#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # # A script which splits a user's gpg key into fragments which # may then be shared # # To get a random fragment # get a random fragment # fragment_files=($FRAGMENTS_DIR/*) # FRAGMENT_FILE="${files[RANDOM % ${#files[@]}]}" # # License # ======= # # Copyright (C) 2015-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . PROJECT_NAME='freedombone' export TEXTDOMAIN=${PROJECT_NAME}-splitkey export TEXTDOMAINDIR="/usr/share/locale" # Dummy password to get around not being able to create a key without passphrase BACKUP_DUMMY_PASSWORD='backup' KEY_FRAGMENTS=3 MY_USERNAME= MY_EMAIL_ADDRESS= MY_NAME= PASSWORD_FILE= function show_help { echo '' echo $"${PROJECT_NAME}-splitkey -u [username] -n [number of fragments] -e [email address] --fullname [Full name]" echo '' exit 0 } while [ $# -gt 1 ] do key="$1" case $key in -h|--help) show_help ;; -u|--user) shift MY_USERNAME="$1" ;; -n|--fragments) shift KEY_FRAGMENTS=$1 ;; -e|--email) shift MY_EMAIL_ADDRESS=$1 ;; --fullname) shift MY_NAME=$1 ;; --passwordfile) shift PASSWORD_FILE=$1 ;; *) # unknown option ;; esac shift done if [ ! "$MY_USERNAME" ]; then show_help fi if [ ! -d "/home/$MY_USERNAME" ]; then echo $"User $MY_USERNAME does not exist on the system" exit 7270 fi if [ ! -d "/home/$MY_USERNAME/.gnupg" ]; then echo $'No gpg key found' exit 5393 fi if [ "$PASSWORD_FILE" ]; then if [ ! -f "$PASSWORD_FILE" ]; then echo $'Password file not found' exit 62952 fi fi FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments if [ -d "$FRAGMENTS_DIR" ]; then exit 0 fi # get the gpg key ID if [ ! "$MY_EMAIL_ADDRESS" ]; then MY_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME fi KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS" - "$MY_USERNAME" | sed -n '2p' | sed 's/^[ \t]*//') if [ ${#KEYID} -lt 4 ]; then echo $"gpg key for $MY_EMAIL_ADDRESS was not found" exit 3682 fi MY_BACKUP_KEY_ID=$(gpg --list-keys "$MY_NAME (backup key)" | sed -n '2p' | sed 's/^[ \t]*//') if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then echo $"gpg backup key for '$MY_NAME' was not found" exit 58213 fi # create the key file mkdir -p "$FRAGMENTS_DIR" chown "$MY_USERNAME":"$MY_USERNAME" "$FRAGMENTS_DIR" KEYS_FILE="$FRAGMENTS_DIR/keyshare.asc" if ! gpg --output "$FRAGMENTS_DIR/pubkey.txt" --armor --export "$KEYID"; then echo $"Unable to extract public key for $KEYID" exit 7835 fi if [ ! "$PASSWORD_FILE" ]; then gpg --output "$FRAGMENTS_DIR/privkey.txt" \ --armor --export-secret-key "$KEYID" else # shellcheck disable=SC2005 echo "$(printf "%s" "$(cat "$PASSWORD_FILE")")" | \ gpg --batch --passphrase-fd 0 \ --output "$FRAGMENTS_DIR/privkey.txt" \ --armor --export-secret-key "$KEYID" fi # shellcheck disable=SC2181 if [ ! "$?" = "0" ]; then echo $"Unable to extract private key for $KEYID" exit 7823 fi if ! gpg --output "$FRAGMENTS_DIR/backup_pubkey.txt" \ --armor --export "$MY_BACKUP_KEY_ID"; then shred -zu "$FRAGMENTS_DIR/privkey.txt" echo $"Unable to extract backup public key for $MY_BACKUP_KEY_ID" exit 62928 fi echo "$BACKUP_DUMMY_PASSWORD" | \ if ! gpg --output "$FRAGMENTS_DIR/backup_privkey.txt" \ --batch --passphrase-fd 0 \ --armor --export-secret-key "$MY_BACKUP_KEY_ID"; then shred -zu "$FRAGMENTS_DIR/privkey.txt" echo $"Unable to extract backup private key for $MY_BACKUP_KEY_ID" exit 13783 fi # Ensure there aren't any permissions problems when running cat chmod +r "$FRAGMENTS_DIR/privkey.txt" chmod +r "$FRAGMENTS_DIR/backup_privkey.txt" cat "$FRAGMENTS_DIR/pubkey.txt" \ "$FRAGMENTS_DIR/privkey.txt" \ "$FRAGMENTS_DIR/backup_pubkey.txt" \ "$FRAGMENTS_DIR/backup_privkey.txt" > "$KEYS_FILE" shred -zu "$FRAGMENTS_DIR/privkey.txt" shred -zu "$FRAGMENTS_DIR/pubkey.txt" shred -zu "$FRAGMENTS_DIR/backup_privkey.txt" shred -zu "$FRAGMENTS_DIR/backup_pubkey.txt" KEY_SHARES=$((KEY_FRAGMENTS * 2)) if ! gfsplit -n "$KEY_FRAGMENTS" -m $KEY_SHARES "$KEYS_FILE"; then echo $"Unable to split the gpg key" rm -rf "$FRAGMENTS_DIR" if [ -f "$KEYS_FILE" ]; then shred -zu "$KEYS_FILE" fi exit 63028 fi shred -zu "$KEYS_FILE" # set permissions chown -R "$MY_USERNAME":"$MY_USERNAME" "$FRAGMENTS_DIR" chmod -R 600 "$FRAGMENTS_DIR" echo $"$KEY_SHARES key shares created" exit 0