98 lines
3.3 KiB
Plaintext
98 lines
3.3 KiB
Plaintext
|
#!/bin/bash
|
||
|
#
|
||
|
# Set up encrypted directory ~/.enc
|
||
|
#
|
||
|
# Copyright (C) 2013 Mike Gerwitz
|
||
|
#
|
||
|
# This program is free software: you can redistribute it and/or modify
|
||
|
# it under the terms of the GNU General Public License as published by
|
||
|
# the Free Software Foundation, either version 3 of the License, or
|
||
|
# (at your option) any later version.
|
||
|
#
|
||
|
# This program is distributed in the hope that it will be useful,
|
||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
# GNU General Public License for more details.
|
||
|
#
|
||
|
# You should have received a copy of the GNU General Public License
|
||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
#
|
||
|
# This encrypted directory strikes a balance between a full encrypted home
|
||
|
# directory (a feature provided by many modern GNU/Linux distributions) and
|
||
|
# privacy: Specifically, most files are configuration and do not really need
|
||
|
# to be private (indeed, many of them are even in my public repository).
|
||
|
#
|
||
|
# This expects that the ~/.enc{,-data} directories have already been created
|
||
|
# when the system was set up. Any data in either of the directories will be
|
||
|
# copied into the final, encrypted directory, with the ~/.enc-data contents
|
||
|
# taking precedence in the event of a filename conflict.
|
||
|
##
|
||
|
|
||
|
encdatadir="$HOME/.enc-data"
|
||
|
encdatadirtmp="$HOME/.enc-data.tmp"
|
||
|
encdir="$HOME/.enc"
|
||
|
readyfile=".ready"
|
||
|
|
||
|
# graceful exit if we've already been set up
|
||
|
[ -e "$encdatadir/$readyfile" ] && {
|
||
|
echo "$encdir is already set up."
|
||
|
exit
|
||
|
}
|
||
|
|
||
|
# do not allow this action to be performed over SSH or while sshd is running
|
||
|
# and tell the user to ensure that all running processes are trusted (no
|
||
|
# keyloggers, etc)
|
||
|
[ "$1" != --shutit ] && pgrep '^sshd?$' &>/dev/null && {
|
||
|
echo "fatal: please disable SSH and close all connections" >&2
|
||
|
echo "fatal: and then verify all running processes" >&2
|
||
|
echo "fatal: (or pass --shutit if you're confident)" >&2
|
||
|
exit 1
|
||
|
}
|
||
|
|
||
|
# allows glob to match dotfiles
|
||
|
shopt -s dotglob || {
|
||
|
echo "fatal: failed to enable dotglob" >&2
|
||
|
exit 1
|
||
|
}
|
||
|
|
||
|
# move the existing dir so that we can copy the files back in after (just in
|
||
|
# case files were created in anticipation); also copy over existing .enc dir
|
||
|
# contents, having .enc-data contents take precedence
|
||
|
[ -e "$encdatadir" ] && {
|
||
|
mv -v "$encdatadir" "$encdatadirtmp" \
|
||
|
&& cp -rnv "$encdir"/* "$encdatadirtmp/" \
|
||
|
&& mkdir -v "$encdatadir" \
|
||
|
|| exit $?
|
||
|
}
|
||
|
|
||
|
# proceed (the nonempty options ignores the fact that ~/.enc---out mount
|
||
|
# point---is likely not empty)
|
||
|
echo "creating $encdatadir -> $encdir..."
|
||
|
encfs "$encdatadir" "$encdir" -ononempty \
|
||
|
|| {
|
||
|
err=$?
|
||
|
echo "fatal: failed!" >&2
|
||
|
exit $err
|
||
|
}
|
||
|
|
||
|
# this file will be copied into the encrypted dir and is an easy mount check
|
||
|
# for scripts
|
||
|
touch "$encdatadirtmp/.available"
|
||
|
|
||
|
# mark as complete (yes, we intend to put this directly into the encrypted
|
||
|
# data dir)
|
||
|
date +%s > "$encdatadir/$readyfile"
|
||
|
|
||
|
# copy previous data into the newly mounted and decrypted directory
|
||
|
mv -v "$encdatadirtmp"/* "$encdir/" \
|
||
|
&& find "$encdatadirtmp" -type f -exec shred -fuvz {} \; \
|
||
|
&& rm -rfv "$encdatadirtmp" \
|
||
|
|| {
|
||
|
err=$?
|
||
|
echo "fatal: $encdatadir created, but data copy failed" >&2
|
||
|
echo "fatal: please copy $encdatadirtmp/* manually" >&2
|
||
|
echo "fatal: and then shred its contents" >&2
|
||
|
}
|
||
|
|
||
|
echo Setup complete.
|