I know people probably have their own scripts for creating and mounting loop-aes encrypted devices with loop-aes-ciphers and there's probably a number around, but here's mine anyway. The default setting is to embed keys (other than the first, which must be detatched), in the previous loop device. I've tested it up to the maxmimum number of loop devices by extending the arrays CIPHER, MODULE etc but of course that is extremely ridiculous (!) and was only for testing purposes.
Thought I'd post it and get a bit of review since I want to distribute it, so feel free to try it out on a spare partition or floppy. Of course change the settings at the beginning of the script to suit. It's still a bit alpha and I'm not a linux veteran so go easy on me.
Note: I always have /sbin in PATH, but if you don't then you need to do:
export PATH="/sbin:${PATH}"
before running the scri[pt.
==================================================================================
#!/bin/bash
# tripl - single or multiple encryption with loop-aes-ciphers
# (C) WDef 2006 v0.1 <WDef200 at yahoo dot co dot uk>
# Simple tool to do single or multiple encrypted partitions using loop-aes v3.x (multikey) and loop-aes-ciphers.
# Automates gpg key generation, allocation and setup/pulldown of loops, layered embedding of keys, filesystem checking etc.
# Does not write to /etc/fstab.
# Note: multiple encryption can use a lot of cpu at times.
# Single or double encryption with a good password is probably sufficient (really!).
# Script skips loops that are already in use and only pulls down encrypted loops on umounting.
# Blowfish is not supported since it does not work with multiline keychains in loopaes and
# is not recommended for large amounts of data.
# This is free software. No warranty. Use AYOR.
#===================// USER SETTINGS //============================
# Put your settings here.
# Alternatively, make these settings in a file $HOME/.triplrc, where $HOME is root's home dir.
# These will override any made here.
DEVICE=/dev/hda7
MOUNTPT=/mnt/test
MODE=3 # Triple encryption
#MODE=2 # Double encryption
#MODE=1 # Single encryption
# You can rearrange the order of ciphers, but remember
#- module order must match order of ciphers, and
#- you'll have to run tripl -new if you change this (so back up data first).
CIPHER[1]=serpent128
CIPHER[2]=AES128
CIPHER[3]=twofish128
MODULE[1]=loop_serpent
MODULE[2]=loop
MODULE[3]=loop_twofish
key[1]=/mnt/hda9/test1
key[2]=/mnt/hda9/test2
key[3]=/mnt/hda9/test3
#EMBED=no
EMBED=yes # If enabled, the user only need specify one external gpg-encrypted key (key[1]) in user settings.
# Other keys will be automatically generated for each encryption layer by tripl -new (prompts user
# for passwords) and successively embedded in the encryption layer previous to that being set up.
# This also means an attacker has to crack the first encryption layer just to get the
# encrypted key for the second, and so on. No effect if MODE=1
# If unset, a seperate external (detached) key should be created with tripl -mkkey for each
# encryption layer and set in the user settings prior to running tripl -new.
MAXLOOPS=8 # Usual default number of loops in linux
FORCE=true # Kills processes accessing files on mount point in order to force a dismount.
#FORCE=false
SHOWKEY=yes # Show 1st external keyfile name when setting up new partition with embedded keys.
GPGHOME="${HOME}/.gnupg"
#=================================================================
help(){
cat <<"EOF"
tripl - single or multiple encryption with loop-aes-ciphers
(c) WDef 2007 v0.1
Usage: tripl OPTION
Option:
-m = mount
-u = unmount
-mkkey = make key
-new = set up encrypted partition (destroys data!)
-fix = check, repair encrypted filesystem
-h = this
Set partition name, keys, order of ciphers, mountpoint and MODE
(1,2,3 for single,double,triple encryption) at top of script.
EOF
}
check_losetup(){
if $(which strings &>/dev/null); then
strings /sbin/losetup | grep -q -s multi-key-v3
return $?
elif grep --version | grep -q 'GNU grep' 2>/dev/null; then
grep -q -a -s multi-key-v3 /sbin/losetup
return $?
else
echo "Error: can't check losetup compatibility"
echo "Install strings or GNU grep before proceeding."
exit 1
fi
}
run_checks(){
if [ $EUID -ne 0 ]; then echo "You're not root."; exit 1; fi
if [ $# -ne 1 ]; then help; exit 1; fi
if ! which gpg &>/dev/null; then echo "Can't find GnuPG"; exit 1; fi
if ! check_losetup; then
echo "Error: your losetup is incompatible with loop-aes v3.x"
echo "See the loop-aes README for details."
exit 1
fi
}
loopfree()
# find free loop
{
j=0
while losetup -a | awk ' { print $1 } '| grep -q loop$j; do
(( j = j + 1 ))
[ $j -eq $MAXLOOPS ] && return 1 # j=8 means no free loop was found
done
NEXTLP=$j
return 0
}
pull_down(){
X=$1
if grep -q "${MOUNTPT}" /etc/mtab; then
if $FORCE; then fuser -m -k ${MOUNTPT}; fi
umount ${MOUNTPT}
fi
# Pull down all encrypted (only) loops
losetup -a | awk -F: '/^\/dev\/loop.+encryption.+multi-key-v3/ {print $1}' | sort -r | while read D; do
losetup -d $D || X=$?
done
exit $X
}
makekey(){
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a
return
}
setup_loops(){
NUMBUSY=$(losetup -a|wc -l)
(( NUMFREELOOPS = MAXLOOPS - NUMBUSY ))
if [ $NUMFREELOOPS -lt $MODE ]; then
echo "Insufficient loops free ($NUMFREELOOPS)"
echo "Require $MODE free loop device(s)."
exit 1
fi
echo
if [ $EMBED = yes ]; then
if [ ! -e "${key[1]}" ]; then
echo "Can't find key ${key[1]} - need one external key for embedded mode."
exit 1
fi
if [ "${1}" = new ]; then
[ $SHOWKEY = yes ] && echo ">>>>>> Using key ${key[1]} for loop1 <<<<<<"
else
echo "Enter $MODE password(s):"
fi
else
echo "Enter $MODE password(s):"
fi
for k in $(seq 1 $MODE); do
modprobe ${MODULE[k]} || pull_down 1
loopfree || pull_down 1
TOPLOOP="/dev/loop$NEXTLP"
# Taking care to get previous loop-aes encrypted loop only:
PREVIOUSLOOP=$(losetup -a | awk -F: '/^\/dev\/loop.+encryption.+multi-key-v3/ {print $1}' | tail -n 1 )
if [ $k -eq 1 ]; then
D=${DEVICE}
else
D=${PREVIOUSLOOP}
fi
if [ $EMBED = yes ]; then
if [ $k -eq 1 ]; then
# No offset key on first loop
echo "Setting up loop1 .."
losetup -e ${CIPHER[1]} -K ${key[1]} -G ${GPGHOME} ${TOPLOOP} ${D} || pull_down 1
else
if [ "${1}" = new ]; then
echo
echo ">>>>>> Making embedded key for loop$k <<<<<<"
echo "Enter new password at three prompts .."
yes "" | dd of=${PREVIOUSLOOP} bs=512 count=16
makekey | dd of=${PREVIOUSLOOP} conv=notrunc
fi
echo "Setting up loop$k .."
losetup -e ${CIPHER[k]} -K ${PREVIOUSLOOP} -o 8192 -G ${GPGHOME} ${TOPLOOP} ${PREVIOUSLOOP} || pull_down 1
fi
else
if [ ! -e "${key[k]}" ]; then
echo "Can't find key no. $k ${key[k]}"
pull_down 1
fi
echo "Setting up loop$k .."
losetup -e ${CIPHER[k]} -K ${key[k]} -G ${GPGHOME} ${TOPLOOP} ${D} || pull_down 1
fi
done
}
#=====================// MAIN //==================================
[ -f "${HOME}/.triplrc" ] && . ${HOME}/.triplrc
run_checks $*
case $1 in
-new)
echo
echo "WARNING: this will destroy all data on $DEVICE !"
echo "~~~~~~~"
while true; do
echo -n "Last chance to exit. Are you sure you want to proceed? (YeS/n) "
read
case $REPLY in
YeS) break ;;
n|N|n*|N*) exit 0;;
y|y*|Y|Yes|YE*) echo "You must type YeS to proceed.";;
*) echo "Invalid response.";;
esac
done
echo "Shredding ${DEVICE} .. pls wait .."
shred -n 1 ${DEVICE}
setup_loops new
echo
echo ">>>>>> Making filesystem <<<<<<"
mkfs -t ext2 ${TOPLOOP}
pull_down 0 ;;
-m)
if grep -q "${MOUNTPT}" /etc/mtab; then echo "${MOUNTPT} in use."; exit 1; fi
setup_loops
mount -t ext2 ${TOPLOOP} ${MOUNTPT}
if grep -q "${TOPLOOP}" /etc/mtab; then echo "OK"; else pull_down 1; fi ;;
-u)
pull_down 0 ;;
-mkkey)
while true; do
echo -n "Enter path and filename of new key (CNTRL-C = quit): "
read
DIR=$(dirname ${REPLY})
if [ -e "${REPLY}" ]; then
echo "File $REPLY already exists."; continue
fi
if [ ! -d "${DIR}" ]; then
echo "Invalid path ${DIR}" ; continue
fi
if [ ! -w "${DIR}" ]; then
echo "${DIR} not writeable" ; continue
fi
break
done
echo "Making key ${REPLY} .."
makekey >${REPLY}
if [ $? -eq 0 ]; then
echo "Done."
echo "Set your new key location at top of the script."
else
rm -f ${REPLY} # gpg will provide error messages if it fails.
exit 1
fi ;;
-fix)
if losetup -a | grep -q ${DEVICE} ; then
echo "${DEVICE} in use."
exit 1
fi
setup_loops
fsck -t ext2 -C -f -y ${TOPLOOP}
echo "Done."
pull_down 0;;
-h) help ;;
*)
echo "Unknown option $1. Try tripl -h"; exit 1 ;;
esac
exit 0
8:00? 8:25? 8:40? Find a flick in no time
with theYahoo! Search movie showtime shortcut.
