Beginning of social key management
This commit is contained in:
parent
8de6162e19
commit
a87f61c756
@ -381,6 +381,9 @@ CJDNS_PORT=
ENABLE_BATMAN="no"
ENABLE_BATMAN="no"
BATMAN_IPV6=
BATMAN_IPV6=
# social key management
ENABLE_SOCIAL_KEY_MANAGEMENT="no"
function show_help {
function show_help {
echo ''
echo ''
echo 'freedombone -c [configuration file]'
echo 'freedombone -c [configuration file]'
@ -716,6 +719,9 @@ function read_configuration {
fi
fi
if [ -f $CONFIGURATION_FILE ]; then
if [ -f $CONFIGURATION_FILE ]; then
if grep -q "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE; then
ENABLE_SOCIAL_KEY_MANAGEMENT=$(grep "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then
if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then
IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
fi
fi
@ -1696,7 +1702,7 @@ function create_backup_script {
if grep -Fxq "create_backup_script" $COMPLETION_FILE; then
if grep -Fxq "create_backup_script" $COMPLETION_FILE; then
return
return
fi
fi
apt-get -y install rsyncrypto cryptsetup
apt-get -y install rsyncrypto cryptsetup ssss
get_mariadb_password
get_mariadb_password
get_mariadb_gnusocial_admin_password
get_mariadb_gnusocial_admin_password
@ -3801,14 +3807,17 @@ function backup_to_friends_servers {
echo -n ' echo "$NOW Starting backup to $REMOTE_SERVER" >> ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' echo "$NOW Starting backup to $REMOTE_SERVER" >> ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "$REMOTE_BACKUPS_LOG" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "$REMOTE_BACKUPS_LOG" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$(ls -afq | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$(ls -afq data* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' no_of_fragments=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' if [[ ${no_of_fragments} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' if [[ ${no_of_fragments} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_files=(/home/$MY_USERNAME/.gnupg_fragments/data*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_files=(/home/$MY_USERNAME/.gnupg_fragments/data*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_filename=${key_files[ctr]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' key_filename=${key_files[ctr]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' ctrb=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " sed \"$ctrbq;d\" /home/$MY_USERNAME/.gnupg_fragments/shares.txt > /home/$MY_USERNAME/tempkey/.gnupg_fragments/share.txt" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cp $key_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cp $key_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@ -3820,6 +3829,7 @@ function backup_to_friends_servers {
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
fi
echo -n ' rsync -ratlzv --rsh="/usr/bin/sshpass -p $REMOTE_PASSWORD ssh -p $REMOTE_SSH_PORT -o StrictHostKeyChecking=no" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' rsync -ratlzv --rsh="/usr/bin/sshpass -p $REMOTE_PASSWORD ssh -p $REMOTE_SSH_PORT -o StrictHostKeyChecking=no" ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo '$SERVER_DIRECTORY/backup $REMOTE_SERVER' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo '$SERVER_DIRECTORY/backup $REMOTE_SERVER' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
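Review bot: On the new `sed` line in the `@ -3801,14 +3807,17 @@` hunk of backup_to_friends_servers, `$ctrbq` sits inside a double-quoted `echo`, so it is expanded by the installer rather than by the generated backup script; unless `ctrbq` is defined elsewhere in the installer it becomes empty and every remote server receives `sed "q;d" shares.txt`, i.e. the same first share, which defeats the per-friend distribution the surrounding loop intends. The generated line should reference the `ctrb` counter emitted on the previous generated line, escaped so it survives generation: `echo " sed \"\${ctrb}q;d\" /home/$MY_USERNAME/.gnupg_fragments/shares.txt > /home/$MY_USERNAME/tempkey/.gnupg_fragments/share.txt" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME`. The unchanged `cp $key_filename` line two lines below appears to have the same unescaped-expansion problem and is worth fixing in the same pass. Separately, changing the count to `ls -afq data* | wc -l` means `.` and `..` are no longer listed, so the retained `no_of_fragments=$((no_of_fragments - 2))` now undercounts by two and the `> 0` guard (a string comparison inside `[[ ]]`) misfires for small fragment counts; drop the subtraction and use `(( no_of_fragments > 0 ))`. The enclosing function starts and ends outside the hunk.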
@ -37,10 +37,11 @@
KEY_FRAGMENTS=3
KEY_FRAGMENTS=3
MY_USERNAME=
MY_USERNAME=
MY_EMAIL_ADDRESS=
MY_EMAIL_ADDRESS=
PASSPHRASE=
function show_help {
function show_help {
echo ''
echo ''
echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address]'
echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address] -p [passphrase]'
echo ''
echo ''
exit 0
exit 0
}
}
@ -65,6 +66,10 @@ case $key in
shift
shift
MY_EMAIL_ADDRESS=$1
MY_EMAIL_ADDRESS=$1
;;
;;
-p|--passphrase)
shift
PASSPHRASE=$1
;;
*)
*)
# unknown option
# unknown option
;;
;;
@ -113,14 +118,33 @@ cat /home/$MY_USERNAME/pubkey.txt /home/$MY_USERNAME/privkey.txt > $KEYS_FILE
shred -zu /home/$MY_USERNAME/privkey.txt
shred -zu /home/$MY_USERNAME/privkey.txt
shred -zu /home/$MY_USERNAME/pubkey.txt
shred -zu /home/$MY_USERNAME/pubkey.txt
# generate a random passphrase if one isn't supplied
if [ ! $PASSPHRASE ]; then
PASSPHRASE=$(openssl rand -base64 64)
fi
# encrypt the keys file with a passphrase
# encrypt the keys file with a passphrase
gpg --output $KEYS_FILE.gpg --symmetric $KEYS_FILE
echo "$PASSPHRASE" | gpg --passphrase-fd 0 --output $KEYS_FILE.gpg --symmetric $KEYS_FILE
if [ ! "$?" = "0" ]; then
if [ ! "$?" = "0" ]; then
echo "Unable to encrypt the data prior to splitting"
echo "Unable to encrypt the data prior to splitting"
exit 7352
exit 7352
fi
fi
shred -zu $KEYS_FILE
shred -zu $KEYS_FILE
# split the passphrase into shares
echo "$PASSPHRASE" | ssss-split -q -t $KEY_FRAGMENTS -n $KEY_FRAGMENTS > \
/home/$MY_USERNAME/.gnupg_fragments/shares.txt
# (maybe) overwrite passphrase after use
PASSPHRASE=$(openssl rand -base64 64)
# check that passphrase shares were created
if [ ! -f /home/$MY_USERNAME/.gnupg_fragments/shares.txt ]; then
echo 'Passphrase for key fragments could not be split'
shred -zu $KEYS_FILE.gpg
exit 74549
fi
# generate fragments
# generate fragments
GPG_KEYS_SIZE_BYTES=$(wc -c <"$KEYS_FILE.gpg")
GPG_KEYS_SIZE_BYTES=$(wc -c <"$KEYS_FILE.gpg")
GPG_BYTES_PER_FRAGMENT=$((GPG_KEYS_SIZE_BYTES / KEY_FRAGMENTS))
GPG_BYTES_PER_FRAGMENT=$((GPG_KEYS_SIZE_BYTES / KEY_FRAGMENTS))
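Review bot: The new `shares.txt` existence check in the `@ -113,14 +118,33 @@` hunk cannot detect a failed split, because the `> /home/$MY_USERNAME/.gnupg_fragments/shares.txt` redirection on the `ssss-split` line creates the file before the command runs, so `[ ! -f ... ]` is false even when `ssss-split` exits non-zero and writes nothing. Test the result instead, e.g. `if [ ! -s /home/$MY_USERNAME/.gnupg_fragments/shares.txt ]; then`, or check `${PIPESTATUS[1]}` right after the pipeline, as the script already does with `$?` for gpg. `if [ ! $PASSPHRASE ]; then` is unquoted, so a supplied passphrase containing whitespace makes `[` fail with "too many arguments" instead of testing emptiness; `if [ -z "$PASSPHRASE" ]; then` is the intended check. Accepting the passphrase via `-p [passphrase]` (the `@ -65,6 +66,10 @@` hunk) exposes it in the process list and shell history, so a later change could read it from stdin or an environment variable, and since `--passphrase-fd 0` is used without `--batch`, newer gpg releases may still fall back to pinentry — worth confirming on the target Debian version. Note also that `-t $KEY_FRAGMENTS -n $KEY_FRAGMENTS` makes every share required, so losing any one friend's copy makes the key unrecoverable; if that is intended, a comment saying so would help.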