@andyl
Created October 10, 2018 16:16
#!/usr/bin/env bash
# This script mounts the encrypted directory "./.encdata" on the plain-text
# directory "./data".
# It was written for use with `ledger-cli`, in response to a thread on the
# ledger mailing list.
# See https://groups.google.com/forum/#!topic/ledger-cli/7yM9GMhHqyY
# The script depends on `ecryptfs` and has been tested on Ubuntu. eCryptfs is
# a Linux kernel filesystem and `ecryptfs-utils` is packaged for other
# distributions too, but the script has only been tested on Ubuntu/Debian.
# To install there: `sudo apt install ecryptfs-utils`.
# In the encrypted directory, file contents and file names are encrypted, but
# the directory structure is preserved, and the number of files, their
# approximate sizes and their timestamps stay visible. The encrypted
# directory can be loaded into a public git repo.
# Best practice is to add the `data` directory to your `.gitignore` file.
# As originally posted, the script prompted for two passwords, a 'mountphrase'
# and then a 'passphrase'. The second prompt came from mount.ecryptfs itself:
# it asks for the passphrase when it cannot open the passphrase file, and the
# file was given as `~/xkey.txt` inside a mount option, where bash does not
# tilde-expand `~`. The path is now built from $HOME, so there is one prompt.
# If you clone the git repo onto another `ecryptfs` enabled machine, anyone
# with the passphrase will be able to mount the plain-text data directory.
# With `ecryptfs` I'm not sure how to rotate passwords, or get it working with
# public keys. It would be great if this worked with a key-management service
# like Amazon KMS, to be able to centrally expire keys. I think it's possible.
# If anyone knows how to do this, I'd love to learn.
# Note on rotation: eCryptfs wraps each file's own key with the key derived
# from the mount passphrase, so changing that passphrase means rewriting every
# file (copy the data into a fresh mount made with the new passphrase).
# Ubuntu's encrypted home avoids this with a random mount passphrase that is
# wrapped by the login password (`ecryptfs-wrap-passphrase`,
# `ecryptfs-rewrap-passphrase`), so the login password can change without
# re-encrypting anything.
# When working with ledger, use the plain-text files in the `data` directory.
# After you're done working, unmount the data directory (`sudo umount data`)
# to prevent unauthorized access to plain-text files on disk. Do not write
# into `data` while it is unmounted: those files would land on disk in plain
# text and would not be encrypted into `.encdata`.
# Probably it would be better if the plain-text files were dynamically
# decrypted by the ledger IO pipeline. Beancount has a plugin-architecture
# that supports this. But lacking IO Plugins, IMO this full-directory
# encryption approach is workable.
# -----------------------------------------------------------------------------
# Fail on unset variables. `set -e` is deliberately not used: the clean-up
# umount below is expected to fail when nothing is mounted.
set -u

passfile="$HOME/xkey.txt"
# Always remove the passphrase file, even if the mount fails or is interrupted
trap 'rm -f "$passfile"' EXIT

# Create the directories if they do not exist yet
mkdir -p .encdata data
# Unmount to start from a clean state
sudo umount data 2> /dev/null

# Prompt for the mount passphrase without echoing it
echo -n "Mountphrase: "
read -rs mountphrase
echo ""

# mount.ecryptfs reads the passphrase from this file; create it readable by
# this user only (the umask in the subshell applies to the redirection)
( umask 077; echo "passphrase_passwd=${mountphrase}" > "$passfile" )

# Add the key to the user keyring. The helper's last output line looks like:
# "Inserted auth tok with sig [0123456789abcdef] into the user session keyring"
out=$(printf "%s" "${mountphrase}" | ecryptfs-add-passphrase -)
unset mountphrase
# Get the 16-hex-digit signature from between the square brackets
sig=$(printf '%s\n' "$out" | tail -1 | sed -n 's/.*\[\([0-9a-f]\{16\}\)\].*/\1/p')
if [[ -z "$sig" ]]; then
    echo "FAIL: no key signature in ecryptfs-add-passphrase output" >&2
    exit 1
fi

# Now perform the mount. The passphrase file path must be absolute: `~` is not
# tilde-expanded inside a mount option word, so `~/xkey.txt` would be passed
# literally and mount.ecryptfs would fall back to prompting for the passphrase.
sudo mount -t ecryptfs -o "key=passphrase_passwd_file=${passfile},no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename=y,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=${sig},ecryptfs_sig=${sig},ecryptfs_unlink_sigs" .encdata data

# Check that the mount is actually in place rather than counting files:
# a freshly created, still empty store is a successful mount too
if mountpoint -q data; then
    echo "SUCCESS"
else
    echo "FAIL"
    sudo umount data 2> /dev/null
fi
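The header above names two ways this setup can leak plain text: writing into `data` while it is unmounted, and committing `data` (or a stray plain file in `.encdata`) to the public repo. The following checks are an added example, not part of the gist, meant to run before a commit or after unmounting. They assume the gist's layout (`.encdata`, `data`, `.gitignore` side by side) and rely on the fact that eCryptfs, with filename encryption enabled, stores every file and directory in the lower directory under a name starting with `ECRYPTFS_FNEK_ENCRYPTED.`; the function names and the sample files in the usage note are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): pre-commit / post-unmount sanity checks
# for an eCryptfs-backed ledger directory. Assumes the layout of the mount
# script: encrypted lower dir .encdata, plain-text mount point data, and a
# .gitignore in the same directory.
set -u

# Names eCryptfs writes to the lower directory when filename encryption is on
# carry this prefix; anything else in .encdata is plain text.
readonly FNEK_PREFIX="ECRYPTFS_FNEK_ENCRYPTED."

# True if the .gitignore at $1 excludes the directory $2 (default "data").
# Only the exact-line forms data, data/, /data and /data/ are recognised;
# `git check-ignore -q data` is the authoritative check when git is available.
gitignore_covers() {
    local ignore_file=$1 dir=${2:-data}
    [ -f "$ignore_file" ] || return 1
    grep -qxE "/?${dir}/?" "$ignore_file"
}

# True if $1 is a mount point: use mountpoint(1) when present, otherwise
# compare the device numbers of the directory and its parent (GNU stat).
is_mountpoint() {
    local dir=$1
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$dir"
    else
        [ "$(stat -c %d "$dir")" != "$(stat -c %d "$dir/..")" ]
    fi
}

# List entries under the encrypted directory $1 whose names are not
# eCryptfs-encrypted; they would be committed in plain text. Returns 1 if any
# are found, 0 if the lower directory is clean (or does not exist yet).
unencrypted_names() {
    local encdir=$1 bad
    [ -d "$encdir" ] || return 0
    bad=$(find "$encdir" -mindepth 1 ! -name "${FNEK_PREFIX}*")
    if [ -n "$bad" ]; then
        printf 'plain-text names in %s:\n%s\n' "$encdir" "$bad"
        return 1
    fi
    return 0
}

# True (0) when plain text is sitting on disk: $1 is not mounted but contains
# entries, which is what happens when files are written into data while the
# eCryptfs mount is down.
plaintext_exposed() {
    local plaindir=$1
    [ -d "$plaindir" ] || return 1
    is_mountpoint "$plaindir" && return 1
    [ -n "$(ls -A "$plaindir")" ]
}

# Run all three checks against a repository root; returns 0 only if all pass.
check_repo() {
    local root=$1 rc=0
    gitignore_covers "$root/.gitignore" data || { echo "data is not in .gitignore"; rc=1; }
    unencrypted_names "$root/.encdata" || rc=1
    if plaintext_exposed "$root/data"; then
        echo "data contains files but is not mounted: plain text on disk"
        rc=1
    fi
    return "$rc"
}

# Usage: ./check.sh /path/to/ledger-repo
if [ "${1:-}" ]; then
    check_repo "$1"
fi
```

Run it with the repository root as the only argument; a non-zero exit means one of the three conditions holds and the output says which. Wiring `check_repo` into a git pre-commit hook blocks the commit that would otherwise publish the plain files.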