obel1x/fedora-OEMDRV
0
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
488f04d3878653dbc615925edc68154e145197a4
fedora-OEMDRV/system_setup/mount_ecrypt_home.sh
T
Daniel Pätzold 488f04d387 Moved local dir to /opt/sys_config 
Improved error logging and added function handling calls with log and return values
Improved check for matching sudo rule
2026-03-15 12:44:14 +01:00

106 lines
4.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Will Get IPA- Vault- Entry for local File Encryption and mout the data- Directory in your Home
# If no IPA-Server is available (e.g. if no internet is available) it will Prompt the User to Enter the Key manually. ATTENTION: The Key MUST NOT BE STORED plaintext on this PC, this would be very insecure!
# If no encryption has been setup so far, it will create a new wallet and Store the Encryption to the IPA Vault.
source $(dirname "$0")/setup_system.inc.sh
EXECDIR=$(pwd)
#Check if Directory is alread mounted
grep ${DECRYPTEDDATADIR} /etc/mtab >/dev/null
if [ $? -eq 0 ]; then
#Directory is already mounted
echo "It looks like the directory is already mounted. Not mounting again."
echo "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
exit 0
fi
if [ ${IPAVAULTUSE} == "false" ]; then
#No encryption configured, will warn, but will continue
echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
echo
mkdir -p ${DECRYPTEDDATADIR}
RETNO=$?
if [ ${RETNO} -eq 0 ]; then
echo "Private Directory set to ${DECRYPTEDDATADIR}"
else
echo "Error setting up Directory ${DECRYPTEDDATADIR}"
fi
ENCKEY=""
exit ${RETNO}
fi
#Test for connectivity
curl -I https://${SERVERFQDN_IPA}/ipa/session/json >/dev/null 2>&1
if [ $? -ne 0 ]; then
# Server is offline
if [ -d "${ENCRYPTEDDATADIR}" ]; then
echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
read -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
else
echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
echo "Please check your Connection/Server and retry."
exit 1
fi
else
# Server is online
#Get the Token from IPA
echo Getting the Vault ${IPAVAULTNAME}
ipa vault-retrieve ${IPAVAULTNAME} --out /var/tmp/IPAVAULTKEY.txt >/dev/null #TODO: Instead of /var/tmp use tmpfs for more security
if [ $? -ne 0 ]; then
echo "No Key found. Will try to Setup a new one."
ENCKEY=$( openssl rand -base64 24 )
echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in /var/tmp/IPAVAULTKEY.txt
if [ $? -eq 0 ]; then
echo
echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
echo
echo "The Value is: ${ENCKEY}"
echo
echo "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
echo
echo "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
echo
read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
echo
else
echo "Failed to create the Vault. Please check the Errors and try again."
ENCKEY=""
fi
else
ENCKEY=$( cat /var/tmp/IPAVAULTKEY.txt )
# echo "The Key is: ${ENCKEY}"
fi
fi
if [ "${ENCKEY}." == "." ]; then
echo "Some Error while fetching your Credentials. This should not happen. Quit."
rm /var/tmp/IPAVAULTKEY.txt
exit 2
fi
#Setup and use encrypted filesystem
if [ ! -d "${DECRYPTEDDATADIR}" ]; then
#Key has been obtained, but no Directory was created till know
echo "First Setup of encryption: Creating new Directories now"
mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
gocryptfs -init -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
fi
gocryptfs -noprealloc -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
RETVAL=$?
rm /var/tmp/IPAVAULTKEY.txt
cd ${EXECDIR}
if [ ${RETVAL} -eq 0 ]; then
echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
exit 0
else
echo "Errorcode ${RETAVAL}"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink