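#!/bin/bash
#
# Set up encrypted directory ~/.enc
#
# Copyright (C) 2013 Mike Gerwitz
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# This encrypted directory strikes a balance between a full encrypted home
# directory (a feature provided by many modern GNU/Linux distributions) and
# privacy: Specifically, most files are configuration and do not really need
# to be private (indeed, many of them are even in my public repository).
#
# Layout:
#   ~/.enc-data      encfs backing store (ciphertext).  Also holds the
#                    plaintext ".ready" marker that tells later runs that
#                    setup already happened.
#   ~/.enc           mount point; the decrypted view once encfs is mounted.
#   ~/.enc-data.tmp  staging area used only while this script runs.
#
# This expects that the ~/.enc{,-data} directories have already been created
# when the system was set up.  Any data in either of the directories will be
# copied into the final, encrypted directory, with the ~/.enc-data contents
# taking precedence in the event of a filename conflict.
#
# Usage: <this script> [--shutit]
#   --shutit   skip the "no ssh/sshd running" safety check
#
# Security notes:
#   * The passphrase is typed interactively into encfs, so the script refuses
#     to run while ssh or sshd is running (see --shutit).  It cannot check
#     the rest of the process list for you; do that yourself first.
#   * Plaintext staged in ~/.enc-data.tmp is shredded after being copied into
#     the mount.  shred(1)'s overwrite is only best-effort on journaling/COW
#     filesystems and SSDs, so treat the staging directory as sensitive.
#   * Files that already lived in ~/.enc are *copied* into the encrypted
#     directory.  The originals stay on disk beneath the mount point, hidden
#     by the mount but unencrypted.  If that matters for your threat model,
#     remove them by hand while ~/.enc is unmounted.
#   * NOTE(review): confirm that encfs still fits your threat model; it is an
#     older FUSE design and the mount uses its defaults here.
##

encdatadir="$HOME/.enc-data"
encdatadirtmp="$HOME/.enc-data.tmp"
encdir="$HOME/.enc"
readyfile=".ready"

# Print a "fatal:" diagnostic to stderr.
warn() { printf 'fatal: %s\n' "$*" >&2; }
# Print a "fatal:" diagnostic to stderr and exit with status 1.
die() { warn "$@"; exit 1; }

# graceful exit if we've already been set up (marker lives, in plaintext, in
# the backing dir so it can be seen before anything is mounted)
if [[ -e "$encdatadir/$readyfile" ]]; then
  echo "$encdir is already set up."
  exit
fi

# do not allow this action to be performed over SSH or while sshd is running
# and tell the user to ensure that all running processes are trusted (no
# keyloggers, etc)
if [[ "$1" != --shutit ]] && pgrep '^sshd?$' &>/dev/null; then
  warn "please disable SSH and close all connections"
  warn "and then verify all running processes"
  warn "(or pass --shutit if you're confident)"
  exit 1
fi

# Pre-flight checks, all before anything is moved: a failure here leaves the
# filesystem exactly as we found it.
command -v encfs >/dev/null 2>&1 || die "encfs not found in PATH"
[[ -d "$encdir" ]] || die "$encdir does not exist (create the mount point first)"
[[ -d "$encdatadir" ]] || die "$encdatadir does not exist (create the data directory first)"
# A leftover staging dir means an earlier run failed part-way.  Without this
# check `mv` below would nest $encdatadir *inside* it and the data would end
# up misplaced rather than restored.
if [[ -e "$encdatadirtmp" ]]; then
  die "$encdatadirtmp already exists (leftover from a failed run?);" \
    "restore it with: rmdir $encdatadir && mv $encdatadirtmp $encdatadir"
fi

# allows glob to match dotfiles (needed for the staging "*" below)
shopt -s dotglob || die "failed to enable dotglob"

# Move the existing data dir aside so that its contents can be copied back in
# after the mount (just in case files were created in anticipation); also
# stage the current contents of the mount point, with .enc-data contents
# taking precedence (cp -n never clobbers).  "$encdir"/. rather than
# "$encdir"/* so that an empty ~/.enc is not an error.  mv -T refuses to
# nest into an existing directory.
mv -vT "$encdatadir" "$encdatadirtmp" \
  && cp -rnv "$encdir"/. "$encdatadirtmp/" \
  && mkdir -v "$encdatadir" \
  || exit $?

# proceed (the nonempty option ignores the fact that ~/.enc---our mount
# point---is likely not empty)
echo "creating $encdatadir -> $encdir..."
encfs "$encdatadir" "$encdir" -ononempty || {
  err=$?
  warn "failed!"
  warn "your data is in $encdatadirtmp;" \
    "restore it with: rmdir $encdatadir && mv $encdatadirtmp $encdatadir"
  exit "$err"
}

# this file will be copied into the encrypted dir and is an easy mount check
# for scripts
touch "$encdatadirtmp/.available" || warn "could not create $encdatadirtmp/.available"

# mark as complete (yes, we intend to put this directly into the encrypted
# data dir: it must be readable by the "already set up" check above before
# any mount exists).  If this cannot be written, stop while the staged data
# is still intact; otherwise the next run would move the live backing store
# aside again.
date +%s > "$encdatadir/$readyfile" \
  || die "could not write $encdatadir/$readyfile; staged data left in $encdatadirtmp"

# Copy (not move) the staged plaintext into the now-decrypted mount, then
# scrub the staging area.  A move onto the FUSE mount is a cross-device copy
# followed by a plain unlink, which would leave the plaintext recoverable;
# copying and then shredding every regular file is what actually wipes it.
cp -av "$encdatadirtmp"/. "$encdir/" \
  && find "$encdatadirtmp" -type f -exec shred -fuvz {} + \
  && rm -rfv "$encdatadirtmp" \
  || {
    err=$?
    warn "$encdatadir created, but data copy failed"
    warn "please copy $encdatadirtmp/* manually"
    warn "and then shred its contents"
    exit "$err"
  }

echo Setup complete.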