
Time to push the next version. Many improvements and FreeBSD flaws fixed

1 parent 24d806f commit fdd357e7bb24ec6f64d4fe530df1e2ca5132c9c6 thomasfrivold committed Feb 15, 2014
Showing with 73 additions and 51 deletions.
  1. +8 −17 LUKSUS
  2. +47 −28 LUKSUS.functions
  3. +8 −4 LUKSUS.variables
  4. +10 −2 README
25 LUKSUS
@@ -82,12 +82,12 @@ fi
#########################################################
#########################################################
#########################################################
-set -o errtrace #enables error trace with trap
-set -o errexit #enables exit tasks with trap
-set -o pipefail # quit on errorlevel 1
-trap EXITHOUSEKEEPING EXIT # calls housekeeping function on exit. Will be run once for errorlevel 0 and once for every errorlevel 1. awesome.
-trap TRAPERR ERR # displays where an error occurred
-trap "rm -f $tempfile" 0 1 2 5 15
+#set -o errtrace #enables error trace with trap
+#set -o errexit #enables exit tasks with trap
+#set -o pipefail # quit on errorlevel 1
+#trap EXITHOUSEKEEPING EXIT # calls housekeeping function on exit. Will be run once for errorlevel 0 and once for every errorlevel 1. awesome.
+#trap TRAPERR ERR # displays where an error occurred
+#trap "rm -f $tempfile" 0 1 2 5 15
# Calling functions
OSTEST
@@ -98,31 +98,23 @@ WELCOMEINFORMATION
WIZARD
MENUSYSTEM
GRAPHICALVERIFYCHOICES
-# deprechated ASKUSERVERIFYCONSOLE # safety check. To be sure.
GRAPHICALLASTCHANCE
# PREPARE KEYFILE
CREATEKEYFILE
-
# LOOP DEVICE FUNCTIONS AND HOUSEKEEPING
LOOPBACKTEST
DRAGONFLYHOUSEKEEPING
FREEBSDHOUSEKEEPING
NETBSDHOUSEKEEPING
-
-
-
# THE STUFF BELOW REQUIRES STABLE RUNTIME VARIABLES
# NOTE TO SELF - DON'T LET THE USER OR THE PROGRAM ITSELF CHANGE ANY VARIABLES BELOW HERE
# THESE FUNCTIONS GO HAYWIRE IF THOSE VARIABLES ARE NOT PROPERLY SET
-
# BEGIN PROGRAM
LOOPBACKMETHOD
DEVICEEXISTS
DONTSHREDIFLOOPBACK
-
### ENCRYPTION PHASE ###
-
# TRUECRYPT PROCESS
TRUECRYPT
TRUECRYPTKEYFILE
@@ -137,8 +129,9 @@ LUKSOPEN
# GELI PROCESS
GELI
GELIKEYFILE
+sleep 10
GELIOPEN
-
+sleep 30
# CGD PROCESS COMING SOON FOR NETBSD SUPPORT
# CGD
# CGDKEYFILE
@@ -156,9 +149,7 @@ GELIOPEN
# CREATING THE FILESYSTEM AND MOUNTING IT
CREATEANDMOUNTFS
-
# END PROGRAM
-#DISPLAYLOGO
echo The data below can also be found in /keys/$name.information
DISPLAYSUMMARY
WRITEINFORMATIONFILE
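Review bot: The first hunk (@@ -82) comments out `set -o errexit`, `set -o pipefail`, the ERR/EXIT traps and `trap "rm -f $tempfile" 0 1 2 5 15` without putting anything in their place, so a failing `cryptsetup luksFormat` or `geli init` no longer stops the run before CREATEANDMOUNTFS and DISPLAYSUMMARY (unless those functions check on their own, which this diff does not show), and `$tempfile` plus the `$tempfile.enginemode` written by ENCRYPTIONENGINE are left on disk. If the traps had to go, keep at least the cleanup, e.g. `trap 'rm -f "$tempfile" "$tempfile".*' 0 1 2 15`, and make the encryption functions return non-zero on failure so the caller can stop. The README hunk in this same commit says "ERRTRAP has been set to 1", which contradicts what this file now does. The new `sleep 10` / `sleep 30` around GELIOPEN are unexplained fixed waits; a one-line comment naming what they wait for (presumably the geli device node appearing) would help the next reader, and a bounded poll for that condition would be more robust than a timer.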
@@ -15,14 +15,14 @@ ENCRYPTIONENGINE()
{
DIALOGAPP=${DIALOG=dialog}
-$DIALOGAPP --clear --title "Set your preferred encryption engine" \
+$DIALOGAPP --clear --title "Selectt your preferred encryption engine" \
--menu "Please choose encryption engine" 20 51 4 \
- "LUKS" "LUKS (Linux and DragonFlyBSD)" \
- "TRUECRYPT" "Truecrypt (TCPLAY) (Linux and DragonFlyBSD)" \
- "GELI" "GELI (FreeBSD)" \
- "CGD" "CGD (NetBSD) (NOT IMPLEMENTED YET)" \
- "BIOCTL" "BIOCTL (OpenBSD) (NOT IMPLEMENTED YET)" \
- "OPENPGP" "GNU GPG OPENPGP (NOT IMPLEMENTED YET)" 2> $tempfile.enginemode
+ "LUKS" "Linux or DragonFlyBSD" \
+ "TRUECRYPT" "Linux or DragonFlyBSD)" \
+ "GELI" "FreeBSD" \
+ "CGD" "NetBSD (NOT IMPLEMENTED YET)" \
+ "BIOCTL" "OpenBSD (NOT IMPLEMENTED YET)" \
+ "OPENPGP" "GNU GPG S/MIME (NOT IMPLEMENTED YET)" 2> $tempfile.enginemode
retval=$?
@@ -72,13 +72,12 @@ TRAPERR()
{
echo "$programname HAS STOPPED: ${BASH_SOURCE[1]} "" \
""at about line ${BASH_LINENO[0]}"
+rm *.$$
}
EXITHOUSEKEEPING()
{
rm *.$$
-rm menuchoices.*
-rm welcomelogo.*
}
NAMESET()
@@ -146,6 +145,9 @@ NAMESET
MENUSYSTEM()
{
+trap "rm -f menuchoices.*" 0 1 2 5 15
+trap "rm -f securitymode.*" 0 1 2 5 15
+trap "rm -f welcomelogo.*" 0 1 2 5 15
while [ $NEXT == false ] ;
do
@@ -189,7 +191,7 @@ do
esac
done
-# need to fill these variables again at this point
+# need to repopulate these variables again at this point
keyfile=/keys/$name.key
headerbackup=/keys/$name.header
mountpoint=/mnt/$name
@@ -309,7 +311,6 @@ DISPLAYLOGO ()
DISPLAYSUMMARY ()
{
- echo "Showing the contents of file: $keydir/$name.information";
echo Timestamp:
date;
echo Results of LUKSUS:;
@@ -375,11 +376,17 @@ DRAGONFLYHOUSEKEEPING ()
FREEBSDHOUSEKEEPING ()
{
if [ $UNAME == FreeBSD ]; then
- echo We are on FreeBSD here. Cool.;
- alias ghead=head;
- alias gshred=shred;
+ echo We are on FreeBSD here. Cool. Doing some housekeeping...;
+ HEADAPP=ghead
+ TAILAPP=gtail
+ SHREDAPP=gshred
kldload geom_eli;
- else
+ freebsdloopnumber=$(echo $device|{ read; echo "${REPLY#${REPLY%?}}";})
+ echo $luksfilesize
+ keyfile=/keys/$name.key
+ headerbackup=/keys/$name.header
+ mountpoint=/mnt/$name
+ else
echo "";
fi
}
@@ -394,9 +401,9 @@ GELI ()
}
GELIKEYFILE ()
{
- if [[ ENCRYPTION == GELI ]] && [[ $SECURITYMODE == KEYFILE ]]; then
- echo Initializing $device with $ENCRYPTION with a keyfile;
- geli init -B $headerbackup -p -s 4096 -K $keyfile $device;
+ if [[ $ENCRYPTION == GELI ]] && [[ $SECURITYMODE == KEYFILE ]]; then
+ echo Initializing $device with $ENCRYPTION with a keyfile
+ geli init -B $headerbackup -s 4096 -P -K $keyfile $device;
else
echo "";
fi
@@ -405,7 +412,7 @@ GELIOPEN ()
{
if [[ $ENCRYPTION == GELI ]] && [[ $SECURITYMODE == KEYFILE ]]; then
echo Attempting to open the newly created $ENCRYPTION volume $name with $keyfile;
- geli attach -k $keyfile $device;
+ geli attach -p -k $keyfile $device;
cryptoinithelp="geli attach -k $keyfile $device";
VOLUMESTATUS=$(geli dump $name);
else
@@ -467,25 +474,36 @@ LOOPBACKMETHOD ()
{
if [[ $LOOPBACKDEVICE == true ]] && [[ $UNAME == Linux ]]; then
echo Beginning loopbackmethod on $device;
- head -c $luksfilesize /dev/zero > $luksfile;
+# enogh of this head nonsense
+# head -c $luksfilesize /dev/zero > $luksfile;
+ dd if=/dev/zero of=$luksfile bs=$luksfilesize count=1
losetup -f 1>/dev/null 2> /dev/null;
losetup $device $luksfile;
loopbackhelp="losetup $device $luksfile";
else
if [[ $LOOPBACKDEVICE == true ]] && [[ $UNAME == DragonFly ]]; then
echo DragonFlyBSD - Nice...;
echo Beginning loopbackmethod on $device;
- $HEADAPP -c $luksfilesize /dev/zero > $luksfile;
+ # ENOUGH OF THIS HEAD NONSENSE, GOING TO USE DD FROM NOW ON
+ #$HEADAPP -c $luksfilesize /dev/zero > $luksfile;
+ dd if=/dev/zero of=$luksfile bs=$luksfilesize count=1
vnconfig > /dev/null 2> /dev/null;
vnconfig $device $luksfile;
loopbackhelp="vnconfig $device $luksfile";
else
if [[ $LOOPBACKDEVICE == true ]] && [[ $UNAME == FreeBSD ]]; then
echo FreeBSD - Nice...;
- $HEADAPP /dev/zero -c $luksfilesize > $luksfile;
+ echo $HEADAPP /dev/zero -c $luksfilesize > $luksfile;
+ echo mdconfig -a -t vnode -f $luksfile -u $freebsdloopnumber;
+ echo loopbackhelp="mdconfig -a -t vnode -f $luksfile -u $freebsdloopnumber";
+## # No more head nonsense
+## $HEADAPP /dev/zero -c $luksfilesize > $luksfile;
+ dd if=/dev/zero of=$luksfile bs=$luksfilesize count=1
+ echo dd if=/dev/zero of=$luksfile bs=$luksfilesize count=1
mdconfig -a -t vnode -f $luksfile -u $freebsdloopnumber;
loopbackhelp="mdconfig -a -t vnode -f $luksfile -u $freebsdloopnumber";
- else
+
+ else
echo "Okay, not using a loopback device, proceeding in normal mode";
fi;
fi;
@@ -523,11 +541,12 @@ dialog --msgbox "Proceeding with $ENCRYPTION" 0 0;
else
echo .
fi
-if [ -z `which cryptsetup` ] ; then
+if [[ $ENCRYPTION == LUKS ]] && [ -z `which cryptsetup` ] ; then
echo "Missing cryptsetup. Cannot continue using LUKS. Please install cryptsetup (cryptsetup package)";
fi
if [[ $ENCRYPTION == LUKS ]] && [[ $SECURITYMODE == PASSPHRASE ]]; then
- echo LUKS with passphrase;
+ echo LUKS with passphrase mode
+ echo LUKS will now as you to provide a password for the encrypted container.
echo You will only be prompted for a password once. Type carefully.;
cryptsetup --batch-mode --verbose --cipher=aes-xts-plain64 luksFormat $device;
else
@@ -545,7 +564,7 @@ dialog --msgbox "Proceeding with $ENCRYPTION" 0 0;
else
echo .
fi
-if [ -z `which cryptsetup` ] ; then
+if [[ $ENCRYPTION == LUKS ]] && [ -z `which cryptsetup` ] ; then
echo "Missing cryptsetup. Cannot continue using LUKS. Please install cryptsetup (cryptsetup package)";
fi
if [[ $ENCRYPTION == LUKS ]] && [[ $SECURITYMODE == KEYFILE ]]; then
@@ -635,7 +654,7 @@ dialog --msgbox "Proceeding with $ENCRYPTION" 0 0;
else
echo .
fi
-if [ -z `which tcplay` ] ; then
+if [[ $ENCRYPTION == TRUECRYPT ]] && [ -z `which tcplay` ] ; then
echo "Missing tcplay. Cannot continue. Please install Truecrypt (tcplay package). Note that you need the Libre Open Source GPL tcplay Truecrypt package and not the Truecrypt package downloaded from the Truecrypt.com website" ;
fi
if [[ $ENCRYPTION == TRUECRYPT ]] && [[ $SECURITYMODE == PASSPHRASE ]]; then
@@ -656,7 +675,7 @@ dialog --msgbox "Proceeding with $ENCRYPTION" 0 0;
else
echo .
fi
-if [ -z `which tcplay` ] ; then
+if [[ $ENCRYPTION == TRUECRYPT ]] && [ -z `which tcplay` ] ; then
echo "Missing tcplay. Cannot continue. Please install Truecrypt (tcplay package). Note that you need the Libre Open Source GPL tcplay Truecrypt package and not the Truecrypt package downloaded from the Truecrypt.com website" ;
fi
if [[ $ENCRYPTION == TRUECRYPT ]] && [[ $SECURITYMODE == KEYFILE ]]; then
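Review bot: The dependency checks at the `which cryptsetup` / `which tcplay` lines (hunks @@ -523, @@ -545, @@ -635, @@ -656) still only echo "Cannot continue" and then fall through to luksFormat/tcplay, and since this commit also comments out errexit in LUKSUS, nothing stops the run when the tool is missing; make them a real abort, e.g. `if [[ $ENCRYPTION == LUKS ]] && ! command -v cryptsetup >/dev/null 2>&1; then echo "Missing cryptsetup. Cannot continue using LUKS. Please install cryptsetup (cryptsetup package)"; exit 1; fi`. In MENUSYSTEM (@@ -146) the three consecutive `trap ... 0 1 2 5 15` lines each replace the previous handler for the same signals, so only `welcomelogo.*` is ever removed and any cleanup installed earlier on those signals is lost; use one trap: `trap 'rm -f menuchoices.* securitymode.* welcomelogo.*' 0 1 2 15`. In GELIOPEN the recorded `cryptoinithelp="geli attach -k $keyfile $device"` was not updated with the new `-p`, so the hint shown to the user asks for a passphrase that the `-P` init never set. The bare `rm *.$$` in TRAPERR and EXITHOUSEKEEPING removes every file in the current directory whose name ends in the PID, not only LUKSUS's own; anchor it to the `$tempfile` prefix or a dedicated temp directory.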
@@ -1,7 +1,7 @@
# This file contains variables and command substitutions (no more backticks) in variables
programname=LUKSUS
-version=v1.2.50
-date="12.11.2013"
+version=v1.2.60
+date="15.02.2014"
author="Thomas J. Frivold"
time1="$(date +%s.%N)"
# $1, %2, %3, %4 are command line arguments
@@ -22,13 +22,17 @@ datenow=$(date)
USEKEY=false
linuxloopback=$(losetup -f)
linuxloopbackmessage="$linuxloopback is available"
+
+# Yes this is weird. I have to tell the FreeBSD encryption tool geli
+# which loopback device to attach to. It needs to know the numerical value.
freebsdloopnumber=$(echo $device|{ read; echo "${REPLY#${REPLY%?}}";})
ENCRYPTION=LUKS
NEXT=false
#DIALOGAPPOPTIONS="--nocancel"
#DIALOGAPPOPTIONS="--exit-label "PROCEED" --backtitle "$programname $version" "--title "$version"""
#--exit-label "PROCEED"
-# Set DEBUGSTEP=DEBUGSTEP to enable debugging
-DEBUGSTEP=
dialogapp=dialog
tempfile=`tempfile 2>/dev/null` || tempfile=/tmp/test$$
+TAILAPP=tail
+HEADAPP=head
+SHREDAPP=shred
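Review bot: The new comment above `freebsdloopnumber=` says geli needs the numeric value, but the only consumer visible in LUKSUS.functions is `mdconfig -a -t vnode -f $luksfile -u $freebsdloopnumber` in LOOPBACKMETHOD, so the comment should name mdconfig's `-u` unit number rather than geli, e.g. `# mdconfig -u wants the unit number of the md device, so strip everything up to the trailing digits of $device`. The expression also keeps only the last character of `$device`, so a unit such as `md10` would yield `0`; `freebsdloopnumber=${device##*[!0-9]}` keeps the whole trailing number. It also presumes `$device` is already set when this file is sourced, and FREEBSDHOUSEKEEPING recomputing the same value in LUKSUS.functions suggests it is not, so the assignment here may be dead. The unchanged fallback `tempfile=/tmp/test$$` is a predictable name in a shared directory; `mktemp` is available on both Linux and the BSDs this commit targets.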
12 README
@@ -29,6 +29,7 @@ have: dialog or whiptail, gnutools / coretools , and a supported
encryption engine installed. On Linux this is either found in the
cryptsetup package for LUKS support and tcplay for Truecrypt support.
+
# USAGE
./LUKSUS
@@ -131,6 +132,7 @@ A: It is based on the guides provided in the LUKS FAQ, Truecrypt/Tcplay FAQ, and
Cryptsetup / LUKS FAQ: https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
Truecrypt documentation: http://www.truecrypt.org/docs/
FreeBSD disk encryption documentation: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
+ BSDTutorial: http://bsdtutorial.org/freebsd/encrypt-filesystem
NetBSD disk encryption documentation: http://www.netbsd.org/docs/guide/en/chap-cgd.html
OpenBSD crypto documentation: http://www.openbsd.org/crypto.html
OpenBSD 16 systems tips: http://www.16s.us/OpenBSD/vnconfig.txt
@@ -181,9 +183,15 @@ Q: I lost the key or the password, is there a way to restore the key
if I forgot it?
A: No. Really. No.
+Q: LUKSUS is only a bash script, or a set of bash scripts. Is it robust?
+A: Recent versions of LUKSUS features several failsafe mechanisms to
+protect the user against its own mistakes, as well as faulty operating
+conditions like broken binaries and faulty command procedures (race errors).
+ERRTRAP has been set to 1 for instance.
Q: ON KEYFILES - ARE THEY BETTER THAN PASSWORDS?
-A: Good question, some crypto wizards gave me this answer: -
+A short: Depends. Keyfiles creates a flexible situation.fs
+A long: Good question, some crypto wizards gave me this answer: -
(Passphrase-protected) Keyfiles are two-factor (something you have,
something you know) and passphrases are one-factor (something you
know). It should be obvious that (passphrase-protected) keyfiles are
@@ -725,7 +733,7 @@ Consider posting elsewhere, if release is awesome enough.
-### LEGACY README INFORMATION FOR THOSE NOSTALGIC PEOPLE ###
+### LEGACY README INFORMATION FOR THOSE NOSTALGIC PEOPLE OUT THERE ###
Legacy documentation for those who really wish to use command line
options (not necessary anymore):
