-rwxr-xr-xgpgsecure.sh70
1 files changed, 62 insertions, 8 deletions
diff --git a/gpgsecure.sh b/gpgsecure.sh
index 261d046..3d0628a 100755
--- a/gpgsecure.sh
+++ b/gpgsecure.sh
@@ -24,7 +24,9 @@ trap shutdown SIGINT SIGTERM SIGKILL SIGQUIT SIGHUP
shutdown() {
- tar -C "${TMP}" -c . | gpg -e --recipient "${KEY}" > "${DIR}.tar.gpg"
+ gpgtar -e --recipient "${KEY}" -o "${DIR}.tar.gpg" .
+ cd - 2>/dev/null 1>/dev/null
+
# Shred all files in memory
find "${TMP}" -type f -exec shred -n 100 -f -u "{}" \;
# Delete the link
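Review bot: The exit status of the new `gpgtar -e` call in shutdown() is never checked, yet the context lines right after it shred every file under `${TMP}`; if encryption fails (missing recipient key, full disk), the plaintext is destroyed and `${DIR}.tar.gpg` may be left incomplete. Guard the destructive step, for example `gpgtar -e --recipient "${KEY}" -o "${DIR}.tar.gpg" . || { printf 'ERROR: final encryption failed, plaintext kept in %s\n' "${TMP}" >&2; return 1; }`. The call archives `.`, so it also depends on the working directory still being `${TMP}` from writeback's `cd`; whether that holds for every caller of shutdown() is not visible here. shutdown()'s body continues outside the hunk.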
@@ -38,16 +40,51 @@ shutdown() {
writeback() {
trap shutdown SIGINT SIGTERM SIGKILL SIGQUIT SIGHUP
- # Sync back to disk every 10 seconds
+ local tmp # Temp file in memory to write re-encrypted container to. This is
+ # used for faster writebacks to storage for bigger containers.
+ # This also protects data, bigger containers take longer to write
+ # to storage, leaving a bigger window for data corruption.
+ local sleep=20
+ local perms # Permissions of the dest encrypted file. Used for setting perms
+ # on temp archive to avoid overwriting permissions on move
+
+ # Read dest archive permissions, if it exists, else set to 700
+ if [ -f "${DIR}.tar.gpg" ]; then
+ perms=$(stat -c %a "${DIR}.tar.gpg")
+ else
+ perms=700
+ fi
+
+ cd "${TMP}"
+
+ # Sync back to disk every ${sleep} seconds
while [ 0 ]; do
- #printf '%s Syncing back to encrypted storage\n' "$(date '+%F %T')"
- tar -C "${TMP}" -c . | gpg -e --recipient "${KEY}" > "${DIR}.tar.gpg"
+ # Create temp archive for writing back so we don't risk corrupting the
+ # actual destination archive in case of crash. Protect with 700 perms.
+ tmp="$(mktemp /tmp/XXXXXXXXXXXX)"
+ chmod 700 "${tmp}"
+
+ # Write encrypted archive to temp file
+ gpgtar -e --recipient "${KEY}" -o "${tmp}" .
+ if [ $? -gt 0 ]; then
+ printf 'WARNING: Something went wrong syncing back to encrypted storage\n'
+ printf 'Your data is likely in danger.\n'
+ printf 'If you see this message more than once, take a manual backup\n'
+ fi
+
+ # Update perms of temp file to match destination archive so we don't
+ # overwrite those of the destination archive on move
+ # TODO: This is a split second of permissions danger. We should find a way
+ # to remediate this. Set perms on dest archive *after* move instead?
+ chmod "${perms}" "${tmp}"
+ mv "${tmp}" "${DIR}.tar.gpg"
if [ $? -gt 0 ]; then
printf 'WARNING: Something went wrong syncing back to encrypted storage\n'
printf 'Your data is likely in danger.\n'
printf 'If you see this message more than once, take a manual backup\n'
fi
- sleep 20 &
+
+ sleep ${sleep} &
wait $!
done
}
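Review bot: When `gpgtar` fails in writeback(), the warning is printed but the `chmod`/`mv` below still run, so a partial or empty temp file replaces the last good `${DIR}.tar.gpg`; the move should happen only on success and the failed temp file should be removed. Separately, the temp file is created under `/tmp`, and if that is a different filesystem from the destination (the comment describes it as in-memory) `mv` falls back to copy-and-delete rather than an atomic rename, which leaves the corruption window this change is meant to close; staging the final step next to the destination, e.g. `mktemp "${DIR}.tar.gpg.XXXXXX"`, would avoid that. `mktemp` already creates the file owner-only, so `chmod 700` only adds an execute bit, and the warnings would be better sent to stderr.

```shell
    tmp="$(mktemp /tmp/XXXXXXXXXXXX)"
    # … unchanged: chmod of the temp file …

    # Only replace the destination when the encrypted archive was written
    if gpgtar -e --recipient "${KEY}" -o "${tmp}" .; then
      chmod "${perms}" "${tmp}"
      mv "${tmp}" "${DIR}.tar.gpg"
      # … unchanged: warning block on mv failure …
    else
      # … unchanged: three warning printf lines, redirected to >&2 …
      rm -f -- "${tmp}"   # never move a failed write over the last good archive
    fi

    # … unchanged: sleep and wait …
```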
@@ -64,13 +101,13 @@ open() {
export TMP=$(mktemp -d /tmp/dec-XXXXXXXXXXXXXX)
# Link!
ln -s "${TMP}" "${dir}"
-
+
if [ ! -f "${dir}.tar.gpg" ]; then
# Tell the user if that encrypted archive does not exist.
printf 'Encrypted archive does not exist. Creating.\n'
else
# Extract the encrypted tarchive if it exists
- gpg -d "${dir}.tar.gpg" | tar -C "${TMP}" -x
+ gpgtar --decrypt --directory "${TMP}" "${dir}.tar.gpg"
fi
writeback &
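Review bot: A failed `gpgtar --decrypt` in open() (wrong key, damaged archive) is not detected, and `writeback &` on the next line then starts re-encrypting whatever is in `${TMP}`, which can overwrite the existing archive with an empty or partial tree. Stop before the writeback loop is started, for example `gpgtar --decrypt --directory "${TMP}" "${dir}.tar.gpg" || { printf 'Decryption failed, not starting writeback\n' >&2; return 1; }`, and remove the symlink and `${TMP}` on that path. open() starts and ends outside the hunk, so the exact cleanup needed is not visible here.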
@@ -129,6 +166,23 @@ close() {
}
+pathtoabs() {
+ local path="${1}"
+
+ if [ -f "${path}" ]; then
+ cd $(dirname ${path})
+ printf "%s/%s\n" "$(pwd)" "$(basename ${path})"
+ return 0
+ elif [ -d "${path}" ]; then
+ cd ${path} && pwd
+ return 0
+ elif [ ! -e "${path}" ]; then
+ printf -- "%s/%s\n" "$(pwd)" "${path}"
+ return 0
+ fi
+ return 1
+}
+
main() {
local action="${1}"
local archive="${2}"
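Review bot: The `[ ! -e "${path}" ]` branch of pathtoabs() always prepends `$(pwd)`, so an absolute path that does not exist yet (the usual case when an archive is opened and the link has not been created) comes back as `<cwd>//abs/path`, and `DIR` then points at the wrong location. The unquoted `$(dirname ${path})`, `$(basename ${path})` and `cd ${path}` also word-split and glob on paths containing spaces or wildcard characters; the call site in the main() hunk passes `${dirname}/${basename}` unquoted in the same way. The `cd` in the `-f` branch is unchecked, and the `-d` branch returns 0 even when `cd` fails. A header comment stating that the function changes directory and is meant to be called inside `$( … )` would help the next reader.

```shell
  if [ -f "${path}" ]; then
    cd -- "$(dirname -- "${path}")" || return 1
    printf '%s/%s\n' "$(pwd)" "$(basename -- "${path}")"
    return 0
  elif [ -d "${path}" ]; then
    cd -- "${path}" && pwd
    return
  elif [ ! -e "${path}" ]; then
    # An absolute path that does not exist yet must not get the cwd prepended
    case "${path}" in
      /*) printf '%s\n' "${path}" ;;
      *)  printf '%s/%s\n' "$(pwd)" "${path}" ;;
    esac
    return 0
  fi
  # … unchanged: return 1 …
```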
@@ -156,7 +210,7 @@ main() {
local dirname="$(dirname ${archive})"
local basename="$(basename ${archive})"
- export DIR="${dirname}/${basename}"
+ export DIR="$(pathtoabs ${dirname}/${basename})"
if [ "${action}" = 'open' ]; then
# Check if already open
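Review bot: `export DIR="$(pathtoabs …)"` hides the function's exit status behind `export`, so when pathtoabs() returns 1 the script continues with an empty `DIR` and every later `${DIR}.tar.gpg` resolves to `.tar.gpg` in the current directory. Assign first and export afterwards, with the argument quoted: `DIR="$(pathtoabs "${dirname}/${basename}")" || exit 1` followed by `export DIR`. The context lines `local dirname="$(dirname ${archive})"` and `local basename="$(basename ${archive})"` have the same masking and quoting pattern. main()'s body continues outside the hunk.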
