From 7f629205ef9d6d35ffcc75d0192fcf9b2f4b2add Mon Sep 17 00:00:00 2001
From: "Kevin Veen-Birkenbach [aka. Frantz]"
Date: Wed, 20 May 2020 10:35:37 +0200
Subject: [PATCH] Added draft for storage encryption procedures

---
 README.md | 13 ++++----
 scripts/base.sh | 17 +++++++++++
 scripts/data/import-from-system.sh | 4 +--
 scripts/encryption/{ => data}/lock.sh | 2 +-
 scripts/encryption/{ => data}/unlock.sh | 2 +-
 scripts/encryption/storage/base.sh | 13 ++++++++
 scripts/encryption/storage/mount.sh | 14 +++++++++
 scripts/encryption/storage/setup.sh | 40 +++++++++++++++++++++++++
 scripts/encryption/storage/umount.sh | 0
 scripts/image/base.sh | 12 --------
 scripts/image/setup.sh | 12 +++-----
 11 files changed, 99 insertions(+), 30 deletions(-)
 rename scripts/encryption/{ => data}/lock.sh (79%)
 rename scripts/encryption/{ => data}/unlock.sh (83%)
 create mode 100644 scripts/encryption/storage/base.sh
 create mode 100644 scripts/encryption/storage/mount.sh
 create mode 100644 scripts/encryption/storage/setup.sh
 create mode 100644 scripts/encryption/storage/umount.sh

diff --git a/README.md b/README.md
index a2bd921..6d67b99 100644
--- a/README.md
+++ b/README.md
@@ -33,11 +33,11 @@ This repository contains the following scripts:
 | Order | Description |
 |---|---|
 | ```bash ./scripts/system-setup.sh``` | Setup the customized software on the system on which you execute it. |
-| ```bash ./scripts/backup.sh``` | Executes all setup scripts. |
-| ```bash ./scripts/import-data-from-system.sh``` | Import data from the host system.|
-| ```bash ./scripts/export-data-to-system.sh``` | Export data to the host system.|
-| ```bash ./scripts/unlock.sh``` | Unlock the stored data.|
-| ```bash ./scripts/lock.sh``` | Lock the stored data |
+| ```bash ./scripts/image/backup.sh``` | Backup an device image |
+| ```bash ./scripts/data/import-data-from-system.sh``` | Import data from the host system.|
+| ```bash ./scripts/data/export-data-to-system.sh``` | Export data to the host system.|
+| ```bash ./scripts/encryption/data/unlock.sh``` | Unlock the stored data.|
+| ```bash ./scripts/encryption/data/lock.sh``` | Lock the stored data |
 | ```bash ./scripts/pull-local-repositories.sh``` | Pulls all local repositories branches |
 | ```bash ./scripts/pushs-local-repositories.sh``` | Pushs all local repositories branches |
 | ```encfsctl passwd .encrypted``` | Change the password of the encrypted folder. |
@@ -56,7 +56,8 @@ $HOME/Documents/certificates/ | Contains certificates to authenticate via [certi
 | $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). |
 | $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. |
 | $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. |
-| $HOME/Documents/repositories/ | Contains all git repositories |
+| $HOME/Repositories/ | Contains all git repositories |
+| $HOME/Games/roms | Contains all roms |
 | $HOME/Images/ | contains os images|

 #### Desktop
diff --git a/scripts/base.sh b/scripts/base.sh
index 51c3cd4..d9e1944 100644
--- a/scripts/base.sh
+++ b/scripts/base.sh
@@ -65,6 +65,23 @@ error(){
 exit 1;
 }

+# Routine to echo the full sd-card-path
+set_device_path(){
+ info "Available devices:"
+ ls -lasi /dev/ | grep -E "sd|mm"
+ question "Please type in the name of the device: /dev/" && read -r device
+ device_path="/dev/$device"
+ if [ ! -b "$device_path" ]
+ then
+ error "$device_path is not valid device."
+ fi
+ # @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
+ OPTIMAL_BLOCKSIZE=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
+ info "Device path set to: $device_path" &&
+ info "Optimal blocksize set to: $OPTIMAL_BLOCKSIZE" ||
+ error
+}
+
 HEADER(){
 echo
 echo "${COLOR_YELLOW}The"
diff --git a/scripts/data/import-from-system.sh b/scripts/data/import-from-system.sh
index 2537cae..dfd0a85 100644
--- a/scripts/data/import-from-system.sh
+++ b/scripts/data/import-from-system.sh
@@ -18,11 +18,11 @@ declare -a BACKUP_LIST=("$HOME/.ssh/" \
 "$HOME/Documents/identity/" \
 "$HOME/Documents/passwords/" \
 "$HOME/Documents/licenses/");
-
+
 if [ -z "$(mount | grep "$DECRYPTED_PATH")" ]
 then
 info "The decrypted folder $DECRYPTED_PATH is locked. You need to unlock it!" &&
- bash "$SCRIPT_PATH""encryption/unlock.sh" || error "Unlocking failed.";
+ bash "$SCRIPT_PATH""encryption/data/unlock.sh" || error "Unlocking failed.";
 fi
 if [ "$1" = "reverse" ]
 then
diff --git a/scripts/encryption/lock.sh b/scripts/encryption/data/lock.sh
similarity index 79%
rename from scripts/encryption/lock.sh
rename to scripts/encryption/data/lock.sh
index b561543..a449e74 100644
--- a/scripts/encryption/lock.sh
+++ b/scripts/encryption/data/lock.sh
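Review bot: The block-size lookup in the new set_device_path only works for a whole-disk name: `/sys/block/$device/queue/physical_block_size` has no counterpart for a partition name such as sda1 or mmcblk0p1, so such input passes the `-b` test and then drops into the bare `error` call at the end of the chain with no message. Because the same value later sizes the zero-fill of the device in scripts/encryption/storage/setup.sh, the failure deserves a message, e.g. `error "Cannot read physical block size for /dev/$device (whole-disk name expected)"` on the `||` branch, and the expansion inside the `sudo cat` path should be quoted. The device list could come from `lsblk -dno NAME,SIZE,MODEL`, which shows only whole disks and avoids parsing `ls` output.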
@@ -5,7 +5,7 @@
 #
 # shellcheck disable=SC2015 # Deactivating bool hint
 # shellcheck source=/dev/null # Deactivate SC1090
-source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
+source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
 info "Locking directory $DECRYPTED_PATH..." &&
 fusermount -u "$DECRYPTED_PATH" || error "Unmounting failed."
 info "Data is now encrypted."
diff --git a/scripts/encryption/unlock.sh b/scripts/encryption/data/unlock.sh
similarity index 83%
rename from scripts/encryption/unlock.sh
rename to scripts/encryption/data/unlock.sh
index df52479..4d1b1aa 100644
--- a/scripts/encryption/unlock.sh
+++ b/scripts/encryption/data/unlock.sh
@@ -5,7 +5,7 @@
 #
 # shellcheck source=/dev/null # Deactivate SC1090
 # shellcheck disable=SC2015 # Deactivating bool hint
-source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
+source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
 info "Unlocking directory $DECRYPTED_PATH..."
 if [ ! -d "$DECRYPTED_PATH" ]
 then
diff --git a/scripts/encryption/storage/base.sh b/scripts/encryption/storage/base.sh
new file mode 100644
index 0000000..fc35dce
--- /dev/null
+++ b/scripts/encryption/storage/base.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
+
+set_device_mount_and_mapper_paths(){
+ set_device_path &&
+ mapper_name="encrypteddrive-$device" &&
+ mapper_path="/dev/mapper/$mapper_name" &&
+ mount_path="/media/$mapper_name" &&
+ info "mapper name set to : $mapper_name" &&
+ info "mapper path set to : $mapper_path" ||
+ info "mount path set to : $mount_path" ||
+ error
+}
diff --git a/scripts/encryption/storage/mount.sh b/scripts/encryption/storage/mount.sh
new file mode 100644
index 0000000..a4a10f6
--- /dev/null
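Review bot: In set_device_mount_and_mapper_paths the `||` after `info "mapper path set to : $mapper_path"` breaks the chain: on the success path the "mount path set to" message is never printed, and the final `error` is reachable only if that `info` call itself fails. The line should end with `&&` like the ones above it, `info "mapper path set to : $mapper_path" &&`, so that only `error` sits behind `||`. The function also relies on `$device` being set as a global by set_device_path in scripts/base.sh; a header comment such as `# Requires set_device_path (scripts/base.sh); sets the globals mapper_name, mapper_path and mount_path.` would make that dependency visible to mount.sh and setup.sh.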
+++ b/scripts/encryption/storage/mount.sh
@@ -0,0 +1,14 @@
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Mounting encrypted storage..."
+
+set_device_mount_and_mapper_paths
+
+info "Unlock partition..." &&
+sudo cryptsetup luksOpen $device_path $mapper_name ||
+error
+
+info "Mount partition..." &&
+sudo mount $mapper_path $mount_path ||
+error
+
+success "Mounting successfull :)"
diff --git a/scripts/encryption/storage/setup.sh b/scripts/encryption/storage/setup.sh
new file mode 100644
index 0000000..a29320f
--- /dev/null
+++ b/scripts/encryption/storage/setup.sh
@@ -0,0 +1,40 @@
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Setups disk encryption"
+
+set_device_mount_and_mapper_paths
+
+info "Overwritting device \"$device_path\" with zeros..." &&
+sudo dd if=/dev/zero of=$device_path bs=$OPTIMAL_BLOCKSIZE status=progress conv=fdatasync ||
+error
+
+info "Creating new GPT partition table..."
+( echo "g" # create a new empty GPT partition table
+ echo "w" # Write partition table
+)| sudo fdisk "$device_path" || error
+
+info "Creating partition table..."
+( echo "n" # Create GPT partition table
+ echo "p" # Create GPT partition table
+ echo "w" # Write partition table
+)| sudo fdisk "$device_path" || error
+
+info "Show memory devices..." &&
+sudo fdisk -l || error
+
+info "Encrypt $device_path..." &&
+sudo cryptsetup -v -y luksFormat $device_path
+
+info "Unlock partition..." &&
+sudo cryptsetup luksOpen $device_path $mapper_name
+
+info "Create btrfs file system..." &&
+sudo mkfs.btrfs $mapper_path || error
+
+info "Creating mount folder unter \"$mount_path\"..." &&
+mkdir -p $mount_path || error
+
+info "Mount partition..." &&
+sudo mount $mapper_path $mount_path || error
+
+info "Own partition by user..." &&
+sudo chown -R $USER:$USER $mount_path || error
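Review bot: `sudo mount $mapper_path $mount_path` in mount.sh assumes the mount point already exists, but `/media/encrypteddrive-$device` is only created by the `mkdir -p` in setup.sh, so on any other machine the mount fails with a bare `error`. I would add `sudo mkdir -p "$mount_path" || error` before the mount and quote every expansion (`"$device_path" "$mapper_name"`, `"$mapper_path" "$mount_path"`), as the data scripts in this commit already do. Unlike storage/base.sh the file has no `#!/bin/bash` line, and the first message uses `echo` while the rest use `info`.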
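Review bot: In setup.sh the two cryptsetup steps are the only `sudo` commands without `|| error`: if `sudo cryptsetup -v -y luksFormat $device_path` fails or is declined at cryptsetup's own confirmation prompt, the script carries on to luksOpen and mkfs.btrfs instead of stopping, so both lines should end with `|| error` with the expansions quoted, e.g. `sudo cryptsetup -v -y luksFormat "$device_path" || error` and `sudo cryptsetup luksOpen "$device_path" "$mapper_name" || error`. The partitioning step is also contradicted by what follows it: after fdisk writes a GPT with one partition to `$device_path`, luksFormat targets the whole device rather than the new partition, which overwrites the partition table just created — either format the partition (mind the `p1` suffix on mmcblk devices) or drop the two fdisk blocks. Finally, the zero-fill `dd` starts as soon as a device name has been typed, whereas scripts/image/setup.sh asks `Should the image be transfered to $device_path?(y/n)` first; the same confirmation belongs here before anything is written to the device.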
diff --git a/scripts/encryption/storage/umount.sh b/scripts/encryption/storage/umount.sh
new file mode 100644
index 0000000..e69de29
diff --git a/scripts/image/base.sh b/scripts/image/base.sh
index 45e9032..f3be809 100644
--- a/scripts/image/base.sh
+++ b/scripts/image/base.sh
@@ -26,18 +26,6 @@ set_partition_paths(){
 boot_partition_path=$(echo_partition_name "1")
 }

-# Routine to echo the full sd-card-path
-set_device_path(){
- info "Available devices:"
- ls -lasi /dev/ | grep -E "sd|mm"
- question "Please type in the name of the device: /dev/" && read -r device
- device_path="/dev/$device"
- if [ ! -b "$device_path" ]
- then
- error "$device_path is not valid device."
- fi
-}
-
 make_mount_folders(){
 info "Preparing mount paths..." &&
 boot_mount_path="$working_folder_path""boot/" &&
diff --git a/scripts/image/setup.sh b/scripts/image/setup.sh
index 0432701..da6701c 100644
--- a/scripts/image/setup.sh
+++ b/scripts/image/setup.sh
@@ -210,10 +210,6 @@ make_mount_folders
 set_partition_paths


-# @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
-optimal_blocksize=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
-info "Calculated optimal blocksize of $optimal_blocksize""Byte for \"dd\" operations."
-
 question "Should the image be transfered to $device_path?(y/n)" && read -r transfer_image
 if [ "$transfer_image" = "y" ]
 then
@@ -222,7 +218,7 @@ if [ "$transfer_image" = "y" ]
 if [ "$copy_zeros_to_device" = "y" ]
 then
 info "Overwritting..." &&
- dd if=/dev/zero of="$device_path" bs="$optimal_blocksize" || error "Overwritting $device_path failed."
+ dd if=/dev/zero of="$device_path" bs="$OPTIMAL_BLOCKSIZE" status=progress || error "Overwritting $device_path failed."
 else
 info "Skipping Overwritting..."
 fi
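Review bot: The zero-fill line in scripts/image/setup.sh now depends on `$OPTIMAL_BLOCKSIZE`, which after this commit is a global set inside set_device_path in scripts/base.sh rather than computed a few lines above, so the line is only correct if set_device_path ran earlier in the script, which is outside this hunk; a comment such as `# device_path and OPTIMAL_BLOCKSIZE are set by set_device_path (scripts/base.sh)` would spare the next reader the search. This `dd` also runs without `sudo`, while the .zip/.gz/.iso transfers further down the same file use `sudo dd`; unless the whole script already runs as root, the overwrite will fail on permissions and abort through `error`, so `sudo dd if=/dev/zero ...` would be consistent with the other writes to the device.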
@@ -267,19 +263,19 @@ if [ "$transfer_image" = "y" ]
 elif [ "${image_path: -4}" = ".zip" ]
 then
 info "Transfering .zip file..." &&
- unzip -p "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync || error "DD $image_path to $device_path failed." &&
+ unzip -p "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress || error "DD $image_path to $device_path failed." &&
 sync || error
 elif [ "${image_path: -3}" = ".gz" ]
 then
 info "Transfering .gz file..." &&
- gunzip -c "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync &&
+ gunzip -c "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
 sync || error
 elif [ "${image_path: -4}" = ".iso" ]
 then
 info "Transfering .iso file..." &&
- sudo dd if="$image_path" of="$device_path" bs="$optimal_blocksize" conv=fsync &&
+ sudo dd if="$image_path" of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
 sync || error
 else