free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use libgfshare for key splitting

This commit is contained in:
Bob Mottram 2015-07-02 21:43:17 +01:00
parent 7b6cd7ad38
commit 02bd649d8a
4 changed files with 37 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
man/freedombone-splitkey.1.gz
View File

Binary file not shown.

24
src/freedombone
View File

@ -1702,7 +1702,7 @@ function create_backup_script {
if grep -Fxq "create_backup_script" $COMPLETION_FILE; then if grep -Fxq "create_backup_script" $COMPLETION_FILE; then
return return
fi fi
apt-get -y install rsyncrypto cryptsetup ssss apt-get -y install rsyncrypto cryptsetup libgfshare-bin
get_mariadb_password get_mariadb_password
get_mariadb_gnusocial_admin_password get_mariadb_gnusocial_admin_password
@ -3782,7 +3782,7 @@ function backup_to_friends_servers {
# we just need to rsync it to each friend # we just need to rsync it to each friend
echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -3810,22 +3810,20 @@ function backup_to_friends_servers {
if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$(ls -afq data* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' if [[ ${no_of_fragments} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_files=(/home/$MY_USERNAME/.gnupg_fragments/data*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_filename=${key_files[ctr]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' share_filename=${key_files[ctr_share]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' ctrb=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/data" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " sed \"$ctrbq;d\" /home/$MY_USERNAME/.gnupg_fragments/shares.txt > /home/$MY_USERNAME/tempkey/.gnupg_fragments/share.txt" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cp $key_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo " rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' ctr=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' ctr_share=$((ctr_share + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' if [[ ${ctr} >= ${no_of_fragments} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' if [[ ${ctr_share} >= ${no_of_shares} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME

29
src/freedombone-recoverkey
View File

@ -76,30 +76,17 @@ if [ ! -d $FRAGMENTS_DIR ]; then
exit 7483 exit 7483
fi fi
# join the fragments
if [ ! -d /home/$MY_USERNAME/.tempgnupg ]; then
mkdir /home/$MY_USERNAME/.tempgnupg
fi
KEYS_FILE=/home/$MY_USERNAME/.tempgnupg/tempfile.asc
cat $FRAGMENTS_DIR/data* > $KEYS_FILE.gpg
if [ ! "$?" = "0" ]; then
echo 'Unable to find key fragments'
exit 8727
fi
# decrypt the file # decrypt the file
cd /home/$MY_USERNAME/.tempgnupg KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
gpg -d $KEYS_FILE.gpg -o $KEYS_FILE cd $FRAGMENTS_DIR
if [ ! "$?" = "0" ]; then gfcombine $KEYS_FILE.*
echo 'Unable to decrypt data. This may mean that not enough fragments are available'
if [ ! -f $KEYS_FILE ]; then
echo 'Unable to decrypt key. This may mean that not enough fragments are available'
exit 6283 exit 6283
fi fi
shred -zu $KEYS_FILE.gpg
if [ ! -f $KEYS_FILE ]; then echo 'Key fragments recombined'
echo 'Unable to find decrypted key file. This may mean that not enough fragments are available'
exit 8358
fi
echo 'Key fragments decrypted'
# import the gpg key # import the gpg key
su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME

63
src/freedombone-splitkey
View File

@ -37,11 +37,10 @@
KEY_FRAGMENTS=3 KEY_FRAGMENTS=3
MY_USERNAME= MY_USERNAME=
MY_EMAIL_ADDRESS= MY_EMAIL_ADDRESS=
PASSPHRASE=
function show_help { function show_help {
echo '' echo ''
echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address] -p [passphrase]' echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address]'
echo '' echo ''
exit 0 exit 0
} }
@ -66,10 +65,6 @@ case $key in
shift shift
MY_EMAIL_ADDRESS=$1 MY_EMAIL_ADDRESS=$1
;; ;;
-p|--passphrase)
shift
PASSPHRASE=$1
;;
*) *)
# unknown option # unknown option
;; ;;
@ -103,60 +98,38 @@ KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - \
$MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
# create the key file # create the key file
KEYS_FILE=/home/$MY_USERNAME/tempdatafile.asc mkdir -p $FRAGMENTS_DIR
gpg --output /home/$MY_USERNAME/pubkey.txt --armor --export $KEYID KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
gpg --output $FRAGMENTS_DIR/pubkey.txt --armor --export $KEYID
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo "Unable to extract public key for $KEYID" echo "Unable to extract public key for $KEYID"
exit 7835 exit 7835
fi fi
gpg --output /home/$MY_USERNAME/privkey.txt --armor --export-secret-key $KEYID gpg --output $FRAGMENTS_DIR/privkey.txt --armor --export-secret-key $KEYID
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo "Unable to extract private key for $KEYID" echo "Unable to extract private key for $KEYID"
exit 7823 exit 7823
fi fi
cat /home/$MY_USERNAME/pubkey.txt /home/$MY_USERNAME/privkey.txt > $KEYS_FILE cat $FRAGMENTS_DIR/pubkey.txt $FRAGMENTS_DIR/privkey.txt > $KEYS_FILE
shred -zu /home/$MY_USERNAME/privkey.txt shred -zu $FRAGMENTS_DIR/privkey.txt
shred -zu /home/$MY_USERNAME/pubkey.txt shred -zu $FRAGMENTS_DIR/pubkey.txt
# generate a random passphrase if one isn't supplied KEY_SHARES=$((KEY_FRAGMENTS * 2))
if [ ! $PASSPHRASE ]; then gfsplit -n $KEY_FRAGMENTS -m $KEY_SHARES $KEYS_FILE
PASSPHRASE="$(openssl rand -base64 100)"
fi
# encrypt the keys file with a passphrase
echo "$PASSPHRASE" | gpg --passphrase-fd 0 --output $KEYS_FILE.gpg --symmetric $KEYS_FILE
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
echo "Unable to encrypt the data prior to splitting" echo "Unable to split the gpg key"
exit 7352 rm -rf $FRAGMENTS_DIR
if [ -f $KEYS_FILE ]; then
shred -zu $KEYS_FILE
fi
exit 63028
fi fi
shred -zu $KEYS_FILE shred -zu $KEYS_FILE
# split the passphrase into shares # set permissions
echo "$PASSPHRASE" | ssss-split -q -t $KEY_FRAGMENTS -n $KEY_FRAGMENTS > \
/home/$MY_USERNAME/.gnupg_fragments/shares.txt
# (maybe) overwrite passphrase after use
PASSPHRASE="$(openssl rand -base64 100)"
# check that passphrase shares were created
if [ ! -f /home/$MY_USERNAME/.gnupg_fragments/shares.txt ]; then
echo 'Passphrase for key fragments could not be split'
shred -zu $KEYS_FILE.gpg
exit 74549
fi
# generate fragments
GPG_KEYS_SIZE_BYTES=$(wc -c <"$KEYS_FILE.gpg")
GPG_BYTES_PER_FRAGMENT=$((GPG_KEYS_SIZE_BYTES / KEY_FRAGMENTS))
GPG_BYTES_PER_FRAGMENT=$((GPG_BYTES_PER_FRAGMENT + 1))
mkdir -p $FRAGMENTS_DIR
split --bytes=$GPG_BYTES_PER_FRAGMENT $KEYS_FILE.gpg $FRAGMENTS_DIR/data
chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR
chmod -R 600 $FRAGMENTS_DIR chmod -R 600 $FRAGMENTS_DIR
# delete the keys file echo "$KEY_SHARES key shares created"
shred -zu $KEYS_FILE.gpg
echo "$KEY_FRAGMENTS key fragments created"
exit 0 exit 0