#!/bin/zsh
#
# Tomb, the Crypto Undertaker
#
# a tool to easily operate file encryption of private and secret data
#
# Copyleft (C) 2007-2011 Denis Roio <jaromil@dyne.org>
#
# This source code is free software; you can redistribute it and/or
# modify it under the terms of the GNU Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This source code is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Please refer to the GNU Public License for more details.
#
# You should have received a copy of the GNU Public License along with
# this source code; if not, write to:
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# NOTE: the "-v" option of this script prints the license by scanning this
# very file for the lines from the one starting with "# This source" up to
# the one ending with the FSF address; keep those marker lines intact.

# Version string shown in banners and desktop notifications; DATE is the
# human-readable release month printed next to it.
VERSION=0.9
DATE=Jan/2011

# Disabled: when enabled it would pin PATH to the system directories for
# the whole (root) run instead of trusting the caller's PATH.
# PATH=/usr/bin:/usr/sbin:/bin:/sbin
# standard output message routines
# it's always useful to wrap them, in case we change behaviour later

# notice: headline progress message, prefixed with "[*]"
notice() {
  echo "[*] ${1}"
}

# act: step-by-step activity message, prefixed with " ."
act() {
  echo " . ${1}"
}

# error: failure message, prefixed with "[!]" (note: still written to stdout)
error() {
  echo "[!] ${1}"
}

# func: debug trace, printed only when DEBUG holds a non-empty value
func() {
  if [ -n "${DEBUG}" ]; then
    echo "[D] ${1}"
  fi
}
# which dd command to use: dcfldd when it is installed, plain dd otherwise.
# DD is expanded unquoted later on, so it must stay a single word.
if command -v dcfldd > /dev/null 2>&1; then
  DD="dcfldd"
else
  DD="dd"
fi
# which wipe command to use, kept as an array so it can be expanded as a
# command line: "wipe -f -s -q" when available, otherwise a plain "rm -f".
# NOTE(review): either way this is best-effort secure deletion; on journaling
# filesystems or flash media the old blocks may survive — verify for your setup.
if command -v wipe > /dev/null 2>&1; then
  WIPE=(wipe -f -s -q)
else
  WIPE=(rm -f)
fi
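# usb auto detect using dmesg
# tested on ubuntu 10.04 - please test and patch on other systems if you can
#
# Waits up to 1 minute for a USB storage device to be plugged in, then for
# the kernel to attach it and for its first partition to be auto-mounted.
# Exports usbkey_mount: the mount point on success, "none" on any timeout.
# Returns 0 on success, 1 on timeout or when no partition name is found.
# NOTE(review): detection is heuristic — it greps the tail of dmesg, so any
# device the kernel logs as "new ... USB device" / "Attached ... removable
# disk" in that window is taken as the key; callers should not trust the
# returned path blindly.
ask_usbkey() {
  local plugged attached mounted usbpart usbmount c

  notice "Waiting 1 minute for a usb key to connect"
  echo -n " . please insert your usb key "
  exec_as_user notify-send -i monmort \
    -u normal -h string:App:Tomb \
    -h double:Version:${VERSION} \
    -t 60 \
    "Insert your USB KEY" \
    "Tomb is waiting 1 minute for you to insert an external key."

  # phase 1: wait for the kernel to log a new USB device (60 x 1s)
  plugged=false
  c=0
  while [ "$plugged" != "true" ]; do
    if dmesg | tail -n 12 | grep -q 'new.*USB device'; then
      plugged=true
    fi
    echo -n "."
    sleep 1
    c=$(( c + 1 ))
    if [ "$c" -gt 60 ]; then
      echo
      error "timeout."
      export usbkey_mount=none
      return 1
    fi
  done
  echo
  echo -n " . usb key inserted, opening "

  # phase 2: wait for the disk to be attached (15 x 1s)
  c=0
  attached=false
  while [ "$attached" != "true" ]; do
    if dmesg | tail -n 3 | grep -q 'Attached.*removable disk'; then
      attached=true
    fi
    echo -n "."
    sleep 1
    c=$(( c + 1 ))
    if [ "$c" -gt 15 ]; then
      echo
      error "timeout."
      export usbkey_mount=none
      return 1
    fi
  done

  # get the first partition: the kernel logs a line like " sdb: sdb1 sdb2",
  # take the first name after the colon (the old "tr -d ' '" glued all of
  # them together)
  usbpart=$(dmesg | tail -n 8 | grep ' sd.:' | cut -d: -f2 | awk '{ print $1; exit }')
  if [ -z "$usbpart" ]; then
    echo
    error "cannot determine the partition of the usb key."
    export usbkey_mount=none
    return 1
  fi

  # phase 3: wait until that partition shows up as mounted (30 x 0.5s)
  c=0
  mounted=false
  while [ "$mounted" != "true" ]; do
    if tail -n 2 /proc/mounts | grep -q -- "$usbpart"; then
      mounted=true
    fi
    echo -n "."
    sleep .5
    c=$(( c + 1 ))
    if [ "$c" -gt 30 ]; then
      echo
      error "timeout."
      export usbkey_mount=none
      return 1
    fi
  done

  # check where it is mounted
  usbmount=$(awk -v p="$usbpart" '$1 == "/dev/" p { print $2 }' /proc/mounts)
  echo
  act "usb key mounted on $usbmount"
  export usbkey_mount=$usbmount
  return 0
}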
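# user interface (just to ask the password)
#
# Sets the global variable scolopendro to the password typed by the user.
# When the X display is reachable (exec_as_user xhost succeeds) a graphical
# prompt is tried first: tomb-askpass, then ssh-askpass.  Otherwise — or
# when neither helper is available, which previously left scolopendro unset —
# the password is read from the terminal with echo disabled.
# Reads the global enc_key (set by mount_tomb) to name the key in the prompt.
# NOTE(review): the password is kept in a plain shell variable and is not
# exported any more, so it is not inherited by every child process started
# afterwards; mount_tomb reads it in this same shell and unsets it.
ask_password() {
  local keyname

  if exec_as_user xhost > /dev/null 2>&1; then # we have access to the X display
    if exec_as_user which tomb-askpass > /dev/null 2>&1; then
      keyname=$(basename "$enc_key" | cut -d. -f1)
      scolopendro=$(exec_as_user tomb-askpass "$keyname")
      return
    elif [ -x /usr/bin/ssh-askpass ]; then # debian has this
      scolopendro=$(exec_as_user ssh-askpass "Tomb: provide the password to unlock")
      return
    fi
    # no graphical helper found: fall back to the terminal prompt below
  fi

  # we'll collect the password from commandline
  act "Tomb: provide the password to unlock"
  echo -n " > "
  read -s scolopendro

  # just in case we'd like to have dialog supported too:
  # dialog --backtitle "This file is encrypted for privacy protection" \
  # --title "Security check" --insecure \
  # --passwordbox "Enter password:" 10 30 2> /var/run/.scolopendro
}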
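# popup notification
#
# Sends a desktop notification as the unprivileged user (via exec_as_user).
# With no arguments a default greeting is shown; otherwise every argument is
# passed through to notify-send after the icon option (typically a summary
# and a body string).
tomb-notify() {
  if [ -z "$1" ]; then
    exec_as_user notify-send -i monmort \
      -u low -h string:App:Tomb \
      -h double:Version:${VERSION} \
      "Tomb version $VERSION" \
      "Hi, I'm the Undertaker.
Let's start setting your Crypt?"
  else
    # "$@" hands every argument over intact; the unquoted form dropped
    # empty arguments and, under sh, would split them on whitespace
    exec_as_user notify-send -i monmort "$@"
  fi
}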
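# drop privileges
#
# Runs the given command line as the invoking (non-root) user named by
# SUDO_USER, which sudo sets when this script is started through it.
# Arguments: the command and its arguments.
# Returns: the command's exit status, or 1 when SUDO_USER is empty — without
# that guard "sudo -u" would take the command name as the user name.
exec_as_user() {
  func "executing as user '$SUDO_USER': ${(f)@}"
  if [ -z "$SUDO_USER" ]; then
    error "SUDO_USER is not set, cannot drop privileges to run: $1"
    return 1
  fi
  sudo -u "$SUDO_USER" "$@"
}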
############################
### main()
###

# greet the user; the func lines only show up when DEBUG is set
notice "Tomb - simple commandline tool for encrypted storage"
act "version ${VERSION} (${DATE}) by Jaromil @ dyne.org"
func "invoked with args \"${(f)@}\" "
func "running on $(date)"
# first pass over the options: only the flags that must act before the root
# check below (-h help, -v version/license, -S acquire privileges).
# NOTE(review): OPTS is assigned but never applied (there is no
# 'eval set -- "$OPTS"'), so the positional parameters are inspected as
# given and a flag is only recognised here when it comes first.
OPTS=`getopt -o hvs:k:S -n 'tomb' -- "$@"`
while true; do
  case "$1" in
    -h)
      act ""
      notice "Syntax: tomb [options] command [file] [mountpoint]"
      act ""
      notice "Options:"
      act "-h print this help"
      act "-v print out the version information for this tool"
      act "-s size of the storage file when creating one (MB)"
      act "-k path to the key to use for decryption"
      act "-S acquire super user rights if possible"
      act ""
      notice "Commands:"
      act "create create a new encrypted storage FILE and keys"
      act "open open an existing tomb FILE on MOUNTPOINT"
      act "close closes the tomb on MOUNTPOINT"
      echo; exit 2 ;;
    -v)
      # print out the GPL license in this file: every line from the one
      # starting with "# This source" up to the one ending "MA 02139, USA."
      act ""
      cat $0 | awk '
BEGIN { license=0 }
/^# This source/ { license=1 }
{ if(license==1) print " " $0 }
/MA 02139, USA.$/ { license=0 }
'
      act ""
      exit 0 ;;
    # -S is shifted away here so it is not handed on to the re-executed
    # "tomb" command line when privileges are acquired below
    -S) GETPRIV=true; shift 1 ;;
    *) break ;;
  esac
done
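# make sure we run as root: losetup, cryptsetup and mount below need it.
# When not root and -S was given, re-execute ourselves through gksu or sudo.
# The check uses the numeric uid: the former "id | grep root" also matched
# any account that merely belongs to a group whose name contains "root".
if [ "$(id -u)" != "0" ]; then
  if [ "$GETPRIV" = "true" ]; then
    if command -v gksu > /dev/null 2>&1; then
      act "Using gksu for root execution of 'tomb ${(f)@}'"
      # NOTE(review): gksu receives a single string; arguments containing
      # spaces or shell metacharacters are not preserved as given — verify
      gksu "tomb ${(f)@}"
      exit $?
    fi
    if command -v sudo > /dev/null 2>&1; then
      act "Using sudo for root execution of 'tomb ${(f)@}'"
      # sudo does not go through a shell: the program and its arguments must
      # be separate words, a single "tomb ..." string is looked up as one
      # command name and fails (-S was already shifted away above)
      sudo tomb "$@"
      exit $?
    fi
    exit 1
  else
    error "This program must be run as root to produce results"
    exit 1
  fi
fi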
# now process the real options
# NOTE(review): as in the first pass, OPTS is computed but never applied;
# the loop consumes "-s SIZE" / "-k KEY" pairs from the positional
# parameters until "--" or the first other word, which becomes the command.
# A -h/-v/-S appearing here (after -s or -k) is therefore taken as the
# command word rather than as an option.
OPTS=`getopt -o hvs:k:S -n 'tomb' -- "$@"`
while true; do
  case "$1" in
    -s) SIZE=$2; shift 2 ;;
    -k) KEY=$2; shift 2 ;;
    --) shift; break ;;
    # command word followed by up to two positional arguments: FILE/MOUNT
    # keep the historical names, CMD2/CMD3 are the same values for "notify"
    *) CMD=$1;
       FILE=$2; MOUNT=$3; # compat with old args
       CMD2=${2}; CMD3=${3}; break ;;
  esac
done
# a command word is mandatory: without one show the greeting popup and stop
if [ -z "${CMD}" ]; then
  error "first argument missing, use -h for help"
  tomb-notify
  exit 0
fi
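func "command: $CMD for file $FILE"

# per-user tomb "fstab" (its format mirrors the system fstab), created on
# first run.  NOTE(review): this code runs as root, so HOME is root's home
# unless sudo preserved the caller's HOME — confirm which one is intended.
tombdir=${HOME}/.tomb
tombtab=${tombdir}/fstab
if ! [ -r "${tombtab}" ]; then
  act "creating tomb filesystem tab in your home"
  # create the directory named by tombdir (the old code spelled the path
  # out a second time) with mode 0700: the tab lists key files and
  # mount points, so keep it private to its owner
  mkdir -m 0700 -p "${tombdir}"
  {
    echo "# entombed filesystem information, see man tomb (TODO)"
    echo "# format here is similar to the system wide fstab"
    echo "# <file system> <mount point> <type> <options> <key>"
  } > "${tombtab}"
fi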
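# create a new tomb: a file filled with random data, a LUKS container on it
# unlocked by 256 random bytes, that key saved gpg-symmetric-encrypted as
# FILE.gpg (optionally moved to a usb key), then an ext4 filesystem inside.
#
# Reads the globals FILE, SIZE (MB), MOUNT (taken as SIZE for old-style
# arguments), DD, WIPE and, after ask_usbkey, usbkey_mount.
# Exits the script: 0 on success, 1 on any failure.  On every abort path the
# temporary key file is wiped and the loop device detached, so no key
# material is left behind.
create_tomb() {
  local SIZE_4k nstloop keytmp

  if [ -e "$FILE" ]; then
    error "$FILE exists already. I'm not digging here."
    exit 1
  fi

  notice "Creating a new tomb"
  if [ -z "$SIZE" ]; then
    if [ -n "$MOUNT" ]; then
      SIZE=$MOUNT
    else
      act "No size specified, summoning the Tomb Undertaker to guide us in the creation."
      tomb-open &
      disown
      exit 0
    fi
  fi

  # make sure the file has a .tomb extension
  FILE="${FILE%\.*}.tomb"

  # SIZE is in (decimal) megabytes; refuse anything that is not a number
  # instead of letting expr/dd fail with a cryptic message
  case "$SIZE" in
    ''|*[!0-9]*)
      error "size must be a number of megabytes, got '${SIZE}'"
      exit 1 ;;
  esac
  SIZE_4k=$(( SIZE * 1000 / 4 ))
  act "Generating ${FILE} of ${SIZE}Mb (${SIZE_4k} blocks of 4Kb)"
  # TODO: use dd_rescue
  if ! $DD if=/dev/urandom bs=4k count=${SIZE_4k} of="${FILE}" || ! [ -e "${FILE}" ]; then
    error "Error creating the tomb ${FILE}, operation aborted."
    exit 1
  fi
  act "OK: $(ls -lh "${FILE}")"

  # NOTE(review): /tmp/tomb is not used anywhere in this function; a fixed
  # name under /tmp created by root can be pre-created by any local user —
  # confirm whether tomb-open relies on it before removing this line
  mkdir -p /tmp/tomb

  modprobe dm-crypt
  modprobe aes-i586

  nstloop=$(losetup -f) # get the number for next loopback device
  losetup -f "${FILE}"  # allocates the next loopback for our file

  # mktemp creates the file with mode 0600; it holds the raw LUKS key until
  # it has been written into the container and is wiped right after
  keytmp=$(mktemp)
  if [ -z "${keytmp}" ]; then
    error "cannot create a temporary file for the key, operation aborted."
    losetup -d "${nstloop}"
    exit 1
  fi
  act "Generating secret key..."
  act "this operation takes time, keep using this computer on other tasks,"
  act "once done you will be asked to choose a password for your tomb."
  dd if=/dev/urandom bs=1 count=256 of="${keytmp}"

  notice "Setup your secret key file ${FILE}.gpg"
  tomb-notify "The Tomb key is being forged:" "please set your password."
  # here user is prompted for key password; the loop re-prompts while gpg
  # exits with status 2 (presumably a rejected passphrase entry — confirm)
  gpg -o "${FILE}.gpg" --no-options --openpgp -c -a "${keytmp}"
  while [ $? = 2 ]; do
    gpg -o "${FILE}.gpg" --no-options --openpgp -c -a "${keytmp}"
  done
  # any other gpg failure (e.g. the user aborting) would otherwise leave a
  # formatted tomb without a saved key: unrecoverable
  if ! [ -r "${FILE}.gpg" ]; then
    error "the key file ${FILE}.gpg was not created, operation aborted."
    "${WIPE[@]}" "${keytmp}"
    losetup -d "${nstloop}"
    exit 1
  fi

  act "formatting Luks mapped device"
  # dm-crypt only supports sha1
  # but we can use aes-cbc-essiv with sha256 for better security
  # see http://clemens.endorphin.org/LinuxHDEncSettings
  if ! cryptsetup --batch-mode \
      --cipher aes-cbc-essiv:sha256 --key-size 256 \
      luksFormat "${nstloop}" "${keytmp}"; then
    # the old code reported this with "exit 0"; it is a failure
    error "operation aborted."
    "${WIPE[@]}" "${keytmp}"
    losetup -d "${nstloop}"
    exit 1
  fi

  if ! cryptsetup --key-file "${keytmp}" --cipher aes luksOpen "${nstloop}" tomb.tmp; then
    error "cannot open the freshly formatted tomb, operation aborted."
    "${WIPE[@]}" "${keytmp}"
    losetup -d "${nstloop}"
    exit 1
  fi
  "${WIPE[@]}" "${keytmp}"

  notice "Your tomb is ready on ${FILE} and secured with key ${FILE}.gpg"
  act "Would you like to save the key on an external usb device?"
  act "This is recommended for safety:"
  act "always keep the key in a different place than the door!"
  act "If you answer yes, you'll need a USB KEY now: (y/n)"
  tomb-notify "Tomb has forged a key." "Would you like to save it on USB?"
  echo -n " > "
  if read -q; then
    ask_usbkey
    # ask_usbkey exports usbkey_mount=none on timeout
    if [ "${usbkey_mount}" = "none" ] || ! [ -d "${usbkey_mount}" ]; then
      error "cannot save the key in a separate place, move it yourself later."
    else
      mkdir -m 0700 -p "${usbkey_mount}/.tomb"
      # remove the local copy only once the copy on the usb key is verified:
      # wiping after a failed cp would leave the tomb without any key
      if cp -v "${FILE}.gpg" "${usbkey_mount}/.tomb/" \
          && [ -r "${usbkey_mount}/.tomb/$(basename "${FILE}.gpg")" ]; then
        chmod -R go-rwx "${usbkey_mount}/.tomb"
        "${WIPE[@]}" "${FILE}.gpg"
      else
        error "copy to the usb key failed, the key stays in ${FILE}.gpg"
      fi
    fi
  fi
  # cryptsetup luksDump ${nstloop}

  act "formatting your Tomb with Ext4 filesystem"
  if mkfs.ext4 -q -F -j -L "${FILE%\.*}-$(hostname)" /dev/mapper/tomb.tmp; then
    act "OK, encrypted storage succesfully formatted"
  else
    act "error formatting Tomb"
  fi

  sync
  cryptsetup luksClose tomb.tmp
  losetup -d "${nstloop}"

  notice "done creating $FILE encrypted storage (using Luks dm-crypt AES/SHA256)"
  tomb-notify "The Tomb is ready!" "We will now open your new Tomb for the first time."
  # re-enters through PATH: assumes the "tomb" command is installed
  tomb mount "$FILE"
}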
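# open a tomb: attach FILE to a loop device, verify it is LUKS, decrypt the
# gpg key with the user's password (up to three attempts), map it, fsck it
# and mount it on MOUNT owned by the invoking user.
#
# Reads the globals FILE, MOUNT, KEY (optional path to the key file); sets
# the global enc_key (read by ask_password); calls ask_usbkey when the key
# is not found locally.  Exits the script: 0 on success, 1 on failure,
# detaching the loop device and closing the mapping on every failure path.
mount_tomb() {
  local nstloop mapdate mapper c ME keyname

  if [ -z "$KEY" ]; then
    # default: the key sits next to the tomb file as FILE.gpg (the old
    # basename-only default only found it when run from that directory)
    enc_key="${FILE}.gpg"
  else
    enc_key="$KEY"
  fi

  notice "mounting $FILE on mountpoint $MOUNT"
  if [ -z "$MOUNT" ]; then
    MOUNT=/media/$(basename "${FILE}")
    act "mountpoint not specified, using default: $MOUNT"
    mkdir -p "$MOUNT"
  elif ! [ -x "$MOUNT" ]; then
    error "mountpoint $MOUNT doesn't exist"
    exit 1
  fi

  # check if key file is present
  if ! [ -r "${enc_key}" ]; then
    error "encryption key ${enc_key} not found on disk"
    error "use -k option to specify which key to use"
    error "or provide a usb key, or press ctrl-c to abort"
    ask_usbkey
    # returns usbkey_mount (or "none"), now check if the key is there
    keyname=$(basename "${enc_key}")
    if [ "${usbkey_mount}" != "none" ] && [ -r "${usbkey_mount}/.tomb/${keyname}" ]; then
      enc_key="${usbkey_mount}/.tomb/${keyname}"
      notice "key found on ${enc_key}"
    else
      error "key is missing."
      exit 1
    fi
  fi

  # NOTE(review): finding the next free device and attaching are two steps,
  # so a concurrent losetup can race in between — confirm whether the
  # installed losetup supports "--show -f FILE" to do it atomically
  nstloop=$(losetup -f)
  if ! losetup -f "${FILE}"; then
    error "cannot attach $FILE to a loopback device"
    exit 1
  fi

  act "check for a valid LUKS encrypted device"
  if ! cryptsetup isLuks "${nstloop}"; then
    # is it a LUKS encrypted nest? see cryptsetup(1)
    error "$FILE is not a valid Luks encrypted storage file"
    losetup -d "${nstloop}" # do not leave the loop device attached
    exit 1
  fi

  modprobe dm-crypt
  modprobe aes-i586

  # save date of mount in minutes since 1970
  mapdate=$(( $(date +%s) / 60 ))

  # mapper name: tomb.<name>.<minutes>.<loopN>; umount_tomb splits it on
  # the dots to find the loop device again
  mapper="tomb.$(basename "$FILE" | cut -d. -f1).${mapdate}.$(basename "$nstloop")"

  notice "Password is required for key ${enc_key}"
  for c in 1 2 3; do
    ask_password
    # the passphrase goes to gpg on stdin (never on the command line);
    # printf passes it verbatim, whereas zsh's builtin echo interprets
    # backslash escapes and would mangle some passphrases
    printf '%s\n' "${scolopendro}" \
      | gpg --passphrase-fd 0 --no-tty --no-options \
          -d "${enc_key}" 2>/dev/null \
      | cryptsetup --key-file - luksOpen "${nstloop}" "${mapper}"
    unset scolopendro
    if [ -r "/dev/mapper/${mapper}" ]; then
      break # password was correct
    fi
  done

  if ! [ -r "/dev/mapper/${mapper}" ]; then
    error "failure mounting the encrypted file"
    losetup -d "${nstloop}"
    exit 1
  fi

  act "encrypted storage filesystem check"
  fsck -p -C0 "/dev/mapper/${mapper}"

  # NOTE(review): nosuid is not among the mount options; consider adding it
  # unless tombs are meant to carry setuid binaries
  if ! mount -o rw,noatime,nodev "/dev/mapper/${mapper}" "${MOUNT}"; then
    # the old code went on to chown the empty mountpoint and report success
    error "failure mounting /dev/mapper/${mapper} on ${MOUNT}"
    cryptsetup luksClose "${mapper}"
    losetup -d "${nstloop}"
    exit 1
  fi

  # Ensure the user can write the disk
  ME=${SUDO_USER:-$(whoami)}
  chmod 0750 "${MOUNT}"
  chown "$(id -u "$ME"):$(id -g "$ME")" "${MOUNT}"

  notice "encrypted storage $FILE succesfully mounted on $MOUNT"
  ( exec_as_user tomb-status "${mapper}" "${FILE}" "${MOUNT}" ) &
  disown
  exit 0
}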
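# close a tomb: unmount it, close the LUKS mapping and detach the loop
# device.  FILE (optional) names the open tomb as a "tomb.*" mapper name,
# a full /dev/mapper path or its mount point; with no FILE the single open
# tomb is closed, and with several open tombs the user is asked to choose.
# Exits the script: 0 on success, 1 on failure.
umount_tomb() {
  local tombs how_many_tombs mapper basemap tombname loopdev

  if [ -z "$FILE" ]; then
    # zsh glob qualifier (N): expands to nothing instead of the literal
    # pattern when no tomb is open (replaces parsing the output of ls)
    tombs=( /dev/mapper/tomb.*(N) )
    how_many_tombs=${#tombs[@]}
    if [ "$how_many_tombs" = 0 ]; then
      error "there is no open tomb to be closed"
      exit 0
    elif [ "$how_many_tombs" = 1 ]; then
      mapper=${tombs[1]}
    else
      error "too many tombs mounted, please specify which to unmount:"
      printf '%s\n' "${tombs[@]}"
      exit 1
    fi
  else
    mapper=
    if [ -r "/dev/mapper/${FILE}" ]; then
      mapper=/dev/mapper/${FILE}
    elif [ -d "${FILE}" ]; then
      # a mount point (the usage text promises "close MOUNTPOINT"): look up
      # which tomb mapper is mounted there.  NOTE(review): /proc/mounts
      # escapes spaces as \040, such mount points will not match here
      mapper=$(awk -v m="${FILE%/}" '$2 == m && $1 ~ /^\/dev\/mapper\/tomb\./ { print $1; exit }' /proc/mounts)
    elif [ -r "${FILE}" ]; then
      mapper=$FILE
    fi
    if [ -z "${mapper}" ] || ! [ -r "${mapper}" ]; then
      error "tomb not found: $FILE"
      error "please specify an existing /dev/mapper/tomb.*"
      ls /dev/mapper/tomb.*
      exit 1
    fi
  fi

  basemap=$(basename "$mapper")
  # a readable FILE that is not a tomb mapper (e.g. the .tomb file itself)
  # would otherwise reach umount/luksClose with a meaningless name
  if ! [ -r "/dev/mapper/${basemap}" ]; then
    error "${mapper} is not an open tomb: /dev/mapper/${basemap} does not exist"
    exit 1
  fi
  tombname=$(echo "${basemap}" | cut -d. -f2)

  if ! umount "${mapper}"; then
    tomb-notify "Tomb '$tombname' is too busy." \
      "Close all applications and file managers, then try again."
    exit 1
  fi

  if ! cryptsetup luksClose "$basemap"; then
    error "error occurred in cryptsetup luksClose ${basemap}"
    exit 1
  fi

  # the mapper is named tomb.<name>.<minutes>.<loopN> by mount_tomb: the
  # fourth field is the loop device to detach
  loopdev=$(echo "$basemap" | cut -d. -f4)
  losetup -d "/dev/${loopdev}"

  notice "crypt storage ${mapper} unmounted"
  tomb-notify "Tomb closed: $tombname" "Your bones will Rest In Peace."
  exit 0
}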
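# install mime-types, bells and whistles for the desktop
# see http://developers.sun.com/solaris/articles/integrating_gnome.html
# and freedesktop specs
#
# Writes the shared-mime-info definition, the .desktop entry, the Debian
# menu entry, the legacy mime-info and application-registry files, then
# refreshes the respective databases.  Runs as root; returns 1 only when
# no private temporary directory can be created.
install() {
  local tmpdir

  # TODO: distro package deps (for binary)
  # debian: zsh, cryptsetup, libgtk2.0-0, libnotify-bin
  act "updating mimetypes..."
  # the old fixed /tmp/dyne-tomb.xml could be pre-created or symlinked by
  # any local user before root writes to it: use a private directory and
  # keep the vendor-prefixed file name xdg-mime expects
  tmpdir=$(mktemp -d)
  if [ -z "${tmpdir}" ]; then
    error "cannot create a temporary directory"
    return 1
  fi
  cat <<EOF > "${tmpdir}/dyne-tomb.xml"
<?xml version="1.0"?>
<mime-info xmlns='http://www.freedesktop.org/standards/shared-mime-info'>
<mime-type type="application/x-tomb-volume">
<comment>Tomb encrypted volume</comment>
<glob pattern="*.tomb"/>
</mime-type>
<mime-type type="application/x-tomb-key">
<comment>Tomb crypto key</comment>
<glob pattern="*.tomb.gpg"/>
</mime-type>
</mime-info>
EOF
  xdg-mime install "${tmpdir}/dyne-tomb.xml"
  xdg-icon-resource install --context mimetypes --size 32 monmort.xpm monmort
  xdg-icon-resource install --size 32 monmort.xpm dyne-monmort
  rm -rf -- "${tmpdir:?}"

  act "updating desktop..."
  cat <<EOF > /usr/share/applications/tomb.desktop
[Desktop Entry]
Version=1.0
Type=Application
Name=Tomb crypto undertaker
GenericName=Crypto undertaker
Comment=Keep your bones safe
Exec=tomb-open %U
TryExec=tomb-open
Icon=monmort.xpm
Terminal=false
Categories=Utility;Security;Archiving;Filesystem;
MimeType=application/x-tomb-volume;
X-AppInstall-Package=tomb
EOF
  update-desktop-database

  act "updating menus..."
  # unquoted here-doc: the trailing backslashes join the lines
  cat <<EOF > /etc/menu/tomb
?package(tomb):command="tomb" icon="/usr/share/pixmaps/monmort.xpm" needs="cryptsetup" \
section="Applications/Accessories" title="Tomb" hints="Crypto" \
hotkey="Tomb"
EOF
  update-menus

  act "updating mime info..."
  cat <<EOF > /usr/share/mime-info/tomb.keys
# actions for encrypted tomb storage
application/x-tomb-volume:
open=tomb-open %f
view=tomb-open %f
icon-filename=monmort.xpm
short_list_application_ids_for_novice_user_level=tomb
EOF
  cat <<EOF > /usr/share/mime-info/tomb.mime
# mime type for encrypted tomb storage
application/x-tomb-volume
ext: tomb

application/x-tomb-key
ext: tomb.gpg
EOF
  cat <<EOF > /usr/lib/mime/packages/tomb
application/x-tomb-volume; tomb-open '%s'; priority=8
EOF
  update-mime

  act "updating application entry..."
  cat <<EOF > /usr/share/application-registry/tomb.applications
tomb
command=tomb-open
name=Tomb - Crypto Undertaker
can_open_multiple_files=false
expects_uris=false
requires_terminal=false
mime-types=application/x-tomb-volume,application/x-tomb-key
EOF
  act "Tomb is now installed."
}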
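# dispatch the command word; the tomb handlers exit the script themselves
case "$CMD" in
  create)  create_tomb ;;
  mount)   mount_tomb ;;
  open)    mount_tomb ;;
  umount)  umount_tomb ;;
  unmount) umount_tomb ;;
  close)   umount_tomb ;;
  install) install ;;
  status)  tomb-status ;;
  # left unquoted on purpose: zsh drops empty words, so a missing CMD3 is
  # not handed to tomb-notify as an empty argument
  notify)  tomb-notify $CMD2 $CMD3 ;;
  *)
    error "command \"$CMD\" not recognized"
    act "try -h for help"
    # an unknown command is a usage error and must not report success: the
    # former "break" here was outside any loop and fell through to exit 0
    exit 1
    ;;
esac
exit 0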