Fixing gpg backups
parent
b277b5e570
commit
0aee39ae8a
|
@ -143,7 +143,7 @@ echo 'Subkey-Length: 4096' >> /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
echo "Name-Real: $ADD_USERNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
echo "Name-Real: $ADD_USERNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
echo "Name-Email: $ADD_USERNAME@$HOSTNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
echo "Name-Email: $ADD_USERNAME@$HOSTNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
echo 'Expire-Date: 0' >> /home/$ADD_USERNAME/gpg-genkey.conf
|
echo 'Expire-Date: 0' >> /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
echo "Passphrase: ''" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
echo "Passphrase: $NEW_USER_PASSWORD" >> /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/gpg-genkey.conf
|
chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/gpg-genkey.conf
|
||||||
su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - $ADD_USERNAME
|
su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - $ADD_USERNAME
|
||||||
chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg
|
chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg
|
||||||
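Review bot: The new `echo "Passphrase: $NEW_USER_PASSWORD" >> /home/$ADD_USERNAME/gpg-genkey.conf` writes the account's login password in plaintext into a file that root creates with the default umask before the later `chown`, and nothing in this hunk removes it after `--full-gen-key` (the backup-utils code in this same commit shreds its genkey.conf; if this function does so outside the hunk, disregard). Reusing the login password as the key passphrase also ties the two secrets together, so whoever recovers one has the other. I would pre-create the file with `install -m 0600 -o "$ADD_USERNAME" -g "$ADD_USERNAME" /dev/null "/home/$ADD_USERNAME/gpg-genkey.conf"` before the first `echo` and `shred -zu` it right after the gpg call. The enclosing function starts before this hunk.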
|
|
|
@ -1480,6 +1480,7 @@ function configure_imap_client_certs {
|
||||||
}
|
}
|
||||||
|
|
||||||
function create_gpg_subkey {
|
function create_gpg_subkey {
|
||||||
|
# Note: currently not used
|
||||||
if [ ! -d /etc/exim4 ]; then
|
if [ ! -d /etc/exim4 ]; then
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
@ -1508,7 +1509,7 @@ function create_gpg_subkey {
|
||||||
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Passphrase: $PROJECT_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
||||||
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
|
||||||
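Review bot: `echo "Passphrase: $PROJECT_NAME"` in create_gpg_subkey uses a public constant as the key passphrase, which offers no more protection than the empty passphrase it replaces while making the key look protected. Since the function is now marked "currently not used", either delete it or document the choice on that line with `# passphrase is a public constant: key is effectively unprotected` so it is not copied into live code as-is. The function's start lies outside this hunk.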
|
@ -1624,7 +1625,11 @@ function configure_gpg {
|
||||||
echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
|
if [ -f $IMAGE_PASSWORD_FILE ]; then
|
||||||
|
echo "Passphrase: $(printf `cat $IMAGE_PASSWORD_FILE`)" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
|
else
|
||||||
|
echo "Passphrase: $PROJECT_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
|
fi
|
||||||
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo $'Generating a new GPG key'
|
echo $'Generating a new GPG key'
|
||||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
||||||
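Review bot: `$(printf `cat $IMAGE_PASSWORD_FILE`)` hands the password to printf as its format string, so a password containing `%` or `\` is mangled or makes printf fail, and the unquoted backticks word-split it on whitespace; the passphrase written to gpg-genkey.conf would then not be the one the user was given. Replace the line with `echo "Passphrase: $(cat "$IMAGE_PASSWORD_FILE")" >> /home/$MY_USERNAME/gpg-genkey.conf`. The `else` branch falls back to `$PROJECT_NAME`, a public constant, which protects the key at rest no better than the empty passphrase it replaces — I would either fail loudly when the image password file is missing or spell the intent out with `%no-protection` so nobody mistakes the key for passphrase-protected. Whether the conf file is shredded after generation is not visible here; configure_gpg starts and ends outside this hunk.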
|
|
|
@ -31,6 +31,9 @@
|
||||||
# whether a given site is being suspended during backup
|
# whether a given site is being suspended during backup
|
||||||
SUSPENDED_SITE=
|
SUSPENDED_SITE=
|
||||||
|
|
||||||
|
# Dummy password used for the backup key
|
||||||
|
BACKUP_DUMMY_PASSWORD='backup'
|
||||||
|
|
||||||
function suspend_site {
|
function suspend_site {
|
||||||
# suspends a given website
|
# suspends a given website
|
||||||
SUSPENDED_SITE="$1"
|
SUSPENDED_SITE="$1"
|
||||||
|
@ -48,6 +51,22 @@ function restart_site {
|
||||||
SUSPENDED_SITE=
|
SUSPENDED_SITE=
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function backup_create_password {
|
||||||
|
BACKUP_PASSWORD_FILE=$(mktemp /tmp/fileXXXXX)
|
||||||
|
# Note: this doesn't need to be secure, it's just a way of
|
||||||
|
# getting around the forced interactivity of the gpg agent
|
||||||
|
echo -n "$BACKUP_DUMMY_PASSWORD" > $BACKUP_PASSWORD_FILE
|
||||||
|
}
|
||||||
|
|
||||||
|
function backup_remove_password {
|
||||||
|
if [ ! $BACKUP_PASSWORD_FILE ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
if [ -f $BACKUP_PASSWORD_FILE ]; then
|
||||||
|
shred -zu $BACKUP_PASSWORD_FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
function configure_backup_key {
|
function configure_backup_key {
|
||||||
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
||||||
return
|
return
|
||||||
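Review bot: The comment in `backup_create_password` says the dummy password "doesn't need to be secure", but later in this commit the same value protects the `--export-secret-key` output of the backup key, so it is the only thing between a leaked `backup_key_private.asc` and every backup encrypted with that key; the comment should state that, e.g. `# The backup key is effectively unprotected: this constant only satisfies gpg's passphrase prompt. The exported private key must be guarded by other means.` Also `mktemp` creates the temp file mode 0600 owned by the invoking root, while the gpg calls use `su … - $MY_USERNAME`; which user that form actually runs as is not obvious, and if it is `$MY_USERNAME` the file is unreadable to gpg — `chown "$MY_USERNAME" "$BACKUP_PASSWORD_FILE"` after creation avoids the question. In `backup_remove_password`, `[ ! $BACKUP_PASSWORD_FILE ]` should be `[ -z "$BACKUP_PASSWORD_FILE" ]`; the unquoted form misbehaves if the variable is empty or contains spaces.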
|
@ -59,6 +78,8 @@ function configure_backup_key {
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
backup_create_password
|
||||||
|
|
||||||
# Generate a GPG key for backups
|
# Generate a GPG key for backups
|
||||||
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
|
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
|
||||||
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
|
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
|
||||||
|
@ -70,16 +91,16 @@ function configure_backup_key {
|
||||||
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
|
|
||||||
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo $'Backup key does not exist. Creating it.'
|
echo $'Backup key does not exist. Creating it.'
|
||||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --passphrase-fd $BACKUP_PASSWORD_FILE --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
|
||||||
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
|
||||||
|
|
||||||
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
|
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
|
||||||
echo $'Checking that the Backup key was created'
|
echo $'Checking that the Backup key was created'
|
||||||
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
|
BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
|
||||||
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
|
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
|
||||||
|
backup_remove_password
|
||||||
echo $'Backup key could not be created'
|
echo $'Backup key could not be created'
|
||||||
exit 43382
|
exit 43382
|
||||||
fi
|
fi
|
||||||
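Review bot: `--passphrase-fd $BACKUP_PASSWORD_FILE` in the new `--full-gen-key` call passes a file path where gpg expects a numeric file descriptor, so the option is rejected or misread and the passphrase never reaches key generation; the intended option is `--passphrase-file "$BACKUP_PASSWORD_FILE"` (or `--passphrase-fd 0 < "$BACKUP_PASSWORD_FILE"`). On GnuPG 2.1+ the `--passphrase*` options are generally ignored unless `--pinentry-mode loopback` is also given, so the agent prompt this commit is trying to avoid may still appear — worth testing on the target Debian release. Since the `Passphrase:` line was dropped from gpg-genkey.conf anyway, `%no-protection` in the batch file would need no temp file at all and be honest about the key being unprotected. The `exit 43382` path now calls `backup_remove_password`, which is right; the function continues outside this hunk.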
|
@ -89,12 +110,14 @@ function configure_backup_key {
|
||||||
echo "Backup key: $MY_BACKUP_KEY_ID"
|
echo "Backup key: $MY_BACKUP_KEY_ID"
|
||||||
MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
|
MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
|
||||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
||||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --passphrase-fd $BACKUP_PASSWORD_FILE --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
||||||
if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
|
if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
|
||||||
|
backup_remove_password
|
||||||
echo 'Public backup key could not be exported'
|
echo 'Public backup key could not be exported'
|
||||||
exit 36829
|
exit 36829
|
||||||
fi
|
fi
|
||||||
if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
|
if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
|
||||||
|
backup_remove_password
|
||||||
echo 'Private backup key could not be exported'
|
echo 'Private backup key could not be exported'
|
||||||
exit 29235
|
exit 29235
|
||||||
fi
|
fi
|
||||||
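Review bot: The `--passphrase-fd $BACKUP_PASSWORD_FILE` on the `--export-secret-key` line has the same path-versus-descriptor problem as the key-generation call: it should read `--passphrase-file "$BACKUP_PASSWORD_FILE"` (with `--pinentry-mode loopback` on GnuPG 2.1+), otherwise the export fails (caught by the `exit 29235` check) or prompts. More importantly, `${MY_BACKUP_KEY}_private.asc` is now protected only by the repository constant `'backup'`, so anyone who obtains that file can decrypt every backup made with `--encrypt-with $MY_BACKUP_KEY_ID`; a comment above the export, `# NOTE: exported with the publicly known dummy passphrase — treat this file as an unencrypted secret`, would keep a future maintainer from assuming otherwise. The function continues outside this hunk.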
|
@ -105,6 +128,7 @@ function configure_backup_key {
|
||||||
|
|
||||||
shred -zu ${MY_BACKUP_KEY}_public.asc
|
shred -zu ${MY_BACKUP_KEY}_public.asc
|
||||||
shred -zu ${MY_BACKUP_KEY}_private.asc
|
shred -zu ${MY_BACKUP_KEY}_private.asc
|
||||||
|
backup_remove_password
|
||||||
|
|
||||||
mark_completed $FUNCNAME
|
mark_completed $FUNCNAME
|
||||||
}
|
}
|
||||||
|
@ -258,10 +282,10 @@ function backup_directory_to_usb {
|
||||||
mkdir -p $USB_MOUNT/backup/${2}
|
mkdir -p $USB_MOUNT/backup/${2}
|
||||||
fi
|
fi
|
||||||
set_obnam_client_name
|
set_obnam_client_name
|
||||||
obnam force-lock -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam force-lock -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
||||||
obnam backup -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam backup -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
||||||
if [[ $ENABLE_BACKUP_VERIFICATION == "yes" ]]; then
|
if [[ $ENABLE_BACKUP_VERIFICATION == "yes" ]]; then
|
||||||
obnam verify -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam verify -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
|
||||||
if [ ! "$?" = "0" ]; then
|
if [ ! "$?" = "0" ]; then
|
||||||
umount $USB_MOUNT
|
umount $USB_MOUNT
|
||||||
rm -rf $USB_MOUNT
|
rm -rf $USB_MOUNT
|
||||||
|
@ -274,7 +298,7 @@ function backup_directory_to_usb {
|
||||||
exit 683252
|
exit 683252
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
obnam forget --keep=30d -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam forget --keep=30d -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID
|
||||||
if [ ! "$?" = "0" ]; then
|
if [ ! "$?" = "0" ]; then
|
||||||
umount $USB_MOUNT
|
umount $USB_MOUNT
|
||||||
rm -rf $USB_MOUNT
|
rm -rf $USB_MOUNT
|
||||||
|
@ -308,7 +332,7 @@ function restore_directory_from_usb {
|
||||||
mkdir ${1}
|
mkdir ${1}
|
||||||
fi
|
fi
|
||||||
set_obnam_client_name
|
set_obnam_client_name
|
||||||
obnam restore -r $USB_MOUNT/backup/${2} --to ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam restore -r $USB_MOUNT/backup/${2} --to ${1}
|
||||||
}
|
}
|
||||||
|
|
||||||
function restore_directory_from_friend {
|
function restore_directory_from_friend {
|
||||||
|
@ -326,7 +350,7 @@ function restore_directory_from_friend {
|
||||||
mkdir ${1}
|
mkdir ${1}
|
||||||
fi
|
fi
|
||||||
set_obnam_client_name
|
set_obnam_client_name
|
||||||
obnam restore -r $SERVER_DIRECTORY/backup/${2} --to ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam restore -r $SERVER_DIRECTORY/backup/${2} --to ${1}
|
||||||
}
|
}
|
||||||
|
|
||||||
function backup_database_to_usb {
|
function backup_database_to_usb {
|
||||||
|
@ -365,10 +389,10 @@ function backup_directory_to_friend {
|
||||||
mkdir -p $SERVER_DIRECTORY/backup/${2}
|
mkdir -p $SERVER_DIRECTORY/backup/${2}
|
||||||
fi
|
fi
|
||||||
set_obnam_client_name
|
set_obnam_client_name
|
||||||
obnam force-lock -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam force-lock -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
||||||
obnam backup -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam backup -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
||||||
if [[ $ENABLE_VERIFICATION == "yes" ]]; then
|
if [[ $ENABLE_VERIFICATION == "yes" ]]; then
|
||||||
obnam verify -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam verify -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
|
||||||
if [ ! "$?" = "0" ]; then
|
if [ ! "$?" = "0" ]; then
|
||||||
if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
|
if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
|
||||||
shred -zu /root/temp${2}/*
|
shred -zu /root/temp${2}/*
|
||||||
|
@ -381,7 +405,7 @@ function backup_directory_to_friend {
|
||||||
exit 953
|
exit 953
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
obnam forget --keep=30d -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID}
|
echo "$BACKUP_DUMMY_PASSWORD" | obnam forget --keep=30d -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID}
|
||||||
if [ ! "$?" = "0" ]; then
|
if [ ! "$?" = "0" ]; then
|
||||||
if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
|
if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
|
||||||
shred -zu /root/temp${2}/*
|
shred -zu /root/temp${2}/*
|
||||||
|
|