206 lines
5.2 KiB
Bash
Executable File
206 lines
5.2 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# .---. . .
|
|
# | | |
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# A script which splits a user's gpg key into fragments which
|
|
# may then be shared
|
|
|
|
# To get a random fragment
|
|
# get a random fragment
|
|
# fragment_files=($FRAGMENTS_DIR/*)
|
|
# FRAGMENT_FILE="${files[RANDOM % ${#files[@]}]}"
|
|
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
PROJECT_NAME='freedombone'
|
|
|
|
export TEXTDOMAIN=${PROJECT_NAME}-splitkey
|
|
export TEXTDOMAINDIR="/usr/share/locale"
|
|
|
|
# Dummy password to get around not being able to create a key without passphrase
|
|
BACKUP_DUMMY_PASSWORD='backup'
|
|
|
|
KEY_FRAGMENTS=3
|
|
MY_USERNAME=
|
|
MY_EMAIL_ADDRESS=
|
|
MY_NAME=
|
|
PASSWORD_FILE=
|
|
|
|
function show_help {
|
|
echo ''
|
|
echo $"${PROJECT_NAME}-splitkey -u [username] -n [number of fragments] -e [email address] --fullname [Full name]"
|
|
echo ''
|
|
exit 0
|
|
}
|
|
|
|
while [[ $# > 1 ]]
|
|
do
|
|
key="$1"
|
|
|
|
case $key in
|
|
-h|--help)
|
|
show_help
|
|
;;
|
|
-u|--user)
|
|
shift
|
|
MY_USERNAME="$1"
|
|
;;
|
|
-n|--fragments)
|
|
shift
|
|
KEY_FRAGMENTS=$1
|
|
;;
|
|
-e|--email)
|
|
shift
|
|
MY_EMAIL_ADDRESS=$1
|
|
;;
|
|
--fullname)
|
|
shift
|
|
MY_NAME=$1
|
|
;;
|
|
--passwordfile)
|
|
shift
|
|
PASSWORD_FILE=$1
|
|
;;
|
|
*)
|
|
# unknown option
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
if [ ! $MY_USERNAME ]; then
|
|
show_help
|
|
fi
|
|
if [ ! -d /home/$MY_USERNAME ]; then
|
|
echo $"User $MY_USERNAME does not exist on the system"
|
|
exit 7270
|
|
fi
|
|
|
|
if [ ! -d /home/$MY_USERNAME/.gnupg ]; then
|
|
echo $'No gpg key found'
|
|
exit 5393
|
|
fi
|
|
|
|
if [ $PASSWORD_FILE ]; then
|
|
if [ ! -f $PASSWORD_FILE ]; then
|
|
echo $'Password file not found'
|
|
exit 62952
|
|
fi
|
|
fi
|
|
|
|
FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments
|
|
if [ -d $FRAGMENTS_DIR ]; then
|
|
exit 0
|
|
fi
|
|
|
|
# get the gpg key ID
|
|
if [ ! $MY_EMAIL_ADDRESS ]; then
|
|
MY_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
|
|
fi
|
|
|
|
KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS" - $MY_USERNAME | sed -n '2p' | sed 's/^[ \t]*//')
|
|
if [ ${#KEYID} -lt 4 ]; then
|
|
echo $"gpg key for $MY_EMAIL_ADDRESS was not found"
|
|
exit 3682
|
|
fi
|
|
|
|
MY_BACKUP_KEY_ID=$(gpg --list-keys "$MY_NAME (backup key)" | sed -n '2p' | sed 's/^[ \t]*//')
|
|
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
|
|
echo $"gpg backup key for '$MY_NAME' was not found"
|
|
exit 58213
|
|
fi
|
|
|
|
# create the key file
|
|
mkdir -p $FRAGMENTS_DIR
|
|
chown $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR
|
|
KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
|
|
gpg --output $FRAGMENTS_DIR/pubkey.txt --armor --export $KEYID
|
|
if [ ! "$?" = "0" ]; then
|
|
echo $"Unable to extract public key for $KEYID"
|
|
exit 7835
|
|
fi
|
|
if [ ! $PASSWORD_FILE ]; then
|
|
gpg --output $FRAGMENTS_DIR/privkey.txt \
|
|
--armor --export-secret-key $KEYID
|
|
else
|
|
echo "$(printf `cat $PASSWORD_FILE`)" | \
|
|
gpg --batch --passphrase-fd 0 \
|
|
--output $FRAGMENTS_DIR/privkey.txt \
|
|
--armor --export-secret-key $KEYID
|
|
fi
|
|
if [ ! "$?" = "0" ]; then
|
|
echo $"Unable to extract private key for $KEYID"
|
|
exit 7823
|
|
fi
|
|
gpg --output $FRAGMENTS_DIR/backup_pubkey.txt \
|
|
--armor --export $MY_BACKUP_KEY_ID
|
|
if [ ! "$?" = "0" ]; then
|
|
shred -zu $FRAGMENTS_DIR/privkey.txt
|
|
echo $"Unable to extract backup public key for $MY_BACKUP_KEY_ID"
|
|
exit 62928
|
|
fi
|
|
echo "$BACKUP_DUMMY_PASSWORD" | \
|
|
gpg --output $FRAGMENTS_DIR/backup_privkey.txt \
|
|
--batch --passphrase-fd 0 \
|
|
--armor --export-secret-key $MY_BACKUP_KEY_ID
|
|
if [ ! "$?" = "0" ]; then
|
|
shred -zu $FRAGMENTS_DIR/privkey.txt
|
|
echo $"Unable to extract backup private key for $MY_BACKUP_KEY_ID"
|
|
exit 13783
|
|
fi
|
|
|
|
# Ensure there aren't any permissions problems when running cat
|
|
chmod +r $FRAGMENTS_DIR/privkey.txt
|
|
chmod +r $FRAGMENTS_DIR/backup_privkey.txt
|
|
|
|
cat $FRAGMENTS_DIR/pubkey.txt \
|
|
$FRAGMENTS_DIR/privkey.txt \
|
|
$FRAGMENTS_DIR/backup_pubkey.txt \
|
|
$FRAGMENTS_DIR/backup_privkey.txt > $KEYS_FILE
|
|
shred -zu $FRAGMENTS_DIR/privkey.txt
|
|
shred -zu $FRAGMENTS_DIR/pubkey.txt
|
|
shred -zu $FRAGMENTS_DIR/backup_privkey.txt
|
|
shred -zu $FRAGMENTS_DIR/backup_pubkey.txt
|
|
|
|
KEY_SHARES=$((KEY_FRAGMENTS * 2))
|
|
gfsplit -n $KEY_FRAGMENTS -m $KEY_SHARES $KEYS_FILE
|
|
if [ ! "$?" = "0" ]; then
|
|
echo $"Unable to split the gpg key"
|
|
rm -rf $FRAGMENTS_DIR
|
|
if [ -f $KEYS_FILE ]; then
|
|
shred -zu $KEYS_FILE
|
|
fi
|
|
exit 63028
|
|
fi
|
|
shred -zu $KEYS_FILE
|
|
|
|
# set permissions
|
|
chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR
|
|
chmod -R 600 $FRAGMENTS_DIR
|
|
|
|
echo $"$KEY_SHARES key shares created"
|
|
|
|
exit 0
|