1
0
Fork 0
dotfiles/desktop-bin/enc-setup

98 lines
3.3 KiB
Plaintext
Raw Normal View History

#!/bin/bash
#
# Set up encrypted directory ~/.enc
#
# Copyright (C) 2013 Mike Gerwitz
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This encrypted directory strikes a balance between a full encrypted home
# directory (a feature provided by many modern GNU/Linux distributions) and
# privacy: Specifically, most files are configuration and do not really need
# to be private (indeed, many of them are even in my public repository).
#
# This expects that the ~/.enc{,-data} directories have already been created
# when the system was set up. Any data in either of the directories will be
# copied into the final, encrypted directory, with the ~/.enc-data contents
# taking precedence in the event of a filename conflict.
##
encdatadir="$HOME/.enc-data"
encdatadirtmp="$HOME/.enc-data.tmp"
encdir="$HOME/.enc"
readyfile=".ready"
# graceful exit if we've already been set up
[ -e "$encdatadir/$readyfile" ] && {
echo "$encdir is already set up."
exit
}
# do not allow this action to be performed over SSH or while sshd is running
# and tell the user to ensure that all running processes are trusted (no
# keyloggers, etc)
[ "$1" != --shutit ] && pgrep '^sshd?$' &>/dev/null && {
echo "fatal: please disable SSH and close all connections" >&2
echo "fatal: and then verify all running processes" >&2
echo "fatal: (or pass --shutit if you're confident)" >&2
exit 1
}
# allows glob to match dotfiles
shopt -s dotglob || {
echo "fatal: failed to enable dotglob" >&2
exit 1
}
# move the existing dir so that we can copy the files back in after (just in
# case files were created in anticipation); also copy over existing .enc dir
# contents, having .enc-data contents take precedence
[ -e "$encdatadir" ] && {
mv -v "$encdatadir" "$encdatadirtmp" \
&& cp -rnv "$encdir"/* "$encdatadirtmp/" \
&& mkdir -v "$encdatadir" \
|| exit $?
}
# proceed (the nonempty options ignores the fact that ~/.enc---out mount
# point---is likely not empty)
echo "creating $encdatadir -> $encdir..."
encfs "$encdatadir" "$encdir" -ononempty \
|| {
err=$?
echo "fatal: failed!" >&2
exit $err
}
# this file will be copied into the encrypted dir and is an easy mount check
# for scripts
touch "$encdatadirtmp/.available"
# mark as complete (yes, we intend to put this directly into the encrypted
# data dir)
date +%s > "$encdatadir/$readyfile"
# copy previous data into the newly mounted and decrypted directory
mv -v "$encdatadirtmp"/* "$encdir/" \
&& find "$encdatadirtmp" -type f -exec shred -fuvz {} \; \
&& rm -rfv "$encdatadirtmp" \
|| {
err=$?
echo "fatal: $encdatadir created, but data copy failed" >&2
echo "fatal: please copy $encdatadirtmp/* manually" >&2
echo "fatal: and then shred its contents" >&2
}
echo Setup complete.