From 02bd649d8a3580689e1a87baebc6c0b202d741db Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Thu, 2 Jul 2015 21:43:17 +0100
Subject: [PATCH] Use libgfshare for key splitting
---
man/freedombone-splitkey.1.gz | Bin 765 -> 769 bytes
src/freedombone | 24 ++++++-------
src/freedombone-recoverkey | 29 +++++-----------
src/freedombone-splitkey | 63 ++++++++++------------------------
4 files changed, 37 insertions(+), 79 deletions(-)
diff --git a/man/freedombone-splitkey.1.gz b/man/freedombone-splitkey.1.gz
index c725747fe73ea58f072a9c4ca7066c7531b1ee74..11128e346ea68103f416d62fa24930725ecd35cd 100644
GIT binary patch
literal 769
zcmV+c1OEIUiwFP=oRw7o1BFygZ`(!?z4KQLcxeJeRP3NYDg;HORF&P>mS9p15;rK8
z<cM6D`+=QZ+r0F*XO>dp8ln+`2V!RDy_q*}nH6WSbBMK3rO`Mc+ev?mJ)A)L<~95k
zG@QOZ`89=<-#;G@!j{neLU1W`5M7!iS$+oT)%<dqCZl-&OdyZnARz2Z8{0t4NbL>x
zAR2|*6YPwGPIz=sOY%;Z!AqkL1o`Ky^(H^hpCOq9xQXamDEtZ&4L3TdlA+A*k%1Ek
zH>iZ{K-9HEqOS+|KbHB2>+?-<zP?J6qLl<xIcYr%4D?Lzg40;Zox~bO_~5=39+c?8
zx2U1S$HBP3Xs~ThvJxFAtfhb#*krKH7kr$-pmy>O=_Rl%cbs*oj7KO%bsH>YaPEQI
zw8HsF$_$VO%^Ei7y(l}3ZKgmyc~snqtXdFVXYL6qqilza<*+h$==z~+*&*-183m{-
z*W1|Ro-9j}!a(JamopGW0UoD}ksq=!gmmNqAFOc^LPYUAKKOy*738f@GAc>Ph%68K
z*3_|(6|R9*9V8!6W5r%+Y6Y(=gMy>`ZxGg^aBweuEA?=EzoH~tz<<-M(ZM$V{^&BP
zB~R;(>$AhkxA}a<o-KMitRRqRn2csg0{r~kWl6HO(V#4954{Oc3C#+VIhdl49+UeM
zaZOyq-lp&Li|vZde2q~iC_}>o`Ph2vy`|Z7+VEVV%y?JRQc&xv>Hk`qN}_=D{cbFm
zFu%yxPwvKxlb5faOu^k$==@Q<>Ld#^n&Oh-wu~h@w(?l~L0S6@$8p%`ootT6veCvJ
z4`3Z0Bkym;NLb_jWOOK}#%FSBbR?%nCt~*=#e#mO^N299f`~JRoz1t!+4?$77N&$t
z<2~C0-j$|&?@VdDtSAe&nK!>DS?Q9^YBODJRx?=6e|vkneDijQE~Hod3uD{PU~xG)
ztv-cTE$;rVckZmcFkgzA?1$TrC=27ZNcqK3^$E+_U^4dDQ?BG2&=EY-69xbP6%mEZ
literal 765
zcmV<Z0s{RXiwFQd0FzY!1BF!EZrer>edkvU_>u&OsMtY)R0xVnsVcj*Ey1K3v~Ex=
z$q~6Q_kx{W+kEM_ca~D37@|=@55mmuoXeb5R$Rc&A=XBfM&pERC;dJ4a0co7cko-#
zaQ^P>hZIu&{(3wJTSE7W;9BS)x-?0$`~uRO`SmhQM(6!Kfjs^O0bzf&u?@tI)ZQ=$
z(J0iOU}qe3!lQ#)l6SHUUK)J>$p5@qZ}Q9h1&~RAyEt77g<oKz;Z6rt@+h-AB5(uY
z4waA{h`M%2^yM)Amu3Fx_Ht8Pu5Z$$Xe9wvPFfEG0=>Xpa2qSRlUTzD9z3?fgAzUX
z7B!T36vh{f2HW-|E75_%S_*iLO$OV1!N++R)J{Giy#co6fx8Zs@d%};?t`TaE<G?!
zE1Zv@i~woS>|ul6i?YK=GX?6&qhcnqYC&|Jc_gTevK{g)hn0Ci*AJ{^hr9!46riqL
zZzIP&Se7J(fyyB-X8?)@99723H(PjwbmRe_tZ{LKh~{~G@&m%#y%p3eh3o`t@A~iX
z9;IiNEQ-jsP7ofB5BWJ*K4NqR1#>tu64s({!!)S}e*5hu*#iEZW{nQE`RCj5q?T-i
zH?GePY1roT700>g?XaCdqCu86OA_GE{|7Kh);4B$P}iFPmC$THnL}Rs7(cl`5jV(p
zIQH}vez9F~&Tla~2xVwkkdM?`?=8)y(}s10GUGK)OF^xxrr%MTN}_=D_1P?!Fu%&z
z&z{Zevo~*_sbDr0I)75HI>`o&w)o2Mkj5Gvr+lpbq^x}b<Fst_PBtfH*=XZV1z3lt
zllKp1q^$9AGAhccaZOH*N^)vc5n**w3;G4-al$0#ojZq}&9}wH`Zi4#ri5$bJ;wt+
zmZtpKnbLS!Q5NnqZ+=R$(j}YKX1dy}X0V+9_~Cr{{=-mRNU!+cjbl55#r5R8`W#xd
vc=)5<xr_G7{8iLsKi&V1vM_FolwS?EK4Uo>LdF?;j+OieYB|?lE(QPq)UAE^
diff --git a/src/freedombone b/src/freedombone
index e943fea82..25cd729e4 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -1702,7 +1702,7 @@ function create_backup_script {
if grep -Fxq "create_backup_script" $COMPLETION_FILE; then
return
fi
- apt-get -y install rsyncrypto cryptsetup ssss
+ apt-get -y install rsyncrypto cryptsetup libgfshare-bin
get_mariadb_password
get_mariadb_gnusocial_admin_password
@@ -3782,7 +3782,7 @@ function backup_to_friends_servers {
# we just need to rsync it to each friend
echo '# For each remote server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo 'ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo 'ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'while read remote_server' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo 'do' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' # Get the server and its password' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
@@ -3810,22 +3810,20 @@ function backup_to_friends_servers {
if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then
echo " if [ -d /home/$MY_USERNAME/.gnupg_fragments ]; then" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " cd /home/$MY_USERNAME/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' no_of_fragments=$(ls -afq data* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' no_of_fragments=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' if [[ ${no_of_fragments} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' key_files=(/home/$MY_USERNAME/.gnupg_fragments/data*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' key_filename=${key_files[ctr]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' no_of_shares=$(ls -afq keyshare* | wc -l)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' no_of_shares=$((no_of_fragments - 2))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' if [[ ${no_of_shares} > 0 ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' share_files=(/home/$MY_USERNAME/.gnupg_fragments/keyshare*)' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' share_filename=${key_files[ctr_share]}' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " mkdir -p /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' ctrb=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo " sed \"$ctrbq;d\" /home/$MY_USERNAME/.gnupg_fragments/shares.txt > /home/$MY_USERNAME/tempkey/.gnupg_fragments/share.txt" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo " cp $key_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo " cp $share_filename /home/$MY_USERNAME/tempkey/.gnupg_fragments/data" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo -n ' /usr/bin/sshpass -p $REMOTE_PASSWORD ' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo "scp -r -P $REMOTE_SSH_PORT /home/$MY_USERNAME/tempkey/.gnupg_fragments $REMOTE_SERVER" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " shred -zu /home/$MY_USERNAME/tempkey/.gnupg_fragments/*" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo " rm -rf /home/$MY_USERNAME/tempkey" >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' ctr=$((ctr + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' if [[ ${ctr} >= ${no_of_fragments} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
- echo ' ctr=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' ctr_share=$((ctr_share + 1))' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' if [[ ${ctr_share} >= ${no_of_shares} ]]; then' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
+ echo ' ctr_share=0' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
echo ' fi' >> /usr/bin/$BACKUP_TO_FRIENDS_SCRIPT_NAME
diff --git a/src/freedombone-recoverkey b/src/freedombone-recoverkey
index 803a8262c..99ac67c3c 100755
--- a/src/freedombone-recoverkey
+++ b/src/freedombone-recoverkey
@@ -76,30 +76,17 @@ if [ ! -d $FRAGMENTS_DIR ]; then
exit 7483
fi
-# join the fragments
-if [ ! -d /home/$MY_USERNAME/.tempgnupg ]; then
- mkdir /home/$MY_USERNAME/.tempgnupg
-fi
-KEYS_FILE=/home/$MY_USERNAME/.tempgnupg/tempfile.asc
-cat $FRAGMENTS_DIR/data* > $KEYS_FILE.gpg
-if [ ! "$?" = "0" ]; then
- echo 'Unable to find key fragments'
- exit 8727
-fi
-
# decrypt the file
-cd /home/$MY_USERNAME/.tempgnupg
-gpg -d $KEYS_FILE.gpg -o $KEYS_FILE
-if [ ! "$?" = "0" ]; then
- echo 'Unable to decrypt data. This may mean that not enough fragments are available'
- exit 6283
-fi
-shred -zu $KEYS_FILE.gpg
+KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
+cd $FRAGMENTS_DIR
+gfcombine $KEYS_FILE.*
+
if [ ! -f $KEYS_FILE ]; then
- echo 'Unable to find decrypted key file. This may mean that not enough fragments are available'
- exit 8358
+ echo 'Unable to decrypt key. This may mean that not enough fragments are available'
+ exit 6283
fi
-echo 'Key fragments decrypted'
+
+echo 'Key fragments recombined'
# import the gpg key
su -c "gpg --allow-secret-key-import --import $KEYS_FILE" - $MY_USERNAME
diff --git a/src/freedombone-splitkey b/src/freedombone-splitkey
index e5f83e85c..a346acb91 100755
--- a/src/freedombone-splitkey
+++ b/src/freedombone-splitkey
@@ -37,11 +37,10 @@
KEY_FRAGMENTS=3
MY_USERNAME=
MY_EMAIL_ADDRESS=
-PASSPHRASE=
function show_help {
echo ''
- echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address] -p [passphrase]'
+ echo 'freedombone-splitkey -u [username] -n [number of fragments] -e [email address]'
echo ''
exit 0
}
@@ -66,10 +65,6 @@ case $key in
shift
MY_EMAIL_ADDRESS=$1
;;
- -p|--passphrase)
- shift
- PASSPHRASE=$1
- ;;
*)
# unknown option
;;
@@ -103,60 +98,38 @@ KEYID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - \
$MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
# create the key file
-KEYS_FILE=/home/$MY_USERNAME/tempdatafile.asc
-gpg --output /home/$MY_USERNAME/pubkey.txt --armor --export $KEYID
+mkdir -p $FRAGMENTS_DIR
+KEYS_FILE=$FRAGMENTS_DIR/keyshare.asc
+gpg --output $FRAGMENTS_DIR/pubkey.txt --armor --export $KEYID
if [ ! "$?" = "0" ]; then
echo "Unable to extract public key for $KEYID"
exit 7835
fi
-gpg --output /home/$MY_USERNAME/privkey.txt --armor --export-secret-key $KEYID
+gpg --output $FRAGMENTS_DIR/privkey.txt --armor --export-secret-key $KEYID
if [ ! "$?" = "0" ]; then
echo "Unable to extract private key for $KEYID"
exit 7823
fi
-cat /home/$MY_USERNAME/pubkey.txt /home/$MY_USERNAME/privkey.txt > $KEYS_FILE
-shred -zu /home/$MY_USERNAME/privkey.txt
-shred -zu /home/$MY_USERNAME/pubkey.txt
+cat $FRAGMENTS_DIR/pubkey.txt $FRAGMENTS_DIR/privkey.txt > $KEYS_FILE
+shred -zu $FRAGMENTS_DIR/privkey.txt
+shred -zu $FRAGMENTS_DIR/pubkey.txt
-# generate a random passphrase if one isn't supplied
-if [ ! $PASSPHRASE ]; then
- PASSPHRASE="$(openssl rand -base64 100)"
-fi
-
-# encrypt the keys file with a passphrase
-echo "$PASSPHRASE" | gpg --passphrase-fd 0 --output $KEYS_FILE.gpg --symmetric $KEYS_FILE
+KEY_SHARES=$((KEY_FRAGMENTS * 2))
+gfsplit -n $KEY_FRAGMENTS -m $KEY_SHARES $KEYS_FILE
if [ ! "$?" = "0" ]; then
- echo "Unable to encrypt the data prior to splitting"
- exit 7352
+ echo "Unable to split the gpg key"
+ rm -rf $FRAGMENTS_DIR
+ if [ -f $KEYS_FILE ]; then
+ shred -zu $KEYS_FILE
+ fi
+ exit 63028
fi
shred -zu $KEYS_FILE
-# split the passphrase into shares
-echo "$PASSPHRASE" | ssss-split -q -t $KEY_FRAGMENTS -n $KEY_FRAGMENTS > \
- /home/$MY_USERNAME/.gnupg_fragments/shares.txt
-
-# (maybe) overwrite passphrase after use
-PASSPHRASE="$(openssl rand -base64 100)"
-
-# check that passphrase shares were created
-if [ ! -f /home/$MY_USERNAME/.gnupg_fragments/shares.txt ]; then
- echo 'Passphrase for key fragments could not be split'
- shred -zu $KEYS_FILE.gpg
- exit 74549
-fi
-
-# generate fragments
-GPG_KEYS_SIZE_BYTES=$(wc -c <"$KEYS_FILE.gpg")
-GPG_BYTES_PER_FRAGMENT=$((GPG_KEYS_SIZE_BYTES / KEY_FRAGMENTS))
-GPG_BYTES_PER_FRAGMENT=$((GPG_BYTES_PER_FRAGMENT + 1))
-mkdir -p $FRAGMENTS_DIR
-split --bytes=$GPG_BYTES_PER_FRAGMENT $KEYS_FILE.gpg $FRAGMENTS_DIR/data
+# set permissions
chown -R $MY_USERNAME:$MY_USERNAME $FRAGMENTS_DIR
chmod -R 600 $FRAGMENTS_DIR
-# delete the keys file
-shred -zu $KEYS_FILE.gpg
-
-echo "$KEY_FRAGMENTS key fragments created"
+echo "$KEY_SHARES key shares created"
exit 0
--
GitLab