mzpqnxow/build-ecryptfs-debian-buster.sh

## build-ecryptfs-debian-buster.sh
#!/bin/bash
set -e
#
# As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
# is no longer an ecryptfs-utils in the apt repositories, removing the ability for
# a user to use ecryptfs at all, unless they build from source and manually configure
# the system
#
# Before using this, please see the status of the bugreport:
#
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
#
# Basically, Debian removed the apt package until this bug can be fixed. The problem
# was that private ecryptfs mounts were not being unmounted on logout, almost completely
# voiding the value of the functionality :<
#
# If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
# home directory encryption working
#
# This is probably a bit broader than necessary, but many of these are requirements to
# build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
# for ecryptfs-migrate-home at runtime
DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
      libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
      simple-tpm-pk11 rsync lsof build-essential"
# You can use /opt/ecryptfs or something if you don't want it in your root
# Using something other than /usr may cause issues due to assumptions made in this script!
PREFIX=/usr
apt-get update
echo -n 'Press enter to install dependencies via apt-get ...'
apt-get install $DEPS
cd /usr/src
echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
read x
# Change the link to a different version if desired, but other versions are untested
# This is the latest version as of 2019-11-24 ...
wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
# You should check the signature here, probably
tar -xvzf ecryptfs-utils_111.orig.tar.gz
cd ecryptfs-utils-111
echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
read x
./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix=/usr KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
make -j && make install
cd
echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
echo 'Step 1 - fix pam so that mounting is automated'
echo -n '  Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... '
read x
echo 'auth    required        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
echo -n '  Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... '
read x
echo 'session optional        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session
echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
echo -n '  Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
read x
chmod u+s /usr/sbin/mount.ecryptfs_private
echo 'Done. Consider the following manual steps for increased security:'
echo '  1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
echo '  2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group'
echo '  3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app'
echo
echo 'Installation and configuration complete!'
echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory'
echo 'Make sure you test to ensure things are working, this is not official documentation!'
	#!/bin/bash
	set -e
	#
	# As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
	# is no longer an ecryptfs-utils in the apt repositories, removing the ability for
	# a user to use ecryptfs at all, unless they build from source and manually configure
	# the system
	#
	# Before using this, please see the status of the bugreport:
	#
	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
	#
	# Basically, Debian removed the apt package until this bug can be fixed. The problem
	# was that private ecryptfs mounts were not being unmounted on logout, almost completely
	# voiding the value of the functionality :<
	#
	# If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
	# home directory encryption working
	#
	# This is probably a bit broader than necessary, but many of these are requirements to
	# build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
	# for ecryptfs-migrate-home at runtime
	DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
	libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
	simple-tpm-pk11 rsync lsof build-essential"
	# You can use /opt/ecryptfs or something if you don't want it in your root
	# Using something other than /usr may cause issues due to assumptions made in this script!
	PREFIX=/usr
	apt-get update
	echo -n 'Press enter to install dependencies via apt-get ...'
	apt-get install $DEPS
	cd /usr/src
	echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
	echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
	read x
	# Change the link to a different version if desired, but other versions are untested
	# This is the latest version as of 2019-11-24 ...
	wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
	# You should check the signature here, probably
	tar -xvzf ecryptfs-utils_111.orig.tar.gz
	cd ecryptfs-utils-111
	echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
	echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
	read x
	./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix=/usr KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
	make -j && make install
	cd
	echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
	echo 'Step 1 - fix pam so that mounting is automated'
	echo -n ' Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... '
	read x
	echo 'auth required pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
	echo -n ' Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... '
	read x
	echo 'session optional pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session
	echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
	echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
	echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
	echo -n ' Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
	read x
	chmod u+s /usr/sbin/mount.ecryptfs_private
	echo 'Done. Consider the following manual steps for increased security:'
	echo ' 1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
	echo ' 2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group'
	echo ' 3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app'
	echo
	echo 'Installation and configuration complete!'
	echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory'
	echo 'Make sure you test to ensure things are working, this is not official documentation!'