Added draft for storage encryption procedures

This commit is contained in:
Kevin Veen-Birkenbach 2020-05-20 10:35:37 +02:00
parent 78bee8d0cc
commit 7f629205ef
11 changed files with 99 additions and 30 deletions


@ -33,11 +33,11 @@ This repository contains the following scripts:
| Order | Description | | Order | Description |
|---|---| |---|---|
| ```bash ./scripts/system-setup.sh``` | Setup the customized software on the system on which you execute it. | | ```bash ./scripts/system-setup.sh``` | Setup the customized software on the system on which you execute it. |
| ```bash ./scripts/backup.sh``` | Executes all setup scripts. | | ```bash ./scripts/image/backup.sh``` | Backup an device image |
| ```bash ./scripts/import-data-from-system.sh``` | Import data from the host system.| | ```bash ./scripts/data/import-data-from-system.sh``` | Import data from the host system.|
| ```bash ./scripts/export-data-to-system.sh``` | Export data to the host system.| | ```bash ./scripts/data/export-data-to-system.sh``` | Export data to the host system.|
| ```bash ./scripts/unlock.sh``` | Unlock the stored data.| | ```bash ./scripts/encryption/data/unlock.sh``` | Unlock the stored data.|
| ```bash ./scripts/lock.sh``` | Lock the stored data | | ```bash ./scripts/encryption/data/lock.sh``` | Lock the stored data |
| ```bash ./scripts/pull-local-repositories.sh``` | Pulls all local repositories branches | | ```bash ./scripts/pull-local-repositories.sh``` | Pulls all local repositories branches |
| ```bash ./scripts/pushs-local-repositories.sh``` | Pushs all local repositories branches | | ```bash ./scripts/pushs-local-repositories.sh``` | Pushs all local repositories branches |
| ```encfsctl passwd .encrypted``` | Change the password of the encrypted folder. | | ```encfsctl passwd .encrypted``` | Change the password of the encrypted folder. |
@ -56,7 +56,8 @@ $HOME/Documents/certificates/ | Contains certificates to authenticate via [certi
| $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). | | $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). |
| $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. | | $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. |
| $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. | | $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. |
| $HOME/Documents/repositories/ | Contains all git repositories | | $HOME/Repositories/ | Contains all git repositories |
| $HOME/Games/roms | Contains all roms |
| $HOME/Images/ | contains os images| | $HOME/Images/ | contains os images|
#### Desktop #### Desktop


@ -65,6 +65,23 @@ error(){
exit 1; exit 1;
} }
# Routine to echo the full sd-card-path
set_device_path(){
info "Available devices:"
ls -lasi /dev/ | grep -E "sd|mm"
question "Please type in the name of the device: /dev/" && read -r device
device_path="/dev/$device"
if [ ! -b "$device_path" ]
then
error "$device_path is not valid device."
fi
# @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
OPTIMAL_BLOCKSIZE=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
info "Device path set to: $device_path" &&
info "Optimal blocksize set to: $OPTIMAL_BLOCKSIZE" ||
error
}
HEADER(){ HEADER(){
echo echo
echo "${COLOR_YELLOW}The" echo "${COLOR_YELLOW}The"
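Review bot: The new `set_device_path` accepts any block device name on L41-L46 but then reads `/sys/block/$device/queue/physical_block_size` on L48, which exists only for whole disks, so a partition name such as `sdb1` passes the `-b` check and the blocksize step fails with the bare `error` on L51 that prints nothing. Query the device node instead, which works for disks and partitions alike and also removes the unquoted `$device` inside a sysfs path and the `expr` call: `OPTIMAL_BLOCKSIZE=$((64 * $(sudo blockdev --getpbsz "$device_path")))`. Because `$device` comes straight from `read`, reject a value containing `/` before building any path from it, e.g. `[[ "$device" == */* ]] && error "Device name must not contain '/'."`. Give the final `error` a message like the one on L45 so the user learns which step failed, and consider `lsblk -dno NAME,SIZE,MODEL` in place of grepping `ls -lasi /dev/` on L40.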


@ -18,11 +18,11 @@ declare -a BACKUP_LIST=("$HOME/.ssh/" \
"$HOME/Documents/identity/" \ "$HOME/Documents/identity/" \
"$HOME/Documents/passwords/" \ "$HOME/Documents/passwords/" \
"$HOME/Documents/licenses/"); "$HOME/Documents/licenses/");
if [ -z "$(mount | grep "$DECRYPTED_PATH")" ] if [ -z "$(mount | grep "$DECRYPTED_PATH")" ]
then then
info "The decrypted folder $DECRYPTED_PATH is locked. You need to unlock it!" && info "The decrypted folder $DECRYPTED_PATH is locked. You need to unlock it!" &&
bash "$SCRIPT_PATH""encryption/unlock.sh" || error "Unlocking failed."; bash "$SCRIPT_PATH""encryption/data/unlock.sh" || error "Unlocking failed.";
fi fi
if [ "$1" = "reverse" ] if [ "$1" = "reverse" ]
then then


@ -5,7 +5,7 @@
# #
# shellcheck disable=SC2015 # Deactivating bool hint # shellcheck disable=SC2015 # Deactivating bool hint
# shellcheck source=/dev/null # Deactivate SC1090 # shellcheck source=/dev/null # Deactivate SC1090
source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1) source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
info "Locking directory $DECRYPTED_PATH..." && info "Locking directory $DECRYPTED_PATH..." &&
fusermount -u "$DECRYPTED_PATH" || error "Unmounting failed." fusermount -u "$DECRYPTED_PATH" || error "Unmounting failed."
info "Data is now encrypted." info "Data is now encrypted."


@ -5,7 +5,7 @@
# #
# shellcheck source=/dev/null # Deactivate SC1090 # shellcheck source=/dev/null # Deactivate SC1090
# shellcheck disable=SC2015 # Deactivating bool hint # shellcheck disable=SC2015 # Deactivating bool hint
source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1) source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
info "Unlocking directory $DECRYPTED_PATH..." info "Unlocking directory $DECRYPTED_PATH..."
if [ ! -d "$DECRYPTED_PATH" ] if [ ! -d "$DECRYPTED_PATH" ]
then then


@ -0,0 +1,13 @@
#!/bin/bash
source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
set_device_mount_and_mapper_paths(){
set_device_path &&
mapper_name="encrypteddrive-$device" &&
mapper_path="/dev/mapper/$mapper_name" &&
mount_path="/media/$mapper_name" &&
info "mapper name set to : $mapper_name" &&
info "mapper path set to : $mapper_path" ||
info "mount path set to : $mount_path" ||
error
}
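Review bot: The `||` closing L104 means the "mount path set to" message on L105 is only printed when the preceding `info` fails, so on the normal path the mount path is never shown and the `error` on L106 is effectively unreachable. Change L104 to `info "mapper path set to : $mapper_path" &&` so all three messages print and `error` guards the whole chain. Since the callers (mount.sh, setup.sh) rely on `device_path`, `OPTIMAL_BLOCKSIZE`, `mapper_name`, `mapper_path` and `mount_path` being left behind as globals, a header comment such as `# Sets globals: device_path, OPTIMAL_BLOCKSIZE, mapper_name, mapper_path, mount_path (asks the user for the device)` would make that contract explicit.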


@ -0,0 +1,14 @@
source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
echo "Mounting encrypted storage..."
set_device_mount_and_mapper_paths
info "Unlock partition..." &&
sudo cryptsetup luksOpen $device_path $mapper_name ||
error
info "Mount partition..." &&
sudo mount $mapper_path $mount_path ||
error
success "Mounting successfull :)"
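Review bot: `sudo mount $mapper_path $mount_path` on L119 assumes `/media/encrypteddrive-<dev>` already exists, but only setup.sh creates that directory, so on any other machine the mount fails after `luksOpen` on L116 has already succeeded and the mapping is left open with no cleanup. Create the mount point before mounting and close the mapping when the mount fails; the expansions on L116 and L119 also need quoting, and `set_device_mount_and_mapper_paths` on L114 has no `|| error` (it only stops because `set_device_path` exits on its own). The file also lacks a `#!/bin/bash` line, unlike storage/base.sh on L96, so it only runs correctly when invoked as `bash mount.sh`.
```shell
set_device_mount_and_mapper_paths || error "Setting device paths failed."
info "Unlock partition..." &&
sudo cryptsetup luksOpen "$device_path" "$mapper_name" || error "Unlocking $device_path failed."
info "Mount partition..." &&
sudo mkdir -p "$mount_path" &&
sudo mount "$mapper_path" "$mount_path" ||
{ sudo cryptsetup luksClose "$mapper_name"; error "Mounting $mapper_path failed."; }
# … unchanged: success message …
```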


@ -0,0 +1,40 @@
source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
echo "Setups disk encryption"
set_device_mount_and_mapper_paths
info "Overwritting device \"$device_path\" with zeros..." &&
sudo dd if=/dev/zero of=$device_path bs=$OPTIMAL_BLOCKSIZE status=progress conv=fdatasync ||
error
info "Creating new GPT partition table..."
( echo "g" # create a new empty GPT partition table
echo "w" # Write partition table
)| sudo fdisk "$device_path" || error
info "Creating partition table..."
( echo "n" # Create GPT partition table
echo "p" # Create GPT partition table
echo "w" # Write partition table
)| sudo fdisk "$device_path" || error
info "Show memory devices..." &&
sudo fdisk -l || error
info "Encrypt $device_path..." &&
sudo cryptsetup -v -y luksFormat $device_path
info "Unlock partition..." &&
sudo cryptsetup luksOpen $device_path $mapper_name
info "Create btrfs file system..." &&
sudo mkfs.btrfs $mapper_path || error
info "Creating mount folder unter \"$mount_path\"..." &&
mkdir -p $mount_path || error
info "Mount partition..." &&
sudo mount $mapper_path $mount_path || error
info "Own partition by user..." &&
sudo chown -R $USER:$USER $mount_path || error
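Review bot: `luksFormat $device_path` on L144 targets the whole disk immediately after L133-L140 wrote a GPT table and a partition onto it, so the LUKS header at offset 0 overwrites that table and the partition is never used; either format the partition (`${device_path}1`, or `${device_path}p1` for mmcblk/nvme names) or drop the fdisk steps, and since mount.sh (L116) also opens `$device_path`, dropping them is the change that keeps both scripts consistent. L144 and L146 are also the only steps without `|| error`, so if the user declines luksFormat's confirmation the script continues to `mkfs.btrfs` on a mapper device that does not exist; write `sudo cryptsetup -v -y luksFormat "$device_path" || error "luksFormat failed."` and the same for luksOpen. The scripted answers on L137-L139 look like the MBR primary/extended prompt, whereas `n` on a GPT table asks for partition number and sectors, so that dialogue probably does not do what its comments say; `sfdisk` with a layout on stdin is the scriptable tool if partitioning is kept. `mkdir -p $mount_path` on L150 runs without sudo under `/media`, which is normally root-owned, and would fail there. A zero fill (L130) wipes old content but leaves the later ciphertext region distinguishable from the rest of the device; if that matters fill with random data, otherwise a comment should say the zeroing is only a wipe.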


@ -26,18 +26,6 @@ set_partition_paths(){
boot_partition_path=$(echo_partition_name "1") boot_partition_path=$(echo_partition_name "1")
} }
# Routine to echo the full sd-card-path
set_device_path(){
info "Available devices:"
ls -lasi /dev/ | grep -E "sd|mm"
question "Please type in the name of the device: /dev/" && read -r device
device_path="/dev/$device"
if [ ! -b "$device_path" ]
then
error "$device_path is not valid device."
fi
}
make_mount_folders(){ make_mount_folders(){
info "Preparing mount paths..." && info "Preparing mount paths..." &&
boot_mount_path="$working_folder_path""boot/" && boot_mount_path="$working_folder_path""boot/" &&


@ -210,10 +210,6 @@ make_mount_folders
set_partition_paths set_partition_paths
# @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
optimal_blocksize=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
info "Calculated optimal blocksize of $optimal_blocksize""Byte for \"dd\" operations."
question "Should the image be transfered to $device_path?(y/n)" && read -r transfer_image question "Should the image be transfered to $device_path?(y/n)" && read -r transfer_image
if [ "$transfer_image" = "y" ] if [ "$transfer_image" = "y" ]
then then
@ -222,7 +218,7 @@ if [ "$transfer_image" = "y" ]
if [ "$copy_zeros_to_device" = "y" ] if [ "$copy_zeros_to_device" = "y" ]
then then
info "Overwritting..." && info "Overwritting..." &&
dd if=/dev/zero of="$device_path" bs="$optimal_blocksize" || error "Overwritting $device_path failed." dd if=/dev/zero of="$device_path" bs="$OPTIMAL_BLOCKSIZE" status=progress || error "Overwritting $device_path failed."
else else
info "Skipping Overwritting..." info "Skipping Overwritting..."
fi fi
@ -267,19 +263,19 @@ if [ "$transfer_image" = "y" ]
elif [ "${image_path: -4}" = ".zip" ] elif [ "${image_path: -4}" = ".zip" ]
then then
info "Transfering .zip file..." && info "Transfering .zip file..." &&
unzip -p "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync || error "DD $image_path to $device_path failed." && unzip -p "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress || error "DD $image_path to $device_path failed." &&
sync || sync ||
error error
elif [ "${image_path: -3}" = ".gz" ] elif [ "${image_path: -3}" = ".gz" ]
then then
info "Transfering .gz file..." && info "Transfering .gz file..." &&
gunzip -c "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync && gunzip -c "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
sync || sync ||
error error
elif [ "${image_path: -4}" = ".iso" ] elif [ "${image_path: -4}" = ".iso" ]
then then
info "Transfering .iso file..." && info "Transfering .iso file..." &&
sudo dd if="$image_path" of="$device_path" bs="$optimal_blocksize" conv=fsync && sudo dd if="$image_path" of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
sync || sync ||
error error
else else
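Review bot: The rewritten zero-fill on L192 still runs `dd` without sudo while the three image writes on L200, L206 and L212 use `sudo dd`, so unless the whole script runs as root the overwrite of `$device_path` fails with permission denied and the script aborts before any image is written; it also lacks the `conv=fsync` the other calls carry. Write it as `sudo dd if=/dev/zero of="$device_path" bs="$OPTIMAL_BLOCKSIZE" status=progress conv=fsync || error "Overwritting $device_path failed."`. `$OPTIMAL_BLOCKSIZE` is now set as a side effect of `set_device_path` in base.sh instead of being computed here (the removed L182-L184), so every `bs=` in this file depends on that call having run earlier; the call is outside the visible hunks, so it is worth confirming and marking with a comment such as `# OPTIMAL_BLOCKSIZE is set by set_device_path (base.sh)`. The enclosing `if [ "$transfer_image" = "y" ]` block opens on L186 and continues past the last hunk.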