author | Silvio Rhatto <rhatto@riseup.net> | 2013-07-09 11:56:10 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-07-09 11:56:10 -0300 |
commit | 12908bf27f5d70f496f31452a5fa3de32fceb31d (patch) | |
tree | 19657f2035d23f0dec69c9f4765e55530e3164d4 /share/hydractl/ecryptfs-home | |
parent | 52c80d9daef676228dec221ad149567d05be5f2f (diff) | |
Adding ecryptfs-home hydractl action
Diffstat (limited to 'share/hydractl/ecryptfs-home')
-rwxr-xr-x | share/hydractl/ecryptfs-home | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/share/hydractl/ecryptfs-home b/share/hydractl/ecryptfs-home
new file mode 100755
index 0000000..73598a5
--- /dev/null
+++ b/share/hydractl/ecryptfs-home
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Wrapper around ecryptfs-migrate-home
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+
+# Load
+source $APP_BASE/lib/hydra/functions || exit 1
+hydra_config_load
+
+# Command line arguments
+BASENAME="`basename $0`"
+USER="$1"
+SERVER="$2"
+
+# Syntax check
+if [ -z "$USER" ]; then
+ echo "usage: $BASENAME <user> [server]"
+ exit 1
+fi
+
+# Check if not already encrypted
+if [ -d "/home/.ecryptfs/$USER" ]; then
+ echo "$USER folder seems already encrypted, aborting."
+ exit 1
+fi
+
+# Check sudo
+if [ "`whoami`" != 'root' ]; then
+ sudo="sudo"
+fi
+
+# Script description
+cat <<EOF
+Please make sure you have backups of anything important on
+/home/$USER and /mnt/crypt/home/$USER as these folders will
+be overwritten.
+
+Use this script AT YOUR OWN RISK.
+
+Press any key to continue, or ^C to abort.
+EOF
+
+read prompt
+
+# Make sure we have the needed dependencies
+hydra_install_package ecryptfs-utils
+
+# Start the migration
+$sudo modprobe ecryptfs
+$sudo ecryptfs-migrate-home -u $USER
+
+# Remove user folder
+#rm -rf /home/$USER.*
+rm -rf /mnt/crypt/home/$USER
+
+# We don't want unencrypted content to rest in our backups, so we should
+# not let the user folder to be mounted on /home
+#
+# For more info, see the backup policy under puppet-backup module.
+$sudo mkdir -p /mnt/crypt/home
+$sudo mv /home/$USER /mnt/crypt/home/$USER
+$sudo ln -s /mnt/crypt/home/$USER /home/$USER
+echo "/mnt/crypt/home/$USER" | $sudo tee -a /home/.ecryptfs/$USER/.ecryptfs/Private.mnt
+
+# Unwrap the passphrase once so the user can save it
+echo "Please save the unwrapped passphrase in a safe place:"
+$sudo ecryptfs-unwrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase
+
+# Sync files
+if [ ! -z "$SERVER" ]; then
+ echo "Mounting $USER's home..."
+ su $USER -c "ecryptfs-mount-private"
+
+ echo "Syncing files from $USER's home on $SERVER..."
+ rsync -avz --exclude=.ecryptfs --exclude=.Private --exclude=.unison \
+ /home/$USER/ $SERVER:/home/$USER/
+fi
+
+# Final recommendation
+echo "Done migrating $USER home to ecryptfs"
+echo "When ready, WIPE /home/$USER.*" |
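Review bot: `$sudo ecryptfs-migrate-home -u $USER` is followed straight by `rm -rf /mnt/crypt/home/$USER` and `$sudo mv /home/$USER /mnt/crypt/home/$USER` with no check of its exit status, so a failed migration still wipes the /mnt/crypt copy and relocates the still-plaintext home; abort on failure instead, `$sudo ecryptfs-migrate-home -u "$USER" || { echo "ecryptfs-migrate-home failed, aborting" >&2; exit 1; }`. That `rm -rf` is also the one privileged step written without `$sudo`, and if it fails for a non-root caller the following `mv` moves the home into the stale directory as /mnt/crypt/home/$USER/$USER rather than replacing it. `$USER` comes from argv unquoted and is only tested for emptiness, so a value containing whitespace, a glob or a `..` component changes which path the `rm -rf`, `mv` and `ln -s` operate on; check it against the account database first, `getent passwd -- "$USER" >/dev/null || { echo "no such user: $USER" >&2; exit 1; }`, and quote every expansion. Assigning `USER="$1"` also overwrites the login session's exported USER, which child commands such as `su` or rsync may consult — a script-local name like `target_user` seems safer, though I have not confirmed any of the called tools read it. Finally, `ecryptfs-unwrap-passphrase` writes the unwrapped passphrase to the terminal, where it ends up in scrollback and any session recording; the comment above it could say so, e.g. `# NOTE: the passphrase is printed in clear; clear your terminal/session log afterwards`.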