


#!/usr/bin/perl -w
# $Revision: 1.8 $
# $Date: 2006-04-20 03:24:27 $
# Luis Mondesi < lemsx1@gmail.com >
#
# DESCRIPTION: a simple way to mount an encrypted File Vault image on the current user's $HOME/Vault directory (Linux)
# USAGE: mount_vault --help
# LICENSE: GPL

use strict;

# Flush STDOUT after every print so the --debug output is not held back
# in a buffer while the external commands below run.
$| = 1;

# Version string printed by --version.
my $revision = '1.8';

# standard Perl modules
use Getopt::Long;
# 'bundling' allows single-letter flags to be combined, e.g. -Dv.
Getopt::Long::Configure('bundling');

# Args:
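# Defaults for the command-line options.  Values that depend on another
# option (the image and key file depend on --user; the loop device is only
# probed when --loop is absent) are filled in *after* GetOptions, so that
# the option they depend on is honoured.
my $PVERSION = 0;
my $HELP     = 0;
my $DEBUG    = 0;
# openssl cipher spec, e.g. -aes-256-ecb (see openssl --help for more).  It
# must keep the "-<cipher>-<bits>-<mode>" shape because the cipher name and
# key size are also split out of it for losetup's -e/-k arguments.
# NOTE(review): the default selects ECB mode, which is generally discouraged.
my $ENCRYPTION  = "-aes-256-ecb";
my $USER        = $ENV{'USER'};
my $MOUNT_POINT = $ENV{'HOME'} . "/Vault";
my $MOUNT_TYPE  = "xfs";
my $ENC_IMAGE    = undef;   # default /home/Shared/pri/ehd/$USER.img, set below
my $ENC_KEY_FILE = undef;   # default /etc/ehd/$USER.key, set below
my $EXTRA_MOUNT_OPTIONS = undef;
my $LOOP_DEV = undef;       # default: first unused loop device, set below

# get options
#   -v --version        print version and exit
#   -h --help           print this script's POD and exit
#   -D --debug          echo each command before running it
#   -E --mount-options  extra options appended to mount -o
#   -e --encryption     openssl cipher spec (see $ENCRYPTION above)
#   -i --image          encrypted image file
#   -f --key-file       openssl-encrypted key file for the image
#   -l --loop           loop device to use instead of the first free one
#   -m --mount-point    directory to mount the vault on
#   -u --user           user whose image and key file defaults are used
#   -t --type           file system type passed to mount -t
GetOptions(
    # flags
    'v|version'         =>  \$PVERSION,
    'h|help'            =>  \$HELP,
    'D|debug'           =>  \$DEBUG,
    # strings
    'E|mount-options=s' =>  \$EXTRA_MOUNT_OPTIONS,
    'e|encryption=s'    =>  \$ENCRYPTION,
    'i|image=s'         =>  \$ENC_IMAGE,
    'f|key-file=s'      =>  \$ENC_KEY_FILE,
    'l|loop=s'          =>  \$LOOP_DEV,
    'm|mount-point=s'   =>  \$MOUNT_POINT,
    'u|user=s'          =>  \$USER,
    't|type=s'          =>  \$MOUNT_TYPE
) or die ("Invalid options; try $0 --help\n");   # unknown flags must not reach the sudo commands below

if ( $HELP ) {
    # require, not use: a 'use' inside this block would still load Pod::Text
    # at compile time on every run.
    require Pod::Text;
    my $parser = Pod::Text->new (sentence => 0, width => 78);
    $parser->parse_from_file($0, \*STDOUT);
    exit 0;
}

if ( $PVERSION ) { print STDOUT ($revision, "\n"); exit 0; }

# Derived defaults, computed only now so that --user is honoured.
$ENC_IMAGE    = "/home/Shared/pri/ehd/$USER.img" unless defined $ENC_IMAGE;
$ENC_KEY_FILE = "/etc/ehd/$USER.key"            unless defined $ENC_KEY_FILE;

# find unused loop device, unless one was given with --loop.  This runs after
# --help/--version have been handled so they never trigger a sudo prompt.
if ( ! defined $LOOP_DEV or $LOOP_DEV =~ /^\s*$/ ) {
    $LOOP_DEV = qx/sudo losetup -f/; # "/dev/loop".int(rand(7));
    chomp($LOOP_DEV);
}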

# 1. sanity checks

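die ("File not found $ENC_IMAGE\n") if ( ! -e $ENC_IMAGE );
# openssl reads the key file as the invoking user (no sudo), so check
# readability here instead of letting openssl fail later with a less
# obvious error.
die ("Key file not readable $ENC_KEY_FILE\n") if ( ! -r $ENC_KEY_FILE );

if ( ! -d $MOUNT_POINT )
{
    die ("Could not create directory $MOUNT_POINT: $!\n") if ( ! mkdir($MOUNT_POINT,0700) );
} else {
    # check if something is already mounted there!  The mount point is
    # matched as a whole whitespace-delimited token, with \Q..\E quoting any
    # regex metacharacters in the path, so that neither $MOUNT_POINT/sub nor
    # a longer name with the same prefix is mistaken for it.
    my $mounted = qx/mount/;
    die ("File system already mounted at $MOUNT_POINT\n")
        if ( $mounted =~ m{ (?:^|\s) \Q$MOUNT_POINT\E (?:\s|$) }xm );
}

# $LOOP_DEV is interpolated into shell command lines (here and in the
# losetup/mount steps); it comes from 'losetup -f' or --loop, so accept only
# a plain /dev path and reject an empty value, which is what a failed
# 'losetup -f' leaves behind.
die ("Invalid loop device '$LOOP_DEV'\n")
    unless ( $LOOP_DEV =~ m{ \A /dev/ [\w./-]+ \z }x );

# detach whatever a previous run may have left on the loop device (best effort)
system("sudo losetup -d $LOOP_DEV 2> /dev/null");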

# 2. setup loop

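# "-aes-256-ecb" splits into ('', 'aes', '256', 'ecb'): the cipher name and
# key size are reused as losetup's -e and -k arguments.
my (undef, $LO_ENC, $LO_KEY) = split(/-/, $ENCRYPTION);
die ("Cannot derive losetup cipher/keysize from '$ENCRYPTION' (expected the form -aes-256-ecb)\n")
    unless ( defined $LO_ENC and $LO_ENC ne '' and defined $LO_KEY and $LO_KEY =~ /^\d+$/ );

# The decrypted key is piped straight into losetup (-p0 reads it from fd 0),
# so it never touches disk.  Every interpolated value is backslash-escaped
# with \Q..\E, which sh accepts as quoting, so paths containing spaces or
# shell metacharacters reach the commands literally.  The pipeline is wrapped
# in { ...; } 2>&1 so that the stderr of *both* commands lands in the
# captured output (openssl's stdout still goes only to losetup) and the
# /error/ scan below can actually see openssl's "bad decrypt" message.
my $cmd = "{ openssl enc -d \Q$ENCRYPTION\E -in \Q$ENC_KEY_FILE\E"
        . " | sudo losetup -e \Q$LO_ENC\E -k \Q$LO_KEY\E -p0 \Q$LOOP_DEV\E \Q$ENC_IMAGE\E; } 2>&1";
print STDOUT ($cmd, "\n") if ( $DEBUG );
my $output = qx/$cmd/;

# $? reflects only losetup, the last command of the pipeline; an openssl
# failure shows up as an error message in $output instead.
die ("Failed to setup unencrypted loopback on $LOOP_DEV\n$output")
    if ( $? != 0 or $output =~ /error/i );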

# 3. mount vault

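# Base mount options: exec allows programs inside the vault, nosuid makes
# the kernel ignore set-user-ID bits on them.  Anything given with
# --mount-options is appended only when it is non-blank.
my $MOUNT_OPTIONS = "exec,nosuid,rw,defaults";
$MOUNT_OPTIONS .= ",$EXTRA_MOUNT_OPTIONS"
    if ( defined($EXTRA_MOUNT_OPTIONS) and $EXTRA_MOUNT_OPTIONS !~ /^\s*$/ );

# List-form system() runs mount without a shell, so a mount point, type or
# option string containing spaces or shell metacharacters is passed as-is.
my @mount_cmd = ('sudo', 'mount', '-t', $MOUNT_TYPE, '-o', $MOUNT_OPTIONS, $LOOP_DEV, $MOUNT_POINT);
print STDOUT (join(' ', @mount_cmd), "\n") if ($DEBUG);
system(@mount_cmd);
if ( $? != 0 ) {
    warn ("Failed to mount encrypted image \n");
    # do not leave the decrypted image attached to the loop device
    system('sudo', 'losetup', '-d', $LOOP_DEV);
    exit 1;   # let callers (e.g. login scripts) see the failure
}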

__END__

=head1 NAME

mount_vault - a simple script to mount an encrypted file system. See http://www.kiskeyix.org/article.php?story_id=1151

=head1 SYNOPSIS

B<mount_vault>  [-v,--version]
                [-D,--debug] 
                [-h,--help]

=head1 DESCRIPTION 

    This script mounts an encrypted image from /home/Shared/pri/ehd/$USER.img to $HOME/Vault.
    To set up the .img file, please follow these instructions carefully:
    http://www.kiskeyix.org/article.php?story_id=1151

# need pam-mount only if you want the .img to be mounted at login

apt-get install libpam-mount openssl

# again, this is only for pam-mount

1. change /etc/pam.d/* files:

add B<@include common-pammount> after B<@include common-session> to
gdm, gdm-autologin, login, ssh, and any other login-related
service

2. create a password-protected encryption key:

C<mkdir /etc/ehd>

C<chmod 0750 /etc/ehd>

C<chown root:staff /etc/ehd>

C<dd if=/dev/urandom bs=1c count=32 | openssl enc -aes-256-ecb | tee /etc/ehd/$USER.key>

C<chmod 0640 /etc/ehd/$USER.key>

# where $USER is the user you want to have that given key file

C<chown :$GROUP /etc/ehd/$USER.key>

# where $GROUP is a group to which $USER belongs

3. create encrypted image:

# 1024 * 5 of block-size 1M = 5 GB image

dd if=/dev/urandom of=/home/Shared/pri/ehd/$USER.img bs=1M count=5120

openssl enc -d -aes-256-ecb -in /etc/ehd/$USER.key | losetup -e aes -k 256 -p0 /dev/loop0 /home/Shared/pri/ehd/$USER.img

chown $USER /home/Shared/pri/ehd/$USER.img

chmod 0600 /home/Shared/pri/ehd/$USER.img

mkfs -t xfs /dev/loop0

umount /dev/loop0

losetup -d /dev/loop0

# only need to edit /etc/fstab for pam-mount

4. edit /etc/fstab and add:

# encrypted hard drive

/home/Shared/pri/ehd/&.img /home/& xfs defaults,exec,user,rw,loop,encryption=aes,keybits=256,noauto 0 0

# this applies to pam-mount:

5. edit /etc/security/pam_mount.conf and add:

volume * local - /home/&.img - loop,user,exec,encryption=aes,keybits=256 aes-256-ecb /etc/ehd/&.key

6. edit /etc/login.defs and make sure that CLOSE_SESSION is set to "yes"

Notes:

* if the user ever changes his/her password, use the passwdehd script from libpam-mount to change the password for the /etc/ehd/$USER.key file

* Make sure you read /usr/share/doc/libpam-mount/README.Debian.gz file

=head1 OPTIONS

=over 8

=item -v,--version

prints version and exits

=item -D,--debug

enables debug mode

=item -h,--help

prints this help and exits

=back

=head1 AUTHOR

Luis Mondesi <lemsx1@gmail.com>

=cut
