From 490f5fca7fa29b48877cad56f2bb62cbefe7cb84 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 27 Oct 2016 11:14:31 +0100 Subject: [PATCH] Consolidate key recovery --- src/freedombone-config | 135 ------------------------------ src/freedombone-recoverkey | 154 ---------------------------------- src/freedombone-utils-keys | 166 +++++++++++++++++++++++++++++++++++++ 3 files changed, 166 insertions(+), 289 deletions(-) create mode 100755 src/freedombone-utils-keys diff --git a/src/freedombone-config b/src/freedombone-config index 7f3f89fe..0849c56c 100755 --- a/src/freedombone-config +++ b/src/freedombone-config 
@@ -920,141 +920,6 @@ function interactive_gpg_from_remote { return 0 } -function reconstruct_key { - if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then - return - fi - cd /home/$MY_USERNAME/.gnupg_fragments - no_of_shares=$(ls -afq keyshare.asc.* | wc -l) - if (( no_of_shares < 4 )); then - dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 - exit 7348 - fi - apt-get -yq install libgfshare-bin gnupg - gfcombine /home/$MY_USERNAME/.gnupg_fragments/keyshare* - if [ ! "$?" = "0" ]; then - dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 - exit 7348 - fi - - KEYS_FILE=/home/$MY_USERNAME/.gnupg_fragments/keyshare.asc - if [ ! -f $KEYS_FILE ]; then - dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 - fi - - su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME - if [ ! "$?" = "0" ]; then - echo $'Unable to import gpg key' - shred -zu $KEYS_FILE - rm -rf /home/$MY_USERNAME/.tempgnupg - exit 9654 - fi - shred -zu $KEYS_FILE - - dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70 -} - -function interactive_gpg_from_usb { - dialog --title $"Recover Encryption Keys" \ - --msgbox $'Plug in a USB keydrive containing a copy of your full key or key fragment' 6 70 - - HOME_DIR=/home/$MY_USERNAME - GPG_LOADING="yes" - SSH_IMPORTED="no" - GPG_CTR=0 - while [[ $GPG_LOADING == "yes" ]] - do - detect_usb_drive - - if [ ! -b $USB_DRIVE ]; then - if (( GPG_CTR > 0 )); then - reconstruct_key - return 0 - fi - dialog --title $"Recover Encryption Keys" --msgbox $'No USB drive found' 6 30 - exit 739836 - fi - - GPG_USB_MOUNT='/mnt/usb' - umount -f $GPG_USB_MOUNT - if [ ! -d $GPG_USB_MOUNT ]; then - mkdir -p $GPG_USB_MOUNT - fi - - if [ -f /dev/mapper/encrypted_usb ]; then - rm -rf /dev/mapper/encrypted_usb - fi - cryptsetup luksClose encrypted_usb - cryptsetup luksOpen $USB_DRIVE encrypted_usb - if [ "$?" 
= "0" ]; then - USB_DRIVE=/dev/mapper/encrypted_usb - fi - mount $USB_DRIVE $GPG_USB_MOUNT - if [ ! "$?" = "0" ]; then - if (( GPG_CTR > 0 )); then - rm -rf $GPG_USB_MOUNT - reconstruct_key - return 0 - fi - dialog --title $"Recover Encryption Keys" \ - --msgbox $"There was a problem mounting the USB drive to $GPG_USB_MOUNT" 6 70 - rm -rf $GPG_USB_MOUNT - exit 74393 - fi - - if [ ! -d $GPG_USB_MOUNT/.gnupg ]; then - if [ ! -d $GPG_USB_MOUNT/.gnupg_fragments ]; then - if (( GPG_CTR > 0 )); then - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - reconstruct_key - return 0 - fi - dialog --title $"Recover Encryption Keys" \ - --msgbox $"The directory $GPG_USB_MOUNT/.gnupg or $GPG_USB_MOUNT/.gnupg_fragments was not found" 6 70 - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - exit 723814 - fi - fi - - if [ -d $GPG_USB_MOUNT/.gnupg ]; then - if [ ! -d $HOME_DIR/.gnupg ]; then - mkdir $HOME_DIR/.gnupg - fi - cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg - GPG_LOADING="no" - dialog --title $"Recover Encryption Keys" \ - --msgbox $"GPG Keyring loaded to $HOME_DIR" 6 70 - else - if [ ! -d $HOME_DIR/.gnupg_fragments ]; then - mkdir $HOME_DIR/.gnupg_fragments - fi - cp -r $GPG_USB_MOUNT/.gnupg_fragments/* $HOME_DIR/.gnupg_fragments - fi - - if [[ $SSH_IMPORTED == "no" ]]; then - if [ -d $GPG_USB_MOUNT/.ssh ]; then - if [ ! -d $HOME_DIR/.ssh ]; then - mkdir $HOME_DIR/.ssh - fi - cp $GPG_USB_MOUNT/.ssh/* $HOME_DIR/.ssh - dialog --title $"Recover Encryption Keys" \ - --msgbox $"ssh keys imported" 6 70 - SSH_IMPORTED="yes" - fi - fi - - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - if [[ $GPG_LOADING == "yes" ]]; then - dialog --title $"Recover Encryption Keys" \ - --msgbox $"Now remove the USB drive. Insert the next drive containing a key fragment, or select Ok to finish" 6 70 - fi - GPG_CTR=$((GPG_CTR + 1)) - done -} - function interactive_gpg { GPG_CONFIGURED="no" while [[ $GPG_CONFIGURED != "yes" ]] 
diff --git a/src/freedombone-recoverkey b/src/freedombone-recoverkey index db5e6ecb..741999e9 100755 --- a/src/freedombone-recoverkey +++ b/src/freedombone-recoverkey 
@@ -108,160 +108,6 @@ fi FRAGMENTS_DIR=/home/$MY_USERNAME/.gnupg_fragments -function reconstruct_key { - if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then - return - fi - cd /home/$MY_USERNAME/.gnupg_fragments - no_of_shares=$(ls -afq keyshare.asc.* | wc -l) - if (( no_of_shares < 4 )); then - dialog --title $"Encryption keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 - exit 7348 - fi - apt-get -yq install libgfshare-bin gnupg - gfcombine /home/$MY_USERNAME/.gnupg_fragments/keyshare* - if [ ! "$?" = "0" ]; then - dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70 - exit 7348 - fi - - KEYS_FILE=/home/$MY_USERNAME/.gnupg_fragments/keyshare.asc - if [ ! -f $KEYS_FILE ]; then - dialog --title $"Encryption keys" --msgbox $'Unable to reconstruct the key' 6 70 - fi - - su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME - if [ ! "$?" = "0" ]; then - echo $'Unable to import gpg key' - shred -zu $KEYS_FILE - rm -rf /home/$MY_USERNAME/.tempgnupg - exit 9654 - fi - shred -zu $KEYS_FILE - - dialog --title $"Encryption keys" --msgbox $'Key has been reconstructed' 6 70 -} - -function interactive_gpg_from_usb { - dialog --title $"Encryption keys" \ - --msgbox $'Plug in a USB drive containing a copy of your full key or key fragment' 6 70 - - HOME_DIR=/home/$MY_USERNAME - GPG_LOADING="yes" - SSH_IMPORTED="no" - GPG_CTR=0 - while [[ $GPG_LOADING == "yes" ]] - do - if [ ! -b $GPG_USB_DRIVE ]; then - GPG_USB_DRIVE='/dev/sdc1' - if [ ! -b $GPG_USB_DRIVE ]; then - GPG_USB_DRIVE='/dev/sdd1' - if [ ! -b $GPG_USB_DRIVE ]; then - if (( GPG_CTR > 0 )); then - reconstruct_key - return 0 - fi - dialog --title $"Encryption keys" --msgbox $'No USB drive found' 6 30 - exit 27852 - fi - fi - fi - - GPG_USB_MOUNT='/mnt/usb' - umount -f $GPG_USB_MOUNT - if [ ! 
-d $GPG_USB_MOUNT ]; then - mkdir -p $GPG_USB_MOUNT - fi - - if [ -f /dev/mapper/encrypted_usb ]; then - rm -rf /dev/mapper/encrypted_usb - fi - cryptsetup luksClose encrypted_usb - cryptsetup luksOpen $GPG_USB_DRIVE encrypted_usb - if [ "$?" = "0" ]; then - GPG_USB_DRIVE=/dev/mapper/encrypted_usb - fi - mount $GPG_USB_DRIVE $GPG_USB_MOUNT - if [ ! "$?" = "0" ]; then - if (( GPG_CTR > 0 )); then - rm -rf $GPG_USB_MOUNT - reconstruct_key - return 0 - fi - dialog --title $"Encryption keys" \ - --msgbox $"There was a problem mounting the USB drive to $GPG_USB_MOUNT" 6 70 - rm -rf $GPG_USB_MOUNT - exit 74393 - fi - - if [ ! -d $GPG_USB_MOUNT/.gnupg ]; then - if [ ! -d $GPG_USB_MOUNT/.gnupg_fragments ]; then - if (( GPG_CTR > 0 )); then - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - reconstruct_key - return 0 - fi - if [[ "$GPG_USB_DRIVE" == *"sda1" ]]; then - GPG_USB_DRIVE=/dev/sdb1 - write_config_param USB_DRIVE "$GPG_USB_DRIVE" - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - ${PROJECT_NAME}-recoverkey -u "$MY_USERNAME" -d sdb - exit 0 - else - dialog --title $"Encryption keys" \ - --msgbox $"The directory $GPG_USB_MOUNT/.gnupg or $GPG_USB_MOUNT/.gnupg_fragments was not found" 6 70 - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - exit 723814 - fi - fi - fi - - if [ -d $GPG_USB_MOUNT/.gnupg ]; then - if [ ! -d $HOME_DIR/.gnupg ]; then - mkdir $HOME_DIR/.gnupg - fi - if [ -d $GPG_USB_MOUNT/letsencrypt ]; then - test -r $GPG_USB_MOUNT/letsencrypt - if [ $? -ne ]; then - cp -rf $GPG_USB_MOUNT/letsencrypt /etc - fi - fi - cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg - GPG_LOADING="no" - dialog --title $"Encryption keys" \ - --msgbox $"GPG Keyring loaded to $HOME_DIR" 6 70 - else - if [ ! -d $HOME_DIR/.gnupg_fragments ]; then - mkdir $HOME_DIR/.gnupg_fragments - fi - cp -r $GPG_USB_MOUNT/.gnupg_fragments/* $HOME_DIR/.gnupg_fragments - fi - - if [[ $SSH_IMPORTED == "no" ]]; then - if [ -d $GPG_USB_MOUNT/.ssh ]; then - if [ ! 
-d $HOME_DIR/.ssh ]; then - mkdir $HOME_DIR/.ssh - fi - cp $GPG_USB_MOUNT/.ssh/* $HOME_DIR/.ssh - dialog --title $"Encryption keys" \ - --msgbox $"ssh keys imported" 6 70 - SSH_IMPORTED="yes" - fi - fi - - umount -f $GPG_USB_MOUNT - rm -rf $GPG_USB_MOUNT - if [[ $GPG_LOADING == "yes" ]]; then - dialog --title $"Encryption keys" \ - --msgbox $"Now remove the USB drive. Insert the next drive containing a key fragment, or select Ok to finish" 6 70 - fi - GPG_CTR=$((GPG_CTR + 1)) - done -} - # if no remote backup list was given then assume recover from USB if [ ! $FRIENDS_SERVERS_LIST ]; then interactive_gpg_from_usb diff --git a/src/freedombone-utils-keys b/src/freedombone-utils-keys new file mode 100755 index 00000000..7b45bc83 --- /dev/null +++ b/src/freedombone-utils-keys 
@@ -0,0 +1,166 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Encryption key related functions + +# License +# ======= +# +# Copyright (C) 2015-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function reconstruct_key { + if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then + return + fi + cd /home/$MY_USERNAME/.gnupg_fragments + no_of_shares=$(ls -afq keyshare.asc.* | wc -l) + if (( no_of_shares < 4 )); then + dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 + exit 7348 + fi + apt-get -yq install libgfshare-bin gnupg + gfcombine /home/$MY_USERNAME/.gnupg_fragments/keyshare* + if [ ! "$?" = "0" ]; then + dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 + exit 7348 + fi + + KEYS_FILE=/home/$MY_USERNAME/.gnupg_fragments/keyshare.asc + if [ ! -f $KEYS_FILE ]; then + dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 + fi + + su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME + if [ ! "$?" 
= "0" ]; then + echo $'Unable to import gpg key' + shred -zu $KEYS_FILE + rm -rf /home/$MY_USERNAME/.tempgnupg + exit 9654 + fi + shred -zu $KEYS_FILE + + dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70 +} + +function interactive_gpg_from_usb { + dialog --title $"Recover Encryption Keys" \ + --msgbox $'Plug in a USB keydrive containing a copy of your full key or key fragment' 6 70 + + HOME_DIR=/home/$MY_USERNAME + GPG_LOADING="yes" + SSH_IMPORTED="no" + GPG_CTR=0 + while [[ $GPG_LOADING == "yes" ]] + do + detect_usb_drive + + if [ ! -b $USB_DRIVE ]; then + if (( GPG_CTR > 0 )); then + reconstruct_key + return 0 + fi + dialog --title $"Recover Encryption Keys" --msgbox $'No USB drive found' 6 30 + exit 739836 + fi + + GPG_USB_MOUNT='/mnt/usb' + umount -f $GPG_USB_MOUNT + if [ ! -d $GPG_USB_MOUNT ]; then + mkdir -p $GPG_USB_MOUNT + fi + + if [ -f /dev/mapper/encrypted_usb ]; then + rm -rf /dev/mapper/encrypted_usb + fi + cryptsetup luksClose encrypted_usb + cryptsetup luksOpen $USB_DRIVE encrypted_usb + if [ "$?" = "0" ]; then + USB_DRIVE=/dev/mapper/encrypted_usb + fi + mount $USB_DRIVE $GPG_USB_MOUNT + if [ ! "$?" = "0" ]; then + if (( GPG_CTR > 0 )); then + rm -rf $GPG_USB_MOUNT + reconstruct_key + return 0 + fi + dialog --title $"Recover Encryption Keys" \ + --msgbox $"There was a problem mounting the USB drive to $GPG_USB_MOUNT" 6 70 + rm -rf $GPG_USB_MOUNT + exit 74393 + fi + + if [ ! -d $GPG_USB_MOUNT/.gnupg ]; then + if [ ! -d $GPG_USB_MOUNT/.gnupg_fragments ]; then + if (( GPG_CTR > 0 )); then + umount -f $GPG_USB_MOUNT + rm -rf $GPG_USB_MOUNT + reconstruct_key + return 0 + fi + dialog --title $"Recover Encryption Keys" \ + --msgbox $"The directory $GPG_USB_MOUNT/.gnupg or $GPG_USB_MOUNT/.gnupg_fragments was not found" 6 70 + umount -f $GPG_USB_MOUNT + rm -rf $GPG_USB_MOUNT + exit 723814 + fi + fi + + if [ -d $GPG_USB_MOUNT/.gnupg ]; then + if [ ! 
-d $HOME_DIR/.gnupg ]; then + mkdir $HOME_DIR/.gnupg + fi + cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg + GPG_LOADING="no" + dialog --title $"Recover Encryption Keys" \ + --msgbox $"GPG Keyring loaded to $HOME_DIR" 6 70 + else + if [ ! -d $HOME_DIR/.gnupg_fragments ]; then + mkdir $HOME_DIR/.gnupg_fragments + fi + cp -r $GPG_USB_MOUNT/.gnupg_fragments/* $HOME_DIR/.gnupg_fragments + fi + + if [[ $SSH_IMPORTED == "no" ]]; then + if [ -d $GPG_USB_MOUNT/.ssh ]; then + if [ ! -d $HOME_DIR/.ssh ]; then + mkdir $HOME_DIR/.ssh + fi + cp $GPG_USB_MOUNT/.ssh/* $HOME_DIR/.ssh + dialog --title $"Recover Encryption Keys" \ + --msgbox $"ssh keys imported" 6 70 + SSH_IMPORTED="yes" + fi + fi + + umount -f $GPG_USB_MOUNT + rm -rf $GPG_USB_MOUNT + if [[ $GPG_LOADING == "yes" ]]; then + dialog --title $"Recover Encryption Keys" \ + --msgbox $"Now remove the USB drive. Insert the next drive containing a key fragment, or select Ok to finish" 6 70 + fi + GPG_CTR=$((GPG_CTR + 1)) + done +} + +# NOTE: deliberately there is no "exit 0"
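Review bot: In reconstruct_key the `if [ ! -f $KEYS_FILE ]` branch only shows the "Unable to reconstruct the key" dialog and then falls through to the `su -c "gpg ... --import $KEYS_FILE"` and `shred -zu $KEYS_FILE` calls, whereas the gfcombine-failure branch directly above it exits; adding `exit 7348` after that msgbox reports the missing result once instead of as a second "Unable to import gpg key" failure against a file that does not exist. The recombined keyshare.asc is written by gfcombine under the caller's umask (root, given the apt-get/mount/cryptsetup calls) and is then read by gpg running as `$MY_USERNAME`, which presumably only works because the file is created world-readable, so the plaintext secret key is exposed to other local users until it is shredded; `umask 077` before gfcombine plus `chown "$MY_USERNAME" "$KEYS_FILE"` before the `su` closes that window while keeping the import working. The same ownership problem appears in interactive_gpg_from_usb, where `mkdir $HOME_DIR/.gnupg`, `cp -r $GPG_USB_MOUNT/.gnupg/* $HOME_DIR/.gnupg` and the `.ssh` copy leave root-owned files and directories in the user's home that gpg and ssh running as the user are unlikely to be able to use, unless a caller fixes ownership afterwards (nothing in this file does); `chown -R "$MY_USERNAME":"$MY_USERNAME"` and `chmod 700` on each target directory after its copy is the usual repair. The LUKS mapping opened with `cryptsetup luksOpen $USB_DRIVE encrypted_usb` is only closed at the top of the next loop iteration, so after the last drive it stays open once the mount is gone; `cryptsetup luksClose encrypted_usb` after the final `umount -f $GPG_USB_MOUNT` in the loop would release it. The unquoted expansions of `$MY_USERNAME`, `$USB_DRIVE` and `$KEYS_FILE` throughout both functions would also be flagged by shellcheck and are worth quoting while the code is being moved.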