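#!/bin/bash
#
# Wrapper around ecryptfs-migrate-home
#
# Usage: <this script> <user> [server]
#   user   - login name whose /home/<user> is migrated to ecryptfs
#   server - optional host to rsync the user's files from after the migration
#
# Requires $APP_BASE to point at the hydra tree (lib/hydra/functions is sourced
# from there). Must be run as root or by a user who can sudo.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.

# Load
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load

# Print a message on stderr and abort. Used for the checks added below; the
# pre-existing messages keep their original stdout stream.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Command line arguments
BASENAME="$(basename "$0")"
# NOTE(review): this shadows the login-name env var USER; the sourced hydra
# helpers are not visible here, so keep the name unless they are confirmed
# not to read it.
USER="$1"
SERVER="$2"

# Syntax check
if [ -z "$USER" ]; then
  echo "usage: $BASENAME <user> [server]"
  exit 1
fi

# $USER is spliced into paths that are rm -rf'd, mv'd and symlinked below, so
# refuse anything that is not a plain single path component.
case "$USER" in
  */* | . | ..)
    die "invalid user name: $USER"
    ;;
esac
# ecryptfs-migrate-home needs an existing account; fail before touching the
# system rather than after modprobe.
id -u "$USER" >/dev/null 2>&1 || die "no such user: $USER"

# Check if not already encrypted
if [ -d "/home/.ecryptfs/$USER" ]; then
  echo "$USER folder seems already encrypted, aborting."
  exit 1
fi

# Check sudo: privileged commands are prefixed with $sudo, which is empty
# when we already run as root.
sudo=""
if [ "$(whoami)" != 'root' ]; then
  sudo="sudo"
fi

# Script description
cat <<EOF
Please make sure you have backups of anything important on /home/$USER and
/mnt/crypt/home/$USER as these folders will be overwritten.

Also, please make sure $USER is not logged in.

Use this script AT YOUR OWN RISK.

Press any key to continue, or ^C to abort.
EOF
# -r so a stray backslash in the input is not interpreted; the value is unused.
read -r _

# Make sure we have the needed dependencies
hydra_install_package ecryptfs-utils

# Start the migration
$sudo modprobe ecryptfs || die "Error loading the ecryptfs kernel module"
if ! $sudo ecryptfs-migrate-home -u "$USER"; then
  echo "Error migrating $USER's folder"
  exit 1
fi

# Remove user folder
#rm -rf /home/$USER.*
# Runs through $sudo like every other operation under /mnt/crypt/home, so a
# non-root invocation cannot silently leave a stale directory behind that the
# mv below would then descend into. ${USER:?} aborts instead of expanding to
# the parent directory should USER be empty.
$sudo rm -rf -- "/mnt/crypt/home/${USER:?}"

# We don't want unencrypted content to rest in our backups, so we should
# not let the user folder to be mounted on /home
#
# For more info, see the backup policy under puppet-backup module.
# Each step is checked: a failed move or link would leave Private.mnt
# pointing at a path that does not exist.
$sudo mkdir -p /mnt/crypt/home || die "Error creating /mnt/crypt/home"
$sudo mv -- "/home/$USER" "/mnt/crypt/home/$USER" \
  || die "Error moving /home/$USER to /mnt/crypt/home/$USER"
$sudo ln -s -- "/mnt/crypt/home/$USER" "/home/$USER" \
  || die "Error linking /home/$USER to /mnt/crypt/home/$USER"
printf '%s\n' "/mnt/crypt/home/$USER" \
  | $sudo tee "/home/.ecryptfs/$USER/.ecryptfs/Private.mnt" \
  || die "Error writing Private.mnt for $USER"

# Unwrap the passphrase once so the user can save it
# This prints the recovery secret to the terminal; do not run this script with
# tracing (set -x) or under a session recorder.
echo "Please save the unwrapped passphrase in a safe place:"
$sudo ecryptfs-unwrap-passphrase "/home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase"

# Sync files
if [ -n "$SERVER" ]; then
  echo "Mounting $USER's home..."
  # The mount must succeed before syncing: otherwise rsync would write the
  # user's files in clear into the unmounted mount-point directory.
  su "$USER" -c "ecryptfs-mount-private" \
    || die "Error mounting $USER's private directory, not syncing"
  echo "Syncing files from $USER's home on $SERVER..."
  rsync -avz --exclude=.ecryptfs --exclude=.Private --exclude=.unison \
    "$SERVER:/home/$USER/" "/home/$USER/"
fi

# Final recommendation
echo "Done migrating $USER home to ecryptfs"
echo "When ready, WIPE /home/$USER.*"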