tomb

the crypto undertaker
git clone git://parazyd.org/tomb.git
Log | Files | Refs | README | LICENSE

commit 1af4c42749f10f25d9deb5f7bf6ddbffeabb7799
parent 35e1afdcebfbf8d1eaf7edb59187a4039d45eec4
Author: Jaromil <jaromil@dyne.org>
Date:   Tue, 17 Jan 2012 17:28:40 +0100

messaging and debugging enhancements

Now checks for GnuPG and lists available ciphers

Some more information about the tomb opened is retrieved via cryptsetup
Also some duplicate strings were eliminated and year notices were updated

Diffstat:
Msrc/tomb | 91++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 65 insertions(+), 26 deletions(-)

diff --git a/src/tomb b/src/tomb @@ -4,7 +4,7 @@ # # a tool to easily operate file encryption of private and secret data # -# {{{ Copyleft (C) 2007-2011 Denis Roio <jaromil@dyne.org> +# {{{ Copyleft (C) 2007-2012 Denis Roio <jaromil@dyne.org> # # This source code is free software; you can redistribute it and/or @@ -23,8 +23,8 @@ # }}} # {{{ GLOBAL VARIABLES -VERSION=1.2 -DATE=Nov/2011 +VERSION=1.3 +DATE=Nov/2012 TOMBEXEC=$0 TOMBOPENEXEC="${TOMBEXEC}-open" typeset -a OLDARGS @@ -63,13 +63,13 @@ function _msg() { pchars=" . "; pcolor="green" ;; verbose) - pchars="[D]"; pcolor="yellow" + pchars="[D]"; pcolor="blue" ;; success) pchars="(*)"; pcolor="green"; message="%{%F{$pcolor}%}${2}%{%f%}" ;; warning) - pchars="[W]"; pcolor="red"; message="%{%F{yellow}%}${2}%{%f%}" + pchars="[W]"; pcolor="yellow"; message="%{%F{$pcolor}%}${2}%{%f%}" ;; failure) pchars="[E]"; pcolor="red"; message="%{%F{$pcolor}%}${2}%{%f%}" @@ -119,7 +119,7 @@ function _failure die() check_bin() { # check for required programs - for req in cryptsetup pinentry sudo; do + for req in cryptsetup pinentry sudo gpg; do which $req >/dev/null || die "Cannot find $req. Please install it." 1 done @@ -285,11 +285,6 @@ EOF # {{{ - TOMB USAGE usage() { cat <<EOF -Tomb $VERSION - a strong and gentle undertaker for your secrets - - Copyright (C) 2007-2011 Dyne.org Foundation, License GNU GPL v3+ - This is free software: you are free to change and redistribute it - The latest Tomb sourcecode is published on <http://tomb.dyne.org> Syntax: tomb [options] command [file] [place] @@ -320,7 +315,7 @@ Options: -f force operation (i.e. even if swap is active) -h print this help - -v version information for this tool + -v print version, license and list of available ciphers -q run quietly without printing informations -D print debugging information at runtime @@ -333,8 +328,8 @@ EOF generate_translatable_strings() { cat <<EOF # Tomb - The Crypto Undertaker. -# Copyright (C) 2007-2011 Dyne.org Foundation -# Denis Roio <jaromil@dyne.org>, 2011. +# Copyright (C) 2007-2012 Dyne.org Foundation +# Denis Roio <jaromil@dyne.org>, 2012. # #, fuzzy msgid "" @@ -492,6 +487,22 @@ print "-----END PGP MESSAGE-----" return $res } + +list_gnupg_ciphers() { + # prints an array of ciphers available in gnupg (to encrypt keys) + # prints an error if GnuPG is not found + which gnupg > /dev/null || die "gpg (GnuPG) is not found, Tomb cannot function without it." + + ciphers=(`gpg --version | awk ' +BEGIN { ciphers=0 } +/^Cipher:/ { gsub(/,/,""); sub(/^Cipher:/,""); print; ciphers=1; next } +/^Hash:/ { ciphers=0 } +{ if(ciphers==0) { next } else { gsub(/,/,""); print; } } +'`) + echo " ${ciphers}" + return 1 +} + # }}} # }}} # {{{ - HOOK HELPERS @@ -805,7 +816,7 @@ mount_tomb() { return 1 fi - _success "mounting $tombfile on mountpoint $tombmount" + _success "Opening $tombfile on $tombmount" # we need root from here on mkdir -p $tombmount @@ -825,13 +836,21 @@ mount_tomb() { return 1 fi + tombdump=(`cryptsetup luksDump ${nstloop} | awk ' + /^Cipher name/ {print $3} + /^Cipher mode/ {print $3} + /^Hash spec/ {print $3}'`) + say "cipher is \"$tombdump[1]\" mode \"$tombdump[2]\" hash \"$tombdump[3]\"" + + # save date of mount in minutes since 1970 mapdate=`date +%s` + mapper="tomb.${tombname}.${mapdate}.`basename $nstloop`" keyname=`basename $tombkey | cut -d. -f1` - _success "Password is required for key ${keyname}" + _warning "Password is required for key ${keyname}" for c in 1 2 3; do if [ $c = 1 ]; then tombpass=`exec_as_user ${TOMBEXEC} askpass "Open tomb ${keyname}"` @@ -855,13 +874,20 @@ mount_tomb() { done if ! [ -r /dev/mapper/${mapper} ]; then - _warning "failure mounting the encrypted file" losetup -d ${nstloop} $norm || rmdir ${tombmount} 2>/dev/null - return 1 + die "failure mounting the encrypted file" fi - _message "encrypted storage filesystem check" + # array: [ cipher, keysize, loopdevice ] + tombstat=(`cryptsetup status ${mapper} | awk ' + /cipher:/ {print $2} + /keysize:/ {print $2} + /device:/ {print $2}'`) + yes "Success unlocking tomb $tombname" + xxx "key size is $tombstat[2] for cipher $tombstat[1]" + + _message "checking filesystem via $tombstat[3]" fsck -p -C0 /dev/mapper/${mapper} xxx "tomb engraved as $tombname" tune2fs -L ${tombname} /dev/mapper/${mapper} > /dev/null @@ -873,7 +899,7 @@ mount_tomb() { chmod 0750 ${tombmount} chown $(id -u $ME):$(id -g $ME) ${tombmount} - _success "encrypted storage $tombfile succesfully mounted on $tombmount" + _success "Success opening $tombfile on $tombmount" if ! option_is_set -n ; then exec_safe_bind_hooks ${tombmount} exec_safe_post_hooks ${tombmount} open @@ -1328,6 +1354,11 @@ list_tombs() { print "$fg_bold[white]$tombfs $tombfsopts" print -n "$fg_no_bold[green]$tombname" + print -n "$fg_no_bold[white] cipher ${tombstat}" + print -n "keysize $tombstat[1]" + print "mounted via $tombstat[2]" + + print -n "$fg_no_bold[green]$tombname" print -n "$fg_no_bold[white] open since " print "$fg_bold[white]$tombsince$fg_no_bold[white]" @@ -1368,7 +1399,7 @@ launch_status() { which tomb-status > /dev/null if [ $? != 0 ]; then - _warning "Cannot find tomb-status binary, operation aborted." + die "Cannot find tomb-status binary, operation aborted." return 1 fi @@ -1703,11 +1734,19 @@ main() { mktemp) safe_dir ${CMD2} ;; translate) generate_translatable_strings ;; __default) - if option_is_set -v; then - echo Tomb - $VERSION - else - usage - fi + cat <<EOF +Tomb $VERSION - a strong and gentle undertaker for your secrets + + Copyright (C) 2007-2012 Dyne.org Foundation, License GNU GPL v3+ + This is free software: you are free to change and redistribute it + The latest Tomb sourcecode is published on <http://tomb.dyne.org> + +GnuPG available ciphers: +`list_gnupg_ciphers` +EOF + option_is_set -v && return 0 + + usage ;; *) _warning "command \"$CMD\" not recognized"