Use libgfshare for key splitting

02bd649d · Bob Mottram · 7b6cd7ad · 02bd649d · 02bd649d · 02bd649d
Commit 02bd649d authored 9 years ago by Bob Mottram
--- a/man/freedombone-splitkey.1.gz
+++ b/man/freedombone-splitkey.1.gz
--- a/src/freedombone
+++ b/src/freedombone
@@ -1702,7 +1702,7 @@ function create_backup_script {
  if grep -Fxq "create_backup_script" $COMPLETION_FILE; then
      return
  fi
-  apt-get -y install rsyncrypto cryptsetup ssss
+  apt-get -y install rsyncrypto cryptsetup libgfshare-bin
  
  get_mariadb_password
  get_mariadb_gnusocial_admin_password
@@ -3782,7 +3782,7 @@ function backup_to_friends_servers {
  # we just need to rsync it to each friend
  
  echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-  echo 'ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+  echo 'ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
  echo '  # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@@ -3810,22 +3810,20 @@ function backup_to_friends_servers {
  if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
      echo "    if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "        cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        no_of_fragments=$(ls -afq data* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        no_of_fragments=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '        if [[ ${no_of_fragments} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            key_files=(/home/$MY_USERNAME/.gnupg_fragments/data*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            key_filename=${key_files[ctr]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '        no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '        no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '        if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            share_filename=${key_files[ctr_share]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "            mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            ctrb=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            sed \"$ctrbq;d\" /home/$MY_USERNAME/.gnupg_fragments/shares.txt > /home/$MY_USERNAME/tempkey/.gnupg_fragments/share.txt" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo "            cp $key_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo "            cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/data" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo -n '            /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "            shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo "            rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            ctr=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '            if [[ ${ctr} >= ${no_of_fragments} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
-      echo '                ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            ctr_share=$((ctr_share + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '            if [[ ${ctr_share} >= ${no_of_shares} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+      echo '                ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '            fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '        fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
      echo '    fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME

--- a/src/freedombone-recoverkey
+++ b/src/freedombone-recoverkey
@@ -76,30 +76,17 @@ if [ ! -d $FRAGMENTS_DIR ]; then
    exit 7483
 fi

-# join the fragments
-if [ ! -d /home/$MY_USERNAME/.tempgnupg ]; then
-    mkdir /home/$MY_USERNAME/.tempgnupg
-fi
-KEYS_FILE=/home/$MY_USERNAME/.tempgnupg/tempfile.asc
-cat $FRAGMENTS_DIR/data* > $KEYS_FILE.gpg
-if [ ! "$?" = "0" ]; then
-    echo 'Unable to find key fragments'
-    exit 8727
-fi
-
 # decrypt the file
-cd /home/$MY_USERNAME/.tempgnupg
-gpg -d $KEYS_FILE.gpg -o $KEYS_FILE
-if [ ! "$?" = "0" ]; then
-    echo 'Unable to decrypt data. This may mean that not enough fragments are available'
-    exit 6283
-fi
-shred -zu $KEYS_FILE.gpg
+KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
+cd $FRAGMENTS_DIR
+gfcombine $KEYS_FILE.*
+
 if [ ! -f $KEYS_FILE ]; then
-    echo 'Unable to find decrypted key file. This may mean that not enough fragments are available'
-    exit 8358
+    echo 'Unable to decrypt key. This may mean that not enough fragments are available'
+    exit 6283
 fi
-echo 'Key fragments decrypted'
+
+echo 'Key fragments recombined'

 # import the gpg key
 su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME

--- a/src/freedombone-splitkey
+++ b/src/freedombone-splitkey
@@ -37,11 +37,10 @@
 KEY_FRAGMENTS=3
 MY_USERNAME=
 MY_EMAIL_ADDRESS=
-PASSPHRASE=

 function show_help {
    echo ''
-    echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address] -p [passphrase]'
+    echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address]'
    echo ''
    exit 0
 }
@@ -66,10 +65,6 @@ case $key in
    shift
    MY_EMAIL_ADDRESS=$1
    ;;
-    -p|--passphrase)
-    shift
-    PASSPHRASE=$1
-    ;;
    *)
    # unknown option
    ;;
@@ -103,60 +98,38 @@ KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - \
        $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')

 # create the key file
-KEYS_FILE=/home/$MY_USERNAME/tempdatafile.asc
-gpg --output /home/$MY_USERNAME/pubkey.txt --armor --export $KEYID
+mkdir -p $FRAGMENTS_DIR
+KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
+gpg --output $FRAGMENTS_DIR/pubkey.txt --armor --export $KEYID
 if [ ! "$?" = "0" ]; then
    echo "Unable to extract public key for $KEYID"
    exit 7835
 fi
-gpg --output /home/$MY_USERNAME/privkey.txt --armor --export-secret-key $KEYID
+gpg --output $FRAGMENTS_DIR/privkey.txt --armor --export-secret-key $KEYID
 if [ ! "$?" = "0" ]; then
    echo "Unable to extract private key for $KEYID"
    exit 7823
 fi
-cat /home/$MY_USERNAME/pubkey.txt /home/$MY_USERNAME/privkey.txt > $KEYS_FILE
-shred -zu /home/$MY_USERNAME/privkey.txt
-shred -zu /home/$MY_USERNAME/pubkey.txt
+cat $FRAGMENTS_DIR/pubkey.txt $FRAGMENTS_DIR/privkey.txt > $KEYS_FILE
+shred -zu $FRAGMENTS_DIR/privkey.txt
+shred -zu $FRAGMENTS_DIR/pubkey.txt

-# generate a random passphrase if one isn't supplied
-if [ ! $PASSPHRASE ]; then
-    PASSPHRASE="$(openssl rand -base64 100)"
-fi
-
-# encrypt the keys file with a passphrase
-echo "$PASSPHRASE" | gpg --passphrase-fd 0 --output $KEYS_FILE.gpg --symmetric $KEYS_FILE
+KEY_SHARES=$((KEY_FRAGMENTS * 2))
+gfsplit -n $KEY_FRAGMENTS -m $KEY_SHARES $KEYS_FILE
 if [ ! "$?" = "0" ]; then
-    echo "Unable to encrypt the data prior to splitting"
-    exit 7352
+    echo "Unable to split the gpg key"
+    rm -rf $FRAGMENTS_DIR
+    if [ -f $KEYS_FILE ]; then
+        shred -zu $KEYS_FILE
+    fi
+    exit 63028
 fi
 shred -zu $KEYS_FILE

-# split the passphrase into shares
-echo "$PASSPHRASE" | ssss-split -q -t $KEY_FRAGMENTS -n $KEY_FRAGMENTS > \
-                                /home/$MY_USERNAME/.gnupg_fragments/shares.txt
-
-# (maybe) overwrite passphrase after use
-PASSPHRASE="$(openssl rand -base64 100)"
-
-# check that passphrase shares were created
-if [ ! -f /home/$MY_USERNAME/.gnupg_fragments/shares.txt ]; then
-    echo 'Passphrase for key fragments could not be split'
-    shred -zu $KEYS_FILE.gpg
-    exit 74549
-fi
-
-# generate fragments
-GPG_KEYS_SIZE_BYTES=$(wc -c <"$KEYS_FILE.gpg")
-GPG_BYTES_PER_FRAGMENT=$((GPG_KEYS_SIZE_BYTES / KEY_FRAGMENTS))
-GPG_BYTES_PER_FRAGMENT=$((GPG_BYTES_PER_FRAGMENT + 1))
-mkdir -p $FRAGMENTS_DIR
-split --bytes=$GPG_BYTES_PER_FRAGMENT $KEYS_FILE.gpg $FRAGMENTS_DIR/data
+# set permissions
 chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR
 chmod -R 600 $FRAGMENTS_DIR

-# delete the keys file
-shred -zu $KEYS_FILE.gpg
-
-echo "$KEY_FRAGMENTS key fragments created"
+echo "$KEY_SHARES key shares created"

 exit 0