fedora-OEMDRV/system_setup/mount_ecrypt_home.sh
Daniel unbrot Pätzold 3e8a4a57b0 mount_ecrypt_home: run gocryptfs in foreground to fix premature ExecStop
Without -fg, gocryptfs forks to background and the parent exits,
causing systemd to consider the service done and immediately call
ExecStop (fusermount -u). With -fg, gocryptfs stays as the tracked
service process so ExecStop only fires on explicit service stop at
logout.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 17:55:28 +02:00


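#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Fetch the IPA vault entry holding the local file-encryption key and mount the
# encrypted data directory into the user's home with gocryptfs, run as a
# transient user unit so that ExecStop unmounts it when the unit is stopped.
# If no IPA server is reachable (e.g. no network), the user is prompted to enter
# the key manually. ATTENTION: the key MUST NOT be stored in plaintext on this
# PC; that would be very insecure!
# If no encryption has been set up yet, a new key is generated and stored in
# the IPA vault.
#
# Environment this script reads (the former `source` line below is commented
# out, so the caller is expected to provide them):
#   DECRYPTEDDATADIR  mount point for the decrypted view
#   ENCRYPTEDDATADIR  gocryptfs cipher directory
#   IPAVAULTUSE       "false" disables encryption entirely
#   SERVERFQDN_IPA    IPA server used for the connectivity check
#   IPAVAULTNAME      name of the vault holding the key
#   HOSTNM            host name used in the vault description
#   XDG_RUNTIME_DIR   location of the short-lived passfile
#
# The shebang is bash on purpose: `read -p` and `read -s -n 1` below are not
# available in plain POSIX sh, so running this under dash would break the
# interactive paths.
#source $(dirname "$0")/setup_system.inc.sh

: "${DECRYPTEDDATADIR:?DECRYPTEDDATADIR must be set}"

#######################################
# Whether DECRYPTEDDATADIR is currently a mount point.
# Fixed-string match on " <dir> " so that a directory whose name is merely a
# prefix of another mount point is not mistaken for a mount. A trailing slash
# in the configured path is tolerated. Like the rest of the script this does
# not handle mount points containing spaces (/proc/mounts escapes them).
# Returns: 0 if mounted, 1 otherwise
#######################################
is_mounted() {
  grep -qF -- " ${DECRYPTEDDATADIR%/} " /proc/mounts 2>/dev/null
}

#Check if Directory is already mounted
if is_mounted; then
  #Directory is already mounted
  echo "It looks like the directory is already mounted. Not mounting again."
  echo "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
  exit 0
fi

if [ "${IPAVAULTUSE}" = "false" ]; then
  #No encryption configured, will warn, but will continue
  echo
  mkdir -p -- "${DECRYPTEDDATADIR}"
  RETNO=$?
  if [ "${RETNO}" -eq 0 ]; then
    echo "Private Directory set to ${DECRYPTEDDATADIR}"
    echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
    echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
  else
    echo "Error setting up Directory ${DECRYPTEDDATADIR}"
  fi
  exit "${RETNO}"
fi

# Everything below needs the key material on disk for a short while.
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set}"
: "${ENCRYPTEDDATADIR:?ENCRYPTEDDATADIR must be set}"
PASSFILE="${XDG_RUNTIME_DIR}/IPAVAULTKEY"
GOCRYPTFS_CONF="${HOME}/.config/gocryptfs/gocryptfs.conf"

#######################################
# Remove the passfile on every exit path (success, error, CTRL+C at a prompt),
# so the key never outlives this script in the runtime directory.
#######################################
cleanup() {
  rm -f -- "${PASSFILE}"
}
trap cleanup EXIT

#######################################
# Write the key to the passfile with owner-only permissions.
# The umask is set in a subshell so it does not leak into the rest of the script.
# Arguments: $1 - key material (one line)
#######################################
write_passfile() {
  ( umask 077 && printf '%s\n' "$1" > "${PASSFILE}" )
}

#Test for connectivity. --max-time bounds the probe so a black-holed network
#does not stall the login indefinitely.
if ! curl -sS -I --max-time 10 "https://${SERVERFQDN_IPA}/ipa/session/json" >/dev/null 2>&1; then
  # Server is offline
  if [ -d "${ENCRYPTEDDATADIR}" ]; then
    echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
    # -s keeps the key out of the terminal and its scrollback; -r keeps
    # backslashes in the typed key literal.
    read -r -s -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
    echo
    write_passfile "${ENCKEY}"
  else
    echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
    echo "Please check your Connection/Server and retry."
    exit 1
  fi
else
  # Server is online
  #Get the Token from IPA
  echo "Getting the Vault ${IPAVAULTNAME}"
  if ipa vault-retrieve "${IPAVAULTNAME}" --out "${PASSFILE}" >/dev/null; then
    # ipa chooses the file mode itself; tighten it to owner-only.
    chmod 600 -- "${PASSFILE}"
    ENCKEY=$(cat -- "${PASSFILE}")
  else
    echo "No Key found. Will try to Setup a new one."
    ENCKEY=$(openssl rand -base64 24)
    write_passfile "${ENCKEY}"
    if ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard \
        && ipa vault-archive "${IPAVAULTNAME}" --in "${PASSFILE}"; then
      # First setup: the key is shown once so the user can keep an offline copy.
      echo
      echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
      echo
      echo "The Value is: ${ENCKEY}"
      echo
      echo "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
      echo
      echo "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
      echo
      read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
      echo
    else
      echo "Failed to create the Vault. Please check the Errors and try again."
      ENCKEY=""
    fi
  fi
fi

if [ -z "${ENCKEY}" ]; then
  echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
  # passfile is removed by the EXIT trap
  exit 2
fi
echo "Sucessfuly obtained IPA vault fileencryption key."

#Setup and use encrypted filesystem
# Both directories are needed for the mount on every run; only a missing
# gocryptfs.conf means the cipher directory has never been initialised, so the
# existence of the mount point alone must not trigger a re-init.
mkdir -p -- "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" "${HOME}/.config/gocryptfs"
if [ ! -f "${GOCRYPTFS_CONF}" ]; then
  echo "First Setup of encryption: Creating new Directories now"
  if ! gocryptfs -init -allow_other -passfile "${PASSFILE}" -config "${GOCRYPTFS_CONF}" "${ENCRYPTEDDATADIR}" >/dev/null; then
    echo "gocryptfs -init failed for ${ENCRYPTEDDATADIR}. Cannot continue."
    exit 1
  fi
fi

# gocryptfs runs in the foreground (-fg) inside a transient user unit so systemd
# tracks the FUSE process itself and ExecStop (fusermount -u) only fires when the
# unit is stopped. systemd-run returns as soon as the unit is *started*, so
# RETVAL says nothing about whether the mount succeeded; that is checked below.
systemd-run --user --unit=gocryptfs-home \
  --property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
  --property=KillMode=none \
  --property=TimeoutStopSec=30 \
  gocryptfs -fg -noprealloc -allow_other -passfile "${PASSFILE}" -config "${GOCRYPTFS_CONF}" "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" >/dev/null
RETVAL=$?

# Service starts asynchronously - wait for the FUSE mount to appear before
# removing the passfile, otherwise gocryptfs may not have read it yet.
_t=0
while [ "${_t}" -lt 10 ] && ! is_mounted; do
  sleep 1
  _t=$((_t + 1))
done
rm -f -- "${PASSFILE}"

if [ "${RETVAL}" -eq 0 ] && is_mounted; then
  echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
  exit 0
fi
if [ "${RETVAL}" -eq 0 ]; then
  # The unit started but the mount never showed up: do not claim success.
  echo "The unit gocryptfs-home was started, but ${DECRYPTEDDATADIR} did not appear in /proc/mounts within 10s."
  echo "Check: systemctl --user status gocryptfs-home"
  exit 1
fi
echo "Errorcode ${RETVAL}"
exit 1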