fedora-OEMDRV/system_setup/mount_ecrypt_home.sh
Brot der Bot d1ff9e348a mount_ecrypt_home.sh: store vault key in XDG_RUNTIME_DIR instead of /var/tmp
/var/tmp is persistent on-disk storage. The encryption key must never
be written to disk, even temporarily. Replaced all occurrences of
/var/tmp/IPAVAULTKEY.txt with ${XDG_RUNTIME_DIR}/IPAVAULTKEY, which
is a per-user tmpfs directory (/run/user/<UID>) created by
systemd-logind: RAM-backed (tmpfs can still be paged to swap unless swap is off or encrypted), mode 0700, wiped on logout.

Also removed the TODO comment that tracked this exact issue.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-01 16:38:24 +02:00

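#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Gets the IPA vault entry holding the local file-encryption key and mounts the
# gocryptfs data directory in the user's home.
# If no IPA server is reachable (e.g. no internet), the user is prompted to enter
# the key manually. ATTENTION: the key MUST NOT be stored in plaintext on this PC;
# it only ever lives in ${XDG_RUNTIME_DIR} (per-user tmpfs) while this script runs.
# If no encryption has been set up so far, a new key is generated and archived in
# the IPA vault.
#
# Interpreter is bash, not POSIX sh: the script relies on `read -p` / `read -n 1 -s`.
#
# Expected environment (normally provided by setup_system.inc.sh):
#   DECRYPTEDDATADIR  mount point of the decrypted view
#   ENCRYPTEDDATADIR  gocryptfs cipher directory
#   IPAVAULTUSE       "false" disables encryption entirely
#   SERVERFQDN_IPA    IPA server to query
#   IPAVAULTNAME      name of the vault holding the key
#   HOSTNM            host name, used only in the vault description
#source $(dirname "$0")/setup_system.inc.sh
EXECDIR=$(pwd)

: "${DECRYPTEDDATADIR:?DECRYPTEDDATADIR must be set (see setup_system.inc.sh)}"

# Check if the directory is already mounted.
# -F/--: the path is a literal, not a regex, and must not be parsed as an option.
if grep -qF -- "${DECRYPTEDDATADIR}" /etc/mtab; then
  echo "It looks like the directory is already mounted. Not mounting again."
  echo "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
  exit 0
fi

if [ "${IPAVAULTUSE}" = "false" ]; then
  # No encryption configured: warn loudly, but continue with a plain directory.
  echo
  mkdir -p -- "${DECRYPTEDDATADIR}"
  RETNO=$?
  if [ "${RETNO}" -eq 0 ]; then
    echo "Private Directory set to ${DECRYPTEDDATADIR}"
    echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
    echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
  else
    echo "Error setting up Directory ${DECRYPTEDDATADIR}" >&2
  fi
  exit "${RETNO}"
fi

: "${ENCRYPTEDDATADIR:?ENCRYPTEDDATADIR must be set (see setup_system.inc.sh)}"
: "${SERVERFQDN_IPA:?SERVERFQDN_IPA must be set (see setup_system.inc.sh)}"
: "${IPAVAULTNAME:?IPAVAULTNAME must be set (see setup_system.inc.sh)}"

# The key is only ever written below ${XDG_RUNTIME_DIR} (per-user tmpfs, mode 0700,
# cleared on logout). Refuse to run when it is missing (e.g. under sudo or cron):
# the fallback path would land on persistent disk, which must never happen.
if [ -z "${XDG_RUNTIME_DIR}" ] || [ ! -d "${XDG_RUNTIME_DIR}" ]; then
  echo "XDG_RUNTIME_DIR is not set or not a directory; refusing to write the vault key anywhere else." >&2
  echo "Run this script from a logged-in user session (systemd-logind provides /run/user/<UID>)." >&2
  exit 3
fi
KEYFILE="${XDG_RUNTIME_DIR}/IPAVAULTKEY"
# Remove the key on every exit path, including CTRL+C at one of the prompts below.
trap 'rm -f -- "${KEYFILE}"' EXIT
trap 'exit 130' INT TERM HUP
# Pre-create the key file with mode 0600 regardless of the caller's umask; later
# writes only truncate it and keep that mode.
( umask 077 && : > "${KEYFILE}" ) || { echo "Cannot create ${KEYFILE}" >&2; exit 3; }

# Test for connectivity. --max-time keeps an offline machine from hanging here;
# any HTTP answer counts as "online", as before (no -f).
if ! curl -s -I --max-time 10 "https://${SERVERFQDN_IPA}/ipa/session/json" >/dev/null 2>&1; then
  # Server is offline
  if [ -d "${ENCRYPTEDDATADIR}" ]; then
    echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
    # -s: do not echo the key to the terminal (scrollback, screen sharing);
    # -r: keep backslashes in the key verbatim.
    read -r -s -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
    echo
    printf '%s\n' "${ENCKEY}" > "${KEYFILE}"
  else
    echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue." >&2
    echo "Please check your Connection/Server and retry." >&2
    exit 1
  fi
else
  # Server is online: get the key from IPA.
  echo "Getting the Vault ${IPAVAULTNAME}"
  if ! ipa vault-retrieve "${IPAVAULTNAME}" --out "${KEYFILE}" >/dev/null; then
    echo "No Key found. Will try to Setup a new one."
    ENCKEY=$(openssl rand -base64 24)
    printf '%s\n' "${ENCKEY}" > "${KEYFILE}"
    # NOTE(security): a "standard" vault stores the key without client-side
    # encryption, so anyone who can read the vault on the IPA server (e.g. IPA
    # admins) can read this key. Use a symmetric/asymmetric vault if that matters.
    if ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard \
       && ipa vault-archive "${IPAVAULTNAME}" --in "${KEYFILE}"; then
      echo
      echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
      echo
      # Deliberately shown once: this is the only offline recovery path.
      echo "The Value is: ${ENCKEY}"
      echo
      echo "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
      echo
      echo "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
      echo
      read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
      echo
    else
      echo "Failed to create the Vault. Please check the Errors and try again." >&2
      ENCKEY=""
    fi
  else
    # Only used for the non-empty check below; gocryptfs reads the file itself.
    ENCKEY=$(cat "${KEYFILE}")
  fi
fi

if [ -z "${ENCKEY}" ]; then
  echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit." >&2
  exit 2  # EXIT trap removes the key file
fi
echo "Sucessfuly obtained IPA vault fileencryption key."

# Setup and use the encrypted filesystem.
# First run: the mount point or the gocryptfs config does not exist yet.
if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then
  echo "First Setup of encryption: Creating new Directories now"
  mkdir -p -- "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" "${HOME}/.config/gocryptfs"
  # -allow_other: other local users (root aside) can reach the mount; this needs
  # user_allow_other in /etc/fuse.conf and widens who can read the plaintext.
  gocryptfs -init -allow_other -passfile "${KEYFILE}" -config "${HOME}/.config/gocryptfs/gocryptfs.conf" "${ENCRYPTEDDATADIR}" >/dev/null
fi
# Run the mount in its own user scope so it outlives this shell but is tracked by systemd.
systemd-run --user --scope --unit=gocryptfs-home \
  gocryptfs -noprealloc -allow_other -passfile "${KEYFILE}" -config "${HOME}/.config/gocryptfs/gocryptfs.conf" "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" >/dev/null
RETVAL=$?
# gocryptfs has read the key by now: drop it immediately (the EXIT trap is a backstop).
rm -f -- "${KEYFILE}"
cd "${EXECDIR}"
if [ "${RETVAL}" -eq 0 ]; then
  echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
  exit 0
else
  echo "Errorcode ${RETVAL}" >&2
  exit 1
fi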