```bash
#!/usr/bin/env bash
# This script mounts the encrypted directory "./.encdata" on the plain-text
# directory "./data".
# It was written for use with `ledger-cli`, in response to a thread on the
# ledger mailing list.
# See https://groups.google.com/forum/#!topic/ledger-cli/7yM9GMhHqyY
# The script depends on `ecryptfs` (and on `tree` for the final check) and has
# been tested on Ubuntu. Probably `ecryptfs` does not work on non-debian
# systems. To install on ubuntu/debian: `sudo apt install ecryptfs-utils`.
# In the encrypted directory, file contents and file names are
# encrypted, but directory structure is preserved. The encrypted
# directory can be loaded into a public git repo.
# Best practice is to add the `data` directory to your `.gitignore` file.
# The script prompts for two passwords - the 'mountphrase' and the
# 'passphrase'. If I had more time I'd figure out what is the
# difference between the two, and reduce it to a single password.
# Any tips appreciated!
# If you clone the git repo onto another `ecryptfs` enabled machine, anyone
# with the passwords will be able to mount the plain-text data directory.
# With `ecryptfs` I'm not sure how to rotate passwords, or get it working with
# public keys. It would be great if this worked with a key-management service
# like Amazon KMS, to be able to centrally expire keys. I think it's possible.
# If anyone knows how to do this, I'd love to learn.
# When working with ledger, use the plain-text files in the `data` directory.
# After you're done working, unmount the data directory to prevent unauthorized
# access to plain-text files on disk.
# Probably it would be better if the plain-text files were dynamically
# decrypted by the ledger IO pipeline. Beancount has a plugin-architecture
# that supports this. But lacking IO Plugins, IMO this full-directory
# encryption approach is workable.
# -----------------------------------------------------------------------------
set -u

# Create directory to start from a clean state
mkdir -p data
# Unmount to start from a clean state (fails harmlessly if nothing is mounted)
sudo umount data 2> /dev/null

# Prompt for mountphrase without echoing it to the terminal
echo -n "Mountphrase: "
read -rs mountphrase
echo ""

# Write the passphrase file with mode 0600 (mktemp creates it that way) and
# remove it when the script exits for any reason, so it never lingers on disk.
keyfile=$(mktemp "${HOME}/xkey.XXXXXX")
trap 'rm -f "${keyfile}"' EXIT
printf 'passphrase_passwd=%s\n' "${mountphrase}" > "${keyfile}"

# Add tokens into the user session keyring and get the signature from the
# output; the last line reads
# "Inserted auth tok with sig [<sig>] into the user session keyring".
sig=$(printf "%s" "${mountphrase}" | ecryptfs-add-passphrase - | tail -1 | awk '{print $6}' | tr -d '[]')
unset mountphrase

# Now perform the mount. The key file path is given in full because a tilde
# inside the option string would not be expanded by the shell.
sudo mount -t ecryptfs -o "key=passphrase_passwd_file=${keyfile},no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename=y,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=${sig},ecryptfs_sig=${sig},ecryptfs_unlink_sigs" .encdata data

# A successful mount lists more than the bare "data" line; otherwise unmount
# again so an empty or unusable mount is not left behind.
count=$(tree -i --noreport data | wc -l)
if [[ "$count" != "1" ]]; then
  echo "SUCCESS ($count)"
else
  echo "FAIL"
  sudo umount data 2> /dev/null
fi
```
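A pre-commit guard for the workflow the comments describe (keep `data` in `.gitignore`, unmount before committing), added here as an example and not part of the gist. It takes the `.gitignore` path, a file in `/proc/mounts` format and the absolute path of the plain-text directory as arguments so it can be exercised against constructed inputs; the function names are my own.

```bash
#!/usr/bin/env bash
# Guard checks for a repo that commits ".encdata" but must never commit the
# plain-text "data" directory. The inputs are passed as arguments so the same
# functions run against real files (.gitignore, /proc/mounts) or test fixtures.

# gitignore_covers_data IGNORE_FILE
# Returns 0 when IGNORE_FILE contains a pattern for the "data" directory
# (accepts "data", "data/", "/data" and "/data/").
gitignore_covers_data() {
  local ignore_file="$1"
  [ -f "$ignore_file" ] || return 1
  grep -Eq '^/?data/?$' "$ignore_file"
}

# data_is_mounted MOUNTS_FILE ABS_DIR
# Returns 0 when ABS_DIR is listed as an ecryptfs mount point in MOUNTS_FILE,
# whose lines follow the /proc/mounts layout: device mountpoint fstype ...
data_is_mounted() {
  local mounts_file="$1" dir="$2"
  awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts_file"
}

# precommit_check IGNORE_FILE MOUNTS_FILE ABS_DIR
# Prints one line per problem; returns non-zero if committing would be unsafe.
precommit_check() {
  local ignore_file="$1" mounts_file="$2" dir="$3" rc=0
  if ! gitignore_covers_data "$ignore_file"; then
    echo "refusing: plain-text 'data' directory is not in .gitignore"
    rc=1
  fi
  if data_is_mounted "$mounts_file" "$dir"; then
    echo "refusing: plain-text directory $dir is still mounted; unmount first"
    rc=1
  fi
  return "$rc"
}
```

In a real hook, call `precommit_check .gitignore /proc/mounts "$(pwd)/data"` from `.git/hooks/pre-commit` and let its exit status block the commit.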