freedombone/src/freedombone-splitkey

#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# A script which splits a user's gpg key into fragments which
# may then be shared
#
# To get a random fragment
# get a random fragment
#     fragment_files=($FRAGMENTS_DIR/*)
#     FRAGMENT_FILE="${files[RANDOM % ${#files[@]}]}"
#
# License
# =======
#
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-splitkey
export TEXTDOMAINDIR="/usr/share/locale"

# Dummy password to get around not being able to create a key without passphrase
BACKUP_DUMMY_PASSWORD='backup'

KEY_FRAGMENTS=3
MY_USERNAME=
MY_EMAIL_ADDRESS=
MY_NAME=
PASSWORD_FILE=

function show_help {
    echo ''
    echo $"${PROJECT_NAME}-splitkey -u [username] -n [number of fragments] -e [email address] --fullname [Full name]"
    echo ''
    exit 0
}

while [ $# -gt 1 ]
do
key="$1"

case $key in
    -h|--help)
    show_help
    ;;
    -u|--user)
    shift
    MY_USERNAME="$1"
    ;;
    -n|--fragments)
    shift
    KEY_FRAGMENTS=$1
    ;;
    -e|--email)
    shift
    MY_EMAIL_ADDRESS=$1
    ;;
    --fullname)
    shift
    MY_NAME=$1
    ;;
    --passwordfile)
    shift
    PASSWORD_FILE=$1
    ;;
    *)
    # unknown option
    ;;
esac
shift
done

if [ ! "$MY_USERNAME" ]; then
    show_help
fi
if [ ! -d "/home/$MY_USERNAME" ]; then
    echo $"User $MY_USERNAME does not exist on the system"
    exit 7270
fi

if [ ! -d "/home/$MY_USERNAME/.gnupg" ]; then
    echo $'No gpg key found'
    exit 5393
fi

if [ "$PASSWORD_FILE" ]; then
    if [ ! -f "$PASSWORD_FILE" ]; then
        echo $'Password file not found'
        exit 62952
    fi
fi

FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments
if [ -d "$FRAGMENTS_DIR" ]; then
    exit 0
fi

# get the gpg key ID
if [ ! "$MY_EMAIL_ADDRESS" ]; then
    MY_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME
fi

KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS" - "$MY_USERNAME" | sed -n '2p' | sed 's/^[ \t]*//')
if [ ${#KEYID} -lt 4 ]; then
    echo $"gpg key for $MY_EMAIL_ADDRESS was not found"
    exit 3682
fi

MY_BACKUP_KEY_ID=$(gpg --list-keys "$MY_NAME (backup key)" | sed -n '2p' | sed 's/^[ \t]*//')
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
    echo $"gpg backup key for '$MY_NAME' was not found"
    exit 58213
fi

# create the key file
mkdir -p "$FRAGMENTS_DIR"
chown "$MY_USERNAME":"$MY_USERNAME" "$FRAGMENTS_DIR"
KEYS_FILE="$FRAGMENTS_DIR/keyshare.asc"
if ! gpg --output "$FRAGMENTS_DIR/pubkey.txt" --armor --export "$KEYID"; then
    echo $"Unable to extract public key for $KEYID"
    exit 7835
fi
if [ ! "$PASSWORD_FILE" ]; then
    gpg --output "$FRAGMENTS_DIR/privkey.txt" \
        --armor --export-secret-key "$KEYID"
else
    # shellcheck disable=SC2005
    echo "$(printf "%s" "$(cat "$PASSWORD_FILE")")" | \
        gpg --batch --passphrase-fd 0 \
        --output "$FRAGMENTS_DIR/privkey.txt" \
        --armor --export-secret-key "$KEYID"
fi
# shellcheck disable=SC2181
if [ ! "$?" = "0" ]; then
    echo $"Unable to extract private key for $KEYID"
    exit 7823
fi
if ! gpg --output "$FRAGMENTS_DIR/backup_pubkey.txt" \
    --armor --export "$MY_BACKUP_KEY_ID"; then
    shred -zu "$FRAGMENTS_DIR/privkey.txt"
    echo $"Unable to extract backup public key for $MY_BACKUP_KEY_ID"
    exit 62928
fi
echo "$BACKUP_DUMMY_PASSWORD" | \
if ! gpg --output "$FRAGMENTS_DIR/backup_privkey.txt" \
        --batch --passphrase-fd 0 \
        --armor --export-secret-key "$MY_BACKUP_KEY_ID"; then
    shred -zu "$FRAGMENTS_DIR/privkey.txt"
    echo $"Unable to extract backup private key for $MY_BACKUP_KEY_ID"
    exit 13783
fi

# Ensure there aren't any permissions problems when running cat
chmod +r "$FRAGMENTS_DIR/privkey.txt"
chmod +r "$FRAGMENTS_DIR/backup_privkey.txt"

cat "$FRAGMENTS_DIR/pubkey.txt" \
    "$FRAGMENTS_DIR/privkey.txt" \
    "$FRAGMENTS_DIR/backup_pubkey.txt" \
    "$FRAGMENTS_DIR/backup_privkey.txt" > "$KEYS_FILE"
shred -zu "$FRAGMENTS_DIR/privkey.txt"
shred -zu "$FRAGMENTS_DIR/pubkey.txt"
shred -zu "$FRAGMENTS_DIR/backup_privkey.txt"
shred -zu "$FRAGMENTS_DIR/backup_pubkey.txt"

KEY_SHARES=$((KEY_FRAGMENTS * 2))
if ! gfsplit -n "$KEY_FRAGMENTS" -m $KEY_SHARES "$KEYS_FILE"; then
    echo $"Unable to split the gpg key"
    rm -rf "$FRAGMENTS_DIR"
    if [ -f "$KEYS_FILE" ]; then
        shred -zu "$KEYS_FILE"
    fi
    exit 63028
fi
shred -zu "$KEYS_FILE"

# set permissions
chown -R "$MY_USERNAME":"$MY_USERNAME" "$FRAGMENTS_DIR"
chmod -R 600 "$FRAGMENTS_DIR"

echo $"$KEY_SHARES key shares created"

exit 0