#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # # gpg functions # # License # ======= # # Copyright (C) 2016-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . function gpg_update_mutt { key_username="$1" if [ ! -f "/home/$key_username/.muttrc" ]; then return fi CURR_EMAIL_ADDRESS=$key_username@$HOSTNAME CURR_GPG_ID=$(gpg --homedir="/home/$key_username/.gnupg" --list-keys "$CURR_EMAIL_ADDRESS" | sed -n '2p' | sed 's/^[ \t]*//') # If the default key is specified within gpg.conf if [ -f "/home/$key_username/gpg.conf" ]; then if grep -q "default-key" "/home/$key_username/gpg.conf"; then default_gpg_key=$(grep "default-key" "/home/$key_username/gpg.conf") if [[ "$default_gpg_key" != *'#'* ]]; then default_gpg_key=$(grep "default-key" "/home/$key_username/gpg.conf" | awk -F ' ' '{print $2}') if [ ${#default_gpg_key} -gt 3 ]; then CURR_GPG_ID=$(gpg --homedir="/home/$key_username/.gnupg" --list-keys "$default_gpg_key" | sed -n '2p' | sed 's/^[ \t]*//') fi fi fi fi sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" "/home/$key_username/.muttrc" sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $CURR_GPG_ID -- -r %r -- %f\"|g" "/home/$key_username/.muttrc" chown "$key_username":"$key_username" "/home/$key_username/.muttrc" } function gpg_import_public_key { key_username="$1" key_filename="$2" gpg --homedir="/home/$key_username/.gnupg" --import "$key_filename" gpg_set_permissions "$key_username" } function gpg_import_private_key { key_username="$1" key_filename="$2" gpg --homedir="/home/$key_username/.gnupg" --allow-secret-key-import --import "$key_filename" gpg_set_permissions "$key_username" } function gpg_export_public_key { key_username="$1" key_id="$2" key_filename="$3" chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg" su -m root -c "gpg --homedir /home/$key_username/.gnupg --output $key_filename --armor --export $key_id" - "$key_username" } function gpg_export_private_key { key_username=$1 key_id=$2 key_filename=$3 chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg" su -m root -c "gpg --homedir=/home/$key_username/.gnupg --armor --output $key_filename --export-secret-key $key_id" - "$key_username" } function gpg_create_key { key_username="$1" key_passphrase="$2" gpg_dir="/home/$key_username/.gnupg" { echo 'Key-Type: eddsa'; echo 'Key-Curve: Ed25519'; echo 'Subkey-Type: eddsa'; echo 'Subkey-Curve: Ed25519'; echo "Name-Real: $MY_NAME"; echo "Name-Email: $MY_EMAIL_ADDRESS"; echo 'Expire-Date: 0'; } > "/home/$key_username/gpg-genkey.conf" cat "/home/$key_username/gpg-genkey.conf" if [ "$key_passphrase" ]; then echo "Passphrase: $key_passphrase" >> "/home/$key_username/gpg-genkey.conf" else echo "Passphrase: $PROJECT_NAME" >> "/home/$key_username/gpg-genkey.conf" fi chown "$key_username":"$key_username" "/home/$key_username/gpg-genkey.conf" echo $'Generating a new GPG key' su -m root -c "gpg --homedir /home/$key_username/.gnupg --batch --full-gen-key /home/$key_username/gpg-genkey.conf" - "$key_username" chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg" KEY_EXISTS=$(gpg_key_exists "$key_username" "$MY_EMAIL_ADDRESS") if [[ $KEY_EXISTS == "no" ]]; then echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created" exit 63621 fi rm "/home/$key_username/gpg-genkey.conf" CURR_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$key_username" "$MY_EMAIL_ADDRESS") if [ ${#CURR_GPG_PUBLIC_KEY_ID} -lt 4 ]; then echo $"GPG public key ID could not be obtained for $MY_EMAIL_ADDRESS" exit 825292 fi gpg_set_permissions "$key_username" } function gpg_delete_key { key_username="$1" key_id="$2" chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg" su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-secret-key $key_id" - "$key_username" su -c "gpg --batch --quiet --homedir=/home/$key_username/.gnupg --delete-key $key_id" - "$key_username" } function gpg_set_permissions { key_username=$1 if [[ "$key_username" != 'root' ]]; then chmod 700 "/home/$key_username/.gnupg" chmod -R 600 "/home/$key_username/.gnupg/"* printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "/home/$key_username/.gnupg/S.dirmngr" if [ -d "/home/$key_username/.gnupg/crls.d" ]; then chmod +x "/home/$key_username/.gnupg/crls.d" fi chown -R "$key_username":"$key_username" "/home/$key_username/.gnupg" else chmod 700 /root/.gnupg chmod -R 600 /root/.gnupg/* printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /root/.gnupg/S.dirmngr if [ -d /root/.gnupg/crls.d ]; then chmod +x /root/.gnupg/crls.d fi chown -R "$key_username":"$key_username" /root/.gnupg fi } function gpg_reconstruct_key { key_username=$1 key_interactive=$2 if [ ! -d "/home/$key_username/.gnupg_fragments" ]; then return fi cd "/home/$key_username/.gnupg_fragments" || exit 3468346 # shellcheck disable=SC2012 no_of_shares=$(ls -afq keyshare.asc.* | wc -l) if (( no_of_shares < 4 )); then if [ "$key_interactive" ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Not enough fragments to reconstruct the key' 6 70 else echo $'Not enough fragments to reconstruct the key' fi exit 7348 fi if ! gfcombine "/home/$key_username/.gnupg_fragments/keyshare*"; then if [ "$key_interactive" ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 7348 fi KEYS_FILE=/home/$key_username/.gnupg_fragments/keyshare.asc if [ ! -f "$KEYS_FILE" ]; then if [ "$key_interactive" ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to reconstruct the key' 6 70 else echo $'Unable to reconstruct the key' fi exit 52852 fi if ! gpg --homedir="/home/$key_username/.gnupg" --allow-secret-key-import --import "$KEYS_FILE"; then rm "$KEYS_FILE" rm -rf "/home/$key_username/.tempgnupg" if [ "$key_interactive" ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Unable to import gpg key' 6 70 else echo $'Unable to import gpg key' fi exit 96547 fi rm "$KEYS_FILE" gpg_set_permissions "$key_username" if [ "$key_interactive" ]; then dialog --title $"Recover Encryption Keys" --msgbox $'Key has been reconstructed' 6 70 else echo $'Key has been reconstructed' fi } function gpg_agent_setup { gpg_username=$1 if [[ $gpg_username == 'root' ]]; then if ! grep -q 'GPG_TTY' /root/.bashrc; then { echo ''; echo "GPG_TTY=\$(tty)"; echo 'export GPG_TTY'; } >> /root/.bashrc fi if grep -q '# use-agent' /root/.gnupg/gpg.conf; then sed -i 's|# use-agent|use-agent|g' /root/.gnupg/gpg.conf fi if ! grep -q 'use-agent' /root/.gnupg/gpg.conf; then echo 'use-agent' >> /root/.gnupg/gpg.conf fi { echo 'default-cache-ttl 300'; echo 'max-cache-ttl 999999'; echo 'allow-loopback-pinentry'; } > /root/.gnupg/gpg-agent.conf if [ -f /root/.gnupg/S.dirmngr ]; then rm /root/.gnupg/S.dirmngr fi echo RELOADAGENT | gpg-connect-agent else if ! grep -q 'GPG_TTY' "/home/$gpg_username/.bashrc"; then { echo ''; echo "GPG_TTY=\$(tty)"; echo 'export GPG_TTY'; } >> "/home/$gpg_username/.bashrc" chown "$gpg_username":"$gpg_username" "/home/$gpg_username/.bashrc" fi if grep -q '# use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then sed -i 's|# use-agent|use-agent|g' "/home/$gpg_username/.gnupg/gpg.conf" fi if ! grep -q 'use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then echo 'use-agent' >> "/home/$gpg_username/.gnupg/gpg.conf" fi if ! grep -q 'pinentry-mode loopback' "/home/$gpg_username/.gnupg/gpg.conf"; then echo 'pinentry-mode loopback' >> "/home/$gpg_username/.gnupg/gpg.conf" fi echo 'default-cache-ttl 300' > "/home/$gpg_username/.gnupg/gpg-agent.conf" echo 'max-cache-ttl 999999' >> "/home/$gpg_username/.gnupg/gpg-agent.conf" echo 'allow-loopback-pinentry' >> "/home/$gpg_username/.gnupg/gpg-agent.conf" if [ -f "/home/$gpg_username/.gnupg/S.dirmngr" ]; then rm "/home/$gpg_username/.gnupg/S.dirmngr" fi if [[ "$gpg_username" != "$USER" ]]; then su -c "echo RELOADAGENT | gpg-connect-agent" - "$gpg_username" else echo RELOADAGENT | gpg-connect-agent fi fi } function gpg_agent_enable { gpg_username=$1 if [[ $gpg_username == 'root' ]]; then return else if grep -q 'GPG_TTY' "/home/$gpg_username/.bashrc"; then sed -i '/GPG_TTY/d' "/home/$gpg_username/.bashrc" chown "$gpg_username":"$gpg_username" "/home/$gpg_username/.bashrc" fi if grep -q 'use-agent' "/home/$gpg_username/.gnupg/gpg.conf"; then sed -i '/use-agent/d' "/home/$gpg_username/.gnupg/gpg.conf" fi if grep -q 'pinentry-mode loopback' "/home/$gpg_username/.gnupg/gpg.conf"; then sed -i '/pinentry-mode loopback/d' "/home/$gpg_username/.gnupg/gpg.conf" fi if [ -f "/home/$gpg_username/.gnupg/gpg-agent.conf" ]; then rm "/home/$gpg_username/.gnupg/gpg-agent.conf" fi if [[ "$gpg_username" != "$USER" ]]; then su -c "echo RELOADAGENT | gpg-connect-agent" - "$gpg_username" else echo RELOADAGENT | gpg-connect-agent fi fi } function gpg_pubkey_from_email { key_owner_username=$1 key_email_address=$2 key_id= if [[ $key_owner_username != "root" ]]; then key_id=$(su -c "gpg --list-keys $key_email_address" - "$key_owner_username" | sed -n '2p' | sed 's/^[ \t]*//') # If the default key is specified within gpg.conf if [ -f "/home/$key_owner_username/gpg.conf" ]; then if grep -q "default-key" "/home/$key_owner_username/gpg.conf"; then default_gpg_key=$(grep "default-key" "/home/$key_owner_username/gpg.conf") if [[ "$default_gpg_key" != *'#'* ]]; then default_gpg_key=$(grep "default-key" "/home/$key_owner_username/gpg.conf" | awk -F ' ' '{print $2}') if [ ${#default_gpg_key} -gt 3 ]; then key_id=$(su -c "gpg --list-keys $default_gpg_key" - "$key_owner_username" | sed -n '2p' | sed 's/^[ \t]*//') fi fi fi fi else key_id=$(gpg --list-keys "$key_email_address" | sed -n '2p' | sed 's/^[ \t]*//') # If the default key is specified within gpg.conf if [ -f /root/gpg.conf ]; then if grep -q "default-key" /root/gpg.conf; then default_gpg_key=$(grep "default-key" /root/gpg.conf) if [[ "$default_gpg_key" != *'#'* ]]; then default_gpg_key=$(grep "default-key" /root/gpg.conf | awk -F ' ' '{print $2}') if [ ${#default_gpg_key} -gt 3 ]; then key_id=$(gpg --list-keys "$default_gpg_key" | sed -n '2p' | sed 's/^[ \t]*//') fi fi fi fi fi echo "$key_id" } function enable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if grep -q '#| /usr/bin/gpgit.pl' "/home/$USERNAME/.procmailrc"; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' "/home/$USERNAME/.procmailrc" sed -i 's|#:0 f|:0 f|g' "/home/$USERNAME/.procmailrc" fi fi done if grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@#| /usr/bin/gpgit.pl@| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|#:0 f|:0 f|g' /etc/skel/.procmailrc fi } function disable_email_encryption_at_rest { for d in /home/*/ ; do USERNAME=$(echo "$d" | awk -F '/' '{print $3}') if [[ $(is_valid_user "$USERNAME") == "1" ]]; then if ! grep -q '#| /usr/bin/gpgit.pl' "/home/$USERNAME/.procmailrc"; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' "/home/$USERNAME/.procmailrc" sed -i 's|:0 f|#:0 f|g' "/home/$USERNAME/.procmailrc" fi fi done if ! grep -q '#| /usr/bin/gpgit.pl' /etc/skel/.procmailrc; then sed -i 's@| /usr/bin/gpgit.pl@#| /usr/bin/gpgit.pl@g' /etc/skel/.procmailrc sed -i 's|:0 f|#:0 f|g' /etc/skel/.procmailrc fi } # NOTE: deliberately no exit 0