Download
#!/usr/bin/perl -w
# $Revision: 1.8 $
# $Date: 2006-04-20 03:24:27 $
# Luis Mondesi < lemsx1@gmail.com >
#
# DESCRIPTION: simple way to mount a File Vault on Linux $HOME/Vault directory for the current user
# USAGE: mount_vault --help
# LICENSE: GPL
use strict;
$|++;
my $revision='1.8'; # version
# standard Perl modules
use Getopt::Long;
Getopt::Long::Configure('bundling');
# Args:
my $PVERSION=0;
my $HELP=0;
my $DEBUG=0;
my $ENCRYPTION = "-aes-256-ecb"; # ie -aes-256-ecb, etc... openssl --help for more
my $USER = $ENV{'USER'};
my $MOUNT_POINT = $ENV{'HOME'}."/Vault";
my $MOUNT_TYPE = "xfs";
my $ENC_IMAGE = "/home/Shared/pri/ehd/$USER.img";
my $ENC_KEY_FILE = "/etc/ehd/$USER.key";
my $EXTRA_MOUNT_OPTIONS=undef;
# find unused loop device
my $LOOP_DEV = qx/sudo losetup -f/; # "/dev/loop".int(rand(7));
chomp($LOOP_DEV);
# get options
GetOptions(
# flags
'v|version' => \$PVERSION,
'h|help' => \$HELP,
'D|debug' => \$DEBUG,
# strings
'E|mount-options=s' => \$EXTRA_MOUNT_OPTIONS,
'e|encryption=s' => \$ENCRYPTION,
'i|image=s' => \$ENC_IMAGE,
'f|key-file=s' => \$ENC_KEY_FILE,
'l|loop=s' => \$LOOP_DEV,
'm|mount-point=s' => \$MOUNT_POINT,
'u|user=s' => \$USER,
't|type=s' => \$MOUNT_TYPE
);
if ( $HELP ) {
use Pod::Text;
my $parser = Pod::Text->new (sentence => 0, width => 78);
$parser->parse_from_file($0,\*STDOUT);
exit 0;
}
if ( $PVERSION ) { print STDOUT ($revision,"
"); exit 0; }
# 1. sanity checks
die ("File not found $ENC_IMAGE
") if ( ! -e $ENC_IMAGE );
if ( ! -d $MOUNT_POINT )
{
die ("Could not create directory $MOUNT_POINT
") if ( ! mkdir($MOUNT_POINT,0700) );
} else {
# check if something is already mounted there!
my $mounted = qx/mount/;
die ("File system already mounted at $MOUNT_POINT
")
if ( $mounted =~ /$MOUNT_POINT/mig);
}
system("sudo losetup -d $LOOP_DEV 2> /dev/null");
# 2. setup loop
my ($LO_foo,$LO_ENC,$LO_KEY,$LO_OTHER) = split(/-/,$ENCRYPTION);
my $cmd = "openssl enc -d $ENCRYPTION -in $ENC_KEY_FILE | sudo losetup -e $LO_ENC -k $LO_KEY -p0 $LOOP_DEV $ENC_IMAGE";
print STDOUT ($cmd,"
") if ( $DEBUG );
my $err = qx/$cmd/;
die ("Failed to setup unencrypted loopback on $LOOP_DEV
")
if ($? != 0 or $err =~ /error/i);
# 3. mount vault
my $MOUNT_OPTIONS = (defined($EXTRA_MOUNT_OPTIONS) and $EXTRA_MOUNT_OPTIONS !~ /^\s*$/) ? "exec,nosuid,rw,defaults,$EXTRA_MOUNT_OPTIONS":"exec,nosuid,rw,defaults";
my $mount_cmd = "sudo mount -t $MOUNT_TYPE -o $MOUNT_OPTIONS $LOOP_DEV $MOUNT_POINT";
print STDOUT ($mount_cmd,"
") if ($DEBUG);
system($mount_cmd);
warn ("Failed to mount encrypted image
") if ($? != 0);
__END__
=head1 NAME
mount_vault - a simple script to mount an encrypted file system. See http://www.kiskeyix.org/article.php?story_id=1151
=head1 SYNOPSIS
B<mount_vault> [-v,--version]
[-D,--debug]
[-h,--help]
=head1 DESCRIPTION
This script mounts an encrypted image from /home/Shared/pri/ehd/$USER.img to $HOME/Vault.
To setup the .img file, please follow this instructions carefully:
http://www.kiskeyix.org/article.php?story_id=1151
# need pam-mount only if you want the .img to be mounted at login
apt-get install libpam-mount openssl
# again, this is only for pam-mount
1. change /etc/pam.d/* files:
add B<@include common-pammount> after B<@include common-session> to
gdm, gdm-autologin, login, ssh, and any other login-related
service
2. create a password-proteced encryption key:
C<mkdir /etc/ehd>
C<chmod 0750 /etc/ehd>
C<chown root:staff /etc/ehd>
C<dd if=/dev/urandom bs=1c count=32 | openssl enc -aes-256-ecb | tee /etc/ehd/$USER.key>
C<chmod 0640 /etc/ehd/$USER.key>
# where $USER is the user you want to have that given key file
C<chown :$GROUP /etc/ehd/$USER.key>
# where $GROUP is a group where $USER belong
3. create encrypted image:
# 1024 * 5 of block-size 1M = 5 GB image
dd if=/dev/urandom of=/home/Shared/pri/ehd/$USER.img bs=1M count=5120
openssl enc -d -aes-256-ecb -in /etc/ehd/$USER.key | \
losetup -e aes -k 256 -p0 /dev/loop0 /home/Shared/pri/ehd/$USER.img
chown $USER /home/Shared/pri/ehd/$USER.img
chmod 0600 /home/Shared/pri/ehd/$USER.img
mkfs -t xfs /dev/loop0
umount /dev/loop0
losetup -d /dev/loop0
# only need to edit /etc/fstab for pam-mount
4. edit /etc/fstab and add:
# encrypted hard drive
/home/Shared/pri/ehd/&.img /home/& xfs defaults,exec,user,rw,loop,encryption=aes,keybits=256,noauto 0 0
# this applies to pam-mount:
5. edit /etc/security/pam_mount.conf and add:
volume * local - /home/&.img - loop,user,exec,encryption=aes,keybits=256 aes-256-ecb /etc/ehd/&.key
6. edit /etc/login.defs and make sure that CLOSE_SESSION is set to "yes"
Notes:
* if the user ever changes his/her password, use the passwdehd script from libpam-mount to change the password for the /etc/ehd/$USER.key file
* Make sure you read /usr/share/doc/libpam-mount/README.Debian.gz file
=head1 OPTIONS
=over 8
=item -v,--version
prints version and exits
=item -D,--debug
enables debug mode
=item -h,--help
prints this help and exits
=back
=head1 AUTHOR
Luis Mondesi <lemsx1@gmail.com>
=cut