summaryrefslogtreecommitdiffstats
path: root/krebs/5pkgs
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2021-01-24 10:30:47 +0100
committerlassulus <lassulus@lassul.us>2021-01-24 10:30:47 +0100
commit293fa449e1d69d2d070f6990e414c76409c4913d (patch)
treec15b8be3493d08b60693665a6f2798de4a0a1603 /krebs/5pkgs
parent5433345ad4c042313d30709b413d12dbbda3ed99 (diff)
ecrypt: l -> krebs
Diffstat (limited to 'krebs/5pkgs')
-rw-r--r--krebs/5pkgs/simple/ecrypt/default.nix111
1 files changed, 111 insertions, 0 deletions
diff --git a/krebs/5pkgs/simple/ecrypt/default.nix b/krebs/5pkgs/simple/ecrypt/default.nix
new file mode 100644
index 00000000..f83f8cfe
--- /dev/null
+++ b/krebs/5pkgs/simple/ecrypt/default.nix
@@ -0,0 +1,111 @@
+{ pkgs, lib }:
+
+#usage: ecrypt mount /var/crypted /var/unencrypted
+pkgs.writers.writeDashBin "ecrypt" ''
+ set -euf
+
+ PATH=${lib.makeBinPath (with pkgs; [
+ coreutils
+ ecryptfs
+ gnused
+ gnugrep
+ jq
+ mount
+ keyutils
+ umount
+ ])}
+
+ # turn echo back on if killed
+ trap 'stty echo' INT
+
+ case "$1" in
+ init)
+ shift
+ mkdir -p "$1" "$2"
+
+ # abort if src or dest are not empty
+ if [ -e "$1"/.cfg.json ]; then
+ echo 'source dir is already configured, aborting'
+ exit 1
+ elif ls -1qA "$2" | grep -q .; then
+ echo 'destination dir is not empty, aborting'
+ exit 1
+ else
+ # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+ echo 4 | ecryptfs-manager
+ stty -echo
+ printf "passphrase: "
+ read passphrase
+ stty echo
+ sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+ mount -t ecryptfs \
+ -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+ "$1" "$2"
+
+ # add sig to json state file
+ jq -n --arg sig "$sig" '{ "sig": $sig }' > "$1"/.cfg.json
+ fi
+ ;;
+
+ mount)
+ shift
+ if ! [ -e "$1"/.cfg.json ]; then
+ echo '.cfg.json missing in src'
+ exit 1
+ fi
+ old_sig=$(cat "$1"/.cfg.json | jq -r .sig)
+
+ # check if key is already in keyring, otherwise add it
+
+ if keyctl list @u | grep -q "$old_sig"; then
+ echo 'pw already saved'
+ else
+ # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+ echo 4 | ecryptfs-manager
+ stty -echo
+ printf "passphrase: "
+ read passphrase
+ stty echo
+ new_sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+
+ # check if passphrase matches sig
+ if [ "$old_sig" != "$new_sig" ]; then
+ echo 'passphrase does not match sig, bailing out'
+ new_keyid=$(keyctl list @u | grep "$new_sig" | sed 's/\([0-9]*\).*/\1/')
+ keyctl revoke "$new_keyid"
+ keyctl unlink "$new_keyid"
+ exit 1
+ fi
+ fi
+
+ sig=$old_sig
+ keyid=$(keyctl list @u | grep "$sig" | sed 's/\([0-9]*\).*/\1/')
+ if (ls -1qA "$2" | grep -q .); then
+ echo 'destination is not empty, bailing out'
+ exit 1
+ else
+ mount -i -t ecryptfs \
+ -o ecryptfs_passthrough=no,verbose=no,ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+ "$1" "$2"
+ fi
+ ;;
+
+ unmount)
+ shift
+
+ sig=$(cat "$1"/.cfg.json | jq -r .sig)
+ keyid=$(keyctl list @u | grep "$sig" | sed 's/\s*\([0-9]*\).*/\1/')
+
+ umount "$2" || :
+ keyctl revoke "$keyid"
+ keyctl unlink "$keyid"
+ ;;
+
+ *)
+ echo 'usage:
+ ecrypt init /tmp/src/ /tmp/dst/
+ ecrypt mount /tmp/src/ /tmp/dst/
+ ecrypt unmount /tmp/src/ /tmp/dst/
+ '
+ esac
+''