From f03e699362526cc37380b9d6e410bc19da5e8d54 Mon Sep 17 00:00:00 2001 From: Thomas Heller Date: Sun, 31 Oct 2021 19:43:06 +0100 Subject: [PATCH 1/2] Add nc-luks-close, nc-luks-format, nc-luks-open --- bin/ncp/TOOLS/nc-luks-close.sh | 64 +++++++++++++++++++++ bin/ncp/TOOLS/nc-luks-format.sh | 87 +++++++++++++++++++++++++++++ bin/ncp/TOOLS/nc-luks-open.sh | 61 ++++++++++++++++++++ build/build-SD-rpi.sh | 5 ++ etc/ncp-config.d/nc-luks-close.cfg | 17 ++++++ etc/ncp-config.d/nc-luks-format.cfg | 35 ++++++++++++ etc/ncp-config.d/nc-luks-open.cfg | 23 ++++++++ 7 files changed, 292 insertions(+) create mode 100644 bin/ncp/TOOLS/nc-luks-close.sh create mode 100644 bin/ncp/TOOLS/nc-luks-format.sh create mode 100644 bin/ncp/TOOLS/nc-luks-open.sh create mode 100644 etc/ncp-config.d/nc-luks-close.cfg create mode 100644 etc/ncp-config.d/nc-luks-format.cfg create mode 100644 etc/ncp-config.d/nc-luks-open.cfg diff --git a/bin/ncp/TOOLS/nc-luks-close.sh b/bin/ncp/TOOLS/nc-luks-close.sh new file mode 100644 index 000000000..a42a51413 --- /dev/null +++ b/bin/ncp/TOOLS/nc-luks-close.sh 
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Unmount and close external USB drive encrypted by LUKS
+#
+# Copyleft 2021 by Thomas Heller
+# Copyleft 2017 by Ignacio Nunez Hernanz
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# More at: https://ownyourbits.com
+#
+
+configure()
+{
+ [[ "$DEV" == "" ]] && {
+ echo "error: please specify device"
+ return 1
+ }
+
+ if [[ ! -e /media/USBdrive ]]; then
+ echo "notice: /media/USBdrive is not yet mounted -- no need to unmount"
+ else
+ echo "unmounting /media/USBdrive ..."
+
+ umount /media/USBdrive || {
+ echo "unmount failed"
+ return 2
+ }
+ fi
+
+ echo "closing LUKS mapping ..."
+
+ cryptsetup close nc || {
+ echo "cryptsetup close failed"
+ return 3
+ }
+
+ echo "ejecting $DEV ..."
+
+ eject "$DEV" || {
+ echo "eject failed"
+ return 4
+ }
+
+ echo "successfully unmounted $DEV"
+}
+
+install() { :; }
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA 02111-1307 USA
diff --git a/bin/ncp/TOOLS/nc-luks-format.sh b/bin/ncp/TOOLS/nc-luks-format.sh
new file mode 100644
index 000000000..36993d2c6
--- /dev/null
+++ b/bin/ncp/TOOLS/nc-luks-format.sh
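Review bot: The mount test in configure() is `[[ ! -e /media/USBdrive ]]`, which only asks whether the path exists, so if the path outlives the mount (a leftover directory, for instance) the script goes into `umount`, fails, and returns 2 before `cryptsetup close nc` is reached. The decrypted mapping then stays open even though the user asked to close it. Testing the mount itself, `if ! mountpoint -q /media/USBdrive; then`, would let the close step run in that case. Unlike the format and open scripts, this one also hands `$DEV` to `eject` without the `[[ ! -b "$DEV" ]]` check.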
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# Format external USB drive for encryption by LUKS (dangerous)
+#
+# Copyleft 2021 by Thomas Heller
+# Copyleft 2017 by Ignacio Nunez Hernanz
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# More at: https://ownyourbits.com
+#
+
+configure()
+{
+ [[ "$DEV" == "" ]] && {
+ echo "error: please specify device"
+ return 1
+ }
+
+ [[ "$DEVICE_LABEL" == "" ]] && {
+ echo "error: please specify device label"
+ return 2
+ }
+
+ [[ "$PARTITION_LABEL" == "" ]] && {
+ echo "error: please specify partition label"
+ return 3
+ }
+
+ [[ "$PASS" == "" ]] && {
+ echo "error: please specify password"
+ return 4
+ }
+
+ [[ ! -b "$DEV" ]] && {
+ echo "error: $DEV is not a block device"
+ return 5
+ }
+
+ if [[ -e /media/USBdrive ]]; then
+ echo "warning: device may be currently mounted"
+ echo "consider deactivating nc-automount or unmounting with nc-luks-close before formatting!"
+ fi
+
+ echo "formatting LUKS device $DEV ..."
+
+ echo -n "$PASS" | cryptsetup luksFormat "$DEV" --label "$DEVICE_LABEL" -d - || {
+ echo "error: cryptsetup format failed"
+ return 6
+ }
+
+ echo "successfully formatted $DEV"
+
+ echo "opening LUKS device $DEV ..."
+
+ echo -n "$PASS" | cryptsetup open --type luks -d - "$DEV" nc || {
+ echo "error: cryptsetup open failed"
+ return 7
+ }
+
+ mkfs.btrfs -q /dev/mapper/nc -f -L "$PARTITION_LABEL" || {
+ echo "error: mkfs.btrfs failed"
+ return 8
+ }
+
+ echo "BTRFS file system successfully created on $DEV"
+
+ echo "notice: consider enabling nc-automount to mount the device if you haven't already done so"
+}
+
+install() { :; }
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA 02111-1307 USA
diff --git a/bin/ncp/TOOLS/nc-luks-open.sh b/bin/ncp/TOOLS/nc-luks-open.sh
new file mode 100644
index 000000000..118d81e47
--- /dev/null
+++ b/bin/ncp/TOOLS/nc-luks-open.sh
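Review bot: Nothing ahead of `cryptsetup luksFormat` checks that the fixed mapping name `nc` is free, so when another volume is already open under that name the header on `$DEV` is overwritten first and the following `cryptsetup open ... nc` would then fail at return 7 with no filesystem created. The only pre-flight for an in-use drive is the `/media/USBdrive` test, which prints a warning and carries on. A guard placed before the format step, `[[ -e /dev/mapper/nc ]] && { echo "error: LUKS mapping nc is already open"; return 9; }`, keeps the destructive call behind every check that can fail. On the `mkfs.btrfs` failure path (return 8) the mapping is also left open; a `cryptsetup close nc` there would avoid leaving the new volume unlocked.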
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Mount external USB drive encrypted by LUKS
+#
+# Copyleft 2021 by Thomas Heller
+# Copyleft 2017 by Ignacio Nunez Hernanz
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# More at: https://ownyourbits.com
+#
+
+configure()
+{
+ [[ -e /dev/mapper/nc ]] && {
+ echo "encrypted device is already opened"
+ return 0
+ }
+
+ [[ "$DEV" == "" ]] && {
+ echo "error: please specify device"
+ return 1
+ }
+
+ [[ "$PASS" == "" ]] && {
+ echo "error: please specify password"
+ return 2
+ }
+
+ [[ ! -b "$DEV" ]] && {
+ echo "error: $DEV is not a block device"
+ return 3
+ }
+
+ echo "opening LUKS device $DEV ..."
+
+ echo -n "$PASS" | cryptsetup open --type luks -d - "$DEV" nc || {
+ echo "error: cryptsetup open failed"
+ return 4
+ }
+
+ echo "successfully opened $DEV"
+}
+
+install() { :; }
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA 02111-1307 USA
diff --git a/build/build-SD-rpi.sh b/build/build-SD-rpi.sh
index a9f2b18b8..688d82fe8 100755
--- a/build/build-SD-rpi.sh
+++ b/build/build-SD-rpi.sh
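Review bot: The passphrase is fed to cryptsetup with `echo -n "$PASS"`, and bash's `echo` treats a value made only of its own option letters (for example `-n` or `-e`) as a flag, so such a password would reach `cryptsetup open` as an empty key. `printf '%s' "$PASS" | cryptsetup open --type luks -d - "$DEV" nc` passes the bytes through unchanged. The same pipeline appears twice in nc-luks-format.sh (the `luksFormat` and `open` calls), where a mangled passphrase would be written into the new header.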
@@ -72,6 +72,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ apt-get install -y --no-install-recommends haveged systemctl enable haveged.service + # install cryptsetup for LUKS support + # depmod seems to be broken on Raspbian? + # reboot is required to load the required dm_mod kernel module + apt-get install -y cryptsetup + # harden SSH further for Raspbian sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config diff --git a/etc/ncp-config.d/nc-luks-close.cfg b/etc/ncp-config.d/nc-luks-close.cfg new file mode 100644 index 000000000..378849eeb --- /dev/null +++ b/etc/ncp-config.d/nc-luks-close.cfg @@ -0,0 +1,17 @@ +{ + "id": "nc-luks-close", + "name": "nc-luks-close", + "title": "nc-luks-close", + "description": "Unmount and close external USB drive encrypted by LUKS", + "info": "Note that if you moved the Nextcloud database to the USB drive using nc-database, you need to move it back to the default location or stop the database service manually before you can unmount the USB drive.", + "infotitle": "", + "params": [ + { + "id": "DEV", + "name": "Device", + "value": "/dev/sda1", + "suggest": "/dev/sda1", + "type": "file" + } + ] +} diff --git a/etc/ncp-config.d/nc-luks-format.cfg b/etc/ncp-config.d/nc-luks-format.cfg new file mode 100644 index 000000000..69f99a1cb --- /dev/null +++ b/etc/ncp-config.d/nc-luks-format.cfg 
@@ -0,0 +1,35 @@
+{
+ "id": "nc-luks-format",
+ "name": "nc-luks-format",
+ "title": "nc-luks-format",
+ "description": "Format external USB drive for encryption by LUKS (dangerous)",
+ "info": "Make sure that ONLY the USB drive that you want to format is plugged in.\ncareful, this will destroy any data in the USB drive\n\n** YOU WILL LOSE ALL YOUR USB DATA **\n\nThe password is required to retrieve the data later on!\nNOTE: The password is NOT stored here for security reasons!",
+ "infotitle": "",
+ "params": [
+ {
+ "id": "DEV",
+ "name": "Device",
+ "value": "/dev/sda1",
+ "suggest": "/dev/sda1",
+ "type": "file"
+ },
+ {
+ "id": "DEVICE_LABEL",
+ "name": "Device label",
+ "value": "myCloudDrive",
+ "suggest": "myCloudDrive"
+ },
+ {
+ "id": "PARTITION_LABEL",
+ "name": "Partition label",
+ "value": "myCloudDrive",
+ "suggest": "myCloudDrive"
+ },
+ {
+ "id": "PASS",
+ "name": "Password",
+ "suggest": "LUKS password",
+ "type": "password"
+ }
+ ]
+}
diff --git a/etc/ncp-config.d/nc-luks-open.cfg b/etc/ncp-config.d/nc-luks-open.cfg
new file mode 100644
index 000000000..512307504
--- /dev/null
+++ b/etc/ncp-config.d/nc-luks-open.cfg
@@ -0,0 +1,23 @@
+{
+ "id": "nc-luks-open",
+ "name": "nc-luks-open",
+ "title": "nc-luks-open",
+ "description": "Mount external USB drive encrypted by LUKS",
+ "info": "Note that this step needs to be repeated after every reboot.\nThe password is NOT stored for security reasons.",
+ "infotitle": "",
+ "params": [
+ {
+ "id": "DEV",
+ "name": "Device",
+ "value": "/dev/sda1",
+ "suggest": "/dev/sda1",
+ "type": "file"
+ },
+ {
+ "id": "PASS",
+ "name": "Password",
+ "suggest": "LUKS password",
+ "type": "password"
+ }
+ ]
+}
From b5bd9e6ba0e554e97f5a52c4f834443355b04e1f Mon Sep 17 00:00:00 2001
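Review bot: Both `info` strings promise that the password is not stored, but nothing in these files enforces that; the `PASS` entries merely omit a `value` key. Whether the configuration front end writes submitted parameters back into the `.cfg` files is not visible in this patch, so that path should be confirmed (and the field kept out of persistence and logs) before the claim is shown to users. In nc-luks-format.cfg the pre-filled `"value": "/dev/sda1"` on a destructive action also deserves a second look: on a system booted from USB that node may not be the external drive, and an empty default would force an explicit choice.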
From: Thomas Heller Date: Tue, 2 Nov 2021 19:43:44 +0100 Subject: [PATCH 2/2] Fix install for nc-luks-close, nc-luks-format, nc-luks-open --- bin/ncp/TOOLS/nc-luks-close.sh | 8 ++++++-- bin/ncp/TOOLS/nc-luks-format.sh | 8 ++++++-- bin/ncp/TOOLS/nc-luks-open.sh | 8 ++++++-- build/build-SD-rpi.sh | 5 ----- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/bin/ncp/TOOLS/nc-luks-close.sh b/bin/ncp/TOOLS/nc-luks-close.sh index a42a51413..46eaa2d75 100644 --- a/bin/ncp/TOOLS/nc-luks-close.sh +++ b/bin/ncp/TOOLS/nc-luks-close.sh @@ -9,6 +9,12 @@ # More at: https://ownyourbits.com # +install() +{ + apt-get install -y cryptsetup + modprobe dm_mod +} + configure() { [[ "$DEV" == "" ]] && { @@ -44,8 +50,6 @@ configure() echo "successfully unmounted $DEV" } -install() { :; } - # License # # This script is free software; you can redistribute it and/or modify it diff --git a/bin/ncp/TOOLS/nc-luks-format.sh b/bin/ncp/TOOLS/nc-luks-format.sh index 36993d2c6..744817aef 100644 --- a/bin/ncp/TOOLS/nc-luks-format.sh +++ b/bin/ncp/TOOLS/nc-luks-format.sh @@ -9,6 +9,12 @@ # More at: https://ownyourbits.com # +install() +{ + apt-get install -y cryptsetup + modprobe dm_mod +} + configure() { [[ "$DEV" == "" ]] && { @@ -67,8 +73,6 @@ configure() echo "notice: consider enabling nc-automount to mount the device if you haven't already done so" } -install() { :; } - # License # # This script is free software; you can redistribute it and/or modify it diff --git a/bin/ncp/TOOLS/nc-luks-open.sh b/bin/ncp/TOOLS/nc-luks-open.sh index 118d81e47..d0e872e94 100644 --- a/bin/ncp/TOOLS/nc-luks-open.sh +++ b/bin/ncp/TOOLS/nc-luks-open.sh @@ -9,6 +9,12 @@ # More at: https://ownyourbits.com # +install() +{ + apt-get install -y cryptsetup + modprobe dm_mod +} + configure() { [[ -e /dev/mapper/nc ]] && { @@ -41,8 +47,6 @@ configure() echo "successfully opened $DEV" } -install() { :; } - # License # # This script is free software; you can redistribute it and/or modify it 
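Review bot: The new `install()` added to all three scripts ignores the result of `apt-get install -y cryptsetup`, so the function's status is whatever `modprobe dm_mod` returns and a failed package install can go unnoticed until `cryptsetup` is missing at configure time. `apt-get install -y --no-install-recommends cryptsetup || return 1` would also match the `--no-install-recommends` style used for haveged in build-SD-rpi.sh. `modprobe` loads the module only into the running kernel, so it does not survive a reboot and, if install() runs while an image is being built, acts on the build host's kernel; loading it from configure() or listing it under `/etc/modules-load.d/` would cover both cases. Each hunk shows only the top of its file; configure() continues outside it.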
diff --git a/build/build-SD-rpi.sh b/build/build-SD-rpi.sh index 688d82fe8..a9f2b18b8 100755 --- a/build/build-SD-rpi.sh +++ b/build/build-SD-rpi.sh @@ -72,11 +72,6 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ apt-get install -y --no-install-recommends haveged systemctl enable haveged.service - # install cryptsetup for LUKS support - # depmod seems to be broken on Raspbian? - # reboot is required to load the required dm_mod kernel module - apt-get install -y cryptsetup - # harden SSH further for Raspbian sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config