#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # gpg functions # # License # ======= # # Copyright (C) 2016-2017 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . function gpg_delete_key { key_username=$1 key_id=$2 su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - $key_username su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - $key_username } function gpg_set_permissions { key_username=$1 if [[ "$key_username" != 'root' ]]; then chmod 700 /home/$key_username/.gnupg chmod -R 600 /home/$key_username/.gnupg/* chown -R $key_username:$key_username /home/$key_username/.gnupg else chmod 700 /root/.gnupg chmod -R 600 /root/.gnupg/* chown -R $key_username:$key_username /root/.gnupg fi } function gpg_reconstruct_key { key_username=$1 key_interactive=$2 if [ ! -d /home/$key_username/.gnupg_fragments ]; then return fi cd /home/$key_username/.gnupg_fragments no_of_shares=$(ls -afq keyshare.asc.* | wc -l) if (( no_of_shares < 4 )); then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 else echo $'Not enough fragments to reconstruct the key' fi exit 7348 fi gfcombine /home/$key_username/.gnupg_fragments/keyshare* if [ ! "$?" = "0" ]; then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 7348 fi KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc if [ ! -f $KEYS_FILE ]; then if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 52852 fi gpg --homedir=/home/$key_username/.gnupg --allow-secret-key-import --import $KEYS_FILE if [ ! "$?" = "0" ]; then shred -zu $KEYS_FILE rm -rf /home/$key_username/.tempgnupg if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70 else echo $'Unable to import gpg key' fi exit 96547 fi shred -zu $KEYS_FILE gpg_set_permissions $key_username if [ $key_interactive ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70 else echo $'Key has been reconstructed' fi } function gpg_agent_setup { gpg_username=$1 if [[ $gpg_username == 'root' ]]; then if ! grep -q 'GPG_TTY' /root/.bashrc; then echo '' >> /root/.bashrc echo 'GPG_TTY=$(tty)' >> /root/.bashrc echo 'export GPG_TTY' >> /root/.bashrc fi if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then echo 'use-agent' >> /root/.gnupg/gpg.conf fi if ! grep -q 'pinentry-mode loopback' /root/.gnupg/gpg.conf; then echo 'pinentry-mode loopback' >> /root/.gnupg/gpg.conf fi if [ ! -f /root/.gnupg/gpg-agent.conf ]; then touch /root/.gnupg/gpg-agent.conf fi if ! grep -q 'allow-loopback-pinentry' /root/.gnupg/gpg-agent.conf; then echo 'allow-loopback-pinentry' >> /root/.gnupg/gpg-agent.conf fi echo RELOADAGENT | gpg-connect-agent else if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then echo '' >> /home/$gpg_username/.bashrc echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc fi if ! grep -q 'use-agent' /home/$gpg_username/.gnupg/gpg.conf; then echo 'use-agent' >> /home/$gpg_username/.gnupg/gpg.conf fi if ! grep -q 'pinentry-mode loopback' /home/$gpg_username/.gnupg/gpg.conf; then echo 'pinentry-mode loopback' >> /home/$gpg_username/.gnupg/gpg.conf fi if [ ! -f /home/$gpg_username/.gnupg/gpg-agent.conf ]; then touch /home/$gpg_username/.gnupg/gpg-agent.conf fi if ! grep -q 'allow-loopback-pinentry' /home/$gpg_username/.gnupg/gpg-agent.conf; then echo 'allow-loopback-pinentry' >> /home/$gpg_username/.gnupg/gpg-agent.conf fi su -c "echo RELOADAGENT | gpg-connect-agent" - $gpg_username fi } function gpg_pubkey_from_email { key_owner_username=$1 key_email_address=$2 key_id= if [[ $key_owner_username != "root" ]]; then key_id=$(su -c "gpg --list-keys $key_email_address" - $key_owner_username | sed -n '2p' | sed 's/^[ \t]*//') else key_id=$(gpg --list-keys $key_email_address | sed -n '2p' | sed 's/^[ \t]*//') fi echo $key_id } function enable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if grep '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc sed -i 's|#:0 f|:0 f|g' /home/$USERNAME/.procmailrc fi fi done if grep '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc fi } function disable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if ! grep '#| /usr/bin/gpgit.pl' /home/$USERNAME/.procmailrc; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /home/$USERNAME/.procmailrc sed -i 's|:0 f|#:0 f|g' /home/$USERNAME/.procmailrc fi fi done if ! grep '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc fi } # NOTE: deliberately no exit 0