-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtala
executable file
·186 lines (160 loc) · 4.85 KB
/
tala
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
#!/usr/bin/env bash
#
# NAME
#
# tala - a cryptsetup wrapper
#
# SYNOPSIS
#
# tala [-h] <action> <arg>...
#
# DESCRIPTION
#
# tala is a wrapper script around cryptsetup(1) and friends to make it
# easier to create and manage LUKS containers (aka devices). Apart
# from cryptsetup(1), you will need some standard tools available in
# most GNU/Linux distributions. tala was written as an alternative to
# TrueCrypt. But note that unlike TrueCrypt, tala requires root
# privileges for all actions.
#
# ACTIONS
#
# create <container> <size>
# Create a LUKS container of given size. Size suffixes follow
# fallocate(1) conventions.
#
# key <container>
# Change the password of the given LUKS container.
#
# mount <container> <directory>
# Mount LUKS container at directory.
#
# unmount <container>
# unmount <directory>
# Unmount LUKS container mounted at directory.
#
# The actions c, k, m, and u are convenient aliases to the above
# actions. umount is an additional alias to unmount.
#
# EXAMPLES
#
# Create a 64 MB LUKS container named classified.luks
#
# tala c classified.luks 64M
#
# Mount classified.luks at /tmp/classified
#
# mkdir /tmp/classified
# tala m classified.luks /tmp/classified
#
# Unmount classified.luks
#
# tala u /tmp/classified
#
# SEE ALSO
#
# ctmg (https://git.zx2c4.com/ctmg/)
# tomb (https://www.dyne.org/software/tomb/)
#
set -eo pipefail
cipher="aes-xts-plain64" # Cipher used to encrypt the LUKS container.
hashfn="sha1" # Hash function used in LUKS key derivation.
key_size="512" # Encryption key size.
die() {
[[ "$*" ]] || set -- "usage: tala <action> <args>..."
echo >&2 "$1"
exit 1
}
check_luks_dev() {
cryptsetup isLuks "$1" &>/dev/null || die "Invalid LUKS container '${1}'"
}
get_dev_mapper() {
echo "luks-$(cryptsetup luksUUID "$1")"
}
tala_create() {
if [[ "$2" ]]
then
container="$1"
size="$2"
else
die "usage: tala create <container> <size>"
fi
[[ -e "$container" ]] && die "${container} already exists"
echo >&2 "Creating empty container at '${container}'"
fallocate --length "$size" "$container"
echo >&2 "Encrypting container '${container}'"
cryptsetup --cipher "$cipher" \
--hash "$hashfn" \
--key-size="$key_size" \
--verify-passphrase \
luksFormat "$container"
echo >&2 "Decrypting container and assigning to device mapper"
mapper=$(get_dev_mapper "$container")
cryptsetup luksOpen "$container" "$mapper"
# Use $SUDO_UID to figure out who invoked sudo. If this step isn't
# done, the user will have to change the owner of the container using
# chown -R once it's created. By default, the owner is root.
echo >&2 "Creating new filesystem on the container"
mkfs.ext4 -E root_owner="${SUDO_UID:-$(id -u)}:${SUDO_GID:-$(id -g)}" \
"/dev/mapper/${mapper}"
echo >&2 "Closing device mapper '${mapper}'"
cryptsetup luksClose "$mapper"
}
tala_key() {
if [[ "$*" ]]
then
container="$1"
check_luks_dev "$container"
else
die "usage: tala key <container>"
fi
if mount | grep -qF $(get_dev_mapper "$container")
then
echo >&2 "Unmounting ${container}"
tala_umount "$container"
fi
echo >&2 "Changing passphrase of LUKS container"
cryptsetup --verify-passphrase luksChangeKey "$container"
}
tala_mount() {
if [[ "$2" ]]
then
container="$1"
check_luks_dev "$container"
dir="$2"
[[ -d "$dir" ]] || die "'${dir}' is not a valid directory"
else
die "usage: tala mount <container> <directory>"
fi
echo >&2 "Decrypting container and assigning to device mapper"
mapper=$(get_dev_mapper "$container")
cryptsetup luksOpen "$container" "$mapper"
echo >&2 "Mounting filesystem at '${dir}'"
mount --type "ext4" "/dev/mapper/${mapper}" "$dir"
}
tala_umount() {
[[ "$*" ]] || die "usage: tala unmount <container>"
if [[ -d "$1" ]]
then
mapper=$(findmnt --noheadings --output=source --target "$1")
elif [[ -f "$1" ]]
then
check_luks_dev "$1"
mapper="/dev/mapper/$(get_dev_mapper "$1")"
fi
echo >&2 "Unmounting device mapper '${mapper}'"
umount "$mapper"
echo >&2 "Closing device mapper '${mapper}'"
cryptsetup luksClose "${mapper##*/}"
echo >&2 "Unmounting successful"
}
# Always run as root.
[[ $(id -u) -eq 0 ]] || exec sudo -- "$0" "$@"
case "$1" in
c|create) shift; tala_create "$@" ;;
k|key) shift; tala_key "$@" ;;
m|mount) shift; tala_mount "$@" ;;
u|umount|unmount) shift; tala_umount "$@" ;;
"") die ;;
*) echo >&2 "tala: unknown option: ${1}"; die ;;
esac