shellcheck
parent
e6fe7dcf0c
commit
5809878004
|
@ -10,12 +10,14 @@ PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head
|
||||||
KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd=${PASSPHRASE}}"
|
KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd=${PASSPHRASE}}"
|
||||||
FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
|
FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
|
||||||
|
|
||||||
# ecryptfs already mounted ?
|
# if not already mounted
|
||||||
grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null && break
|
if ! grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null; then
|
||||||
|
|
||||||
mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
|
# create mount point
|
||||||
|
mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
|
||||||
|
|
||||||
/bin/mount -t ecryptfs -o \
|
# mount ecryptfs
|
||||||
|
/bin/mount -t ecryptfs -o \
|
||||||
key="${KEY}",\
|
key="${KEY}",\
|
||||||
no_sig_cache,\
|
no_sig_cache,\
|
||||||
ecryptfs_cipher="${CIPHER}",\
|
ecryptfs_cipher="${CIPHER}",\
|
||||||
|
@ -25,10 +27,11 @@ ecryptfs_fnek_sig="${FNEK_SIG}",\
|
||||||
ecryptfs_key_bytes="${KEY_BYTES}",\
|
ecryptfs_key_bytes="${KEY_BYTES}",\
|
||||||
ecryptfs_passthrough=n,\
|
ecryptfs_passthrough=n,\
|
||||||
ecryptfs_unlink_sigs\
|
ecryptfs_unlink_sigs\
|
||||||
"${LOWER_DIR}" "${UPPER_DIR}" 1>/dev/null
|
"${LOWER_DIR}" "${UPPER_DIR}" >/dev/null
|
||||||
|
|
||||||
# Overwrite sensible variables with random data
|
# Overwrite sensible variables with random data
|
||||||
ECRYPTFS_KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
ECRYPTFS_KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
KEY="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
|
fi
|
||||||
|
|
|
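Review bot: The `key="${KEY}"` option on the `/bin/mount -t ecryptfs` line still hands the raw passphrase to mount as a command-line argument (`passphrase:passphrase_passwd=…`), where, on a system without hidepid, any local user can read it from `ps` or `/proc/*/cmdline` while the mount helper runs, and where `set -x` would echo it to stderr; scrubbing `KEY`/`PASSPHRASE` afterwards does not undo that exposure. The ecryptfs passphrase key module also accepts `passphrase_passwd_fd=<fd>` (and `passphrase_passwd_file=`), so the value can be piped in instead, e.g. `printf 'passphrase_passwd=%s\n' "${PASSPHRASE}" | /bin/mount -t ecryptfs -o key=passphrase:passphrase_passwd_fd=0,… "${LOWER_DIR}" "${UPPER_DIR}"` — confirm the exact line format the module expects on that descriptor before switching. The mount's exit status is discarded as well, so a failed mount falls straight through to the scrubbing block and the script exits 0, leaving the caller no way to tell that `${UPPER_DIR}` is a plain directory rather than an encrypted mount; an `|| exit 1` on the `"${LOWER_DIR}" "${UPPER_DIR}" >/dev/null` line would make it fail closed. Note too that overwriting shell variables with random data is best-effort at most — the shell's freed heap may still hold the old strings — so the comment should say so rather than present it as a memory scrub.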
@ -1,50 +1,74 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
[ -n "${DEBUG}" ] && set -x
|
[ -n "${DEBUG}" ] && set -x
|
||||||
|
|
||||||
[ ! -f "${HOME}/.ecryptfs/auto-mount" ] && break
|
# if auto-mount ecryptfs
|
||||||
|
if [ -f "${HOME}/.ecryptfs/auto-mount" ]; then
|
||||||
|
|
||||||
LOWER_DIR="${1:-${ECRYPTFS_LOWER_DIR:-${HOME}/Secure}}"
|
LOWER_DIR="${1:-${ECRYPTFS_LOWER_DIR:-${HOME}/Secure}}"
|
||||||
UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
|
UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
|
||||||
ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
|
ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
|
||||||
mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
|
|
||||||
|
|
||||||
# ecryptfs already mounted ?
|
# if not already mounted
|
||||||
grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null && break
|
if ! grep -q "${LOWER_DIR} ${UPPER_DIR} ecryptfs " /proc/mounts 2>/dev/null; then
|
||||||
|
|
||||||
# we should always use the same key when multiple keys are loaded in ssh-agent
|
# create mount point
|
||||||
if [ -f "${HOME}/.ecryptfs/${ALIAS}.key" ]; then
|
mkdir -p "${LOWER_DIR}" "${UPPER_DIR}"
|
||||||
|
|
||||||
|
# we should always use the same key when multiple keys are loaded in ssh-agent
|
||||||
|
if [ -f "${HOME}/.ecryptfs/${ALIAS}.key" ]; then
|
||||||
ssh_key_fingerprint=$(cat "${HOME}/.ecryptfs/${ALIAS}.key")
|
ssh_key_fingerprint=$(cat "${HOME}/.ecryptfs/${ALIAS}.key")
|
||||||
else
|
# first time, select the first key and write fingerprint to file
|
||||||
|
else
|
||||||
ssh_key_fingerprint=$(/usr/bin/ssh-add -l 2>/dev/null |awk '{print $2; exit;}')
|
ssh_key_fingerprint=$(/usr/bin/ssh-add -l 2>/dev/null |awk '{print $2; exit;}')
|
||||||
[ -n "${ssh_key_fingerprint}" ] && printf "%s\n" "${ssh_key_fingerprint}" > "${HOME}/.ecryptfs/${ALIAS}.key"
|
[ -n "${ssh_key_fingerprint}" ] && printf "%s\n" "${ssh_key_fingerprint}" > "${HOME}/.ecryptfs/${ALIAS}.key"
|
||||||
fi
|
fi
|
||||||
# select ssh key
|
|
||||||
ssh_key=$(/usr/bin/ssh-add -l 2>/dev/null |awk '$2 == "'${ssh_key_fingerprint:-undef}'" {print $3}')
|
|
||||||
[ -z "${ssh_key}" ] && echo "WARNING: Unable to find ssh key ${ssh_key} in ssh agent ${SSH_AUTH_SOCK}" && break
|
|
||||||
|
|
||||||
if [ -f "${HOME}/.ecryptfs/${ALIAS}.ssh" ]; then
|
# select ssh key name matching fingerprint
|
||||||
|
ssh_key=$(/usr/bin/ssh-add -l 2>/dev/null |awk '$2 == "'"${ssh_key_fingerprint:-undef}"'" {print $3}')
|
||||||
|
# if ssh key
|
||||||
|
if [ -n "${ssh_key}" ]; then
|
||||||
|
# decrypt encrypted passphrase
|
||||||
|
if [ -f "${HOME}/.ecryptfs/${ALIAS}.ssh" ]; then
|
||||||
PASSPHRASE=$(/usr/local/bin/ssh-crypt -b -d -k "${ssh_key}" -i "${HOME}/.ecryptfs/${ALIAS}.ssh")
|
PASSPHRASE=$(/usr/local/bin/ssh-crypt -b -d -k "${ssh_key}" -i "${HOME}/.ecryptfs/${ALIAS}.ssh")
|
||||||
else
|
# first time, generate random passphrase and write encrypted passphrase to file
|
||||||
|
else
|
||||||
PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
|
PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
|
||||||
printf "%s" "${PASSPHRASE}" |/usr/local/bin/ssh-crypt -b -e -k "${ssh_key}" -o "${HOME}/.ecryptfs/${ALIAS}.ssh"
|
printf "%s" "${PASSPHRASE}" |/usr/local/bin/ssh-crypt -b -e -k "${ssh_key}" -o "${HOME}/.ecryptfs/${ALIAS}.ssh"
|
||||||
fi
|
fi
|
||||||
SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
|
# load authentication token signature (fekek)
|
||||||
FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
|
SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
|
||||||
|
# load filename authentication token signature (fnek)
|
||||||
|
FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
|
||||||
|
|
||||||
# Overwrite sensible variables with random data
|
# Overwrite sensible variables with random data
|
||||||
ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
|
||||||
|
|
||||||
if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.conf" ]; then
|
# first time, write ecryptfs_private config to file
|
||||||
|
if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.conf" ]; then
|
||||||
printf "%s %s ecryptfs\n" "${LOWER_DIR}" "${UPPER_DIR}" > "${HOME}/.ecryptfs/${ALIAS}.conf"
|
printf "%s %s ecryptfs\n" "${LOWER_DIR}" "${UPPER_DIR}" > "${HOME}/.ecryptfs/${ALIAS}.conf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.sig" ]; then
|
# first time, write authentication token signatures to file
|
||||||
|
if [ ! -f "${HOME}/.ecryptfs/${ALIAS}.sig" ]; then
|
||||||
printf "%s\n" "${SIG}" > "${HOME}/.ecryptfs/${ALIAS}.sig"
|
printf "%s\n" "${SIG}" > "${HOME}/.ecryptfs/${ALIAS}.sig"
|
||||||
printf "%s\n" "${FNEK_SIG}" >> "${HOME}/.ecryptfs/${ALIAS}.sig"
|
printf "%s\n" "${FNEK_SIG}" >> "${HOME}/.ecryptfs/${ALIAS}.sig"
|
||||||
else
|
# mount ecryptfs
|
||||||
grep "${SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null
|
/sbin/mount.ecryptfs_private "${ALIAS}"
|
||||||
grep "${FNEK_SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null
|
else
|
||||||
fi
|
# check authentication tokens to prevent mounting with bad ones
|
||||||
|
if grep "${SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null \
|
||||||
|
&& grep "${FNEK_SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" >/dev/null; then
|
||||||
|
# mount ecryptfs
|
||||||
|
/sbin/mount.ecryptfs_private "${ALIAS}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
/sbin/mount.ecryptfs_private "${ALIAS}"
|
else
|
||||||
|
echo "WARNING: Unable to find ssh key ${ssh_key} in ssh agent ${SSH_AUTH_SOCK}"
|
||||||
|
# if ssh key
|
||||||
|
fi
|
||||||
|
# if not already mounted
|
||||||
|
fi
|
||||||
|
# if auto-mount ecryptfs
|
||||||
|
fi
|
||||||
|
|
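Review bot: The guard added at `if grep "${SIG}" … && grep "${FNEK_SIG}" …; then` is vacuous whenever a signature could not be derived: if `ssh-crypt -b -d` or `ecryptfs-add-passphrase` fails, `SIG`/`FNEK_SIG` are presumably empty, `grep ""` matches every line, and the check meant to refuse a bad token lets the mount proceed (mount.ecryptfs_private will likely fail on its own, but the script still exits 0). An unanchored regex match also accepts a value that merely occurs as a substring of either line and does not tell the FEKEK line from the FNEK line; `[ -n "${SIG}" ] && [ -n "${FNEK_SIG}" ] && grep -qxF -- "${SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig" && grep -qxF -- "${FNEK_SIG}" "${HOME}/.ecryptfs/${ALIAS}.sig"` closes both gaps. On the first-run path the exit status of `ssh-crypt -b -e … -o "${HOME}/.ecryptfs/${ALIAS}.ssh"` is never checked before the `.sig` file is written and the mount is attempted, so a failed encryption produces a mount whose passphrase is scrubbed a few lines later and can never be recovered, while the persisted `.sig` file makes every later run fail the signature check; an `|| exit 1` on that line would fail closed instead. The warning in the final else branch prints `${ssh_key}`, which is empty in that branch by construction — `${ssh_key_fingerprint:-<none>}` is what the user needs there, and the message belongs on stderr (`>&2`).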