

First draft of (new style) of crouton passwordless encryption
mount-chroot now accepts a blank passphrase (after an explicit confirmation prompt) and, in that case,
saves the keys unencrypted between fixed padding markers instead of ecryptfs-wrapped keys.
Timvrakas committed Apr 9, 2015
1 parent 66d0393 commit 36b8bbd
Showing 1 changed file with 92 additions and 32 deletions.
124 changes: 92 additions & 32 deletions host-bin/mount-chroot
Expand Up @@ -12,6 +12,8 @@ CREATE=''
ENCRYPT=''
KEYFILE=''
PRINT=''
NOPASS=''
NOENC=''
ROOT="`readlink -m '/var/run/crouton'`"
MOUNTOPTS='rw,dev,exec,suid'

Expand Down Expand Up @@ -64,11 +66,6 @@ promptNewPassphrase() {
[ -t 0 ] && stty -echo
while [ -z "$passphrase" ]; do
read -r passphrase
if [ -z "$passphrase" ]; then
echo 1>&2
echo -n 'You must specify a passphrase: ' 1>&2
continue
fi
echo 1>&2
echo -n 'Please confirm your passphrase: ' 1>&2
read -r confirmation
Expand All @@ -77,6 +74,19 @@ promptNewPassphrase() {
echo 1>&2
echo -n 'Passphrases do not match; try again: ' 1>&2
fi
if [ -z "$passphrase" ]; then
echo 'You did not specify a passphrase! Your keys will not be encrypted.
You should only do this if you have specified to store the keys in your
encrypted user folder (/home/chronos/user/...) or on removable media.
Enter "Yes" to confirm, or "No" to set a passphrase' 1>&2
read -r response
echo 1>&2
if [ "$response" = "N*" -o "$response" = "n*" ]; then
continue
fi
echo 'No password set, keys will not be encrypted' 1>&2
NOPASS='y'
fi
confirmation=''
done
[ -t 0 ] && stty echo
Expand Down Expand Up @@ -185,29 +195,30 @@ for NAME in "$@"; do
echo 'done' 1>&2

# Create key file
wrappedkey="`mktemp`"
wrappedfnek="`mktemp`"
addtrap "rm -f '$wrappedkey' '$wrappedfnek'"
echo -n "$key
if [ -z "$NOPASS" ]; then
wrappedkey="`mktemp`"
wrappedfnek="`mktemp`"
addtrap "rm -f '$wrappedkey' '$wrappedfnek'"
echo -n "$key
$passphrase" | ecryptfs-wrap-passphrase "$wrappedkey" -
echo -n "$fnek
echo -n "$fnek
$passphrase" | ecryptfs-wrap-passphrase "$wrappedfnek" -
unset key fnek
echo | cat - "$wrappedkey" "$wrappedfnek" > "$KEYFILE"
unset key fnek
echo | cat - "$wrappedkey" "$wrappedfnek" > "$KEYFILE"
else
echo > "$KEYFILE"
echo -n '$$$$$$$$$$$$$$$$' >> "$KEYFILE"
echo -n "$key" >> "$KEYFILE"
echo -n "$fnek" >> "$KEYFILE"
echo -n '$$$$$$$$$$$$$$$$' >> "$KEYFILE"
unset key fnek
fi
if [ ! -f "$CHROOTSRC/.ecryptfs" ]; then
echo "$KEYFILE" > "$CHROOTSRC/.ecryptfs"
fi
elif [ ! -f "$KEYFILE" ]; then
error 1 "Unable to find encryption key file $KEYFILE"
else
echo -n "Enter encryption passphrase for $NAME: " 1>&2
[ -t 0 ] && stty -echo
if [ -z "$passphrase" ]; then
read -r passphrase
fi
[ -t 0 ] && stty echo
echo 1>&2

wrappedkey="`mktemp`"
wrappedfnek="`mktemp`"
addtrap "rm -f '$wrappedkey' '$wrappedfnek'"
Expand All @@ -216,32 +227,81 @@ $passphrase" | ecryptfs-wrap-passphrase "$wrappedfnek" -
tail -c 160 "$KEYFILE" | head -c 80 > "$wrappedkey"
tail -c 80 "$KEYFILE" > "$wrappedfnek"

PAD1="`cat "$wrappedkey" | head -c 16`"
PAD2="`cat "$wrappedfnek" | tail -c 16`"

if [ "$PAD1" == '$$$$$$$$$$$$$$$$' -a "$PAD2" == '$$$$$$$$$$$$$$$$']; then
NOENC='y'
key="`tail -c 64 "$wrappedkey"`"
fnek="`head -c 64 "$wrappedfnek"`"
else
echo -n "Enter encryption passphrase for $NAME: " 1>&2
[ -t 0 ] && stty -echo
if [ -z "$passphrase" ]; then
read -r passphrase
fi
[ -t 0 ] && stty echo
echo 1>&2
fi

# Change the passphrase if requested
if [ "${ENCRYPT:-0}" -ge 2 ]; then
oldpassphrase="$passphrase"
passphrase="$CROUTON_NEW_PASSPHRASE"
promptNewPassphrase

echo "Applying passphrase change" 1>&2
echo -n "$oldpassphrase

if [ -z "$NOENC" -a -z "$NOPASS" ]; then
echo -n "$oldpassphrase
$passphrase" | ecryptfs-rewrap-passphrase "$wrappedkey" -
echo -n "$oldpassphrase
echo -n "$oldpassphrase
$passphrase" | ecryptfs-rewrap-passphrase "$wrappedfnek" -
echo | cat - "$wrappedkey" "$wrappedfnek" > "$KEYFILE"
echo | cat - "$wrappedkey" "$wrappedfnek" > "$KEYFILE"
elif [ -n "$NOENC" -a -z "$NOPASS" ]; then
echo -n "$key
$passphrase" | ecryptfs-wrap-passphrase "$wrappedkey" -
echo -n "$fnek
$passphrase" | ecryptfs-wrap-passphrase "$wrappedfnek" -
echo | cat - "$wrappedkey" "$wrappedfnek" > "$KEYFILE"
unset key fnek
elif [ -z "$NOENC" -a -n "$NOPASS" ]; then
key="`echo -n "$oldpassphrase" \
| ecryptfs-unwrap-passphrase "$wrappedkey" - 2>/dev/null`"
fnek="`echo -n "$oldpassphrase" \
| ecryptfs-unwrap-passphrase "$wrappedfnek" - 2>/dev/null`"
echo > "$KEYFILE"
echo -n '$$$$$$$$$$$$$$$$' >> "$KEYFILE"
echo -n "$key" >> "$KEYFILE"
echo -n "$fnek" >> "$KEYFILE"
echo -n '$$$$$$$$$$$$$$$$' >> "$KEYFILE"
elif [ -n "$NOENC" -a -n "$NOPASS" ]; then
echo "Changing from nothing to nothing? You must be high-security..."
fi

NOENC=$NOPASS
unset oldpassphrase
fi
fi

# Add keys to keychain and extract
keysig="`echo -n "$passphrase" \
| ecryptfs-unwrap-passphrase "$wrappedkey" - 2>/dev/null \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
fneksig="`echo -n "$passphrase" \
| ecryptfs-unwrap-passphrase "$wrappedfnek" - 2>/dev/null \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
if [ -n "$NOENC" ]; then
keysig="`echo -n "$key" \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
fneksig="`echo -n "$fnek" \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
else
keysig="`echo -n "$passphrase" \
| ecryptfs-unwrap-passphrase "$wrappedkey" - 2>/dev/null \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
fneksig="`echo -n "$passphrase" \
| ecryptfs-unwrap-passphrase "$wrappedfnek" - 2>/dev/null \
| ecryptfs-add-passphrase - 2>/dev/null \
| sed -n 's/.*\[\([0-9a-zA-Z]*\)\].*/\1/p'`"
fi

if [ -z "$keysig" -o -z "$fneksig" ]; then
error 1 "Failed to decrypt $NAME."
fi
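Review bot: The confirmation test `if [ "$response" = "N*" -o "$response" = "n*" ]` compares against the literal strings `N*` and `n*`, so typing `No` never matches and every answer other than those two literals falls through to `NOPASS='y'` and stores the keys unencrypted; the safe default is to accept only an explicit yes, e.g. `case "$response" in [Yy]es) ;; *) continue;; esac`. The sentinel check `[ "$PAD1" == '$$$$$$$$$$$$$$$$' -a "$PAD2" == '$$$$$$$$$$$$$$$$']` is missing the space before the closing `]`, so `[` reports a missing bracket and returns non-zero and `NOENC` is never set for a padded keyfile; `==` is also a bashism where the rest of this file uses `=`. When converting a wrapped keyfile to passwordless, `key` and `fnek` come from `ecryptfs-unwrap-passphrase` with errors discarded and are written over `$KEYFILE` unchecked, so a wrong old passphrase silently replaces the wrapped keys with an empty padded file; guard with `[ -n "$key" -a -n "$fnek" ] || error 1 "Failed to decrypt $NAME."` before the `echo > "$KEYFILE"`. The enclosing `for NAME` loop body starts and ends outside the hunk.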
