From dc72bd5d31fec8dc052ca50fef8b6a80b36dd042 Mon Sep 17 00:00:00 2001
From: "Kevin Veen-Birkenbach [aka. Frantz]" <kevin@veen.world>
Date: Mon, 30 Sep 2019 17:19:27 +0200
Subject: [PATCH] Implemented encryption mechanism for data

---
 .gitignore                         |  1 +
 README.md                          | 16 +++++++++++-----
 scripts/decrypt-data.sh            |  1 -
 scripts/encrypt-data.sh            |  1 -
 scripts/import-data-from-system.sh | 17 +++++++++++------
 scripts/lock.sh                    |  6 ++++++
 scripts/system-setup.sh            |  8 ++++----
 scripts/unlock.sh                  |  7 +++++++
 8 files changed, 40 insertions(+), 17 deletions(-)
 delete mode 100644 scripts/decrypt-data.sh
 delete mode 100644 scripts/encrypt-data.sh
 create mode 100644 scripts/lock.sh
 create mode 100644 scripts/unlock.sh

diff --git a/.gitignore b/.gitignore
index 8fce603..79efc04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 data/
+.encrypted/
diff --git a/README.md b/README.md
index af96a6f..fd83a82 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 This repository contains scripts to set up an working client system, maintain it and to save the data on an USB stick.
 It's adapted to the needs of Kevin Veen-Birkenbach aka. Frantz.
 ## Requirements
-This script is optimized for a [Manjaro Linux](https://manjaro.org) with [GNOME desktop](https://www.gnome.org/?). 
+This script is optimized for a [Manjaro Linux](https://manjaro.org) with [GNOME desktop](https://www.gnome.org/?).
 Specific system requirements are described in the [.travis file](./.travis).
 
 ## Functions
@@ -23,15 +23,21 @@ To export configuration files to the system you have to execute:
 ```bash
 bash ./scripts/export-data-to-system.sh
 ```
-### Decrypt Data
+### Unlock Data
 To decrypt the data you have to execute:
 ```bash
-bash ./scripts/decrypt-data.sh
+bash ./scripts/unlock.sh
 ```
-### Encrypt Data
+### Lock Data
 To encrypt the data you have to execute:
 ```bash
-bash ./scripts/encrypt-data.sh
+bash ./scripts/lock.sh
+```
+
+### Change Data Password
+To change the encryption password you have to type in:
+```bash
+encfsctl passwd .encrypted
 ```
 ## License
 The ["GNU GENERAL PUBLIC LICENSE Version 3"](./LICENSE.txt) applies to this project.
diff --git a/scripts/decrypt-data.sh b/scripts/decrypt-data.sh
deleted file mode 100644
index a9bf588..0000000
--- a/scripts/decrypt-data.sh
+++ /dev/null
@@ -1 +0,0 @@
-#!/bin/bash
diff --git a/scripts/encrypt-data.sh b/scripts/encrypt-data.sh
deleted file mode 100644
index a9bf588..0000000
--- a/scripts/encrypt-data.sh
+++ /dev/null
@@ -1 +0,0 @@
-#!/bin/bash
diff --git a/scripts/import-data-from-system.sh b/scripts/import-data-from-system.sh
index 23d42d0..e140b3c 100644
--- a/scripts/import-data-from-system.sh
+++ b/scripts/import-data-from-system.sh
@@ -3,6 +3,11 @@
 # @author Kevin Veen-Birkenbach [aka. Frantz]
 # @param $1 If the first parameter is "reverse" the data will be exported to the system
 DATA_FOLDER=$(readlink -f "$(dirname "$(readlink -f "${0}")")/../data");
+if [ -z $(mount | grep $DATA_FOLDER) ]
+  then
+    echo "The data folder $DATA_FOLDER is locked. You need to unlock it!"
+    bash "$(dirname "$(readlink -f "${0}")")/unlock.sh" || exit 1;
+fi
 declare -a BACKUP_LIST=("$HOME/.ssh/" "$HOME/.gitconfig");
 for system_item_path in "${BACKUP_LIST[@]}";
 do
@@ -31,11 +36,11 @@ do
         cp -vi "$source" "$destination"
       else
         if [ -d "$source" ]
-        then
-          echo "Copy data from directory $source to directory $destination_dir..."
-          cp -vir "$source" "$destination_dir"
-        else
-          echo "$source doesn't exist. Copying data is not possible."
-      fi
+          then
+            echo "Copy data from directory $source to directory $destination_dir..."
+            cp -vir "$source" "$destination_dir"
+          else
+            echo "$source doesn't exist. Copying data is not possible."
+        fi
     fi
 done
diff --git a/scripts/lock.sh b/scripts/lock.sh
new file mode 100644
index 0000000..eb99670
--- /dev/null
+++ b/scripts/lock.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Locks the data
+# @author Kevin Veen-Birkenbach [aka. Frantz]
+DECRYPTED=$(readlink -f "$(dirname "$(readlink -f "${0}")")/../data");
+echo "Locking directory: $DECRYPTED"
+fusermount -u $DECRYPTED && echo "Data is now encrypted."
diff --git a/scripts/system-setup.sh b/scripts/system-setup.sh
index 6f84ece..d21b74b 100644
--- a/scripts/system-setup.sh
+++ b/scripts/system-setup.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
-echo "--------------------------------------------"
-echo "Customized Pacman Core Software"
-echo "--------------------------------------------"
-echo ""
+echo "Start setup of customized core software..."
 echo "Synchronising packages..."
 echo "Synchronizing programing languages..."
 sudo pacman --needed -S jdk11-openjdk python php
 echo "Synchronizing administration tools..."
 sudo pacman --needed -S htop tree git base-devel yay make gcc cmake
+echo "Synchronizing security tools..."
+sudo pacman --needed -S ecryptfs-utils encfs
+echo "Setup SSH key"
 ssh_key_path="$HOME/.ssh/id_rsa"
 if [ ! -f "$ssh_key_path" ]; then
 	echo "SSH key $ssh_key_path doesn't exists!"
diff --git a/scripts/unlock.sh b/scripts/unlock.sh
new file mode 100644
index 0000000..cecda5b
--- /dev/null
+++ b/scripts/unlock.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Unlocks the data
+# @author Kevin Veen-Birkenbach [aka. Frantz]
+ENCRYPTED=$(readlink -f "$(dirname "$(readlink -f "${0}")")/../.encrypted");
+DECRYPTED=$(readlink -f "$(dirname "$(readlink -f "${0}")")/../data");
+echo "Unlocking directory: $DECRYPTED"
+encfs $ENCRYPTED $DECRYPTED && echo "ATTENTION: DATA IS NOW DECRYPTED!"