2
# This script sets up an ecryptfs mount in a user's ~/Private
4
# Originally ecryptfs-setup-pam-wrapped.sh by Michael Halcrow, IBM
6
# Ported for use on Ubuntu by Dustin Kirkland <kirkland@canonical.com>
7
# Copyright (C) 2008 Canonical Ltd.
8
# Copyright (C) 2007-2008 International Business Machines
15
echo "# $0 [--username USER]"
16
echo " [--loginpass LOGINPASS] [--mountpass MOUNTPASS]"
18
echo " --username Username for encrypted private mountpoint,"
19
echo " defaults to yourself"
20
echo " --loginpass System passphrase for USER, used to wrap MOUNTPASS"
21
echo " --mountpass Passphrase for mounting the ecryptfs directory,"
22
echo " defaults to a randomly generated 16 bytes"
24
echo " Be sure to properly escape your parameters according to your"
25
echo " shell's special character nuances, and also surround the"
26
echo " parameters by double quotes, if necessary."
28
echo " Any of these parameters may be:"
29
echo " 1) exported as environment variables (USER, MOUNTPASS,"
31
echo " 2) specified on the command line"
32
echo " 3) left empty and interactively prompted"
34
echo " BEWARE: They will, however, be displayed on STDOUT"
46
umount.ecryptfs_private >/dev/null
51
if [ ! -z "$SUDO_USER" ]; then
55
while [ ! -z "$1" ]; do
75
# Prompt for the USER name, if not on the command line and not in the environment
76
if [ -z "$USER" ]; then
78
read -p "Enter the username: " -r USER
79
if [ -z "$USER" ]; then
80
echo "ERROR: You must provide a username"
83
# Verify the USER name is in /etc/passwd
84
if ! grep "^$USER:" /etc/passwd >/dev/null; then
85
echo "ERROR: User [$USER] does not exist"
92
# Verify the USER name is in /etc/passwd
93
grep "^$USER:" /etc/passwd >/dev/null || error "User [$USER] does not exist"
96
# Obtain the user's home directory from /etc/passwd
97
HOME=`grep "^$USER:" /etc/passwd | awk -F: '{print $6}'`
98
if [ ! -d "$HOME" ]; then
99
error "User home directory [$HOME] does not exist"
102
# Check for active mounts
103
MOUNTPOINT="$HOME/$PRIVATE_DIR"
104
CRYPTDIR="$HOME/.$PRIVATE_DIR"
105
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT] is already mounted"
106
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR] is already mounted"
109
# Prompt for the LOGINPASS, if not on the command line and not in the environment
110
if [ -z "$LOGINPASS" ]; then
113
read -p "Enter your login passphrase: " -r LOGINPASS
116
if [ -z "$LOGINPASS" ]; then
117
echo "ERROR: You must provide a login passphrase"
121
read -p "Enter your login passphrase (again): " -r LOGINPASS2
124
if [ "$LOGINPASS" != "$LOGINPASS2" ]; then
125
echo "ERROR: Login passphrases do not match"
134
# Prompt for the MOUNTPASS, if not on the command line and not in the environment
135
if [ -z "$MOUNTPASS" ]; then
138
read -p "Enter your mount passphrase [leave blank to generate one]: " -r MOUNTPASS
141
if [ -z "$MOUNTPASS" ]; then
142
# Pull 128 bits of random data from /dev/urandom, and convert
143
# to a string of 32 hex digits
144
MOUNTPASS=`head -c 16 /dev/urandom | od -x | head -n 1 |sed "s/^0000000//" | sed "s/\s*//g"`
148
read -p "Enter your mount passphrase (again): " -r MOUNTPASS2
151
if [ "$MOUNTPASS" != "$MOUNTPASS2" ]; then
152
echo "ERROR: Mount passphrases do not match"
163
echo "Using username [$USER]"
164
echo "Using mount passphrase [$MOUNTPASS]"
165
echo "Using login passphrase [$LOGINPASS]"
166
echo "Using mount point [$MOUNTPOINT]"
167
echo "Using encrypted dir [$CRYPTDIR]"
169
echo "This script will attempt to set up your system to mount"
170
echo "$MOUNTPOINT with eCryptfs automatically on login,"
171
echo "using your login passphrase."
173
echo "************************************************************************"
174
echo "YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
176
echo "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
177
echo "************************************************************************"
180
###############################################################################
182
# Setup private directory in home
183
mkdir -m 700 -p "$CRYPTDIR" || error "Could not create crypt directory [$CRYPTDIR]"
184
mkdir -m 700 -p "$MOUNTPOINT" || error "Could not create mount directory [$MOUNTPOINT]"
185
ln -s /sbin/mount.ecryptfs_private "$MOUNTPOINT"/"THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA -- Run mount.ecryptfs_private to mount again"
187
# Setup ~/.ecryptfs directory
188
mkdir -m 700 $HOME/.ecryptfs 2>/dev/null
189
touch $HOME/.ecryptfs/auto-mount || error "Could not setup ecryptfs auto-mount"
191
# Backup any existing wrapped-passphrase or sig files; we DO NOT destroy this
192
timestamp=`date +%Y%m%d%H%M%S`
193
for i in "$HOME/.ecryptfs/wrapped-passphrase" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"; do
195
mv -f "$i" "$i.$timestamp" || error "Could not backup existing data [$i]"
199
# Setup wrapped-passphrase file
202
ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" "$MOUNTPASS" "$LOGINPASS" || error "Could not wrap passphrase"
205
# Add the passphrase to current keyring
206
# On subsequent logins, this should be handled by "pam_ecryptfs.so unwrap"
207
response=`ecryptfs-add-passphrase "$MOUNTPASS"`
208
if [ $? -ne 0 ]; then
209
error "Could not add passphrase to the current keyring"
211
sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
212
if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{16,16}$"; then
213
error "Could not obtain the key signature"
215
echo "$sig" > "$HOME/.ecryptfs/$PRIVATE_DIR.sig" || error "Could not create signature file [$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
218
echo "Done configuring."
221
# Now let's perform some basic mount/write/umount/read sanity testing...
222
echo "Testing mount/write/umount/read..."
223
mount.ecryptfs_private || error "Could not mount private ecryptfs directory"
224
temp=`mktemp "$HOME/$PRIVATE_DIR/ecryptfs.test.XXXXXX"` || error_testing "$temp" "Could not create empty file"
225
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "Could not generate random data"
226
echo "$random_data" > "$temp" || error_testing "$temp" "Could not write encrypted file"
227
md5sum1=`md5sum "$temp"` || error_testing "$temp" "Could not read encrypted file"
228
umount.ecryptfs_private || error_testing "$temp" "Could not unmount private ecryptfs directory"
229
mount.ecryptfs_private || error_testing "$temp" "Could not mount private ecryptfs directory (2)"
230
md5sum2=`md5sum "$temp"` || error_testing "$temp" "Could not read encrypted file (2)"
232
umount.ecryptfs_private || error_testing "$temp" "Could not unmount private ecryptfs directory (2)"
233
if [ "$md5sum1" != "$md5sum2" ]; then
234
error "Testing failed."
236
echo "Testing succeeded."