#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # A script which splits a user's gpg key into fragments which # may then be shared # To get a random fragment # get a random fragment # fragment_files=($FRAGMENTS_DIR/*) # FRAGMENT_FILE="${files[RANDOM % ${#files[@]}]}" # License # ======= # # Copyright (C) 2015-2016 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . PROJECT_NAME='freedombone' export TEXTDOMAIN=${PROJECT_NAME}-splitkey export TEXTDOMAINDIR="/usr/share/locale" # Dummy password to get around not being able to create a key without passphrase BACKUP_DUMMY_PASSWORD='backup' KEY_FRAGMENTS=3 MY_USERNAME= MY_EMAIL_ADDRESS= MY_NAME= PASSWORD_FILE= function show_help { echo '' echo $"${PROJECT_NAME}-splitkey -u [username] -n [number of fragments] -e [email address] --fullname [Full name]" echo '' exit 0 } while [[ $# > 1 ]] do key="$1" case $key in -h|--help) show_help ;; -u|--user) shift MY_USERNAME="$1" ;; -n|--fragments) shift KEY_FRAGMENTS=$1 ;; -e|--email) shift MY_EMAIL_ADDRESS=$1 ;; --fullname) shift MY_NAME=$1 ;; --passwordfile) shift PASSWORD_FILE=$1 ;; *) # unknown option ;; esac shift done if [ ! $MY_USERNAME ]; then show_help fi if [ ! -d /home/$MY_USERNAME ]; then echo $"User $MY_USERNAME does not exist on the system" exit 7270 fi if [ ! -d /home/$MY_USERNAME/.gnupg ]; then echo $'No gpg key found' exit 5393 fi if [ $PASSWORD_FILE ]; then if [ ! -f $PASSWORD_FILE ]; then echo $'Password file not found' exit 62952 fi fi FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments if [ -d $FRAGMENTS_DIR ]; then exit 0 fi # get the gpg key ID if [ ! $MY_EMAIL_ADDRESS ]; then MY_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME fi KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS" - $MY_USERNAME | sed -n '2p' | sed 's/^[ \t]*//') if [ ${#KEYID} -lt 4 ]; then echo $"gpg key for $MY_EMAIL_ADDRESS was not found" exit 3682 fi MY_BACKUP_KEY_ID=$(gpg --list-keys "$MY_NAME (backup key)" | sed -n '2p' | sed 's/^[ \t]*//') if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then echo $"gpg backup key for '$MY_NAME' was not found" exit 58213 fi # create the key file mkdir -p $FRAGMENTS_DIR chown $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc gpg --output $FRAGMENTS_DIR/pubkey.txt --armor --export $KEYID if [ ! "$?" = "0" ]; then echo $"Unable to extract public key for $KEYID" exit 7835 fi if [ ! $PASSWORD_FILE ]; then gpg --output $FRAGMENTS_DIR/privkey.txt \ --armor --export-secret-key $KEYID else echo "$(printf `cat $PASSWORD_FILE`)" | \ gpg --batch --passphrase-fd 0 \ --output $FRAGMENTS_DIR/privkey.txt \ --armor --export-secret-key $KEYID fi if [ ! "$?" = "0" ]; then echo $"Unable to extract private key for $KEYID" exit 7823 fi gpg --output $FRAGMENTS_DIR/backup_pubkey.txt \ --armor --export $MY_BACKUP_KEY_ID if [ ! "$?" = "0" ]; then echo $"Unable to extract backup public key for $MY_BACKUP_KEY_ID" exit 62928 fi echo '$BACKUP_DUMMY_PASSWORD' | \ gpg --output $FRAGMENTS_DIR/backup_privkey.txt \ --batch --passphrase-fd 0 \ --armor --export-secret-key $MY_BACKUP_KEY_ID if [ ! "$?" = "0" ]; then echo $"Unable to extract backup private key for $MY_BACKUP_KEY_ID" exit 13783 fi cat $FRAGMENTS_DIR/pubkey.txt \ $FRAGMENTS_DIR/privkey.txt \ $FRAGMENTS_DIR/backup_pubkey.txt \ $FRAGMENTS_DIR/backup_privkey.txt > $KEYS_FILE shred -zu $FRAGMENTS_DIR/privkey.txt shred -zu $FRAGMENTS_DIR/pubkey.txt shred -zu $FRAGMENTS_DIR/backup_privkey.txt shred -zu $FRAGMENTS_DIR/backup_pubkey.txt KEY_SHARES=$((KEY_FRAGMENTS * 2)) gfsplit -n $KEY_FRAGMENTS -m $KEY_SHARES $KEYS_FILE if [ ! "$?" = "0" ]; then echo $"Unable to split the gpg key" rm -rf $FRAGMENTS_DIR if [ -f $KEYS_FILE ]; then shred -zu $KEYS_FILE fi exit 63028 fi shred -zu $KEYS_FILE # set permissions chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR chmod -R 600 $FRAGMENTS_DIR echo $"$KEY_SHARES key shares created" exit 0