#!/usr/bin/env zsh # # Tomb, the Crypto Undertaker # # A commandline tool to easily operate encryption of secret data # # {{{ License # Copyright (C) 2007-2024 Dyne.org Foundation # # Tomb is designed, written and maintained by Denis Roio # # Please refer to the AUTHORS file for more information. # # This source code is free software; you can redistribute it and/or # modify it under the terms of the GNU Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This source code is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Please refer # to the GNU Public License for more details. # # You should have received a copy of the GNU Public License along with # this source code; if not, , see . # }}} - License # {{{ Global variables typeset VERSION="2.11.0" typeset DATE="Jul/2024" typeset TOMBEXEC=$0 typeset TMPDIR=${${TMPPREFIX%/*}:-/tmp} # TODO: configure which tmp dir to use from a cli flag # Tomb is using some global variables set by the shell: # TMPPREFIX, UID, GID, PATH, TTY, USERNAME # You can grep 'global variable' to see where they are used. # Keep a reference of the original command line arguments typeset -a OLDARGS for arg in "${(@)argv}"; do OLDARGS+=("$arg"); done # Special command requirements typeset -a DD WIPE PINENTRY SUDO DD=(dd) WIPE=(rm -f) # load zsh regex module zmodload zsh/mapfile zmodload -F zsh/stat b:zstat # make sure variables aren't exported unsetopt allexport # Flag optional commands if available (see _ensure_dependencies()) typeset -i KDF=1 typeset -i STEGHIDE=1 typeset -i CLOAKIFY=1 typeset -i DECLOAKIFY=1 typeset -i RESIZER=1 typeset -i RECOLL=1 typeset -i QRENCODE=1 typeset -i LSOF=1 typeset -i ACL=1 typeset -i ARGON2=1 # Default mount options typeset MOUNTOPTS="rw,noatime,nodev" # Makes glob matching case insensitive unsetopt CASE_MATCH typeset -AH OPTS # Command line options (see main()) # Command context (see _whoami()) typeset -H _USER # Running username typeset -Hi _UID # Running user identifier typeset -Hi _GID # Running user group identifier typeset -H _TTY # Connected input terminal # Tomb context (see is_valid_tomb()) typeset -H TOMBPATH # Full path to the tomb typeset -H TOMBDIR # Directory where the tomb is typeset -H TOMBFILE # File name of the tomb typeset -H TOMBNAME # Name of the tomb # Tomb secrets typeset -H TOMBKEY # Encrypted key contents (see forge_key(), recover_key()) typeset -H TOMBKEYFILE # Key file (ditto) typeset -H TOMBSECRET # Raw deciphered key (see forge_key(), gpg_decrypt()) typeset -H TOMBPASSWORD # Raw tomb passphrase (see gen_key(), ask_key_password()) typeset -H TOMBTMP # Filename of secure temp just created (see _tmp_create()) typeset -aH TOMBTMPFILES # Keep track of temporary files typeset -aH TOMBLOOPDEVS # Keep track of used loop devices typeset -A TOMBFILESSTAT # Keep track of access date attributes typeset _MSG_FD_OVERRIDE # if set, _msg will write to this file descriptor # Make sure sbin is in PATH (man zshparam) path+=( /sbin /usr/sbin ) # For gettext export TEXTDOMAIN=tomb # }}} # {{{ Safety functions # Wrap sudo with a more visible message or apply user-supplied alternative to sudo _sudo() { if option_is_set --sudo; then pescmd=`option_value --sudo` case `basename $pescmd` in "doas"|"sup"|"sud"|"pkexec") command -v $pescmd > /dev/null || _failure "$pescmd executable not found" _verbose "Super user execution using $pescmd" ${pescmd} ${@} return $? ;; "skip"|"none") _verbose "Super user execution skipped (SUID caller)" ${@} return $? ;; *) _failure "Super user execution not supported: ::1 sudo::" "`option_value --sudo`" ;; esac else if [[ "`id -u`" = "0" ]]; then _verbose "Super user execution skipped (SUID caller)" ${@} return $? elif command -v sudo 1>/dev/null 2>/dev/null; then local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges" command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")" msg=${(S)msg//::1*::/$USER} [[ -n "$SUDO_ASKPASS" ]] && local sudo_askpass="--askpass" sudo $sudo_askpass -p " $msg " ${@} return $? elif command -v doas 1>/dev/null 2>/dev/null; then local msg="Enter password for user ::1 user:: to gain superuser privileges" command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")" msg=${(S)msg//::1*::/$USER} doas ${@} return $? else _failure "No way found to escalate privileges to super user." fi fi } # Cleanup anything sensitive before exiting. _endgame() { option_value_contains -o ro || { # Restore access time of sensitive files [[ -z $TOMBFILESSTAT ]] || _restore_stat } # Prepare some random material to overwrite vars local rr="$RANDOM" while [[ ${#rr} -lt 500 ]]; do rr+="$RANDOM" done # Ensure no information is left in unallocated memory TOMBPATH="$rr"; unset TOMBPATH TOMBDIR="$rr"; unset TOMBDIR TOMBFILE="$rr"; unset TOMBFILE TOMBNAME="$rr"; unset TOMBNAME TOMBKEY="$rr"; unset TOMBKEY TOMBKEYFILE="$rr"; unset TOMBKEYFILE TOMBSECRET="$rr"; unset TOMBSECRET TOMBPASSWORD="$rr"; unset TOMBPASSWORD # Clear temporary files for f in $TOMBTMPFILES; do ${=WIPE} "$f" done unset TOMBTMPFILES # Clear information regarding loop devices # No need for an explicit detach as cryptsetup # sets the AUTOCLEAR flag unset TOMBLOOPDEVS } # Trap functions for the _endgame event TRAPINT() { _endgame INT; } TRAPEXIT() { _endgame EXIT; } TRAPHUP() { _endgame HUP; } TRAPQUIT() { _endgame QUIT; } TRAPABRT() { _endgame ABORT; } TRAPKILL() { _endgame KILL; } TRAPPIPE() { _endgame PIPE; } TRAPTERM() { _endgame TERM; } TRAPSTOP() { _endgame STOP; } _is_found() { # returns 0 if binary is found in path [[ -z $1 ]] && return 1 command -v "$1" 1>/dev/null 2>/dev/null return $? } # Track access and modification time of tomb files. # $1: file to track # date format: seconds since Epoch # stat format: : _track_stat() { local file="$1" local stat=$(stat --format="%X:%Y" "$file") TOMBFILESSTAT+=("$file" "$stat") } # Restore files stats _restore_stat() { local file stat for file stat in "${(@kv)TOMBFILESSTAT}"; do stats=("${(@s.:.)stat}") _verbose "Restoring access and modification time for ::1 file::" $file [[ -z "${stats[1]}" ]] || touch -a --date="@${stats[1]}" "$file" [[ -z "${stats[2]}" ]] || touch -m --date="@${stats[2]}" "$file" done } # Identify the running user # Set global variables _UID, _GID, _TTY, and _USER, either from the # command line, -U, -G, -T, respectively, or from the environment. # Also update USERNAME and HOME to maintain consistency. _whoami() { # Set username from UID or environment _USER=$SUDO_USER [[ -z $_USER ]] && { _USER=$USERNAME } [[ -z $_USER ]] && { _USER=$(id -un) } [[ -z $_USER ]] && { _failure "Failing to identify the user who is calling us" } # Get GID from option -G or the environment option_is_set -G \ && _GID=$(option_value -G) || _GID=$(id -g $_USER) # Get UID from option -U or the environment option_is_set -U \ && _UID=$(option_value -U) || _UID=$(id -u $_USER) _verbose "Identified caller: ::1 username:: (::2 UID:::::3 GID::)" $_USER $_UID $_GID # Update USERNAME accordingly if possible # [[ $EUID == 0 && $_USER != $USERNAME ]] && { # _verbose "Updating USERNAME from '::1 USERNAME::' to '::2 _USER::')" $USERNAME $_USER # USERNAME=$_USER # } # Force HOME to _USER's HOME if necessary local home=`_get_home $_USER` [[ $home == $HOME ]] || { _verbose "Updating HOME to match user's: ::1 home:: (was ::2 HOME::)" \ $home $HOME HOME=$home } # Get connecting TTY from option -T or the environment option_is_set -T && _TTY=$(option_value -T) [[ -z $_TTY ]] && _TTY=$TTY } # Provide a random filename in shared memory _tmp_create() { [[ -d "$TMPDIR" ]] || { # we create the tempdir with the sticky bit on _sudo mkdir -m 1777 "$TMPDIR" [[ $? == 0 ]] || _failure "Fatal error creating the temporary directory: ::1 temp dir::" "$TMPDIR" } # We're going to add one more $RANDOM for each time someone complains # about this being too weak of a random. tfile="${TMPDIR}/$RANDOM$RANDOM$RANDOM$RANDOM" # Temporary file umask 066 [[ $? == 0 ]] || { _failure "Fatal error setting the permission umask for temporary files" } [[ -r "$tfile" ]] && { _failure "Someone is messing up with us trying to hijack temporary files." } touch "$tfile" [[ $? == 0 ]] || { _failure "Fatal error creating a temporary file: ::1 temp file::" "$tfile" } _verbose "Created tempfile: ::1 temp file::" "$tfile" TOMBTMP="$tfile" TOMBTMPFILES+=("$tfile") return 0 } # Check if a *block* device is encrypted # Check if a *block* device is a zram device # Synopsis: _is_zramswap /path/to/block/device # Return 0 if it is a zramswap # Return 1 if it is not a zramswap _is_zramswap() { local b=$1 # Path to a block device # check if device b is a zram block device zramctl --raw -o NAME | grep "^$b" >/dev/null return $? } # Check if a zram device uses the writeback feature that writes data onto a disk # Synopsis: _zramswap_uses_writeback /path/to/block/device # Return 0 if the zram device writes to disk # Return 1 if the zram device does not write to disk _zramswap_uses_writeback() { local b=$1 # Path to a block device local m="" # major device number local n="" # minor device number read n m < <(stat -c '%T %t' $b) # get major and minor device number in hex printf -v m %d $((16#$m)) # get major device number in decimal printf -v n %d $((16#$n)) # get minor device number in decimal if grep '^none$' "/sys/dev/block/$m:$n/backing_dev" > /dev/null; then return 1 fi return 0 } # Check if a *block* device is a zram device # Synopsis: _is_zramswap /path/to/block/device # Return 0 if it is a zramswap # Return 1 if it is not a zramswap _is_zramswap() { local b=$1 # Path to a block device zramctl --raw -o NAME | grep "^$b" >/dev/null # @todo How to do this without zramctl? # - device node major is dynamically allocated to zram0 # - in /sys/ there seems to be no file identifying a zram device return $? } # Check if a zram device uses the writeback feature that writes data onto a disk # Synopsis: _zramswap_uses_writeback /path/to/block/device # Return 0 if the zram device writes to disk # Return 1 if the zram device does not write to disk _zramswap_uses_writeback() { local b=$1 # Path to a block device local m="" # major device number local n="" # minor device number read n m < <(stat -c '%T %t' $b) # get major and minor device number in hex printf -v m %d $((16#$m)) # get major device number in decimal printf -v n %d $((16#$n)) # get minor device number in decimal if grep '^none$' "/sys/dev/block/$m:$n/backing_dev" > /dev/null; then return 1 fi return 0 } # Synopsis: _is_encrypted_block /path/to/block/device # Return 0 if it is an encrypted block device _is_encrypted_block() { local b=$1 # Path to a block device local s="" # lsblk option -s (if available) # Issue #163 # lsblk --inverse appeared in util-linux 2.22 # but --version is not consistent... lsblk --help | grep -Fq -- --inverse [[ $? -eq 0 ]] && s="--inverse" _sudo lsblk $s -o type -n $b 2>/dev/null \ | grep -Eq '^crypt$' return $? } # Check if swap is activated # Return 0 if NO swap is used, 1 if swap is used. # Return 1 if any of the swaps is not encrypted. # Return 2 if swap(s) is(are) used, but ALL encrypted or zramswap without writeback to disk. # Use _check_swap in functions. It will call this function and # exit if unsafe swap is present. _ensure_safe_swap() { local -i r=1 # Return code: 0 no swap, 1 unsafe swap, 2 encrypted local -a swaps # List of swap partitions local bone is_crypt swaps="$(awk '/^\// { print $1 }' /proc/swaps 2>/dev/null)" [[ -z "$swaps" ]] && return 0 # No swap partition is active _message "An active swap partition is detected..." for s in $=swaps; do if _is_encrypted_block $s; then r=2; elif _is_zramswap $s; then if _zramswap_uses_writeback $s; then # We're dealing with unencrypted stuff written to disk. # Maybe it lives on an encrypted filesystem anyway. # @todo verify it's actually written to an encrypted FS # Well, no: bail out. _message "Found zramswap with writeback enabled." r=1; break; else _message "Found zramswap without writeback to disk." r=2 fi else # We're dealing with unencrypted stuff written to disk. # Maybe it lives on an encrypted filesystem anyway. # @todo: verify it's actually on an encrypted FS (see #163 and !189) # Well, no: bail out. r=1; break; fi done if [[ $r -eq 2 ]]; then _success "The undertaker found that all swap partitions are encrypted. Good." else _warning "This poses a security risk." _warning "You can deactivate all swap partitions using the command:" _warning " swapoff -a" _warning "[#163] I may not detect plain swaps on an encrypted volume." _warning "But if you want to proceed like this, use the -f (force) flag." fi return $r } # Wrapper to allow encrypted swap and remind the user about possible # data leaks to disk if swap is on, which shouldn't be ignored. It could # be run once in main(), but as swap evolves, it's better to run it # whenever swap may be needed. # Exit if unencrypted swap is active on the system. _check_swap() { if ! option_is_set -f && ! option_is_set --ignore-swap; then _ensure_safe_swap case $? in 0|2) # No, or encrypted swap return 0 ;; *) # Unencrypted swap _failure "Operation aborted." ;; esac fi } pinentry_assuan_getpass() { # simply prints out commands for pinentry's stdin to activate the # password dialog cat < ..foo_bar_baz TOMBNAME=${${TOMBFILE// /_}%.*} # use the entire filename if the previous transformation returns # an empty string. This handles the corner case of tomb being # hidden files (starting with a dot) and have no extension (only # one dot in string) TOMBNAME=${TOMBNAME:-${TOMBFILE}} [[ -z $TOMBNAME ]] && _failure "Tomb won't work without a TOMBNAME." # checks if Tomb already mounted (or we cannot alter it) local maphash=`realpath $TOMBPATH | sha256sum` lo_check # fills TOMBLOOP with next loop if available TOMBMAPPER="tomb.$TOMBNAME.${maphash[(w)1]}.`basename $TOMBLOOP`" local mounted_tombs=(`list_tomb_mounts`) local usedmapper for t in ${mounted_tombs}; do usedmapper=`basename "${t[(ws:;:)1]}"` [[ "${usedmapper%.*}" == "${TOMBMAPPER%.*}" ]] && _failure "Tomb file already in use: ::1 tombname::" $TOMBPATH done _verbose "Mapper: ::1 mapper::" $TOMBMAPPER _verbose "tomb file is not currently in use" _message "Valid tomb file found: ::1 tomb path::" $TOMBPATH return 0 } # $1 is the tomb file which needs a loop device lo_check() { tpath="$1" # check if we have support for loop mounting TOMBLOOP=`_sudo losetup -f` [[ $? = 0 ]] || { _warning "Loop mount of volumes is not possible on this machine, this error" _warning "often occurs on VPS and kernels that don't provide the loop module." _warning "It is impossible to use Tomb on this machine under these conditions." _failure "Operation aborted." } [[ "$tpath" == "" ]] && return 0 TOMBLOOPDEVS+=("$TOMBLOOP") # add to array of lodevs used return 0 } # eventually used for debugging dump_secrets() { print "TOMBPATH: $TOMBPATH" print "TOMBNAME: $TOMBNAME" print "TOMBKEY len: ${#TOMBKEY}" print "TOMBKEYFILE: $TOMBKEYFILE" print "TOMBSECRET len: ${#TOMBSECRET}" print "TOMBPASSWORD: $TOMBPASSWORD" print "TOMBTMPFILES: ${(@)TOMBTMPFILES}" print "TOMBLOOPDEVS: ${(@)TOMBLOOPDEVS}" } # }}} # {{{ Commandline interaction usage() { _print "Syntax: tomb [options] command [arguments]" echo _print "Commands:" echo _print " // Creation:" _print " dig create a new empty TOMB file of size -s in MiB" _print " forge create a new KEY file and set its password" _print " lock installs a lock on a TOMB to use it with KEY" echo _print " // Operations on tombs:" _print " open open an existing TOMB (-k KEY file or - for stdin)" _print " index update the search indexes of tombs" _print " search looks for filenames matching text patterns" _print " list list of open TOMBs and information on them" _print " ps list of running processes inside open TOMBs" _print " close close a specific TOMB (or 'all')" _print " slam slam a TOMB killing all programs using it" [[ $RESIZER == 1 ]] && { _print " resize resize a TOMB to a new size -s (can only grow)" } echo _print " // Operations on keys:" _print " passwd change the password of a KEY (needs old pass)" _print " setkey change the KEY locking a TOMB (needs old key and pass)" echo [[ $QRENCODE == 1 ]] && { _print " // Backup on paper:" _print " engrave makes a QR code of a KEY to be saved on paper" echo } [[ $STEGHIDE == 1 || $CLOAKIFY == 1 || $DECLOAKIFY == 1 ]] && { _print " // Steganography:" [[ $STEGHIDE == 1 ]] && { _print " bury hide a KEY inside a JPEG image (for use with -k)" _print " exhume extract a KEY from a JPEG image (prints to stdout)" } [[ $CLOAKIFY == 1 ]] && { _print " cloak transform a KEY into TEXT using CIPHER (for use with -k)" } [[ $DECLOAKIFY == 1 ]] && { _print " uncloak extract a KEY from a TEXT using CIPHER (prints to stdout)" } echo } _print "Options:" echo _print " -s size of the tomb file when creating/resizing one (in MiB)" _print " -k path to the key to be used ('-k -' to read from stdin)" _print " -n don't launch the execution hooks found in tomb" _print " -p preserve the ownership of all files in tomb" _print " -o options passed to commands: open, lock, forge (see man)" _print " -f force operation (i.e. even if swap is active)" _print " -g use a GnuPG key to encrypt a tomb key" _print " -r provide GnuPG recipients (separated by comma)" _print " -R provide GnuPG hidden recipients (separated by comma)" _print " --sudo super user exec alternative to sudo (doas or none)" [[ $KDF == 1 ]] || [[ $ARGON2 == 1 ]] && { _print " --kdf forge keys armored against dictionary attacks (pbkdf2, argon2)" _print " --kdfiter Number of iterations (meaning depending on KDF algorithm) (pbkdf2, argon2)" } [[ $ARGON2 == 1 ]] && { _print " --kdfmem memory to be used (argon2)" _print " --kdfpar number of threads (argon2)" } echo _print " -h print this help" _print " -v print version, license and list of available ciphers" _print " -q run quietly without printing information" _print " -D print debugging information at runtime" echo _print "For more information on Tomb read the manual: man tomb" _print "Please report bugs on ." } # Check whether a commandline option is set. # # Synopsis: option_is_set -flag [out] # # First argument is the commandline flag (e.g., "-s"). # If the second argument is present and set to 'out', print out the # result: either 'set' or 'unset' (useful for if conditions). # # Return 0 if is set, 1 otherwise option_is_set() { local -i r # the return code (0 = set, 1 = unset) [[ -n ${(k)OPTS[$1]} ]]; r=$? [[ $2 == "out" ]] && { [[ $r == 0 ]] && { print 'set' } || { print 'unset' } } return $r; } # Print the option value matching the given flag # Unique argument is the commandline flag (e.g., "-s"). option_value() { print -n - "${OPTS[$1]}" } # check if the option value contains a string between commas option_value_contains() { local opt="${OPTS[$1]}" local str="$2" for i in ${(s:,:)opt}; do [[ "$i" == "$2" ]] && return 0 done return 1 } # Messaging function with pretty coloring function _msg() { local msg="$2" local i command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$2")" for i in {3..${#}}; do msg=${(S)msg//::$(($i - 2))*::/$*[$i]} done local command="print -P" local progname="${TOMBEXEC##*/}" local pchars="" local pcolor="normal" local fd=2 local -i returncode case "$1" in inline) command+=" -n"; pchars=" > "; pcolor="yellow" ;; message) pchars=" . "; pcolor="white" ;; verbose) pchars="[D]"; pcolor="blue" ;; success) pchars="(*)"; pcolor="green" ;; warning) pchars="[W]"; pcolor="yellow" ;; failure) pchars="[E]"; pcolor="red" returncode=1 ;; print) progname="" fd=1 ;; *) pchars="[F]"; pcolor="red" msg="Developer oops! Usage: _msg MESSAGE_TYPE \"MESSAGE_CONTENT\"" returncode=127 ;; esac [[ -n $_MSG_FD_OVERRIDE ]] && fd=$_MSG_FD_OVERRIDE if [[ -t $fd ]]; then [[ -n "$progname" ]] && progname="$fg[magenta]$progname$reset_color" [[ -n "$pchars" ]] && pchars="$fg_bold[$pcolor]$pchars$reset_color" msg="$fg[$pcolor]$msg$reset_color" fi ${=command} "${progname}" "${pchars}" "${msg}" >&$fd return $returncode } function _message() { local notice="message" [[ "$1" = "-n" ]] && shift && notice="inline" option_is_set -q || _msg "$notice" $@ return 0 } function _verbose() { option_is_set -D && _msg verbose $@ return 0 } function _success() { option_is_set -q || _msg success $@ return 0 } function _warning() { option_is_set -q || _msg warning $@ return 1 } function _failure() { typeset -i exitcode=${exitv:-1} option_is_set -q || _msg failure $@ # be sure we forget the secrets we were told exit $exitcode } function _print() { option_is_set -q || _msg print $@ return 0 } _list_optional_tools() { typeset -a _deps _deps=(gettext dcfldd shred steghide) _deps+=(resize2fs tomb-kdb-pbkdf2 argon2 qrencode recoll unoconv lsof setfacl) for d in $_deps; do _print "`which $d`" done return 0 } # Check program dependencies # # Tomb depends on system utilities that must be present, and other # functionality that can be provided by various programs according to # what's available on the system. If some required commands are # missing, bail out. _ensure_dependencies() { # Check for required programs for req in cryptsetup gpg mkfs.ext4 e2fsck; do command -v $req 1>/dev/null 2>/dev/null || { _failure "Missing required dependency ::1 command::. Please install it." $req; } done # Check for pinentry or at least pinentry-tty (which has no alias) if ! command -v pinentry 1>/dev/null 2>/dev/null; then if ! command -v pinentry-tty 1>/dev/null 2>/dev/null; then _failure "Missing required dependency ::1 command::. Please install it." pinentry fi fi # Ensure system binaries are available in the PATH path+=(/sbin /usr/sbin) # zsh magic # use pkexec in place of sudo if found in path and polkitd is running # command -v pkexec 1>/dev/null 2>/dev/null # [[ $? == 0 ]] && ps ax | grep '[p]olkitd' 1>/dev/null 2>/dev/null && { # SUDO=(pkexec) } # [[ "$SUDO" == "sudo" ]] && { # command -v sudo 1>/dev/null 2>/dev/null || # _failure "No privilege escalation tool found, not even sudo" # } # Which dd command to use command -v dcfldd 1>/dev/null 2>/dev/null && DD=(dcfldd statusinterval=1) # Which wipe command to use command -v shred 1>/dev/null 2>/dev/null && WIPE=(shred -f -u) # Check for lsof for slamming tombs command -v lsof 1>/dev/null 2>/dev/null || LSOF=0 # Check for steghide command -v steghide 1>/dev/null 2>/dev/null || STEGHIDE=0 # Check for cloakify command -v cloakify 1>/dev/null 2>/dev/null || CLOAKIFY=0 # Check for decloakify command -v decloakify 1>/dev/null 2>/dev/null || DECLOAKIFY=0 # Check for resize command -v resize2fs 1>/dev/null 2>/dev/null || RESIZER=0 # Check for KDF auxiliary tools command -v tomb-kdb-pbkdf2 1>/dev/null 2>/dev/null || KDF=0 # Check for ARGON2 KDF auxiliary tools command -v argon2 1>/dev/null 2>/dev/null || ARGON2=0 # Check for Recoll file content indexer command -v recoll 1>/dev/null 2>/dev/null || RECOLL=0 # Check for QREncode for paper backups of keys command -v qrencode 1>/dev/null 2>/dev/null || QRENCODE=0 # Check for acl/setfacl for setting ACL at the mount location command -v setfacl 1>/dev/null 2>/dev/null || ACL=0 } # }}} - Commandline interaction # {{{ Key operations # $@ is the list of all the recipient used to encrypt a tomb key is_valid_recipients() { typeset -a recipients recipients=($@) trusted=(m f u w s) _verbose "is_valid_recipients" # All the keys ID must be valid (the public keys must be present in the database) for gpg_id in ${recipients[@]}; do trust="$(gpg --with-colons --batch --list-keys "$gpg_id" 2> /dev/null | awk 'BEGIN { FS=":" } /^pub/ { print $2; exit}')" [[ "${trust}" == "" ]] && { _warning "Not a valid GPG key ID: ::1 gpgid:: " $gpg_id return 1 } [[ ${trusted[(r)$trust]} != $trust ]] && { _warning "The key ::1 gpgid:: is not trusted enough" $gpg_id return 1 } done # At least one private key must be present # for gpg_id in ${recipients[@]}; do # gpg --with-colons --batch --list-secret-keys "$gpg_id" &> /dev/null # [[ $? = 0 ]] && { # return 0 # } # done return 0 } # $@ is the list of all the recipient used to encrypt a tomb key # Print the recipient arg to be used in gpg. _recipients_arg() { local arg="$1"; shift typeset -a recipients recipients=($@) for gpg_id in ${recipients[@]}; do print -R -n "$arg $gpg_id " done return 0 } # $1 is a GPG key recipient # Print the fingerprint of the GPG key _gpg_fingerprint() { gpg --with-colons --fingerprint "$1" | awk 'BEGIN { FS=":" } /^fpr/ { print $10; exit }' } _gpg_uid() { gpg --with-colons --list-key "$1" | awk 'BEGIN { FS=":" } /^uid/ { print $10; exit}' } # helpers to retrieve data from passwd using getent _get_username() { getent passwd ${1} | awk -F: '{print $1}' } _get_home() { getent passwd ${1} | awk -F: '{print $6}' } # $1 is the encrypted key contents we are checking is_valid_key() { local key="$1" # Unique argument is an encrypted key to test _verbose "is_valid_key" [[ -z $key ]] && key=$TOMBKEY [[ "$key" = "cleartext" ]] && { { option_is_set --unsafe } || { _warning "cleartext key from stdin selected: this is unsafe." exitv=127 _failure "please use --unsafe if you really want to do this." } _warning "received key in cleartext from stdin (unsafe mode)" return 0 } [[ -z $key ]] && { _warning "is_valid_key() called without an argument." return 1 } # If the key file is an image don't check file header [[ -r $TOMBKEYFILE ]] \ && [[ $(file $TOMBKEYFILE) =~ "JP.G" ]] \ && { _message "Key is an image, it might be valid." return 0 } [[ $KDF == 1 ]] && { ! option_is_set -g } && { option_is_set --kdf } && { _head="${key[(f)1]}" [[ $_head =~ '^_KDF_' ]] || { _warning "Key is missing KDF header." return 1 } } [[ $key =~ "BEGIN PGP" ]] && { _message "Key is valid." return 0 } return 1 } # $1 is a string containing an encrypted key recover_key() { local key="${1}" # Unique argument is an encrypted key _warning "Attempting key recovery." _head="${key[(f)1]}" # take the first line TOMBKEY="" # Reset global variable [[ $_head =~ "^_KDF_" ]] && TOMBKEY+="$_head\n" TOMBKEY+="-----BEGIN PGP MESSAGE-----\n" TOMBKEY+="$key\n" TOMBKEY+="-----END PGP MESSAGE-----\n" return 0 } # Retrieve the tomb key from the file specified from the command line, # or from stdin if -k - was selected. Run validity checks on the # file. On success, return 0 and print out the full path of the key. # Set global variables TOMBKEY and TOMBKEYFILE. _load_key() { local keyfile="$1" # Unique argument is an optional keyfile [[ -z $keyfile ]] && keyfile=$(option_value -k) [[ -z $keyfile ]] && { _failure "This operation requires a key file to be specified using the -k option." } while true; do [[ $keyfile == "-" ]] && { _verbose "load_key reading from stdin." _message "Waiting for the key to be piped from stdin... " TOMBKEYFILE=stdin TOMBKEY=$(cat) break; } [[ $keyfile == "cleartext" ]] && { _verbose "load_key reading SECRET from stdin" _message "Waiting for the key to be piped from stdin... " TOMBKEYFILE=cleartext TOMBKEY=cleartext TOMBSECRET=$(cat) break; } _verbose "load_key argument: ::1 key file::" $keyfile [[ -r $keyfile ]] || _failure "Key not found, specify one using -k." _track_stat "$keyfile" TOMBKEYFILE=$keyfile TOMBKEY="${mapfile[$TOMBKEYFILE]}" break done _verbose "load_key: ::1 key::" $TOMBKEYFILE [[ -z $TOMBKEY ]] && { # something went wrong, there is no key to load # this occurs especially when piping from stdin and aborted _failure "Key not found, specify one using -k." } is_valid_key $TOMBKEY || { _warning "The key seems invalid or its format is not known by this version of Tomb." recover_key $TOMBKEY } # Declared TOMBKEYFILE (path) # Declared TOMBKEY (contents) return 0 } # takes two args just like get_lukskey # prints out the decrypted content # contains tweaks for different gpg versions # support both symmetric and asymmetric encryption gpg_decrypt() { # fix for gpg 1.4.11 where the --status-* options don't work ;^/ local gpgver=$(gpg --version --no-permission-warning | awk '/^gpg/ {print $3}') local gpgpass="$1\n$TOMBKEY" local tmpres ret typeset -a gpgopt gpgpopt=(--batch --no-tty --passphrase-fd 0 --no-options) { option_is_set -g } && { gpgpass="$TOMBKEY" gpgpopt=(--yes) # GPG option '--try-secret-key' exist since GPG 2.1 { option_is_set -R } && { autoload -U is-at-least && is-at-least "2.1" $gpgver } && { typeset -a recipients recipients=(${(s:,:)$(option_value -R)}) { is_valid_recipients $recipients } || { _failure "You set an invalid GPG ID." } gpgpopt+=(`_recipients_arg "--try-secret-key" $recipients`) } } [[ $gpgver == "1.4.11" ]] && { _verbose "GnuPG is version 1.4.11 - adopting status fix." TOMBSECRET=`print - "$gpgpass" | \ gpg --decrypt ${gpgpopt[@]}` ret=$? unset gpgpass return $ret } _tmp_create tmpres=$TOMBTMP TOMBSECRET=`print - "$gpgpass" | \ gpg --decrypt ${gpgpopt[@]} \ --status-fd 2 --no-mdc-warning --no-permission-warning \ --no-secmem-warning 2> $tmpres` unset gpgpass ret=1 for i in ${(f)"$(cat $tmpres)"}; do _verbose "$i" [[ "$i" =~ "DECRYPTION_OKAY" ]] && ret=0; done return $ret } # Gets a key file and a password, prints out the decoded contents to # be used directly by Luks as a cryptographic key get_lukskey() { # $1 is the password _verbose "get_lukskey" _password="$1" firstline="${TOMBKEY[(f)1]}" # key is KDF encoded if [[ $firstline =~ '^_KDF_' ]]; then kdf_hash="${firstline[(ws:_:)2]}" _verbose "KDF: ::1 kdf::" "$kdf_hash" case "$kdf_hash" in "pbkdf2sha1") kdf_salt="${firstline[(ws:_:)3]}" kdf_ic="${firstline[(ws:_:)4]}" kdf_len="${firstline[(ws:_:)5]}" _message "Unlocking KDF key protection (::1 kdf::)" $kdf_hash _verbose "KDF salt: $kdf_salt" _verbose "KDF ic: $kdf_ic" _verbose "KDF len: $kdf_len" _password=$(tomb-kdb-pbkdf2 $kdf_salt $kdf_ic $kdf_len 2>/dev/null <<<$_password) ;; "argon2") kdf_salt="${firstline[(ws:_:)3]}" kdf_ic="${firstline[(ws:_:)4]}" kdf_mem="${firstline[(ws:_:)5]}" kdf_par="${firstline[(ws:_:)6]}" # ToDo also parse kdf_len? _message "Unlocking KDF key protection (::1 kdf::)" $kdf_hash _verbose "KDF salt: $kdf_salt" _verbose "KDF ic: $kdf_ic" _verbose "KDF mem: $kdf_mem" _verbose "KDF # threads: $kdf_par" _password=$(argon2 $kdf_salt -m $kdf_mem -t $kdf_ic -p $kdf_par -l 64 -r 2>/dev/null <<<$_password) ;; *) _failure "No suitable program for KDF ::1 program::." $pbkdf_hash unset _password return 1 ;; esac # key needs to be exhumed from an image elif [[ -r $TOMBKEYFILE && $(file $TOMBKEYFILE) =~ "JP.G" ]]; then if option_is_set -g; then # When using a GPG key, the tomb key is buried using a steganography password if option_is_set --tomb-pwd; then _password="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $_password else _password=$(ask_password "Insert password to exhume key from $imagefile") [[ $? != 0 ]] && { _warning "User aborted password dialog." return 1 } fi exhume_key $TOMBKEYFILE "$_password" unset _password else exhume_key $TOMBKEYFILE "$_password" fi fi gpg_decrypt "$_password" # Save decrypted contents into $TOMBSECRET ret="$?" _verbose "get_lukskey returns ::1::" $ret return $ret } # This function asks the user for the password to use the key it tests # it against the return code of gpg on success returns 0 and saves # the password in the global variable $TOMBPASSWORD ask_key_password() { [[ -z "$TOMBKEYFILE" ]] && { _failure "Internal error: ask_key_password() called before _load_key()." } [[ "$TOMBKEYFILE" = "cleartext" ]] && { _verbose "no password needed, using secret bytes from stdin" return 0 } if option_is_set -g; then _verbose "no password needed, using GPG key" get_lukskey return $? fi _message "A password is required to use key ::1 key::" $TOMBKEYFILE passok=0 tombpass="" if [[ -z $1 ]]; then for c in 1 2 3; do if [[ $c == 1 ]]; then tombpass=$(ask_password "Insert password to: $TOMBKEYFILE") else tombpass=$(ask_password "Insert password to: $TOMBKEYFILE (attempt $c)") fi [[ $? = 0 ]] || { _warning "User aborted password dialog." return 1 } get_lukskey "$tombpass" [[ $? = 0 ]] && { passok=1; _message "Password OK." break; } done else # if a second argument is present then the password is already known tombpass="$1" _verbose "ask_key_password with tombpass: ::1 tomb pass::" $tombpass get_lukskey "$tombpass" [[ $? = 0 ]] && { passok=1; _message "Password OK." } fi [[ $passok == 1 ]] || return 1 TOMBPASSWORD=$tombpass return 0 } # call cryptsetup with arguments using the currently known secret # echo flags eliminate newline and disable escape (BSD_ECHO) _cryptsetup() { if option_is_set -q; then print -R -n - "$TOMBSECRET" | _sudo cryptsetup --type luks1 --key-file - ${@} 2> /dev/null else print -R -n - "$TOMBSECRET" | _sudo cryptsetup --type luks1 --key-file - ${@} fi return $? } # change tomb key password change_passwd() { local tmpnewkey lukskey c tombpass tombpasstmp _check_swap # Ensure swap is secure, if any _load_key # Try loading key from option -k and set TOMBKEYFILE { option_is_set -g } && { _message "Commanded to change GnuPG key for tomb key ::1 key::" $TOMBKEYFILE } || { _message "Commanded to change password for tomb key ::1 key::" $TOMBKEYFILE } _tmp_create tmpnewkey=$TOMBTMP if option_is_set --tomb-old-pwd; then local tomboldpwd="`option_value --tomb-old-pwd`" _verbose "tomb-old-pwd = ::1 old pass::" $tomboldpwd ask_key_password "$tomboldpwd" else ask_key_password fi [[ $? == 0 ]] || _failure "No valid password supplied." { option_is_set -g } && { _success "Changing GnuPG key for ::1 key file::" $TOMBKEYFILE } || { _success "Changing password for ::1 key file::" $TOMBKEYFILE } # Here $TOMBSECRET contains the key material in clear { option_is_set --tomb-pwd } && { local tombpwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 new pass::" $tombpwd gen_key "$tmpnewkey" "$tombpwd" } || { gen_key "$tmpnewkey" } { is_valid_key "${mapfile[$tmpnewkey]}" } || { _failure "Error: the newly generated keyfile does not seem valid." } # Copy the new key as the original keyfile name cp -f "${tmpnewkey}" $TOMBKEYFILE { option_is_set -g } && { _success "Your GnuPG key was successfully changed" } || { _success "Your passphrase was successfully updated." } return 0 } # takes care to encrypt a key # honored options: --kdf --tomb-pwd -o -g -r gen_key() { # $1 key file # $2 the password to use; if not set ask user # -o is the --cipher-algo to use (string taken by GnuPG) local algopt="`option_value -o`" local algo="${algopt:-AES256}" local gpgpass opt local recipients_opt typeset -a gpgopt # here user is prompted for key password tombpass="" tombpasstmp="" if option_is_set -g; then gpgopt=(--encrypt) if option_is_set -r || option_is_set -R; then typeset -a recipients if option_is_set -r; then recipients=(${(s:,:)$(option_value -r)}) recipients_opt="--recipient" else recipients=(${(s:,:)$(option_value -R)}) recipients_opt="--hidden-recipient" fi is_valid_recipients $recipients || { _failure "You set an invalid GPG ID." } _warning "You are going to encrypt a tomb key with ::1 nrecipients:: recipient(s)." ${#recipients} _warning "It is your responsibility to check these fingerprints." _warning "The fingerprints are:" for gpg_id in ${recipients[@]}; do _warning " `_gpg_fingerprint "$gpg_id"` :: `_gpg_uid "$gpg_id"`" done gpgopt+=(`_recipients_arg "$recipients_opt" $recipients`) else _message "No recipient specified, using default GPG key." gpgopt+=("--default-recipient-self") fi # Set gpg inputs and options gpgpass="$TOMBSECRET" opt='' else if [ "$2" = "" ]; then while true; do # 3 tries to write two times a matching password tombpass=`ask_password "Type the new password to secure your key"` if [[ $? != 0 ]]; then _failure "User aborted." fi if [ -z $tombpass ]; then _failure "You set empty password, which is not possible." fi tombpasstmp=$tombpass tombpass=`ask_password "Type the new password to secure your key (again)"` if [[ $? != 0 ]]; then _failure "User aborted." fi if [ "$tombpasstmp" = "$tombpass" ]; then break; fi unset tombpasstmp unset tombpass done else tombpass="$2" _verbose "gen_key takes tombpass from CLI argument: ::1 tomb pass::" $tombpass fi header="" [[ $KDF == 1 ]] || [[ $ARGON2 == 1 ]] && { { option_is_set --kdf } && { # KDF is a key strengthening technique against brute forcing # see: https://github.com/dyne/Tomb/issues/82 # Two KDF are currently supported: # * pbkdf2 (time restrictive) # * argon2 (memory, parallelismn restrictive and through those time) # --kdfiter takes one integer value as parameter # argon2: # of iterations (default of 3); # pbkdf2: calculates # of iterations to reach this as time cost in seconds itertime="`option_value --kdfiter`" itertime=${itertime:-3} # Generating salt (either via tomb-kdb-pbkdf2 or a shell fallback) if $(command -v tomb-kdb-pbkdf2-gensalt 1>/dev/null 2>/dev/null); then kdfsalt=`tomb-kdb-pbkdf2-gensalt` else kdfsalt=$(LC_CTYPE=C tr -cd 'a-f0-9' < /dev/random | head -c 64) fi _message "kdf salt: ::1 kdfsalt::" $kdfsalt # --kdf takes one parameter: what KDF kdftype="`option_value --kdf`" case ${kdftype} in pbkdf2) local -i microseconds microseconds=$(( itertime * 1000000 )) _success "Using pbkdf2 as KDF" _message "iteration time: ::1 microseconds::" $microseconds pbkdf2_iter=`tomb-kdb-pbkdf2-getiter $microseconds` _message "iterations: ::1 pbkdf2_iter::" $pbkdf2_iter # We use a length of 64bytes = 512bits (more than needed!?) tombpass=`tomb-kdb-pbkdf2 $kdfsalt $pbkdf2_iter 64 <<<"${tombpass}"` header="_KDF_pbkdf2sha1_${kdfsalt}_${pbkdf2_iter}_64\n" ;; argon2) _success "Using Argon2 as KDF" _message "iterations: ::1 kdfiterations::" $itertime kdfmem="`option_value --kdfmem`" kdfmem=${kdfmem:-18} _message "memory used: 2^::1 kdfmemory::" $kdfmem kdfpar="`option_value --kdfpar`" kdfpar=${kdfpar:-1} _message "parallelismn: ::1 kdfparallel::" $kdfpar tombpass=`argon2 $kdfsalt -m $kdfmem -t $itertime -p $kdfpar -l 64 -r <<<"${tombpass}"` header="_KDF_argon2_${kdfsalt}_${itertime}_${kdfmem}_${kdfpar}_64\n" ;; *) _warning "unrecognized KDF ::1::" $kdftype _warning "key won\'t be protected via a KDF implementation" _warning "only pbkdf2 and argon2 are valid arguments" ;; esac } } print $header >> "$1" # Set gpg inputs and options gpgpass="${tombpass}\n$TOMBSECRET" gpgopt=(--passphrase-fd 0 --symmetric --no-options) opt='-n' fi _tmp_create local tmpres=$TOMBTMP print $opt - "$gpgpass" \ | gpg --openpgp --force-mdc --cipher-algo ${algo} \ --batch --no-tty ${gpgopt} \ --status-fd 2 -o - --armor 2> $tmpres >> "$1" unset gpgpass # check result of gpg operation for i in ${(f)"$(cat $tmpres)"}; do _verbose "$i" done # print -n "${tombpass}" \ # | gpg --openpgp --force-mdc --cipher-algo ${algo} \ # --batch --no-options --no-tty --passphrase-fd 0 --status-fd 2 \ # -o - -c -a ${lukskey} TOMBPASSWORD="$tombpass" # Set global variable unset tombpass unset tombpasstmp } # prints an array of ciphers available in gnupg (to encrypt keys) list_gnupg_ciphers() { # On gpg1 and gpg2 line 10 always point to available ciphers. # Print those until the next section is found ciphers=(`gpg --version | awk ' BEGIN { ciphers=0 } NR==11 { gsub(/,/,""); sub(/^.*:/,""); print; ciphers=1; next } /^.*:/ { ciphers=0 } { if(ciphers==0) { next } else { gsub(/,/,""); print; } } '`) print "${ciphers}" return 1 } # Steganographic function to bury a key inside an image. # Requires steghide(1) to be installed bury_key() { _load_key # Try loading key from option -k and set TOMBKEY imagefile=$PARAM [[ "`file $imagefile`" =~ "JPEG" ]] || { _warning "Encode failed: ::1 image file:: is not a jpeg image." $imagefile return 1 } _success "Encoding key ::1 tomb key:: inside image ::2 image file::" $TOMBKEY $imagefile { option_is_set -g } && { _message "Using GnuPG Key ID" } || { _message "Please confirm the key password for the encoding" } # We ask the password and test if it is the same encoding the # base key, to insure that the same password is used for the # encryption and the steganography. This is a standard enforced # by Tomb, but it isn't strictly necessary (and having different # password would enhance security). Nevertheless here we prefer # usability. # However, steganography cannot be done with GPG key. Therefore, # if using a GPG key, we test if the user can decrypt the tomb # with its key and we ask for a steganography password. { option_is_set --tomb-pwd } && { ! option_is_set -g } && { local tombpwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $tombpwd ask_key_password "$tombpwd" } || { ask_key_password } [[ $? != 0 ]] && { _warning "Wrong password/GnuPG ID supplied." _failure "You shall not bury a key whose password is unknown to you." } if option_is_set -g && option_is_set --tomb-pwd; then TOMBPASSWORD="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $TOMBPASSWORD elif option_is_set -g; then tombpass="" tombpasstmp="" while true; do # 3 tries to write two times a matching password tombpass=`ask_password "Type a password to bury your key"` if [[ $? != 0 ]]; then _failure "User aborted." fi if [ -z $tombpass ]; then _failure "You set empty password, which is not possible." fi tombpasstmp=$tombpass tombpass=`ask_password "Type a password to bury your key (again)"` if [[ $? != 0 ]]; then _failure "User aborted." fi if [ "$tombpasstmp" = "$tombpass" ]; then break; fi unset tombpasstmp unset tombpass done TOMBPASSWORD="$tombpass" fi # We omit armor strings since having them as constants can give # ground to effective attacks on steganography print - "$TOMBKEY" | awk ' /^-----/ {next} /^Version/ {next} {print $0}' \ | steghide embed --embedfile - --coverfile ${imagefile} \ -p $TOMBPASSWORD -z 9 -e serpent cbc if [ $? != 0 ]; then _warning "Encoding error: steghide reports problems." res=1 else _success "Tomb key encoded successfully into image ::1 image file::" $imagefile res=0 fi return $res } # mandatory 1st arg: the image file where key is supposed to be # optional 2nd arg: the password to use (same as key, internal use) # optional 3rd arg: the key where to save the result (- for stdout) exhume_key() { [[ -z $1 ]] && { _failure "Exhume failed, no image specified" } local imagefile="$1" # The image file where to look for the key local tombpass="$2" # (Optional) the password to use (internal use) local destkey="$3" # (Optional) the key file where to save the # result (- for stdout) local r=1 # Return code (default: fail) # write all messages to stderr to avoid polluting stdout _MSG_FD_OVERRIDE=2 # Ensure the image file is a readable JPEG [[ ! -r $imagefile ]] && { _failure "Exhume failed, image file not found: ::1 image file::" "${imagefile:-none}" } [[ ! $(file "$imagefile") =~ "JP.G" ]] && { _failure "Exhume failed: ::1 image file:: is not a jpeg image." $imagefile } # When a password is passed as argument then always print out # the exhumed key on stdout without further checks (internal use) [[ -n "$tombpass" ]] && { TOMBKEY=$(steghide extract -sf $imagefile -p $tombpass -xf -) [[ $? != 0 ]] && { _failure "Wrong password or no steganographic key found" } recover_key $TOMBKEY return 0 } # Ensure we have a valid destination for the key [[ -z $destkey ]] && { option_is_set -k } && destkey=$(option_value -k) [[ -z $destkey ]] && { destkey="-" # No key was specified: fallback to stdout _message "printing exhumed key on stdout" } # Bail out if destination exists, unless -f (force) was passed [[ $destkey != "-" && -s $destkey ]] && { _warning "File exists: ::1 tomb key::" $destkey { option_is_set -f } && { _warning "Use of --force selected: overwriting." rm -f $destkey } || { _warning "Make explicit use of --force to overwrite." _failure "Refusing to overwrite file. Operation aborted." } } _message "Trying to exhume a key out of image ::1 image file::" $imagefile { option_is_set --tomb-pwd } && { tombpass=$(option_value --tomb-pwd) _verbose "tomb-pwd = ::1 tomb pass::" $tombpass } || { [[ -n $TOMBPASSWORD ]] && tombpass=$TOMBPASSWORD } || { tombpass=$(ask_password "Insert password to exhume key from $imagefile") [[ $? != 0 ]] && { _warning "User aborted password dialog." return 1 } } # Extract the key from the image steghide extract -sf $imagefile -p ${tombpass} -xf $destkey r=$? # Report to the user [[ "$destkey" = "-" ]] && destkey="stdout" [[ $r == 0 ]] && { _success "Key successfully exhumed to ::1 key::." $destkey } || { _warning "Nothing found in ::1 image file::" $imagefile } unset _MSG_FD_OVERRIDE return $r } # Steganographic function to transform a key into harmless-looking text # using a cipher # Requires cloakify to be installed # # mandatory 1st arg: the cipher to use # optional 2nd arg: the output file where to save the result (none for stdout) cloakify_key() { _load_key # Try loading key from option -k and set TOMBKEY local cipher="$1" # The cipher to use local destfile="$2" # (Optional) the output file where to save the # result (none for stdout) [[ -r "${cipher}" ]] || _failure "Cloak cipher file not found, see tomb/extras/cloak/ciphers" _success "Encoding key ::1 tomb key:: using cipher ::2 cipher file::" $TOMBKEYFILE $cipher # Ensure we have a valid destination for the cloaked key [[ -z $destfile ]] && { destfile="/dev/stdout" # No file was specified: fallback to stdout _message "printing cloaked key on stdout" } # Bail out if destination exists, unless -f (force) was passed [[ $destfile != "/dev/stdout" && -s $destfile ]] && { _warning "File exists: ::1 output file::" $destfile { option_is_set -f } && { _warning "Use of --force selected: overwriting." rm -f $destfile } || { _warning "Make explicit use of --force to overwrite." _failure "Refusing to overwrite file. Operation aborted." } } # Cipher the key cloakify -i $TOMBKEYFILE -c $cipher >$destfile if [ $? != 0 ]; then _warning "Encoding error: cloakify reports problems." res=1 else _success "Tomb key encoded successfully" res=0 fi return $res } # mandatory 1st arg: the text file where key is supposed to be # mandatory 2nd arg: the cipher to use # optional 3rd arg: the key where to save the result (none for stdout) decloakify_key() { [[ -z $1 ]] && { _failure "Uncloak failed, no text file specified" } [[ -z $2 ]] && { _failure "Uncloak failed, no cipher file specified" } local textfile="$1" # The text file where to look for the key local cipher="$2" # The cipher to use local destkey="$3" # (Optional) the key file where to save the # result (none for stdout) local r=1 # Return code (default: fail) # write all messages to stderr to avoid polluting stdout _MSG_FD_OVERRIDE=2 # Ensure the text file is readable [[ ! -r $textfile ]] && { _failure "Uncloak failed, text file not found: ::1 text file::" "${textfile:-none}" } # Ensure the cipher file is readable [[ ! -r $cipher ]] && { _failure "Uncloak failed, cipher file not found: ::1 cipher file::" "${cipher:-none}" } # Ensure we have a valid destination for the key [[ -z $destkey ]] && { option_is_set -k } && destkey=$(option_value -k) [[ -z $destkey ]] && { # No key was specified: fallback to stdout _message "printing uncloaked key on stdout" } # Bail out if destination exists, unless -f (force) was passed [[ $destkey != "/dev/stdout" && -s $destkey ]] && { _warning "File exists: ::1 tomb key::" $destkey { option_is_set -f } && { _warning "Use of --force selected: overwriting." rm -f $destkey } || { _warning "Make explicit use of --force to overwrite." _failure "Refusing to overwrite file. Operation aborted." } } # Extract the key from the text file if [[ -z "$destkey" ]]; then decloakify -i "${textfile}" -c "${cipher}" else decloakify -i "${textfile}" -c "${cipher}" -o "${destkey}" fi r=$? # Report to the user [[ -z "$destkey" ]] && destkey="stdout" [[ $r == 0 ]] && { _success "Key successfully uncloaked to ::1 key::." $destkey } || { _warning "Nothing found in ::1 text file::" $textfile } unset _MSG_FD_OVERRIDE return $r } # Produces a printable image of the key contents so a backup on paper # can be made and hidden in books etc. engrave_key() { _load_key # Try loading key from option -k and set TOMBKEYFILE local keyname=$(basename $TOMBKEYFILE) local pngname="$keyname.qr.png" _success "Rendering a printable QRCode for key: ::1 tomb key file::" $TOMBKEYFILE # we omit armor strings to save space awk '/^-----/ {next}; /^Version/ {next}; {print $0}' $TOMBKEYFILE \ | qrencode --size 4 --level H --casesensitive -o $pngname [[ $? != 0 ]] && { _failure "QREncode reported an error." } _success "Operation successful:" # TODO: only if verbose and/or not silent ls -lh $pngname file $pngname } # }}} - Key handling # {{{ Create # Since version 1.5.3, tomb creation is a three-step process that replaces create_tomb(): # # * dig a .tomb (the large file) using /dev/urandom (takes some minutes at least) # # * forge a .key (the small file) using /dev/random (good entropy needed) # # * lock the .tomb file with the key, binding the key to the tomb (requires dm_crypt format) # Step one - Dig a tomb # # Synopsis: dig_tomb /path/to/tomb -s sizemebibytes # # It will create an empty file to be formatted as a loopback # filesystem. Initially the file is filled with random data taken # from /dev/urandom to improve overall tomb's security and prevent # some attacks aiming at detecting how much data is in the tomb, or # which blocks in the filesystem contain that data. dig_tomb() { # $1 arg is path to tomb # Require the specification of the size of the tomb (-s) in MiB local -i tombsize=$(option_value -s) _message "Commanded to dig tomb ::1 tomb path::" $tombpath [[ ! -z $1 ]] || _failure "Missing path to tomb" [[ -n "$tombsize" ]] || _failure "Size argument missing, use -s" [[ $tombsize == <-> ]] || _failure "Size must be an integer (mebibytes)" [[ $tombsize -ge 10 ]] || _failure "Tombs can't be smaller than 10 mebibytes" [[ -e $1 ]] && { _warning "A tomb exists already. I'm not digging here:" ls -lh $1 return 1 } _success "Creating a new tomb in ::1 tomb path::" $1 _message "Generating ::1 tomb file:: of ::2 size::MiB" $1 $tombsize touch "$1" [[ $? = 0 ]] || { _warning "Error creating the tomb ::1 tomb path::" $1 _failure "Operation aborted." } # Ensure that file permissions are safe even if interrupted [[ -n $SUDO_USER ]] && chown ${_UID}:${_GID} "$1" chmod 0600 $1 _verbose "Data dump using ::1:: from /dev/urandom" ${DD[1]} ${=DD} if=/dev/urandom bs=1048576 count=$tombsize of=$1 ls -lh "$1" _success "Done digging ::1 tomb name::" $1 _message "Your tomb is not yet ready, you need to forge a key and lock it:" _message "tomb forge ::1 tomb path::.key" $1 _message "tomb lock ::1 tomb path:: -k ::1 tomb path::.key" $1 return 0 } # Step two -- Create a detached key to lock a tomb with # # Synopsis: forge_key [destkey|-k destkey] [-o cipher] [-r|-R gpgid] # # Arguments: # -k path to destination keyfile # -o Use an alternate algorithm # -r GPG recipients to be used # forge_key() { # can be specified both as simple argument or using -k local destkey="$1" { option_is_set -k } && { destkey=$(option_value -k) } local algo="AES256" # Default encryption algorithm [[ -z "$destkey" ]] && { _failure "A filename needs to be specified using -k to forge a new key." } # _message "Commanded to forge key ::1 key::" $destkey _check_swap # Ensure the available memory is safe to use # Ensure GnuPG won't exit with an error before first run local gpghome=${GNUPGHOME:-$HOME/.gnupg} [[ -r $gpghome/pubring.gpg ]] || { mkdir -p -m 0700 $gpghome touch $gpghome/pubring.gpg } # Do not overwrite any files accidentally [[ -r "$destkey" ]] && { ls -lh $destkey _failure "Forging this key would overwrite an existing file. Operation aborted." } touch $destkey [[ $? == 0 ]] || { _warning "Cannot generate encryption key." _failure "Operation aborted." } chmod 0600 $destkey # Update algorithm if it was passed on the command line with -o { option_is_set -o } && algopt="$(option_value -o)" [[ -n "$algopt" ]] && algo=$algopt _message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \ $destkey $algo [[ $KDF == 1 ]] && { ! option_is_set -g } && { _message "Using KDF to protect the key password" } TOMBKEYFILE="$destkey" # Set global variable _warning "This operation takes time. Keep using this computer on other tasks." _warning "Once done you will be asked to choose a password for your tomb." _warning "To make it faster you can move the mouse around." _warning "If you are on a server, you can use an Entropy Generation Daemon." # Use /dev/urandom as the entropy source, unless --use-random is specified local random_source=/dev/urandom { option_is_set --use-random } && random_source=/dev/random _verbose "Data dump using ::1:: from ::2 source::" ${DD[1]} $random_source TOMBSECRET=$(${=DD} bs=1 count=512 if=$random_source) [[ $? == 0 ]] || { _warning "Cannot generate encryption key." _failure "Operation aborted." } # Here the global variable TOMBSECRET contains the naked secret { option_is_set -g } && { _success "Using GnuPG key(s) to encrypt your key: ::1 tomb key::" $TOMBKEYFILE } || { _success "Choose the password of your key: ::1 tomb key::" $TOMBKEYFILE } _message "(You can also change it later using 'tomb passwd'.)" # _user_file $TOMBKEYFILE tombname="$TOMBKEYFILE" # XXX ??? # the gen_key() function takes care of the new key's encryption { option_is_set --tomb-pwd } && { local tombpwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 new pass::" $tombpwd gen_key $TOMBKEYFILE "$tombpwd" } || { gen_key $TOMBKEYFILE } # load the key contents (set global variable) TOMBKEY="${mapfile[$TOMBKEYFILE]}" # this does a check on the file header is_valid_key $TOMBKEY || { _warning "The key does not seem to be valid." _warning "Dumping contents to screen:" print "${mapfile[$TOMBKEY]}" _warning "--" rm -f ${TOMBKEYFILE} _failure "Operation aborted." } [[ -n $SUDO_USER ]] && chown ${_UID}:${_GID} "$TOMBKEYFILE" _message "Done forging ::1 key file::" $TOMBKEYFILE _success "Your key is ready:" ls -lh $TOMBKEYFILE } # Step three -- Lock tomb # # Synopsis: tomb_lock file.tomb file.tomb.key [-o cipher] [-r gpgid] # # Lock the given tomb with the given key file, in fact formatting the # loopback volume as a LUKS device. # Default cipher 'aes-xts-plain64'can be overridden with -o lock_tomb_with_key() { # old default was aes-cbc-essiv:sha256 # Override with -o # for more alternatives refer to cryptsetup(8) local cipher="aes-xts-plain64" local tombpath="$1" # First argument is the path to the tomb [[ -n $tombpath ]] || { _warning "No tomb specified for locking." _warning "Usage: tomb lock file.tomb -k file.tomb.key" return 1 } is_valid_tomb $tombpath _message "Commanded to lock tomb ::1 tomb file::" $TOMBFILE [[ -f $TOMBPATH ]] || { _failure "There is no tomb here. You have to dig it first." } _verbose "Tomb found: ::1 tomb path::" $TOMBPATH local filesystem=ext4 option_is_set --filesystem && { filesystem=`option_value --filesystem` local tombsize=`stat --format '%s' $tombpath` case $filesystem in ext3|ext4) ;; ext3maxinodes|ext4maxinodes) ;; btrfs) if [[ $tombsize -lt 114294784 ]]; then _failure "Filesystem ::1 filesystem:: not supported on tombs smaller than ::2 size::" \ $filesystem "114MB" fi ;; btrfsmixedmode) if [[ $tombsize -lt 18874368 ]]; then _failure "Filesystem ::1 filesystem:: not supported on tombs smaller than ::2 size::" \ $filesystem "18MB" fi ;; *) _failure "Filesystem not supported: ::1 filesystem::" $filesystem return 1 ;; esac _success "Selected filesystem type $filesystem." } lo_check "$TOMBPATH" _message "Checking if the tomb is empty (we never step on somebody else's bones)." _sudo cryptsetup isLuks ${TOMBPATH} if [ $? = 0 ]; then # is it a LUKS encrypted nest? then bail out and avoid reformatting it _warning "The tomb was already locked with another key." _failure "Operation aborted. I cannot lock an already locked tomb. Go dig a new one." else _message "Fine, this tomb seems empty." fi _load_key # Try loading key from option -k and set TOMBKEYFILE # the encryption cipher for a tomb can be set when locking using -c { option_is_set -o } && algopt="$(option_value -o)" [[ -n "$algopt" ]] && cipher=$algopt _message "Locking using cipher: ::1 cipher::" $cipher # get the pass from the user and check it if option_is_set --tomb-pwd; then tomb_pwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $tomb_pwd ask_key_password "$tomb_pwd" else ask_key_password fi [[ $? == 0 ]] || _failure "No valid password supplied." _success "Locking ::1 tomb file:: with ::2 tomb key file::" $TOMBFILE $TOMBKEYFILE _message "Formatting Luks mapped device." _cryptsetup --batch-mode \ --cipher ${cipher} --hash sha512 --key-size 512 --key-slot 0 \ luksFormat ${TOMBPATH} [[ $? == 0 ]] || { _warning "cryptsetup luksFormat returned an error." _failure "Operation aborted." } _cryptsetup --cipher ${cipher} --hash sha512 luksOpen ${TOMBPATH} tomb.tmp [[ $? == 0 ]] || { _warning "cryptsetup luksOpen returned an error." _failure "Operation aborted." } _message "Formatting your Tomb with $filesystem filesystem." case $filesystem in ext3|ext4) _sudo mkfs.${filesystem} -q -F -j -L $TOMBNAME /dev/mapper/tomb.tmp ;; ext3maxinodes|ext4maxinodes) # TODO: cover with test filesystem=${filesystem:0:4} _sudo mkfs.${filesystem} -q -F -j -i 1024 -b 1024 -L $TOMBNAME /dev/mapper/tomb.tmp ;; btrfs) # TODO: cover with test _sudo mkfs.${filesystem} -q -L $TOMBNAME /dev/mapper/tomb.tmp ;; btrfsmixedmode) # TODO: cover with test filesystem=${filesystem:0:5} _sudo mkfs.${filesystem} -q -M -L $TOMBNAME /dev/mapper/tomb.tmp ;; esac [[ $? == 0 ]] || { _warning "Tomb format returned an error." _sudo cryptsetup luksClose tomb.tmp _failure "Your tomb ::1 tomb file:: may be corrupted." $TOMBFILE } # Sync _sudo cryptsetup luksClose tomb.tmp _message "Done locking ::1 tomb name:: using Luks dm-crypt ::2 cipher::" $TOMBNAME $cipher _success "Your tomb is ready in ::1 tomb path:: and secured with key ::2 tomb key::" \ $TOMBPATH $TOMBKEYFILE return 0 } # This function changes the key that locks a tomb change_tomb_key() { local tombkey="$1" # Path to the tomb's key file local tombpath="$2" # Path to the tomb _message "Commanded to reset key for tomb ::1 tomb path::" $tombpath [[ -z "$tombpath" ]] && { _warning "Command 'setkey' needs two arguments: the old key file and the tomb." _warning "I.e: tomb -k new.tomb.key old.tomb.key secret.tomb" _failure "Execution aborted." } _check_swap is_valid_tomb $tombpath lo_check "$TOMBPATH" _sudo cryptsetup isLuks ${TOMBPATH} # is it a LUKS encrypted nest? we check one more time [[ $? == 0 ]] || { _failure "Not a valid LUKS encrypted volume: ::1 volume::" $TOMBPATH } _load_key $tombkey # Try loading given key and set TOMBKEY # TOMBKEYFILE local oldkey=$TOMBKEY local oldkeyfile=$TOMBKEYFILE # we have everything, prepare to mount _success "Changing lock on tomb ::1 tomb name::" $TOMBNAME _message "Old key: ::1 old key::" $oldkeyfile # load the old key if option_is_set --tomb-old-pwd; then tomb_old_pwd="`option_value --tomb-old-pwd`" _verbose "tomb-old-pwd = ::1 old pass::" $tomb_old_pwd ask_key_password "$tomb_old_pwd" else ask_key_password fi [[ $? == 0 ]] || { _failure "No valid password supplied for the old key." } old_secret=$TOMBSECRET # luksOpen the tomb (not really mounting, just on the loopback) print -R -n - "$old_secret" | _sudo cryptsetup --key-file - \ luksOpen ${TOMBPATH} ${TOMBMAPPER} [[ $? == 0 ]] || _failure "Unexpected error in luksOpen." _load_key # Try loading new key from option -k and set TOMBKEYFILE _message "New key: ::1 key file::" $TOMBKEYFILE if option_is_set --tomb-pwd; then tomb_new_pwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $tomb_new_pwd ask_key_password "$tomb_new_pwd" else ask_key_password fi [[ $? == 0 ]] || { _failure "No valid password supplied for the new key." } _tmp_create tmpnewkey=$TOMBTMP print -R -n - "$TOMBSECRET" >> $tmpnewkey print -R -n - "$old_secret" | _sudo cryptsetup --key-file - \ luksChangeKey "$TOMBPATH" "$tmpnewkey" [[ $? == 0 ]] || _failure "Unexpected error in luksChangeKey." _sudo cryptsetup luksClose "${TOMBMAPPER}" || _failure "Unexpected error in luksClose." _success "Successfully changed key for tomb: ::1 tomb file::" $TOMBFILE _message "The new key is: ::1 new key::" $TOMBKEYFILE return 0 } # }}} - Creation # {{{ Open _update_control_file() { # make sure a control file exists, gives it user ownership # and replaces it with new contents # stdin = contents # $1 = path to control file # $2 = contents [[ -z $2 ]] && return 1 _sudo touch "$1" _sudo chown ${_UID}:${_GID} "$1" print "$2" > "$1" _verbose "updated control file $1 = $2" } _detect_filesystem() { local device=$1 _verbose "detecting filesystem of ::1 device::" $device print "`lsblk -in -o FSTYPE $device`" } # $1 = tombfile $2(optional) = mountpoint mount_tomb() { [[ -n "$1" ]] || _failure "No tomb name specified for opening." _message "Commanded to open tomb ::1 tomb name::" $1 _check_swap is_valid_tomb $1 _track_stat "$TOMBPATH" _load_key # Try loading new key from option -k and set TOMBKEYFILE local tombmount="$2" [[ -z "$tombmount" ]] && { tombmount="/media/$TOMBNAME" [[ -d /media ]] || { # no /media found, adopting /run/media/$USER to match behaviour # of tools following the notion to mount in that location (like udisks2) local runmedia="/run/media/$_USER" tombmount="$runmedia/$TOMBNAME" } _message "Mountpoint not specified, using default: ::1 mount point::" "$tombmount" } _success "Opening ::1 tomb file:: on ::2 mount point::" $TOMBNAME "$tombmount" # check if the mountpoint is already used mounted_tombs=(`list_tomb_mounts`) for t in ${mounted_tombs}; do usedmount=${t[(ws:;:)2]} [[ "$usedmount" == "$tombmount" ]] && _failure "Mountpoint already in use: ::1 mount point::" "$tombmount" done lo_check "$TOMBPATH" _sudo cryptsetup isLuks ${TOMBPATH} || { # is it a LUKS encrypted nest? see cryptsetup(1) _failure "::1 tomb file:: is not a valid Luks encrypted storage file." $TOMBFILE } _message "This tomb is a valid LUKS encrypted device." local luksdump="`_sudo cryptsetup luksDump ${TOMBPATH}`" local tombdump=(`print $luksdump | awk ' /^Cipher name/ {print $3} /^Cipher mode/ {print $3} /^Hash spec/ {print $3}'`) _message "Cipher is \"::1 cipher::\" mode \"::2 mode::\" hash \"::3 hash::\"" $tombdump[1] $tombdump[2] $tombdump[3] local slotwarn=`print $luksdump | awk ' BEGIN { zero=0 } /^Key slot 0/ { zero=1 } /^Key slot.*ENABLED/ { if(zero==1) print "WARN" }'` [[ "$slotwarn" == "WARN" ]] && { _warning "Multiple key slots are enabled on this tomb. Beware: there can be a backdoor." } _verbose "Tomb key: ::1 key file::" $TOMBKEYFILE # take the name only, strip extensions _verbose "Tomb name: ::1 tomb name:: (to be engraved)" $TOMBNAME { option_is_set --tomb-pwd } && { ! option_is_set -g } && { tomb_pwd="`option_value --tomb-pwd`" _verbose "tomb-pwd = ::1 tomb pass::" $tomb_pwd ask_key_password "$tomb_pwd" } || { ask_key_password } [[ $? == 0 ]] || _failure "No valid password supplied." _cryptsetup luksOpen ${TOMBPATH} ${TOMBMAPPER} [[ $? = 0 ]] || { _failure "Failure mounting the encrypted file." } # array: [ cipher, keysize, loopdevice ] local tombstat=(`_sudo cryptsetup status ${TOMBMAPPER} | awk ' /cipher:/ {print $2} /keysize:/ {print $2} /device:/ {print $2}'`) _success "Success unlocking tomb ::1 tomb name::" $TOMBNAME _verbose "Key size is ::1 size:: for cipher ::2 cipher::" $tombstat[2] $tombstat[1] local filesystem=`_detect_filesystem /dev/mapper/${TOMBMAPPER}` _message "Filesystem detected: ::1 filesystem::" $filesystem # TODO: check if FS is supported, else close luks _verbose "Tomb engraved as ::1 tomb name::" $TOMBNAME if option_value_contains -o ro; then _message "Skipping filesystem checks in read-only" else _message "Checking filesystem via ::1::" $tombstat[3] case $filesystem in ext3|ext4) if option_is_set -q; then _sudo fsck -p -C0 /dev/mapper/${TOMBMAPPER} > /dev/null else _sudo fsck -p -C0 /dev/mapper/${TOMBMAPPER} fi # TODO: btrfs filesystem label [|] [] _sudo tune2fs -L $TOMBNAME /dev/mapper/${TOMBMAPPER} > /dev/null ;; btrfs) _sudo btrfs check /dev/mapper/${TOMBMAPPER} _sudo btrfs filesystem label /dev/mapper/${TOMBMAPPER} ${TOMBNAME} ;; esac fi # we need root from here on _sudo mkdir -p "$tombmount" # set ACL on /run/media/$_USER/ to match behaviour (see #461) # tmpfs -> it doesn't know acl/noacl mount options -> no check [[ $ACL == 1 ]] && [[ -s $runmedia ]] && { _sudo setfacl -m u:"$_USER":r-x "$runmedia" } # Default mount options are overridden with the -o switch local oldmountopts { option_is_set -o } && { oldmountopts=$MOUNTOPTS # TODO: safety check MOUNTOPTS coming from user MOUNTOPTS="$(option_value -o)" } # default btrfs compression zstd:1 (oportunistic according to pre-compression heuristics) # see: https://btrfs.readthedocs.io/en/latest/Compression.html#pre-compression-heuristics [[ "$filesystem" = "btrfs" ]] && { MOUNTOPTS="$MOUNTOPTS,compress=zstd:1" } # safe_mount_options && _sudo mount -o $MOUNTOPTS /dev/mapper/${TOMBMAPPER} "${tombmount}" # Clean up if the mount failed [[ $? == 0 ]] || { _warning "Error mounting ::1 mapper:: on ::2 tombmount::" $TOMBMAPPER "$tombmount" [[ $oldmountopts != $MOUNTOPTS ]] && \ _warning "Are mount options '::1 mount options::' valid?" $MOUNTOPTS # TODO: move cleanup to _endgame() [[ -d "$tombmount" ]] && _sudo rmdir "$tombmount" [[ -e /dev/mapper/$TOMBMAPPER ]] && _sudo cryptsetup luksClose $TOMBMAPPER _failure "Cannot mount ::1 tomb name::" $TOMBNAME } _success "Success opening ::1 tomb file:: on ::2 mount point::" $TOMBFILE "$tombmount" local tombtty tombhost tombuid tombuser # print out when it was opened the last time, by whom and where [[ -r "${tombmount}/.last" ]] && { tombsince=$(cat "${tombmount}/.last") tombsince=$(date --date=@$tombsince +%c) tombtty=$(cat "${tombmount}/.tty") tombhost=$(cat "${tombmount}/.host") tomblast=$(cat "${tombmount}/.last") tombuid=$(cat "${tombmount}/.uid" | tr -d ' ') tombuser=`_get_username $tombuid` _message "Last visit by ::1 user::(::2 tomb build::) from ::3 tty:: on ::4 host::" $tombuser $tombuid $tombtty $tombhost _message "on date ::1 date::" $tombsince [[ -r "${tombmount}"/.cleanexit ]] || _message "the door was slammed or shutdown called before umount." } # write down the UID and TTY that opened the tomb option_value_contains -o ro || { _update_control_file "${tombmount}/.uid" $_UID _update_control_file "${tombmount}/.tty" $_TTY # also the hostname if command -v hostname >/dev/null; then _update_control_file "${tombmount}/.host" `hostname` elif [[ -r /etc/hostname ]]; then _update_control_file "${tombmount}/.host" $(cat /etc/hostname) else _update_control_file "${tombmount}/.host" localhost fi # and the "last time opened" information # in minutes since 1970, this is printed at next open _update_control_file "${tombmount}/.last" `date +%s` # human readable: date --date=@"`cat .last`" +%c } # process bind-hooks (mount -o bind of directories) # and exec-hooks (execute on open) option_is_set -n || { exec_safe_bind_hooks "${tombmount}" exec_safe_func_hooks open "${tombmount}" } # Changes ownership to current user. This facilitates a lot # usability by single users. If a Tomb is opened read-only or it # is "multiuser" and contains ACL "by convention" using UNIX # ownership that needs to be preserved, then this behavior can be # deactivated using -p local dochown=true option_value_contains -o ro && dochown=false option_is_set -p && dochown=false $dochown && _sudo chown -R ${_UID}:${_GID} "${tombmount}" return 0 } ## HOOKS EXECUTION # # Execution of code inside a tomb may present a security risk, e.g., # if the tomb is shared or compromised, an attacker could embed # malicious code. When in doubt, open the tomb with the -n switch in # order to skip this feature and verify the files mount-hooks and # bind-hooks inside the tomb yourself before letting them run. # Mount files and directories from the tomb to the current user's HOME. # # Synopsis: exec_safe_bind_hooks /path/to/mounted/tomb # # This can be a security risk if you share tombs with untrusted people. # In that case, use the -n switch to turn off this feature. exec_safe_bind_hooks() { local mnt="$1" # First argument is the mount point of the tomb # Default mount options are overridden with the -o switch [[ -n ${(k)OPTS[-o]} ]] && MOUNTOPTS=${OPTS[-o]} # No HOME set? Note: this should never happen again. [[ -z $HOME ]] && { _warning "How pitiful! A tomb, and no HOME." return 1 } [[ -z $mnt || ! -d $mnt ]] && { _warning "Cannot exec bind hooks without a mounted tomb." return 1 } [[ -r "$mnt/bind-hooks" ]] || { _verbose "bind-hooks not found in ::1 mount point::" $mnt return 0 } typeset -Al maps # Maps of files and directories to mount typeset -al mounted # Track already mounted files and directories # better parsing for bind hooks checks for two separated words on # each line, using zsh word separator array subscript _bindhooks="${mapfile[${mnt}/bind-hooks]}" for h in ${(f)_bindhooks}; do h=${h//\\ /__ESC_SPACE__} s="${h[(w)1]}" d="${h[(w)2]}" s=${s//__ESC_SPACE__/ } d=${d//__ESC_SPACE__/ } [[ -z $s ]] && { _warning "bind-hooks file is broken"; return 1 } [[ -z $d ]] && { _warning "bind-hooks file is broken"; return 1 } maps+=($s $d) _verbose "bind-hook found: $s -> $d" done unset _bindhooks for dir in ${(k)maps}; do [[ "${dir[1]}" == "/" || "${dir[1,2]}" == ".." ]] && { _warning "bind-hooks map format: local/to/tomb local/to/\$HOME" continue } [[ "${${maps[$dir]}[1]}" == "/" || "${${maps[$dir]}[1,2]}" == ".." ]] && { _warning "bind-hooks map format: local/to/tomb local/to/\$HOME. Rolling back" for dir in ${mounted}; do _sudo umount $dir; done return 0 } while true; do [[ ! -r "$mnt/$dir" ]] && { _warning "bind-hook source not found in tomb, skipping ::1 mount point::/::2 subdir::" $mnt $dir break; } [[ ! -r "$HOME/${maps[$dir]}" ]] && { _warning "bind-hook target not existent, skipping ::1 home::/::2 subdir::" $HOME ${maps[$dir]} break; } _sudo mount -o bind,$MOUNTOPTS \ $mnt/$dir $HOME/${maps[$dir]} \ && mounted+=("$HOME/${maps[$dir]}") break done done } # Execute automated actions configured in the tomb. # # Synopsis: exec_safe_func_hooks /path/to/mounted/tomb # # If an executable file named 'exec-hooks' is found inside the tomb, # run it as a user. This might need a dialog for security on what is # being run, however we expect you know well what is inside your tomb. # If you're mounting an untrusted tomb, be safe and use the -n switch # to verify what it would run if you let it. This feature opens the # possibility to make encrypted executables. exec_safe_func_hooks() { local mnt mnt="$2" # Only run if post-hooks has the executable bit set [[ -x $mnt/exec-hooks ]] && { _success "Exec hook: ::1 exec hook:: ::2 action::" \ "${mnt}/exec-hooks" "$1" # here call two actions: open or close. Synopsis: # $1 $2 $3 $4 $5 # open "$tombmount" # close "$tombmount" "$tombname" "$tombloop" "$TOMBMAPPER" $mnt/exec-hooks "$1" "$2" "$3" "$4" "$5" return $? } return 0 } # }}} - Tomb open # {{{ List # list all tombs mounted in a readable format # $1 is optional, to specify a tomb list_tombs() { local tombname tombmount tombfs tombfsopts tombloop local ts tombtot tombused tombavail tombpercent tombp tombsince local tombtty tombhost tombuid tombuser # list all open tombs mounted_tombs=(`list_tomb_mounts $1`) [[ ${#mounted_tombs} == 0 ]] && { _failure "I can't see any open tomb, may they all rest in peace." } for t in ${mounted_tombs}; do mapper=`basename ${t[(ws:;:)1]}` tombname=${t[(ws:;:)5]} tombmount="${t[(ws:;:)2]}" tombfs=${t[(ws:;:)3]} tombfsopts=${t[(ws:;:)4]} tombloop=${mapper[(ws:.:)4]} # calculate tomb size ts=`df -hP /dev/mapper/$mapper | awk "/mapper/"' { print $2 ";" $3 ";" $4 ";" $5 }'` tombtot=${ts[(ws:;:)1]} tombused=${ts[(ws:;:)2]} tombavail=${ts[(ws:;:)3]} tombpercent=${ts[(ws:;:)4]} tombp=${tombpercent%%%} # obsolete way to get the last open date from /dev/mapper # which doesn't work when tomb filename contain dots # tombsince=`date --date=@${mapper[(ws:.:)3]} +%c` # find out who opens it from where [[ -r "${tombmount}/.tty" ]] && { tombsince=$(cat "${tombmount}/.last") tombsince=$(date --date=@$tombsince +%c) tombtty=$(cat "${tombmount}/.tty") tombhost=$(cat "${tombmount}/.host") tombuid=$(cat "${tombmount}/.uid" | tr -d ' ') tombuser=`_get_username $tombuid` } { option_is_set --get-mountpoint } && { print "$tombmount"; continue } _message "::1 tombname:: open on ::2 tombmount:: using ::3 tombfsopts::" \ $tombname "$tombmount" $tombfsopts _verbose "::1 tombname:: attached to /dev/::2 tombloop:: device" $tombname $tombloop _message "::1 tombname:: open since ::2 tombsince::" $tombname $tombsince [[ -z "$tombtty" ]] || { _message "::1 tombname:: open by ::2 tombuser:: from ::3 tombtty:: on ::4 tombhost::" \ $tombname $tombuser $tombtty $tombhost } _message "::1 tombname:: size ::2 tombtot:: of which ::3 tombused:: (::5 tombpercent::%) is used: ::4 tombavail:: free " \ $tombname $tombtot $tombused $tombavail $tombpercent [[ ${tombp} -ge 90 ]] && { _warning "::1 tombname:: warning: your tomb is almost full!" $tombname } # Now check hooks mounted_hooks=(`list_tomb_binds "$mapper"`) for h in ${mounted_hooks}; do _message "::1 tombname:: hooks ::2 hookdest::" \ $tombname ${h[(ws:;:)2]} done done return 0 } # Print out an array of mounted tombs (internal use) # Format is semi-colon separated list of attributes # if 1st arg is supplied, then list only that tomb # # String positions in the semicolon separated array: # # 1. full mapper path # # 2. mountpoint # # 3. filesystem type # # 4. mount options # # 5. tomb name list_tomb_mounts() { # execute in subshell to avoid ZSH non-POSIX behaviour if globbing doesn't match something ( for dev in /dev/mapper/tomb*$1.*; do findmnt --source ${dev} -rnvo SOURCE,TARGET,FSTYPE,OPTIONS,LABEL \ | awk ' BEGIN { main="" } { if(main==$1) next; print $1 ";" $2 ";" $3 ";(" $4 ");[" $5 "]" main=$1 } ' done ) 2>/dev/null } # list_tomb_binds # print out an array of mounted bind hooks (internal use) # format is semi-colon separated list of attributes # needs two arguments: name of tomb whose hooks belong # mount tomb list_tomb_binds() { [[ -z "$1" ]] && { _failure "Internal error: list_tomb_binds called without argument." } # ignore the first line of the result for the respective source (mapper), # as this will be the canonical first mount (aka main mount) findmnt --source=/dev/mapper/"$1" -rno SOURCE,TARGET,FSTYPE,OPTIONS,LABEL \ | awk ' FNR==1 {next} { print $1 ";" $2 ";" $3 ";(" $4 ");[" $5 "]" } ' } # }}} - Tomb list # {{{ Index and search # index files in all tombs for search # $1 is optional, to specify a tomb index_tombs() { mounted_tombs=(`list_tomb_mounts $1`) [[ ${#mounted_tombs} == 0 ]] && { # Considering one tomb [[ -n "$1" ]] && { _failure "There seems to be no open tomb engraved as [::1::]" $1 } # Or more _failure "I can't see any open tomb, may they all rest in peace." } _success "Creating and updating search indexes." # # start the LibreOffice document converter if installed # { command -v unoconv 1>/dev/null 2>/dev/null } && { # unoconv -l 2>/dev/null & # _verbose "unoconv listener launched." # sleep 1 } for t in ${mounted_tombs}; do mapper=`basename ${t[(ws:;:)1]}` tombname=${t[(ws:;:)5]} tombmount="${t[(ws:;:)2]}" [[ -r "${tombmount}/.noindex" ]] && { _message "Skipping ::1 tomb name:: (.noindex found)." $tombname continue } { command -v updatedb 1>/dev/null 2>/dev/null } && { updatedbver=`updatedb --version | grep '^updatedb'` if [[ "$updatedbver" =~ "GNU findutils" ]]; then _warning "Cannot use GNU findutils for index/search commands." # elif [[ "$updatedbver" =~ "locate" ]]; then # _warning "Index command needs 'mlocate/plocate' to be installed." else _message "Indexing ::1 tomb name:: filenames..." $tombname _verbose "$updatedbver" updatedb -l 0 -o "${tombmount}/.updatedb" -U "${tombmount}" fi } # here we use recoll to index file contents [[ $RECOLL == 1 ]] && { _message "Indexing ::1 tomb name:: contents..." $tombname rm -f "${tombmount}/recoll.conf" _message "Generating a new search index configuration: ::1 recoll conf::" "${tombmount}/recoll.conf" mkdir -p "${tombmount}/.recoll" cat < "${tombmount}/recoll.conf" topdirs = ${tombmount} cachedir = ${tombmount}/.recoll EOF recollindex -c "${tombmount}" } _message "Search index updated." done return 0 } search_tombs() { { command -v locate 1>/dev/null 2>/dev/null } || { _failure "Cannot index tombs on this system: updatedb (mlocate/plocate) not installed." } updatedbver=`updatedb --version | grep '^updatedb'` [[ "$updatedbver" =~ "GNU findutils" ]] && { _warning "Cannot use GNU findutils for index/search commands." } [[ "$updatedbver" =~ "locate" ]] || { _failure "Index command needs 'mlocate/plocate' to be installed." } _verbose "$updatedbver" # list all open tombs mounted_tombs=(`list_tomb_mounts`) [[ ${#mounted_tombs} == 0 ]] && { _failure "I can't see any open tomb, may they all rest in peace." } _success "Searching for: ::1::" ${(f)@} for t in ${mounted_tombs}; do _verbose "Checking for index: ::1::" ${t} mapper=`basename ${t[(ws:;:)1]}` tombname=${t[(ws:;:)5]} tombmount="${t[(ws:;:)2]}" [[ -r "${tombmount}/.updatedb" ]] && { # Use mlocate/plocate to search hits on filenames _message "Searching filenames in tomb ::1 tomb name::" $tombname locate -d "${tombmount}/.updatedb" -e -i "${(f)@}" _message "Matches found: ::1 matches::" \ $(locate -d "${tombmount}/.updatedb" -e -i -c ${(f)@}) # Use recoll to search over contents [[ $RECOLL == 1 && -r "$tombmount/recoll.conf" ]] && { _message "Searching contents in tomb ::1 tomb name::" $tombname recollq -c "${tombmount}" ${@} } } || { _warning "Skipping tomb ::1 tomb name::: not indexed." $tombname _warning "Run 'tomb index' to create indexes." } done _message "Search completed." return 0 } # }}} - Index and search # {{{ Resize # resize tomb file size resize_tomb() { local tombpath="$1" # First argument is the path to the tomb _message "Commanded to resize tomb ::1 tomb name:: to ::2 size:: mebibytes." $1 $OPTS[-s] [[ -z "$1" ]] && _failure "No tomb name specified for resizing." [[ ! -r "$1" ]] && _failure "Cannot find ::1::" $1 local newtombsize="`option_value -s`" [[ -z "$newtombsize" ]] && { _failure "Aborting operations: new size was not specified, use -s" } is_valid_tomb $tombpath _load_key # Try loading new key from option -k and set TOMBKEYFILE if option_is_set --tomb-pwd; then local tomb_pwd="`option_value --tomb-pwd`" # _verbose "tomb-pwd = ::1 tomb pass::" $tomb_pwd ask_key_password "$tomb_pwd" else ask_key_password fi [[ $? == 0 ]] || _failure "No valid password supplied." local oldtombsize=$(( `stat -c %s "$TOMBPATH" 2>/dev/null` / 1048576 )) local delta="" # New tomb size must be specified [[ -n "$newtombsize" ]] || { _failure "You must specify the new size of ::1 tomb name::" $TOMBNAME } # New tomb size must be an integer [[ $newtombsize == <-> ]] || _failure "Size is not an integer." # Tombs can only grow in size if [[ "$newtombsize" -gt "$oldtombsize" ]]; then delta="$(( $newtombsize - $oldtombsize ))" _verbose "delta growth: +${delta}M" [[ "$delta" -gt "150" ]] || _failure "The growth in size must be greater than 150MiB" _message "Generating ::1 tomb file:: of ::2 size::MiB" $TOMBFILE $newtombsize _verbose "Data dump using ::1:: from /dev/urandom" ${DD[1]} ${=DD} if=/dev/urandom bs=1048576 count=${delta} >> $TOMBPATH [[ $? == 0 ]] || { _failure "Error creating the extra resize ::1 size::, operation aborted." \ $tmp_resize } # If same size this allows to re-launch resize if pinentry expires # so that it will continue resizing without appending more space. # Resizing the partition to the file size cannot harm data anyway. elif [[ "$newtombsize" = "$oldtombsize" ]]; then _message "Tomb seems resized already, operating filesystem stretch" else _failure "The new size must be greater than old tomb size." fi lo_check "$TOMBPATH" _message "opening tomb" _cryptsetup luksOpen ${TOMBPATH} ${TOMBMAPPER} || { _failure "Failure mounting the encrypted file." } _sudo cryptsetup resize "${TOMBMAPPER}" || { _failure "cryptsetup failed to resize ::1 mapper::" $TOMBMAPPER } filesystem=`_detect_filesystem /dev/mapper/${TOMBMAPPER}` _message "Filesystem detected: ::1 filesystem::" $filesystem case $filesystem in ext3|ext4) _sudo e2fsck -p -f /dev/mapper/${TOMBMAPPER} || { _sudo cryptsetup luksClose "${TOMBMAPPER}" _failure "e2fsck failed to check ::1 mapper::" $TOMBMAPPER } _sudo resize2fs /dev/mapper/${TOMBMAPPER} || { _sudo cryptsetup luksClose "${TOMBMAPPER}" _failure "resize2fs failed to resize ::1 mapper::" $TOMBMAPPER } ;; btrfs) _sudo btrfs check /dev/mapper/${TOMBMAPPER} || { _sudo cryptsetup luksClose "${TOMBMAPPER}" _failure "filesystem check failed on ::1 mapper::" $TOMBMAPPER } # btrfs requires mounting before resize local mp=$HOME/${TOMBNAME}.tomb.resize mkdir -p ${mp} _sudo mount /dev/mapper/${TOMBMAPPER} ${mp} sudo btrfs filesystem show /dev/mapper/${TOMBMAPPER} | awk '/devid/{print $2}' | read -r devid _verbose "BTRFS devid detected: $devid" _verbose "btrfs filesystem resize ${devid}:max ${mp}" _sudo btrfs filesystem resize ${devid}:max ${mp} || { _sudo umount ${mp} _sudo cryptsetup luksClose "${TOMBMAPPER}" rmdir ${mp} _failure "filesystem resize failed on ::1 mapper::" $TOMBMAPPER } _sudo umount ${mp} _sudo cryptsetup luksClose "${TOMBMAPPER}" rmdir ${mp} ;; # TODO: report error on unrecognized filesystem esac # close and free the loop device _sudo cryptsetup luksClose "${TOMBMAPPER}" return 0 } # }}} # {{{ Close umount_tomb() { local tombs how_many_tombs local pathmap mapper tombname tombmount loopdev local ans pidk pname if [ "$1" = "all" ]; then mounted_tombs=(`list_tomb_mounts`) else mounted_tombs=(`list_tomb_mounts $1`) fi [[ ${#mounted_tombs} == 0 ]] && { _failure "There is no open tomb to be closed." } [[ ${#mounted_tombs} -gt 1 && -z "$1" ]] && { _warning "Too many tombs mounted, please specify one (see tomb list)" _warning "or issue the command 'tomb close all' to close them all." _failure "Operation aborted." } for t in ${mounted_tombs}; do mapper=`basename ${t[(ws:;:)1]}` # strip square parens from tombname tombname=${t[(ws:;:)5]} tombmount="${t[(ws:;:)2]}" tombfs=${t[(ws:;:)3]} tombfsopts=${t[(ws:;:)4]} tombloop=${mapper[(ws:.:)4]} _verbose "Name: ::1 tomb name::" $tombname _verbose "Mount: ::1 mount point::" "$tombmount" _verbose "Loop: ::1 mount loop::" $tombloop _verbose "Mapper: ::1 mapper::" $mapper [[ -e "$mapper" ]] && { _warning "Tomb not found: ::1 tomb file::" $1 _warning "Please specify an existing tomb." return 0 } option_is_set -n || { exec_safe_func_hooks \ close "$tombmount" "$tombname" "$tombloop" "$mapper" exec_hook_res=$? [[ $exec_hook_res = 0 ]] || { _warning "close exec-hook returns a non-zero error code: ::1 error::" $exec_hook_res _failure "Operation aborted" } } # if SLAM is set kill possible processes [[ -v SLAM ]] && { _message "Slamming tomb ::1 tombname:: mounted on ::2 tombmount::" \ ${tombname} "${tombmount}" _kill_processes "$tombname" "$tombmount" [[ $? -ne 0 ]] && { _failure "Still active processes for ::1 tombname ::, cannot close tomb." "$tombname" } } || { _message "Closing tomb ::1 tomb name:: mounted on ::2 mount point::" \ $tombname "$tombmount" } # check if there are bind mounted dirs and close them first # Can be due to bind-hooks or outside --bind mounts bind_tombs=(`list_tomb_binds "$mapper"`) for b in ${bind_tombs}; do bind_mapper="${b[(ws:;:)1]}" bind_mount="${b[(ws:;:)2]}" _message "Closing tomb bind hook: ::1 hook::" "$bind_mount" _sudo umount "$(echo "$bind_mount")" || _failure "Tomb bind hook ::1 hook:: is busy, cannot close tomb." "$bind_mount" done # umount the main mount _verbose "Performing umount of ::1 mount point::" "$tombmount" touch "${tombmount}"/.cleanexit _sudo umount "${tombmount}" [[ $? = 0 ]] || { rm -f "${tombmount}"/.cleanexit _failure "Tomb is busy, cannot umount!" } # If we used a default mountpoint and is now empty, delete it tombname_regex=${tombname//\[/} tombname_regex=${tombname_regex//\]/} [[ "$tombmount" =~ "(/run)?/media(/$_USER)?/$tombname_regex" ]] && { _sudo rmdir "$tombmount" } _sudo cryptsetup luksClose $mapper || _failure "Error occurred in cryptsetup luksClose ::1 mapper::" $mapper _success "Tomb ::1 tomb name:: closed: your bones will rest in peace." $tombname done # loop across mounted tombs return 0 } list_processes() { # $1 = (optional) name of tomb # runs lsof on the mounted_tombs local mounted_tombs i indicator lsofres indicator=1 # != 0 means there were processes mounted_tombs=(`list_tomb_mounts ${1//[\[\]]/}`) # remove possible [] if [[ "${#mounted_tombs}" -gt 0 ]]; then if [[ -z $1 ]]; then _message "Looking for processes running inside all open tombs..." else _message "Looking for processes running inside tomb ::1 tombname::..." "$1" fi for i in ${mounted_tombs}; do _verbose "scanning tomb: ::1 tombmount::" $i lsofres=$(_sudo lsof +D "${i[(ws:;:)2]}") # Check on output, as $? will always return 1 for whatever reasons [[ -n $lsofres ]] && { indicator=0; echo $lsofres } || { _success "None found" } done fi return $indicator } # Kill all processes using the specified tomb _kill_processes() { # $1 = name of tomb to slam # $2 = mount location of tomb [[ -z "$2" ]] && _failure "Missing arguments for slamming." local pnum result lsofres result=0 _verbose "::1 tombname:: Determining if there are open processes that needs killing" "$1" list_processes "$1" [[ $? -eq 0 ]] && { _verbose "Found open processes in ::1 tombname::" "$1" # iterate through 3 different signals, break on success for s in TERM HUP KILL; do lsofres=(`_sudo lsof -t +D "$2"`) [[ -n $lsofres ]] && { # iterate through all processes before switching signals for pnum in $lsofres; do _message "::1 tombname:: sending ::2 sig:: to open process ::3 pnum::" \ ${1} ${s} ${pnum} _sudo kill -$s $pnum done } || { break } # give some time to the process for a clean quit sleep .5 done } # if there are still processes then signal failure lsofres=(`_sudo lsof -t +D "$tombmount"`) [[ -n $lsofres ]] && { _verbose "Verify that no open processes remain in ::1 tombname::" "$1" for pnum in $lsofres; do _warning "Couldn't kill ::1 pnum::" $pnum done result=1 } return $result } # }}} - Tomb close # {{{ Main routine main() { _ensure_dependencies # Check dependencies are present or bail out local -A subcommands_opts ### Options configuration # # Hi, dear developer! Are you trying to add a new subcommand, or # to add some options? Well, keep in mind that option names are # global: they cannot bear a different meaning or behaviour across # subcommands. The only exception is "-o" which means: "options # passed to the local subcommand", and thus can bear a different # meaning for different subcommands. # # For example, "-s" means "size" and accepts one argument. If you # are tempted to add an alternate option "-s" (e.g., to mean # "silent", and that doesn't accept any argument) DON'T DO IT! # # There are two reasons for that: # I. Usability; users expect that "-s" is "size" # II. Option parsing WILL EXPLODE if you do this kind of bad # things (it will complain: "option defined more than once") # # If you want to use the same option in multiple commands then you # can only use the non-abbreviated long-option version like: # -force and NOT -f # main_opts=(q -quiet=q D -debug=D h -help=h v -version=v f -force=f -tmp: U: G: T: -no-color -unsafe g -gpgkey=g -sudo:) subcommands_opts[__default]="" # -o in open and mount is used to pass alternate mount options subcommands_opts[open]="n -nohook=n k: o: -ignore-swap -tomb-pwd: r: R: p -preserve-ownership=p" subcommands_opts[mount]=${subcommands_opts[open]} subcommands_opts[create]="" # deprecated, will issue warning # -o in forge and lock is used to pass an alternate cipher. subcommands_opts[forge]="-ignore-swap k: -kdf: -kdfiter: -kdfmem: -kdfpar: o: -tomb-pwd: -use-random r: R: " subcommands_opts[dig]="-ignore-swap s: -size=s " subcommands_opts[lock]="-ignore-swap k: o: -tomb-pwd: r: R: -filesystem: " subcommands_opts[setkey]="k: -ignore-swap -tomb-old-pwd: -tomb-pwd: r: R: " subcommands_opts[engrave]="k: " subcommands_opts[passwd]="k: -ignore-swap -kdf: -kdfiter: -kdfmem: -kdfpar: -tomb-old-pwd: -tomb-pwd: r: R: " subcommands_opts[close]="" subcommands_opts[help]="" subcommands_opts[slam]="" subcommands_opts[ps]="" subcommands_opts[list]="-get-mountpoint " subcommands_opts[index]="" subcommands_opts[search]="" subcommands_opts[bury]="k: -tomb-pwd: r: R: " subcommands_opts[exhume]="k: -tomb-pwd: r: R: " subcommands_opts[cloak]="k: " subcommands_opts[uncloak]="k: " # subcommands_opts[decompose]="" # subcommands_opts[recompose]="" # subcommands_opts[install]="" subcommands_opts[askpass]="" subcommands_opts[source]="" subcommands_opts[resize]="-ignore-swap s: -size=s k: -tomb-pwd: r: R: " subcommands_opts[check]="-ignore-swap " # subcommands_opts[translate]="" ### Detect subcommand local -aU every_opts #every_opts behave like a set; that is, an array with unique elements for optspec in $subcommands_opts$main_opts; do for opt in ${=optspec}; do every_opts+=${opt} done done local -a oldstar oldstar=("${(@)argv}") #### detect early: useful for --option-parsing zparseopts -M -D -Adiscardme ${every_opts} if [[ -n ${(k)discardme[--option-parsing]} ]]; then print $1 if [[ -n "$1" ]]; then return 1 fi return 0 fi unset discardme if ! zparseopts -M -E -D -Adiscardme ${every_opts}; then _failure "Error parsing." return 127 fi unset discardme subcommand=$1 if [[ -z $subcommand ]]; then subcommand="__default" fi if [[ -z ${(k)subcommands_opts[$subcommand]} ]]; then _warning "There's no such command \"::1 subcommand::\"." $subcommand exitv=127 _failure "Please try -h for help." fi argv=("${(@)oldstar}") unset oldstar ### Parsing global + command-specific options # zsh magic: ${=string} will split to multiple arguments when spaces occur set -A cmd_opts ${main_opts} ${=subcommands_opts[$subcommand]} # if there is no option, we don't need parsing if [[ -n $cmd_opts ]]; then zparseopts -M -E -D -AOPTS ${cmd_opts} if [[ $? != 0 ]]; then _warning "Some error occurred during option processing." exitv=127 _failure "See \"tomb help\" for more info." fi fi #build PARAM (array of arguments) and check if there are unrecognized options ok=0 PARAM=() for arg in $*; do if [[ $arg == '--' || $arg == '-' ]]; then ok=1 continue #it shouldn't be appended to PARAM elif [[ $arg[1] == '-' ]]; then if [[ $ok == 0 ]]; then exitv=127 _failure "Unrecognized option ::1 arg:: for subcommand ::2 subcommand::" $arg $subcommand fi fi PARAM+=$arg done # First parameter actually is the subcommand: delete it and shift [[ $subcommand != '__default' ]] && { PARAM[1]=(); shift } ### End parsing command-specific options # Use colors unless told not to { ! option_is_set --no-color } && { autoload -Uz colors && colors } # Some options are only available during insecure mode { ! option_is_set --unsafe } && { for opt in --tomb-pwd --tomb-old-pwd; do { option_is_set $opt } && { exitv=127 _failure "You specified option ::1 option::, which is DANGEROUS and should only be used for testing\nIf you really want so, add --unsafe" $opt } done } # read -t or --tmp flags to set a custom temporary directory option_is_set --tmp && TMPDIR=$(option_value --tmp) option_is_set --sudo && { local _opt=`basename $(option_value --sudo)` _message "Privilege escalation tool configured: ::1 exec::" $_opt } # When we run as root, we remember the original uid:gid to set # permissions for the calling user and drop privileges _whoami # Reset _UID, _GID, _TTY [[ -z $PARAM ]] && { _verbose "Tomb command: ::1 subcommand::" $subcommand } || { _verbose "Tomb command: ::1 subcommand:: ::2 param::" $subcommand $PARAM } [[ -z $_UID ]] || { _verbose "Caller: uid[::1 uid::], gid[::2 gid::], tty[::3 tty::]." \ $_UID $_GID $_TTY } _verbose "Temporary directory: $TMPDIR" # Process subcommand case "$subcommand" in # USAGE help) usage ;; # DEPRECATION notice (leave here as 'create' is still present in old docs) create) _warning "The create command is deprecated, please use dig, forge and lock instead." _warning "For more information see Tomb's manual page (man tomb)." _failure "Operation aborted." ;; # CREATE Step 1: dig -s NN file.tomb dig) dig_tomb $PARAM ;; # CREATE Step 2: forge file.tomb.key forge) forge_key $PARAM ;; # CREATE Step 3: lock -k file.tomb.key file.tomb lock) lock_tomb_with_key $PARAM ;; # Open the tomb mount|open) mount_tomb $PARAM ;; # List all processes using a tomb ps) list_processes $PARAM ;; # Slam a tomb killing all processes running inside slam) [[ $LSOF -eq 1 ]] && { SLAM=1 } || { _warning "lsof not installed: cannot slam tombs." _warning "Trying a regular close."} ;& # Close the tomb umount|close) umount_tomb $PARAM[1] ;; # Grow tomb's size resize) [[ $RESIZER == 0 ]] && { _failure "Resize2fs not installed: cannot resize tombs." } resize_tomb $PARAM[1] ;; ## Contents manipulation # Index tomb contents index) index_tombs $PARAM[1] ;; # List tombs list) list_tombs $PARAM[1] ;; # Search tomb contents search) search_tombs $PARAM ;; ## Locking operations # Export key to QR Code engrave) [[ $QRENCODE == 0 ]] && { _failure "QREncode not installed: cannot engrave keys on paper." } engrave_key $PARAM ;; # Change password on existing key passwd) change_passwd $PARAM[1] ;; # Change tomb key setkey) change_tomb_key $PARAM ;; # STEGANOGRAPHY: hide key inside an image bury) [[ $STEGHIDE == 0 ]] && { _failure "Steghide not installed: cannot bury keys into images." } bury_key $PARAM[1] ;; # STEGANOGRAPHY: read key hidden in an image exhume) [[ $STEGHIDE == 0 ]] && { _failure "Steghide not installed: cannot exhume keys from images." } exhume_key $PARAM[1] ;; # STEGANOGRAPHY: transform key into text using cipher cloak) [[ $CLOAKIFY == 0 ]] && { _failure "Cloakify not installed: cannot cipher keys into texts" } cloakify_key $PARAM ;; # STEGANOGRAPHY: read key from text using cipher uncloak) [[ $DECLOAKIFY == 0 ]] && { _failure "Decloakify not installed: cannot decipher keys from texts" } decloakify_key $PARAM ;; ## Internal commands useful to developers # Make tomb functions available to the calling shell or script 'source') return 0 ;; # Ask user for a password interactively askpass) ask_password $PARAM[1] $PARAM[2] ;; # Default operation: presentation, or version information with -v __default) _print "Tomb ::1 version:: - a strong and gentle undertaker for your secrets" $VERSION echo _print " Copyright (C) 2007-2024 Dyne.org Foundation, License GNU GPL v3+" _print " This is free software: you are free to change and redistribute it" _print " For the latest sourcecode go to " echo option_is_set -v && { local langwas=$LANG LANG=en _print " This source code is distributed in the hope that it will be useful," _print " but WITHOUT ANY WARRANTY; without even the implied warranty of" _print " MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." LANG=$langwas _print " When in need please refer to ." echo _print "System utils:" echo cat <