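#!/bin/bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Fetch the IPA vault entry holding the key for local file encryption and
# mount the (gocryptfs) data directory in the user's home.
# If no IPA server is reachable (e.g. no internet connection), the user is
# prompted to enter the key manually. ATTENTION: the key MUST NOT be stored in
# plaintext on this PC, that would be very insecure!
# If encryption has not been set up yet, a new key is generated, a new vault is
# created and the key is archived into the IPA vault.
#
# Must run under bash (uses `source`, `read -p/-s/-n`), hence the shebang.
#
# Variables expected from setup_system.inc.sh:
#   DECRYPTEDDATADIR  mount point of the decrypted view
#   ENCRYPTEDDATADIR  gocryptfs cipher directory
#   SERVERFQDN_IPA    FQDN of the IPA server
#   IPAVAULTNAME      name of the vault holding the key
#   HOSTNM            host name used in the vault description (optional)
#
# Exit codes: 0 mounted / already mounted, 1 setup or mount error,
#             2 no key could be obtained.

# shellcheck source=setup_system.inc.sh
source "$(dirname "$0")/setup_system.inc.sh"
EXECDIR=$(pwd)

# Fail early if the include did not provide what we need; otherwise the
# unquoted/empty values below would silently do the wrong thing.
for v in DECRYPTEDDATADIR ENCRYPTEDDATADIR SERVERFQDN_IPA IPAVAULTNAME; do
  if [ -z "${!v}" ]; then
    echo "setup_system.inc.sh did not set ${v}. Cannot continue." >&2
    exit 1
  fi
done

# Everything this script creates (key file, cipher dir, gocryptfs config) is
# private to the user.
umask 077

#Check if Directory is already mounted.
# /etc/mtab lines are "<source> <mountpoint> <fstype> ...", so match the
# mount point as a whole field (fixed string, no regex interpretation).
if grep -qsF -- " ${DECRYPTEDDATADIR} " /etc/mtab; then
  #Directory is already mounted
  echo "It looks like the directory is already mounted. Not mounting again."
  echo "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
  exit 0
fi

# Private scratch directory for the plaintext key. /var/tmp is shared,
# world-readable and survives reboots; mktemp -d gives a mode-0700 directory
# with an unpredictable name (no symlink races), on tmpfs when /dev/shm is
# usable so the key does not touch persistent storage. The EXIT trap removes
# it on every exit path, including CTRL+C at the prompts.
KEYDIR=""
if [ -d /dev/shm ] && [ -w /dev/shm ]; then
  KEYDIR=$(mktemp -d /dev/shm/ipavaultkey.XXXXXX) || KEYDIR=""
fi
if [ -z "${KEYDIR}" ]; then
  KEYDIR=$(mktemp -d) || {
    echo "Cannot create a temporary directory for the key. Cannot continue." >&2
    exit 1
  }
fi
KEYFILE="${KEYDIR}/IPAVAULTKEY.txt"
cleanup() { rm -rf -- "${KEYDIR:?}"; }
trap cleanup EXIT

ENCKEY=""
#Test for connectivity (HEAD request; any HTTP answer counts as online,
# a DNS failure or timeout as offline)
if ! curl -I --max-time 15 "https://${SERVERFQDN_IPA}/ipa/session/json" >/dev/null 2>&1; then
  # Server is offline
  if [ -d "${ENCRYPTEDDATADIR}" ]; then
    echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
    # -s: do not echo the key to the terminal; -r: keep backslashes as typed
    read -r -s -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
    echo
    printf '%s\n' "${ENCKEY}" > "${KEYFILE}"
  else
    echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
    echo "Please check your Connection/Server and retry."
    exit 1
  fi
else
  # Server is online
  #Get the Token from IPA
  echo "Getting the Vault ${IPAVAULTNAME}"
  if ipa vault-retrieve "${IPAVAULTNAME}" --out "${KEYFILE}" >/dev/null; then
    ENCKEY=$(cat -- "${KEYFILE}")
  elif [ -e "${HOME}/.config/gocryptfs/gocryptfs.conf" ] || [ -d "${ENCRYPTEDDATADIR}" ]; then
    # Encryption was set up before, but its key could not be retrieved
    # (vault gone, expired ticket, ...). Generating and archiving a fresh key
    # now would leave the vault holding a key that cannot open the existing
    # data, so refuse instead of "setting up a new one".
    echo "The Vault ${IPAVAULTNAME} could not be retrieved, but encryption for ${ENCRYPTEDDATADIR} is already set up." >&2
    echo "Refusing to create a new key that would not match the existing data. Please check the Vault and your IPA login." >&2
    ENCKEY=""
  else
    echo "No Key found. Will try to Setup a new one."
    ENCKEY=$(openssl rand -base64 24)
    printf '%s\n' "${ENCKEY}" > "${KEYFILE}"
    if ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard \
      && ipa vault-archive "${IPAVAULTNAME}" --in "${KEYFILE}"; then
      # The key is shown on purpose: it is the user's offline backup.
      echo
      echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
      echo
      echo "The Value is: ${ENCKEY}"
      echo
      echo "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
      echo
      echo "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
      echo
      read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
      echo
    else
      echo "Failed to create the Vault. Please check the Errors and try again."
      ENCKEY=""
    fi
  fi
fi

if [ -z "${ENCKEY}" ]; then
  echo "Some Error while fetching your Credentials. This should not happen. Quit."
  exit 2
fi

#Setup and use encrypted filesystem
GCFS_CONF="${HOME}/.config/gocryptfs/gocryptfs.conf"
if [ ! -d "${DECRYPTEDDATADIR}" ]; then
  #Key has been obtained, but no Directory was created till now
  echo "First Setup of encryption: Creating new Directories now"
  mkdir -p -- "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" "${HOME}/.config/gocryptfs" || exit 1
  # Only initialise when no config exists yet: -init refuses to overwrite
  # an existing config, and an existing one means the data is already set up.
  if [ ! -e "${GCFS_CONF}" ]; then
    if ! gocryptfs -init -passfile "${KEYFILE}" -config "${GCFS_CONF}" "${ENCRYPTEDDATADIR}" >/dev/null; then
      echo "gocryptfs -init failed for ${ENCRYPTEDDATADIR}. Cannot continue." >&2
      exit 1
    fi
  fi
fi
gocryptfs -noprealloc -passfile "${KEYFILE}" -config "${GCFS_CONF}" "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" >/dev/null
RETVAL=$?
# The key file is removed by the EXIT trap.
cd -- "${EXECDIR}" || true
if [ "${RETVAL}" -eq 0 ]; then
  echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
  exit 0
else
  # was ${RETAVAL} (typo), which always printed an empty code
  echo "Errorcode ${RETVAL}"
  exit 1
fi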