Re: Tripl: a simple front-end for multiple encryption

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I should have said "beta" since I'm unable to find any problems with this script on my system (GNU bash, version 2.05b.0(1)-release, with Busybox utils).  Which is not to say there aren't any.

Any test reports on this humble offering will be gratefully received ....

Phil H <philtickle200@xxxxxxxxx> wrote:
Hi

I know people probably have their own scripts for creating and mounting loop-aes encrypted devices with loop-aes-ciphers and there's probably a number around, but here's mine anyway.  The default setting is to embed keys (other than the first, which must be detatched), in the previous loop device.  I've tested it up to the maxmimum number of loop devices by extending the arrays CIPHER,  MODULE etc but of course that is extremely ridiculous (!) and was only for testing purposes.

Thought I'd post it and get a bit of review since I want to distribute it, so feel free to try it out on a spare partition or floppy. Of course change the settings at the beginning of the script to suit.   It's still a bit alpha and I'm not a linux veteran so go easy on me.

Note:  I always have /sbin in PATH, but if you don't then you need to do:

export PATH="/sbin:${PATH}"

before running the scri[pt.

==================================================================================


#!/bin/bash

# tripl - single or multiple encryption with loop-aes-ciphers
# (C) WDef 2006 v0.1 <WDef200 at yahoo dot co dot uk>

# Simple tool to do single or multiple encrypted partitions using loop-aes v3.x (multikey) and loop-aes-ciphers.
# Automates gpg key generation, allocation and setup/pulldown of loops, layered embedding of keys, filesystem checking etc.
# Does not write to /etc/fstab.
# Note: multiple encryption can use a lot of cpu at times.
# Single or double encryption with a good password is probably sufficient (really!).
# Script skips loops that are already in use and only pulls down encrypted loops on umounting.
# Blowfish is not supported since it does not work with multiline keychains in loopaes and
# is not recommended for large amounts of data.

# This is free software. No warranty. Use AYOR.

#===================// USER SETTINGS //============================

# Put your settings here.
# Alternatively, make these settings in a file $HOME/.triplrc, where $HOME is root's home dir.
# These will override any made here.

DEVICE=/dev/hda7
MOUNTPT=/mnt/test

MODE=3        # Triple encryption
#MODE=2        # Double encryption
#MODE=1        # Single encryption

# You can rearrange the order of ciphers, but remember
#- module order must match order of ciphers, and
#- you'll have to run tripl -new if you change this (so back up data first).

CIPHER[1]=serpent128
CIPHER[2]=AES128
CIPHER[3]=twofish128

MODULE[1]=loop_serpent
MODULE[2]=loop
MODULE[3]=loop_twofish

key[1]=/mnt/hda9/test1
key[2]=/mnt/hda9/test2
key[3]=/mnt/hda9/test3

#EMBED=no
EMBED=yes    # If enabled, the user only need specify one external gpg-encrypted key (key[1]) in user settings.
        # Other keys will be automatically generated for each encryption layer by tripl -new (prompts user
        # for passwords) and successively embedded in the encryption layer previous to that being set up.
        # This also means an attacker has to crack the first encryption layer just to get the
        # encrypted key for the second, and so on. No effect if MODE=1
       
        # If unset, a seperate external (detached) key should be created with tripl -mkkey for each
        # encryption layer and set in the user settings prior to running tripl -new.

MAXLOOPS=8    # Usual default number of loops in linux

FORCE=true    # Kills processes accessing files on mount point in order to force a dismount.
#FORCE=false

SHOWKEY=yes    # Show 1st external keyfile name when setting up new partition with embedded keys.

GPGHOME="${HOME}/.gnupg"

#=================================================================

help(){
cat <<"EOF"
tripl - single or multiple encryption with loop-aes-ciphers
(c) WDef 2007 v0.1
Usage: tripl OPTION
Option:
    -m = mount
    -u = unmount
    -mkkey = make key
    -new = set up encrypted partition (destroys data!)
    -fix = check, repair encrypted filesystem
    -h = this
Set partition name, keys, order of ciphers, mountpoint and MODE
(1,2,3 for single,double,triple encryption) at top of script.
EOF
}


check_losetup(){
if $(which strings &>/dev/null); then
    strings /sbin/losetup | grep -q -s multi-key-v3
    return $?
elif grep --version | grep -q 'GNU grep' 2>/dev/null; then
    grep -q -a -s multi-key-v3 /sbin/losetup
    return $?
else
    echo "Error: can't check losetup compatibility"
    echo "Install strings or GNU grep before proceeding."
    exit 1
fi
}


run_checks(){
if [ $EUID -ne 0 ]; then echo "You're not root."; exit 1; fi
if [ $# -ne 1 ]; then help; exit 1; fi
if ! which gpg &>/dev/null; then echo "Can't find GnuPG"; exit 1; fi
if ! check_losetup; then
    echo "Error: your losetup is incompatible with loop-aes v3.x"
    echo "See the loop-aes README for details."
    exit 1
fi
}

loopfree()
# find free loop
{
j=0
while  losetup -a | awk ' { print $1 } '| grep -q loop$j; do
    (( j = j + 1 ))
    [ $j -eq $MAXLOOPS ] && return 1    # j=8 means no free loop was found
done
NEXTLP=$j
return 0

}


pull_down(){
X=$1
if grep -q "${MOUNTPT}" /etc/mtab; then
    if $FORCE; then fuser -m -k ${MOUNTPT}; fi
    umount ${MOUNTPT}
fi
# Pull down all encrypted (only) loops
losetup -a | awk -F: '/^\/dev\/loop.+encryption.+multi-key-v3/ {print $1}' | sort -r | while read D; do
            losetup -d $D || X=$?
            done
exit $X

}

makekey(){
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
| gpg --symmetric -a
return
}


setup_loops(){

NUMBUSY=$(losetup -a|wc -l)
(( NUMFREELOOPS = MAXLOOPS - NUMBUSY ))
if [ $NUMFREELOOPS -lt $MODE ]; then
    echo "Insufficient loops free ($NUMFREELOOPS)"
    echo "Require $MODE free loop device(s)."
    exit 1
fi
echo
if [ $EMBED = yes ]; then
    if [ ! -e "${key[1]}" ]; then
        echo "Can't find key ${key[1]} - need one external key for embedded mode."
        exit 1
    fi
    if [ "${1}" = new ]; then
        [ $SHOWKEY = yes ] && echo ">>>>>> Using key ${key[1]} for loop1 <<<<<<"
    else
        echo "Enter $MODE password(s):"
    fi
else
    echo "Enter $MODE password(s):"
fi


for k in $(seq 1 $MODE); do

    modprobe ${MODULE[k]} || pull_down 1
    loopfree || pull_down 1
    TOPLOOP="/dev/loop$NEXTLP"
    # Taking care to get previous loop-aes encrypted loop only:
    PREVIOUSLOOP=$(losetup -a | awk -F: '/^\/dev\/loop.+encryption.+multi-key-v3/ {print $1}' | tail -n 1 )   
    if [ $k -eq 1 ]; then
        D=${DEVICE}
    else
        D=${PREVIOUSLOOP}
    fi
    if [ $EMBED = yes ]; then
        if [ $k -eq 1 ]; then
            # No offset key on first loop
            echo "Setting up loop1 .."
            losetup -e ${CIPHER[1]} -K ${key[1]} -G ${GPGHOME} ${TOPLOOP} ${D} || pull_down 1
        else
            if [ "${1}" = new ]; then
                echo
                echo ">>>>>> Making embedded key for loop$k <<<<<<"
                echo "Enter new password at three prompts .."
                yes "" | dd of=${PREVIOUSLOOP} bs=512 count=16
                makekey | dd of=${PREVIOUSLOOP} conv=notrunc
            fi
            echo "Setting up loop$k .."
            losetup -e ${CIPHER[k]} -K ${PREVIOUSLOOP} -o 8192 -G ${GPGHOME} ${TOPLOOP} ${PREVIOUSLOOP} || pull_down 1

        fi
    else
        if [ ! -e "${key[k]}" ]; then
            echo "Can't find key no. $k ${key[k]}"
            pull_down 1
        fi
        echo "Setting up loop$k .."
        losetup -e ${CIPHER[k]} -K ${key[k]} -G ${GPGHOME} ${TOPLOOP} ${D} || pull_down 1
    fi
done

}

#=====================// MAIN //==================================

[ -f "${HOME}/.triplrc" ] && . ${HOME}/.triplrc

run_checks $*

case $1 in

-new)
echo
echo "WARNING: this will destroy all data on $DEVICE !"
echo "~~~~~~~"

while true; do
    echo -n "Last chance to exit. Are you sure you want to proceed? (YeS/n) "
    read
    case $REPLY in
        YeS) break ;;
        n|N|n*|N*) exit 0;;
        y|y*|Y|Yes|YE*) echo "You must type YeS to proceed.";;
        *) echo "Invalid response.";;
    esac
done
echo "Shredding ${DEVICE} .. pls wait .."
shred -n 1 ${DEVICE}
setup_loops new
echo
echo ">>>>>> Making filesystem <<<<<<"
mkfs -t ext2 ${TOPLOOP}
pull_down 0 ;;


-m)
if grep -q "${MOUNTPT}" /etc/mtab; then echo "${MOUNTPT} in use."; exit 1; fi
setup_loops
mount -t ext2 ${TOPLOOP} ${MOUNTPT}
if grep -q "${TOPLOOP}" /etc/mtab; then echo "OK"; else pull_down 1; fi ;;

-u)
pull_down 0 ;;

-mkkey)
while true; do
    echo -n "Enter path and filename of new key (CNTRL-C = quit): "
    read
    DIR=$(dirname ${REPLY})
    if [ -e "${REPLY}" ]; then
        echo "File $REPLY already exists."; continue
    fi
    if [ ! -d "${DIR}" ]; then
        echo "Invalid path ${DIR}" ; continue
    fi
    if [ ! -w "${DIR}" ]; then
        echo "${DIR} not writeable" ; continue
    fi
    break
done
echo "Making key ${REPLY} .."
makekey >${REPLY}
if [ $? -eq 0 ]; then
    echo "Done."
    echo "Set your new key location at top of the script."
else
    rm -f ${REPLY} # gpg will provide error messages if it fails.
    exit 1
fi ;;


-fix)
if losetup -a | grep -q ${DEVICE} ; then
    echo "${DEVICE} in use."
    exit 1
fi
setup_loops
fsck -t ext2 -C -f -y ${TOPLOOP}
echo "Done."
pull_down 0;;


-h) help ;;

*)
echo "Unknown option $1. Try tripl -h"; exit 1 ;;

esac

exit 0





8:00? 8:25? 8:40? Find a flick in no time
with theYahoo! Search movie showtime shortcut.


Never Miss an Email
Stay connected with Yahoo! Mail on your mobile. Get started!

[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux