB_MOUNT ]; then
- mkdir -p $GPG_USB_MOUNT
- fi
-
- if [ -f /dev/mapper/encrypted_usb ]; then
- rm -rf /dev/mapper/encrypted_usb
- fi
- cryptsetup luksClose encrypted_usb
- cryptsetup luksOpen $GPG_USB_DRIVE encrypted_usb
- if [ "$?" = "0" ]; then
- GPG_USB_DRIVE=/dev/mapper/encrypted_usb
- fi
- mount $GPG_USB_DRIVE $GPG_USB_MOUNT
- if [ ! "$?" = "0" ]; then
- if (( GPG_CTR > 0 )); then
- rm -rf $GPG_USB_MOUNT
- reconstruct_key
- return 0
- fi
- dialog --title $"Encryption keys" \
- --msgbox $"There was a problem mounting the USB drive to $GPG_USB_MOUNT" 6 70
- rm -rf $GPG_USB_MOUNT
- exit 74393
- fi
-
- if [ ! -d $GPG_USB_MOUNT/.gnupg ]; then
- if [ ! -d $GPG_USB_MOUNT/.gnupg_fragments ]; then
- if (( GPG_CTR > 0 )); then
- umount -f $GPG_USB_MOUNT
- rm -rf $GPG_USB_MOUNT
- reconstruct_key
- return 0
- fi
- if [[ "$GPG_USB_DRIVE" == *"sda1" ]]; then
- GPG_USB_DRIVE=/dev/sdb1
- write_config_param USB_DRIVE "$GPG_USB_DRIVE"
- umount -f $GPG_USB_MOUNT
- rm -rf $GPG_USB_MOUNT
- ${PROJECT_NAME}-recoverkey -u "$MY_USERNAME" -d sdb
- exit 0
- else
- dialog --title $"Encryption keys" \
- --msgbox $"The directory $GPG_USB_MOUNT/.gnupg or $GPG_USB_MOUNT/.gnupg_fragments was not found" 6 70
- umount -f $GPG_USB_MOUNT
- rm -rf $GPG_USB_MOUNT
- exit 723814
- fi
- fi
- fi
-
- if [ -d $GPG_USB_MOUNT/.gnupg ]; then
- if [ ! -d $HOME_DIR/.gnupg ]; then
- mkdir $HOME_DIR/.gnupg
- fi
- cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg
- GPG_LOADING="no"
- dialog --title $"Encryption keys" \
- --msgbox $"GPG Keyring loaded to $HOME_DIR" 6 70
- else
- if [ ! -d $HOME_DIR/.gnupg_fragments ]; then
- mkdir $HOME_DIR/.gnupg_fragments
- fi
- cp -r $GPG_USB_MOUNT/.gnupg_fragments/* $HOME_DIR/.gnupg_fragments
- fi
-
- if [[ $SSH_IMPORTED == "no" ]]; then
- if [ -d $GPG_USB_MOUNT/.ssh ]; then
- if [ ! -d $HOME_DIR/.ssh ]; then
- mkdir $HOME_DIR/.ssh
- fi
- cp $GPG_USB_MOUNT/.ssh/* $HOME_DIR/.ssh
- dialog --title $"Encryption keys" \
- --msgbox $"ssh keys imported" 6 70
- SSH_IMPORTED="yes"
- fi
- fi
-
- umount -f $GPG_USB_MOUNT
- rm -rf $GPG_USB_MOUNT
- if [[ $GPG_LOADING == "yes" ]]; then
- dialog --title $"Encryption keys" \
- --msgbox $"Now remove the USB drive. Insert the next drive containing a key fragment, or select Ok to finish" 6 70
- fi
- GPG_CTR=$((GPG_CTR + 1))
- done
- }
-
- # if no remote backup list was given then assume recover from USB
- if [ ! $FRIENDS_SERVERS_LIST ]; then
- interactive_gpg_from_usb
- exit 0
- fi
-
- # obtain shares/fragments from remote locations
- if [ $FRIENDS_SERVERS_LIST ]; then
- # For each remote server
- while read remote_server
- do
- # Get the server and its password
- # Format is:
- # username@domain:/home/username <port number> <ssh password>
- REMOTE_SERVER=$(echo "${remote_server}" | awk -F ' ' '{print $1}')
- if [ $REMOTE_SERVER ]; then
- REMOTE_SSH_PORT=$(echo "${remote_server}" | awk -F ' ' '{print $2}')
- REMOTE_PASSWORD=$(echo "${remote_server}" | awk -F ' ' '{print $3}')
-
- # create a directory if it doesn't exist
- if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
- mkdir -p /home/$MY_USERNAME/.gnupg_fragments
- fi
-
- echo -n $"Starting key retrieval from $REMOTE_SERVER..."
- /usr/bin/sshpass -p $REMOTE_PASSWORD \
- scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments/* /home/$MY_USERNAME/.gnupg_fragments
- if [ ! "$?" = "0" ]; then
- echo $'FAILED'
- else
- echo $'Ok'
- fi
- fi
- done < $FRIENDS_SERVERS_LIST
- fi
-
- # was a directory created?
- if [ ! -d $FRAGMENTS_DIR ]; then
- echo $'No fragments have been recovered, so the key cannot be recovered'
- exit 7483
- fi
-
- # was anything downloaded?
- cd $FRAGMENTS_DIR
- no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
- if (( no_of_shares == 0 )); then
- echo $'No key fragments were retrieved'
- exit 76882
- fi
-
- # set permissions on the fragments
- chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg_fragments
-
- # decrypt the file
- KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
- cd $FRAGMENTS_DIR
- gfcombine $KEYS_FILE.*
-
- if [ ! -f $KEYS_FILE ]; then
- echo $'Unable to decrypt key. This may mean that not enough fragments are available'
- exit 6283
- fi
-
- echo $'Key fragments recombined'
-
- # import the gpg key
- su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME
- if [ ! "$?" = "0" ]; then
- echo $'Unable to import gpg key'
- shred -zu $KEYS_FILE
- exit 3682
- fi
- shred -zu $KEYS_FILE
- chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
- chmod -R 600 /home/$MY_USERNAME/.gnupg
-
- echo $'GPG key was recovered'
-
- exit 0
|
