#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # gpg functions # # License # ======= # # Copyright (C) 2016-2017 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . function gpg_update_mutt { key_username=$1 if [ ! -f /home/$key_username/.muttrc ]; then return fi CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME CURR_GPG_ID=$(gpg --homedir=/home/$key_username/.gnupg --list-keys $CURR_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//') sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" /home/$key_username/.muttrc chown $key_username:$key_username /home/$key_username/.muttrc } function gpg_import_public_key { key_username=$1 key_filename=$2 gpg --homedir=/home/$key_username/.gnupg --import $key_filename gpg_set_permissions $key_username } function gpg_import_private_key { key_username=$1 key_filename=$2 gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $key_filename gpg_set_permissions $key_username } function gpg_export_public_key { key_username=$1 key_id=$2 key_filename=$3 chown -R $key_username:$key_username /home/$key_username/.gnupg su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - $key_username } function gpg_export_private_key { key_username=$1 key_id=$2 key_filename=$3 chown -R $key_username:$key_username /home/$key_username/.gnupg su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - $key_username } function gpg_create_key { key_username=$1 key_passphrase=$2 gpg_dir=/home/$key_username/.gnupg echo 'Key-Type: eddsa' > /home/$key_username/gpg-genkey.conf echo 'Key-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf echo 'Subkey-Type: eddsa' >> /home/$key_username/gpg-genkey.conf echo 'Subkey-Curve: Ed25519' >> /home/$key_username/gpg-genkey.conf echo "Name-Real: $MY_NAME" >> /home/$key_username/gpg-genkey.conf echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$key_username/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$key_username/gpg-genkey.conf cat /home/$key_username/gpg-genkey.conf if [ $key_passphrase ]; then echo "Passphrase: $key_passphrase" >> /home/$key_username/gpg-genkey.conf else echo "Passphrase: $PROJECT_NAME" >> /home/$key_username/gpg-genkey.conf fi chown $key_username:$key_username /home/$key_username/gpg-genkey.conf echo $'Generating a new GPG key' su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - $key_username chown -R $key_username:$key_username /home/$key_username/.gnupg KEY_EXISTS=$(gpg_key_exists "$key_username" "${key_username}@${HOSTNAME}") if [[ $KEY_EXISTS == "no" ]]; then echo $"A GPG key for ${key_username}@${HOSTNAME} could not be created" exit 63621 fi shred -zu /home/$key_username/gpg-genkey.conf CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "${key_username}@${HOSTNAME}") if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then echo $"GPG public key ID could not be obtained for ${key_username}@${HOSTNAME}" exit 825292 fi gpg_set_permissions $key_username } function gpg_delete_key { key_username=$1 key_id=$2 chown -R $key_username:$key_username /home/$key_username/.gnupg su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - $key_username su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - $key_username } function gpg_set_permissions { key_username=$1 if [[ "$key_username" != 'root' ]]; then chmod 700 /home/$key_username/.gnupg chmod -R 600 /home/$key_username/.gnupg/* chown -R $key_username:$key_username /home/$key_username/.gnupg else chmod 700 /root/.gnupg chmod -R 600 /root/.gnupg/* chown -R $key_username:$key_username /root/.gnupg fi } function gpg_reconstruct_key { key_username=$1 key_interactive=$2 if [ ! -d /home/$key_username/.gnupg_fragments ]; then return fi cd /home/$key_username/.gnupg_fragments no_of_shares=$(ls -afq keyshare.asc.* | wc -l) if (( no_of_shares < 4 )); then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 else echo $'Not enough fragments to reconstruct the key' fi exit 7348 fi gfcombine /home/$key_username/.gnupg_fragments/keyshare* if [ ! "$?" = "0" ]; then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 7348 fi KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc if [ ! -f $KEYS_FILE ]; then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 52852 fi gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $KEYS_FILE if [ ! "$?" = "0" ]; then shred -zu $KEYS_FILE rm -rf /home/$key_username/.tempgnupg if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70 else echo $'Unable to import gpg key' fi exit 96547 fi shred -zu $KEYS_FILE gpg_set_permissions $key_username if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70 else echo $'Key has been reconstructed' fi } function gpg_agent_setup { gpg_username=$1 if [[ $gpg_username == 'root' ]]; then if ! grep -q 'GPG_TTY' /root/.bashrc; then echo '' >> /root/.bashrc echo 'GPG_TTY=$(tty)' >> /root/.bashrc echo 'export GPG_TTY' >> /root/.bashrc fi if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then echo 'use-agent' >> /root/.gnupg/gpg.conf fi if ! grep -q 'pinentry-mode loopback' /root/.gnupg/gpg.conf; then echo 'pinentry-mode loopback' >> /root/.gnupg/gpg.conf fi if [ ! -f /root/.gnupg/gpg-agent.conf ]; then touch /root/.gnupg/gpg-agent.conf fi if ! grep -q 'allow-loopback-pinentry' /root/.gnupg/gpg-agent.conf; then echo 'allow-loopback-pinentry' >> /root/.gnupg/gpg-agent.conf fi echo RELOADAGENT | gpg-connect-agent else if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then echo '' >> /home/$gpg_username/.bashrc echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc fi if ! grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then echo 'use-agent' >> /home/$gpg_username/.gnupg/gpg.conf fi if ! grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then echo 'pinentry-mode loopback' >> /home/$gpg_username/.gnupg/gpg.conf fi if [ ! -f /home/$gpg_username/.gnupg/gpg-agent.conf ]; then touch /home/$gpg_username/.gnupg/gpg-agent.conf fi if ! grep -q 'allow-loopback-pinentry' /home/$gpg_username/.gnupg/gpg-agent.conf; then echo 'allow-loopback-pinentry' >> /home/$gpg_username/.gnupg/gpg-agent.conf fi su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username fi } function gpg_pubkey_from_email { key_owner_username=$1 key_email_address=$2 key_id= if [[ $key_owner_username != "root" ]]; then key_id=$(su -c "gpg --list-keys $key_email_address" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//') else key_id=$(gpg --list-keys $key_email_address | sed -n '2p' | sed 's/^[ \t]*//') fi echo $key_id } function enable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc sed -i 's|#:0 f|:0 f|g' /home/$USERNAME/.procmailrc fi fi done if grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc fi } function disable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if ! grep -q '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc sed -i 's|:0 f|#:0 f|g' /home/$USERNAME/.procmailrc fi fi done if ! grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc fi } # NOTE: deliberately no exit 0