summaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
Diffstat (limited to 'share')
-rwxr-xr-xshare/hydractl/ecryptfs-home94
1 files changed, 94 insertions, 0 deletions
diff --git a/share/hydractl/ecryptfs-home b/share/hydractl/ecryptfs-home
new file mode 100755
index 0000000..73598a5
--- /dev/null
+++ b/share/hydractl/ecryptfs-home
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Wrapper around ecryptfs-migrate-home
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+
+# Load
+source $APP_BASE/lib/hydra/functions || exit 1
+hydra_config_load
+
+# Command line arguments
+BASENAME="`basename $0`"
+USER="$1"
+SERVER="$2"
+
+# Syntax check
+if [ -z "$USER" ]; then
+ echo "usage: $BASENAME <user> [server]"
+ exit 1
+fi
+
+# Check if not already encrypted
+if [ -d "/home/.ecryptfs/$USER" ]; then
+ echo "$USER folder seems already encrypted, aborting."
+ exit 1
+fi
+
+# Check sudo
+if [ "`whoami`" != 'root' ]; then
+ sudo="sudo"
+fi
+
+# Script description
+cat <<EOF
+Please make sure you have backups of anything important on
+/home/$USER and /mnt/crypt/home/$USER as these folders will
+be overwritten.
+
+Use this script AT YOUR OWN RISK.
+
+Press any key to continue, or ^C to abort.
+EOF
+
+read prompt
+
+# Make sure we have the needed dependencies
+hydra_install_package ecryptfs-utils
+
+# Start the migration
+$sudo modprobe ecryptfs
+$sudo ecryptfs-migrate-home -u $USER
+
+# Remove user folder
+#rm -rf /home/$USER.*
+rm -rf /mnt/crypt/home/$USER
+
+# We don't want unencrypted content to rest in our backups, so we should
+# not let the user folder to be mounted on /home
+#
+# For more info, see the backup policy under puppet-backup module.
+$sudo mkdir -p /mnt/crypt/home
+$sudo mv /home/$USER /mnt/crypt/home/$USER
+$sudo ln -s /mnt/crypt/home/$USER /home/$USER
+echo "/mnt/crypt/home/$USER" | $sudo tee -a /home/.ecryptfs/$USER/.ecryptfs/Private.mnt
+
+# Unwrap the passphrase once so the user can save it
+echo "Please save the unwrapped passphrase in a safe place:"
+$sudo ecryptfs-unwrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase
+
+# Sync files
+if [ ! -z "$SERVER" ]; then
+ echo "Mounting $USER's home..."
+ su $USER -c "ecryptfs-mount-private"
+
+ echo "Syncing files from $USER's home on $SERVER..."
+ rsync -avz --exclude=.ecryptfs --exclude=.Private --exclude=.unison \
+ /home/$USER/ $SERVER:/home/$USER/
+fi
+
+# Final recommendation
+echo "Done migrating $USER home to ecryptfs"
+echo "When ready, WIPE /home/$USER.*"