kevinveenbirkenbach/linux-image-manager
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/linux-image-manager.git synced 2024-09-19 20:43:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added draft for storage encryption procedures

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2020-05-20 10:35:37 +02:00
parent 78bee8d0cc
commit 7f629205ef
11 changed files with 99 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -33,11 +33,11 @@ This repository contains the following scripts:
| Order | Description | | Order | Description |
|---|---| |---|---|
| ```bash ./scripts/system-setup.sh``` | Setup the customized software on the system on which you execute it. | | ```bash ./scripts/system-setup.sh``` | Setup the customized software on the system on which you execute it. |
| ```bash ./scripts/backup.sh``` | Executes all setup scripts. | | ```bash ./scripts/image/backup.sh``` | Backup an device image |
| ```bash ./scripts/import-data-from-system.sh``` | Import data from the host system.| | ```bash ./scripts/data/import-data-from-system.sh``` | Import data from the host system.|
| ```bash ./scripts/export-data-to-system.sh``` | Export data to the host system.| | ```bash ./scripts/data/export-data-to-system.sh``` | Export data to the host system.|
| ```bash ./scripts/unlock.sh``` | Unlock the stored data.| | ```bash ./scripts/encryption/data/unlock.sh``` | Unlock the stored data.|
| ```bash ./scripts/lock.sh``` | Lock the stored data | | ```bash ./scripts/encryption/data/lock.sh``` | Lock the stored data |
| ```bash ./scripts/pull-local-repositories.sh``` | Pulls all local repositories branches | | ```bash ./scripts/pull-local-repositories.sh``` | Pulls all local repositories branches |
| ```bash ./scripts/pushs-local-repositories.sh``` | Pushs all local repositories branches | | ```bash ./scripts/pushs-local-repositories.sh``` | Pushs all local repositories branches |
| ```encfsctl passwd .encrypted``` | Change the password of the encrypted folder. | | ```encfsctl passwd .encrypted``` | Change the password of the encrypted folder. |
@ -56,7 +56,8 @@ $HOME/Documents/certificates/ | Contains certificates to authenticate via [certi
| $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). | | $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). |
| $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. | | $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. |
| $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. | | $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. |
| $HOME/Documents/repositories/ | Contains all git repositories | | $HOME/Repositories/ | Contains all git repositories |
| $HOME/Games/roms | Contains all roms |
| $HOME/Images/ | contains os images| | $HOME/Images/ | contains os images|
#### Desktop #### Desktop

17
scripts/base.sh
View File

@ -65,6 +65,23 @@ error(){
exit 1; exit 1;
} }
# Routine to echo the full sd-card-path
set_device_path(){
info "Available devices:"
ls -lasi /dev/ | grep -E "sd|mm"
question "Please type in the name of the device: /dev/" && read -r device
device_path="/dev/$device"
if [ ! -b "$device_path" ]
then
error "$device_path is not valid device."
fi
# @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
OPTIMAL_BLOCKSIZE=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
info "Device path set to: $device_path" &&
info "Optimal blocksize set to: $OPTIMAL_BLOCKSIZE" ||
error
}
HEADER(){ HEADER(){
echo echo
echo "${COLOR_YELLOW}The" echo "${COLOR_YELLOW}The"

4
scripts/data/import-from-system.sh
View File

@ -18,11 +18,11 @@ declare -a BACKUP_LIST=("$HOME/.ssh/" \
"$HOME/Documents/identity/" \ "$HOME/Documents/identity/" \
"$HOME/Documents/passwords/" \ "$HOME/Documents/passwords/" \
"$HOME/Documents/licenses/"); "$HOME/Documents/licenses/");
if [ -z "$(mount | grep "$DECRYPTED_PATH")" ] if [ -z "$(mount | grep "$DECRYPTED_PATH")" ]
then then
info "The decrypted folder $DECRYPTED_PATH is locked. You need to unlock it!" && info "The decrypted folder $DECRYPTED_PATH is locked. You need to unlock it!" &&
bash "$SCRIPT_PATH""encryption/unlock.sh" || error "Unlocking failed."; bash "$SCRIPT_PATH""encryption/data/unlock.sh" || error "Unlocking failed.";
fi fi
if [ "$1" = "reverse" ] if [ "$1" = "reverse" ]
then then

2
scripts/encryption/lock.sh → scripts/encryption/data/lock.sh
View File

@ -5,7 +5,7 @@
# #
# shellcheck disable=SC2015 # Deactivating bool hint # shellcheck disable=SC2015 # Deactivating bool hint
# shellcheck source=/dev/null # Deactivate SC1090 # shellcheck source=/dev/null # Deactivate SC1090
source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1) source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
info "Locking directory $DECRYPTED_PATH..." && info "Locking directory $DECRYPTED_PATH..." &&
fusermount -u "$DECRYPTED_PATH" || error "Unmounting failed." fusermount -u "$DECRYPTED_PATH" || error "Unmounting failed."
info "Data is now encrypted." info "Data is now encrypted."

2
scripts/encryption/unlock.sh → scripts/encryption/data/unlock.sh
View File

@ -5,7 +5,7 @@
# #
# shellcheck source=/dev/null # Deactivate SC1090 # shellcheck source=/dev/null # Deactivate SC1090
# shellcheck disable=SC2015 # Deactivating bool hint # shellcheck disable=SC2015 # Deactivating bool hint
source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1) source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
info "Unlocking directory $DECRYPTED_PATH..." info "Unlocking directory $DECRYPTED_PATH..."
if [ ! -d "$DECRYPTED_PATH" ] if [ ! -d "$DECRYPTED_PATH" ]
then then

13
scripts/encryption/storage/base.sh Normal file
View File

@ -0,0 +1,13 @@
#!/bin/bash
source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1)
set_device_mount_and_mapper_paths(){
set_device_path &&
mapper_name="encrypteddrive-$device" &&
mapper_path="/dev/mapper/$mapper_name" &&
mount_path="/media/$mapper_name" &&
info "mapper name set to : $mapper_name" &&
info "mapper path set to : $mapper_path" ||
info "mount path set to : $mount_path" ||
error
}

14
scripts/encryption/storage/mount.sh Normal file
View File

@ -0,0 +1,14 @@
source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
echo "Mounting encrypted storage..."
set_device_mount_and_mapper_paths
info "Unlock partition..." &&
sudo cryptsetup luksOpen $device_path $mapper_name ||
error
info "Mount partition..." &&
sudo mount $mapper_path $mount_path ||
error
success "Mounting successfull :)"

40
scripts/encryption/storage/setup.sh Normal file
View File

@ -0,0 +1,40 @@
source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
echo "Setups disk encryption"
set_device_mount_and_mapper_paths
info "Overwritting device \"$device_path\" with zeros..." &&
sudo dd if=/dev/zero of=$device_path bs=$OPTIMAL_BLOCKSIZE status=progress conv=fdatasync ||
error
info "Creating new GPT partition table..."
( echo "g" # create a new empty GPT partition table
echo "w" # Write partition table
)| sudo fdisk "$device_path" || error
info "Creating partition table..."
( echo "n" # Create GPT partition table
echo "p" # Create GPT partition table
echo "w" # Write partition table
)| sudo fdisk "$device_path" || error
info "Show memory devices..." &&
sudo fdisk -l || error
info "Encrypt $device_path..." &&
sudo cryptsetup -v -y luksFormat $device_path
info "Unlock partition..." &&
sudo cryptsetup luksOpen $device_path $mapper_name
info "Create btrfs file system..." &&
sudo mkfs.btrfs $mapper_path || error
info "Creating mount folder unter \"$mount_path\"..." &&
mkdir -p $mount_path || error
info "Mount partition..." &&
sudo mount $mapper_path $mount_path || error
info "Own partition by user..." &&
sudo chown -R $USER:$USER $mount_path || error

0
scripts/encryption/storage/umount.sh Normal file
View File

12
scripts/image/base.sh
View File

@ -26,18 +26,6 @@ set_partition_paths(){
boot_partition_path=$(echo_partition_name "1") boot_partition_path=$(echo_partition_name "1")
} }
# Routine to echo the full sd-card-path
set_device_path(){
info "Available devices:"
ls -lasi /dev/ | grep -E "sd|mm"
question "Please type in the name of the device: /dev/" && read -r device
device_path="/dev/$device"
if [ ! -b "$device_path" ]
then
error "$device_path is not valid device."
fi
}
make_mount_folders(){ make_mount_folders(){
info "Preparing mount paths..." && info "Preparing mount paths..." &&
boot_mount_path="$working_folder_path""boot/" && boot_mount_path="$working_folder_path""boot/" &&

12
scripts/image/setup.sh
View File

@ -210,10 +210,6 @@ make_mount_folders
set_partition_paths set_partition_paths
# @see https://www.heise.de/ct/hotline/Optimale-Blockgroesse-fuer-dd-2056768.html
optimal_blocksize=$(expr 64 \* "$(sudo cat /sys/block/$device/queue/physical_block_size)") &&
info "Calculated optimal blocksize of $optimal_blocksize""Byte for \"dd\" operations."
question "Should the image be transfered to $device_path?(y/n)" && read -r transfer_image question "Should the image be transfered to $device_path?(y/n)" && read -r transfer_image
if [ "$transfer_image" = "y" ] if [ "$transfer_image" = "y" ]
then then
@ -222,7 +218,7 @@ if [ "$transfer_image" = "y" ]
if [ "$copy_zeros_to_device" = "y" ] if [ "$copy_zeros_to_device" = "y" ]
then then
info "Overwritting..." && info "Overwritting..." &&
dd if=/dev/zero of="$device_path" bs="$optimal_blocksize" || error "Overwritting $device_path failed." dd if=/dev/zero of="$device_path" bs="$OPTIMAL_BLOCKSIZE" status=progress || error "Overwritting $device_path failed."
else else
info "Skipping Overwritting..." info "Skipping Overwritting..."
fi fi
@ -267,19 +263,19 @@ if [ "$transfer_image" = "y" ]
elif [ "${image_path: -4}" = ".zip" ] elif [ "${image_path: -4}" = ".zip" ]
then then
info "Transfering .zip file..." && info "Transfering .zip file..." &&
unzip -p "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync || error "DD $image_path to $device_path failed." && unzip -p "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress || error "DD $image_path to $device_path failed." &&
sync || sync ||
error error
elif [ "${image_path: -3}" = ".gz" ] elif [ "${image_path: -3}" = ".gz" ]
then then
info "Transfering .gz file..." && info "Transfering .gz file..." &&
gunzip -c "$image_path" | sudo dd of="$device_path" bs="$optimal_blocksize" conv=fsync && gunzip -c "$image_path" | sudo dd of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
sync || sync ||
error error
elif [ "${image_path: -4}" = ".iso" ] elif [ "${image_path: -4}" = ".iso" ]
then then
info "Transfering .iso file..." && info "Transfering .iso file..." &&
sudo dd if="$image_path" of="$device_path" bs="$optimal_blocksize" conv=fsync && sudo dd if="$image_path" of="$device_path" bs="$OPTIMAL_BLOCKSIZE" conv=fsync status=progress &&
sync || sync ||
error error
else else