fedora-OEMDRV/system_setup/mount_ecrypt_home.sh
Daniel Pätzold f48c656997 First Commit
2026-01-02 11:24:52 +01:00
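#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Fetches the IPA vault entry holding the local file-encryption key and mounts
# the gocryptfs data directory in the user's home.
# If the IPA server is unreachable (e.g. no internet) the user is prompted to
# enter the key by hand. ATTENTION: the key MUST NOT be stored in plaintext on
# this PC; that would be very insecure!
# If no encryption has been set up yet, a new key is generated, archived in a
# new IPA vault and the gocryptfs directory is initialised with it.
#
# Settings are read from ./setup_system.conf (relative to the current
# directory). Required variables:
#   SERVERFQDN_IPA    FQDN of the IPA server
#   IPAVAULTNAME      name of the IPA vault holding the key
#   ENCRYPTEDDATADIR  gocryptfs cipher directory
#   DECRYPTEDDATADIR  mount point of the decrypted view
#   HOSTNM            host name used in the vault description
#
# Exit codes: 0 mounted (or already mounted); 1 server offline without an
# existing directory, or mount error; 2 no key obtained; 3 vault creation or
# archiving failed.
#
# The key is written only to a private (umask 077), unpredictable temp file
# that is removed on every exit path. The previous fixed path
# /var/tmp/IPAVAULTKEY.txt was world-readable and predictable.
# TODO: XDG_RUNTIME_DIR is normally a user-private tmpfs on Fedora; confirm
# this holds on the target systems, otherwise the fallback lands on disk.

# shellcheck source=/dev/null
source ./setup_system.conf || {
  printf '%s\n' "Cannot read ./setup_system.conf" >&2
  exit 1
}
: "${SERVERFQDN_IPA:?must be set in setup_system.conf}"
: "${IPAVAULTNAME:?must be set in setup_system.conf}"
: "${ENCRYPTEDDATADIR:?must be set in setup_system.conf}"
: "${DECRYPTEDDATADIR:?must be set in setup_system.conf}"
: "${HOSTNM:?must be set in setup_system.conf}"

ENCKEY=
KEYDIR=
KEYFILE=

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - exit status, $@ - message
#######################################
die() {
  local rc=$1
  shift
  printf '%s\n' "$*" >&2
  exit "${rc}"
}

#######################################
# Remove the temporary key directory (installed as EXIT trap).
# Globals: KEYDIR (read)
#######################################
cleanup() {
  [[ -n "${KEYDIR}" ]] && rm -rf -- "${KEYDIR}"
}

#######################################
# Returns 0 when DECRYPTEDDATADIR is listed as a mount point in /etc/mtab.
# Fixed-string match surrounded by spaces so that a prefix of a longer
# mount point (e.g. /home/u/data vs /home/u/data2) is not mistaken for it.
# Globals: DECRYPTEDDATADIR (read)
#######################################
already_mounted() {
  grep -qF -- " ${DECRYPTEDDATADIR} " /etc/mtab
}

#######################################
# Returns 0 when the IPA server answers over HTTPS.
# curl exits non-zero only on transport failure (DNS, connect, timeout);
# an HTTP error status such as 401 still counts as "online" here.
# Globals: SERVERFQDN_IPA (read)
#######################################
server_online() {
  curl -sI --max-time 10 "https://${SERVERFQDN_IPA}/ipa/session/json" \
    >/dev/null 2>&1
}

#######################################
# Offline fallback: ask the user for the key on the terminal.
# Exits with 1 when no encrypted directory exists to mount.
# Globals: ENCRYPTEDDATADIR, SERVERFQDN_IPA (read); ENCKEY (written);
#          KEYFILE (written to)
#######################################
ask_key_manually() {
  if [[ ! -d "${ENCRYPTEDDATADIR}" ]]; then
    die 1 "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue." \
      "Please check your Connection/Server and retry."
  fi
  printf '%s\n' "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
  # -s keeps the secret out of the terminal and scrollback; -r keeps
  # backslashes verbatim so the key is stored exactly as typed.
  read -r -s -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
  printf '\n'
  printf '%s\n' "${ENCKEY}" >"${KEYFILE}"
}

#######################################
# Online path: fetch the key from the IPA vault, or create a new key and
# vault when none exists. Exits with 2 if key generation fails and with 3
# if the vault cannot be created/archived (the unarchived key is then
# discarded rather than used, since it would be unrecoverable).
# Globals: IPAVAULTNAME, HOSTNM (read); ENCKEY (written); KEYFILE (written to)
#######################################
retrieve_or_create_key() {
  printf '%s\n' "Getting the Vault ${IPAVAULTNAME}"
  if ipa vault-retrieve "${IPAVAULTNAME}" --out "${KEYFILE}" >/dev/null; then
    ENCKEY=$(<"${KEYFILE}")
    return 0
  fi

  printf '%s\n' "No Key found. Will try to Setup a new one."
  ENCKEY=$(openssl rand -base64 24) || die 2 "Could not generate a new Key."
  printf '%s\n' "${ENCKEY}" >"${KEYFILE}"

  # Both steps must succeed; checking "$?" after an 'if' (as before) only
  # ever saw the status of the 'if' itself, so failures were reported as
  # success.
  if ! ipa vault-add "${IPAVAULTNAME}" \
      --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard \
    || ! ipa vault-archive "${IPAVAULTNAME}" --in "${KEYFILE}"; then
    die 3 "Failed to create the Vault. Please check the Errors and try again."
  fi

  printf '\n%s\n\n' "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
  printf '%s\n\n' "The Value is: ${ENCKEY}"
  printf '%s\n\n' "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
  printf '%s\n\n' "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
  read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
  printf '\n'
}

#######################################
# Initialise the gocryptfs directory on first use and mount it.
# First use is detected by the absence of the gocryptfs config file, which
# 'gocryptfs -init -config' creates; this avoids re-running -init on a
# populated cipher directory when only the mount point is missing.
# Globals: ENCRYPTEDDATADIR, DECRYPTEDDATADIR, HOME, KEYFILE (read)
# Returns: gocryptfs mount status
#######################################
mount_data_dir() {
  local cfg="${HOME}/.config/gocryptfs/gocryptfs.conf"
  mkdir -p -- "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" "${HOME}/.config/gocryptfs" \
    || die 1 "Could not create ${ENCRYPTEDDATADIR}, ${DECRYPTEDDATADIR} or ${HOME}/.config/gocryptfs"
  if [[ ! -f "${cfg}" ]]; then
    printf '%s\n' "First Setup of encryption: Creating new Directories now"
    gocryptfs -init -passfile "${KEYFILE}" -config "${cfg}" "${ENCRYPTEDDATADIR}" >/dev/null \
      || die 1 "gocryptfs -init failed for ${ENCRYPTEDDATADIR}"
  fi
  gocryptfs -noprealloc -passfile "${KEYFILE}" -config "${cfg}" \
    "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" >/dev/null
}

main() {
  if already_mounted; then
    printf '%s\n' "It looks like the directory is already mounted. Not mounting again." \
      "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
    exit 0
  fi

  umask 077
  KEYDIR=$(mktemp -d "${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/ipavaultkey.XXXXXX") \
    || die 1 "Could not create a private temporary directory for the Key."
  # The key file itself is created by whichever step obtains the key, so
  # 'ipa vault-retrieve --out' never has to overwrite an existing file.
  KEYFILE="${KEYDIR}/key"
  trap cleanup EXIT

  if server_online; then
    retrieve_or_create_key
  else
    ask_key_manually
  fi

  [[ -n "${ENCKEY}" ]] \
    || die 2 "Some Error while fetching your Credentials. This should not happen. Quit."

  local rc=0
  mount_data_dir || rc=$?
  if (( rc == 0 )); then
    printf '%s\n' "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
    exit 0
  fi
  # Previously referenced the misspelled ${RETAVAL}, so the code was always empty.
  die 1 "Errorcode ${rc}"
}

main "$@"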