l: init ecrypt
parent
4ce8f6e130
commit
3ce3820553
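--- /dev/null
+++ b/lass/5pkgs/ecrypt/default.nix
@@ -0,0 +1,108 @@
+{ pkgs, lib }:
+
+#usage: ecrypt mount /var/crypted /var/unencrypted
+pkgs.writers.writeDashBin "ecrypt" ''
+set -euf
+set -x
+
+PATH=${lib.makeBinPath (with pkgs; [
+coreutils
+ecryptfs
+gnused
+gnugrep
+jq
+mount
+keyutils
+umount
+])}
+
+# turn echo back on if killed
+trap 'stty echo' INT
+
+case "$1" in
+init)
+shift
+mkdir -p "$1" "$2"
+
+# abort if src or dest are not empty
+if [ -e "$1"/.cfg.json ]; then
+echo 'source dir is already configured, aborting'
+exit 1
+elif ls -1qA "$2" | grep -q .; then
+echo 'destination dir is not empty, aborting'
+exit 1
+else
+stty -echo
+printf "passphrase: "
+read passphrase
+stty echo
+sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+mount -t ecryptfs \
+-o ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+"$1" "$2"
+
+# add sig to json state file
+jq -n --arg sig "$sig" '{ "sig": $sig }' > "$1"/.cfg.json
+fi
+;;
+
+mount)
+shift
+if ! [ -e "$1"/.cfg.json ]; then
+echo '.cfg.json missing in src'
+exit 1
+fi
+old_sig=$(cat "$1"/.cfg.json | jq -r .sig)
+
+# check if key is already in keyring, otherwise add it
+
+if keyctl list @u | grep -q "$old_sig"; then
+echo 'pw already saved'
+else
+stty -echo
+printf "passphrase: "
+read passphrase
+stty echo
+new_sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+
+# check if passphrase matches sig
+if [ "$old_sig" != "$new_sig" ]; then
+echo 'passphrase does not match sig, bailing out'
+new_keyid=$(keyctl list @u | grep "$new_sig" | sed 's/\([0-9]*\).*/\1/')
+keyctl revoke "$new_keyid"
+keyctl unlink "$new_keyid"
+exit 1
+fi
+fi
+
+sig=$old_sig
+keyid=$(keyctl list @u | grep "$sig" | sed 's/\([0-9]*\).*/\1/')
+if (ls -1qA "$2" | grep -q .); then
+echo 'destination is not empty, bailing out'
+exit 1
+else
+mount -i -t ecryptfs \
+-o ecryptfs_passthrough=no,verbose=no,ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+"$1" "$2"
+fi
+;;
+
+unmount)
+shift
+
+sig=$(cat "$1"/.cfg.json | jq -r .sig)
+keyid=$(keyctl list @u | grep "$sig" | sed 's/\s*\([0-9]*\).*/\1/')
+
+umount "$2" || :
+keyctl revoke "$keyid"
+keyctl unlink "$keyid"
+;;
+
+*)
+echo 'usage:
+ecrypt init /tmp/src/ /tmp/dst/
+ecrypt mount /tmp/src/ /tmp/dst/
+ecrypt unmount /tmp/src/ /tmp/dst/
+'
+esac
+''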
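Review bot: The `set -x` near the top of the generated script traces every expanded command to stderr, so `echo "$passphrase" | ecryptfs-add-passphrase` in both the init and mount branches prints the passphrase in clear text on the terminal and into anything that captures the script's stderr, which defeats the `stty -echo` around the prompt; drop the `set -x` or bracket the passphrase handling with `set +x` / `set -x`. While there, `read passphrase` should be `read -r passphrase` so backslashes in the passphrase survive, and because dash's `echo` interprets backslash escapes the key should be fed with `printf '%s\n' "$passphrase" | ecryptfs-add-passphrase` instead. `trap 'stty echo' INT` only restores terminal echo on Ctrl-C; `trap 'stty echo' INT TERM EXIT` would also cover the `exit 1` paths and a TERM while echo is off. Separately, the mount branch extracts the key id with `sed 's/\([0-9]*\).*/\1/'` whereas the unmount branch uses `sed 's/\s*\([0-9]*\).*/\1/'`; if `keyctl list` indents its entries the mount-side `new_keyid` comes out empty and the `keyctl revoke` / `keyctl unlink` cleanup after a wrong passphrase does nothing, so the two branches should use the same expression.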