Diffstat (limited to 'share')
-rwxr-xr-x | share/hydractl/ecryptfs-home | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/share/hydractl/ecryptfs-home b/share/hydractl/ecryptfs-home
new file mode 100755
index 0000000..73598a5
--- /dev/null
+++ b/share/hydractl/ecryptfs-home
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Wrapper around ecryptfs-migrate-home
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+
+# Load
+source $APP_BASE/lib/hydra/functions || exit 1
+hydra_config_load
+
+# Command line arguments
+BASENAME="`basename $0`"
+USER="$1"
+SERVER="$2"
+
+# Syntax check
+if [ -z "$USER" ]; then
+ echo "usage: $BASENAME <user> [server]"
+ exit 1
+fi
+
+# Check if not already encrypted
+if [ -d "/home/.ecryptfs/$USER" ]; then
+ echo "$USER folder seems already encrypted, aborting."
+ exit 1
+fi
+
+# Check sudo
+if [ "`whoami`" != 'root' ]; then
+ sudo="sudo"
+fi
+
+# Script description
+cat <<EOF
+Please make sure you have backups of anything important on
+/home/$USER and /mnt/crypt/home/$USER as these folders will
+be overwritten.
+
+Use this script AT YOUR OWN RISK.
+
+Press any key to continue, or ^C to abort.
+EOF
+
+read prompt
+
+# Make sure we have the needed dependencies
+hydra_install_package ecryptfs-utils
+
+# Start the migration
+$sudo modprobe ecryptfs
+$sudo ecryptfs-migrate-home -u $USER
+
+# Remove user folder
+#rm -rf /home/$USER.*
+rm -rf /mnt/crypt/home/$USER
+
+# We don't want unencrypted content to rest in our backups, so we should
+# not let the user folder to be mounted on /home
+#
+# For more info, see the backup policy under puppet-backup module.
+$sudo mkdir -p /mnt/crypt/home
+$sudo mv /home/$USER /mnt/crypt/home/$USER
+$sudo ln -s /mnt/crypt/home/$USER /home/$USER
+echo "/mnt/crypt/home/$USER" | $sudo tee -a /home/.ecryptfs/$USER/.ecryptfs/Private.mnt
+
+# Unwrap the passphrase once so the user can save it
+echo "Please save the unwrapped passphrase in a safe place:"
+$sudo ecryptfs-unwrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase
+
+# Sync files
+if [ ! -z "$SERVER" ]; then
+ echo "Mounting $USER's home..."
+ su $USER -c "ecryptfs-mount-private"
+
+ echo "Syncing files from $USER's home on $SERVER..."
+ rsync -avz --exclude=.ecryptfs --exclude=.Private --exclude=.unison \
+ /home/$USER/ $SERVER:/home/$USER/
+fi
+
+# Final recommendation
+echo "Done migrating $USER home to ecryptfs"
+echo "When ready, WIPE /home/$USER.*" |
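Review bot: Nothing checks that `ecryptfs-migrate-home` succeeded before the destructive steps after it, so a failed migration still reaches `rm -rf /mnt/crypt/home/$USER` and the `mv` of a home that is still unencrypted; the script sets no `set -e` and the call has no `|| exit 1`. `$USER` is taken straight from `$1`, tested only for emptiness, and expanded unquoted in `rm -rf`, `mv`, `ln -s`, `tee -a` and `su`, so a value containing whitespace, a glob character or `/` can point those commands at paths other than the intended home. I would confirm the account exists with `id -u "$USER" >/dev/null || exit 1`, change the migration line to `$sudo ecryptfs-migrate-home -u "$USER" || exit 1`, and write the removal as `rm -rf -- "/mnt/crypt/home/${USER:?}"`. The `rm -rf` is also the only step on `/mnt/crypt/home` that is not prefixed with `$sudo`, which looks unintended for a non-root caller. Assigning to `USER` overwrites the login-name environment variable that child processes may read, so a name such as `target_user` would be safer.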