freedombone/src/freedombone-recoverkey

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# A script which recovers a user's gpg key from a number of fragments

# License
# =======
#
# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-recoverkey
export TEXTDOMAINDIR="/usr/share/locale"

FRIENDS_SERVERS_LIST=
MY_USERNAME=
GPG_USB_DRIVE='sdb1'

function show_help {
    echo ''
    echo $"${PROJECT_NAME}-recoverkey -u [username] -d [drive]"
    echo $'                       -l [friends servers list filename]'
    echo ''
    exit 0
}

while [[ $# > 1 ]]
do
    key="$1"

    case $key in
        -h|--help)
            show_help
            ;;
        -u|--user)
            shift
            MY_USERNAME="$1"
            ;;
        # backup list filename
        # typically /home/$USER/backup.list
        -l|--list)
            shift
            FRIENDS_SERVERS_LIST="$1"
            ;;
        -d|--drive)
            shift
            GPG_USB_DRIVE=/dev/${1}1
            ;;
        *)
            # unknown option
            ;;
    esac
    shift
done

if [ ! $MY_USERNAME ]; then
    show_help
fi
if [ ! -d /home/$MY_USERNAME ]; then
    echo $"User $MY_USERNAME does not exist on the system"
    exit 7270
fi

if [ ! $MY_USERNAME ]; then
    echo $'No username given'
    exit 3578
fi
if [ ! -d /home/$MY_USERNAME ]; then
    echo $"User $MY_USERNAME does not exist on the system"
    exit 7270
fi

FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments

function reconstruct_key {
    if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
        return
    fi
    cd /home/$MY_USERNAME/.gnupg_fragments
    no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
    if (( no_of_shares < 4 )); then
        dialog --title $"Encryption keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70
        exit 7348
    fi
    apt-get -y install libgfshare-bin gnupg
    gfcombine /home/$MY_USERNAME/.gnupg_fragments/keyshare*
    if [ ! "$?" = "0" ]; then
        dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70
        exit 7348
    fi

    KEYS_FILE=/home/$MY_USERNAME/.gnupg_fragments/keyshare.asc
    if [ ! -f $KEYS_FILE ]; then
        dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70
    fi

    su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME
    if [ ! "$?" = "0" ]; then
        echo $'Unable to import gpg key'
        shred -zu $KEYS_FILE
        rm -rf /home/$MY_USERNAME/.tempgnupg
        exit 9654
    fi
    shred -zu $KEYS_FILE

    dialog --title $"Encryption keys" --msgbox $'Key has been reconstructed' 6 70
}

function interactive_gpg_from_usb {
    dialog --title $"Encryption keys" \
           --msgbox $'Plug in a USB drive containing a copy of your full key or key fragment' 6 70

    HOME_DIR=/home/$MY_USERNAME
    GPG_LOADING="yes"
    SSH_IMPORTED="no"
    GPG_CTR=0
    while [[ $GPG_LOADING == "yes" ]]
    do
        if [ ! -b $GPG_USB_DRIVE ]; then
            GPG_USB_DRIVE='/dev/sdc1'
            if [ ! -b $GPG_USB_DRIVE ]; then
                GPG_USB_DRIVE='/dev/sdd1'
                if [ ! -b $GPG_USB_DRIVE ]; then
                    if (( GPG_CTR > 0 )); then
                        reconstruct_key
                        return 0
                    fi
                    dialog --title $"Encryption keys" --msgbox $'No USB drive found' 6 30
                    exit 27852
                fi
            fi
        fi

        GPG_USB_MOUNT='/mnt/usb'
        umount -f $GPG_USB_MOUNT
        if [ ! -d $GPG_USB_MOUNT ]; then
            mkdir -p $GPG_USB_MOUNT
        fi

        if [ -f /dev/mapper/encrypted_usb ]; then
            rm -rf /dev/mapper/encrypted_usb
        fi
        cryptsetup luksClose encrypted_usb
        cryptsetup luksOpen $GPG_USB_DRIVE encrypted_usb
        if [ "$?" = "0" ]; then
            GPG_USB_DRIVE=/dev/mapper/encrypted_usb
        fi
        mount $GPG_USB_DRIVE $GPG_USB_MOUNT
        if [ ! "$?" = "0" ]; then
            if (( GPG_CTR > 0 )); then
                rm -rf $GPG_USB_MOUNT
                reconstruct_key
                return 0
            fi
            dialog --title $"Encryption keys" \
                   --msgbox $"There was a problem mounting the USB drive to $GPG_USB_MOUNT" 6 70
            rm -rf $GPG_USB_MOUNT
            exit 74393
        fi

        if [ ! -d $GPG_USB_MOUNT/.gnupg ]; then
            if [ ! -d $GPG_USB_MOUNT/.gnupg_fragments ]; then
                if (( GPG_CTR > 0 )); then
                    umount -f $GPG_USB_MOUNT
                    rm -rf $GPG_USB_MOUNT
                    reconstruct_key
                    return 0
                fi
                dialog --title $"Encryption keys" \
                       --msgbox $"The directory $GPG_USB_MOUNT/.gnupg or $GPG_USB_MOUNT/.gnupg_fragments was not found" 6 70
                umount -f $GPG_USB_MOUNT
                rm -rf $GPG_USB_MOUNT
                exit 723814
            fi
        fi

        if [ -d $GPG_USB_MOUNT/.gnupg ]; then
            if [ ! -d $HOME_DIR/.gnupg ]; then
                mkdir $HOME_DIR/.gnupg
            fi
            cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg
            GPG_LOADING="no"
            dialog --title $"Encryption keys" \
                   --msgbox $"GPG Keyring loaded to $HOME_DIR" 6 70
        else
            if [ ! -d $HOME_DIR/.gnupg_fragments ]; then
                mkdir $HOME_DIR/.gnupg_fragments
            fi
            cp -r $GPG_USB_MOUNT/.gnupg_fragments/* $HOME_DIR/.gnupg_fragments
        fi

        if [[ $SSH_IMPORTED == "no" ]]; then
            if [ -d $GPG_USB_MOUNT/.ssh ]; then
                if [ ! -d $HOME_DIR/.ssh ]; then
                    mkdir $HOME_DIR/.ssh
                fi
                cp $GPG_USB_MOUNT/.ssh/* $HOME_DIR/.ssh
                dialog --title $"Encryption keys" \
                       --msgbox $"ssh keys imported" 6 70
                SSH_IMPORTED="yes"
            fi
        fi

        umount -f $GPG_USB_MOUNT
        rm -rf $GPG_USB_MOUNT
        if [[ $GPG_LOADING == "yes" ]]; then
            dialog --title $"Encryption keys" \
                   --msgbox $"Now remove the USB drive. Insert the next drive containing a key fragment, or select Ok to finish" 6 70
        fi
        GPG_CTR=$((GPG_CTR + 1))
    done
}

# if no remote backup list was given then assume recover from USB
if [ ! $FRIENDS_SERVERS_LIST ]; then
    interactive_gpg_from_usb
    exit 0
fi

# obtain shares/fragments from remote locations
if [ $FRIENDS_SERVERS_LIST ]; then
    # For each remote server
    while read remote_server
    do
        # Get the server and its password
        # Format is:
        #   username@domain:/home/username <port number> <ssh password>
        REMOTE_SERVER=$(echo "${remote_server}" | awk -F ' ' '{print $1}')
        if [ $REMOTE_SERVER ]; then
            REMOTE_SSH_PORT=$(echo "${remote_server}" | awk -F ' ' '{print $2}')
            REMOTE_PASSWORD=$(echo "${remote_server}" | awk -F ' ' '{print $3}')

            # create a directory if it doesn't exist
            if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then
                mkdir -p /home/$MY_USERNAME/.gnupg_fragments
            fi

            echo -n $"Starting key retrieval from $REMOTE_SERVER..."
            /usr/bin/sshpass -p $REMOTE_PASSWORD \
                             scp -r -P $REMOTE_SSH_PORT $REMOTE_SERVER/.gnupg_fragments/* /home/$MY_USERNAME/.gnupg_fragments
            if [ ! "$?" = "0" ]; then
                echo $'FAILED'
            else
                echo $'Ok'
            fi
        fi
    done < $FRIENDS_SERVERS_LIST
fi

# was a directory created?
if [ ! -d $FRAGMENTS_DIR ]; then
    echo $'No fragments have been recovered, so the key cannot be recovered'
    exit 7483
fi

# was anything downloaded?
cd $FRAGMENTS_DIR
no_of_shares=$(ls -afq keyshare.asc.* | wc -l)
if (( no_of_shares == 0 )); then
    echo $'No key fragments were retrieved'
    exit 76882
fi

# set permissions on the fragments
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg_fragments

# decrypt the file
KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
cd $FRAGMENTS_DIR
gfcombine $KEYS_FILE.*

if [ ! -f $KEYS_FILE ]; then
    echo $'Unable to decrypt key. This may mean that not enough fragments are available'
    exit 6283
fi

echo $'Key fragments recombined'

# import the gpg key
su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME
if [ ! "$?" = "0" ]; then
    echo $'Unable to import gpg key'
    shred -zu $KEYS_FILE
    exit 3682
fi
shred -zu $KEYS_FILE
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
chmod -R 600 /home/$MY_USERNAME/.gnupg

echo $'GPG key was recovered'

exit 0