Piping output to ssss-split

Hey folks.
I'm trying to make a script that will take any file, encrypt it with a random password, and split this password into several parts, using ssss.

However, I've got the gpg-encryption to work, but I'm stuck with feeding the password from a file to ssss-strip.


Please note that this script only will be run on a live-cd, which means that nothing will ever enter the hd, only the RAM.

This is my script so far:

Code:

#!/bin/bash
### VARIABLES ###
passfile=/tmp/pass
prnt=$(cat /tmp/pass)
pass=`</dev/urandom tr -dc [:print:] | head -c42`
data=/file/to/encrypt

### Program ###

#Make password file
echo $pass>$passfile

#Use password to encrypt file ($data)
cat $passfile | gpg -c --passphrase-fd 0 $data

#Split password into 4 different secrets using ssss
????

So, I need to pass $passfile into ssss-split as th secret, but I just can't get it right.
Some suggests using expect, but I can't figure out the syntax for my task.

 

Allright, I got it now.

The following script will:
1) Make a copy of your dm-crypt headers
2) Encrypt these with GPG/AES256 using a password containg 42 psuedo-random symbols
3) Use Shamir's Secret Sharing Scheme to split this password in 4 different parts.

PLEASE NOTE:
This script will save the following: The headers, the encrypted headers, the password and the created secrets.

Therefore I strongly advise you to only use this script while using a live-cd without internet turned on, which will make sure that data is only stored in RAM, and will be gone a couple of minutes after shutdown.

USE AT OWN RISK!

Code:

#!/bin/bash

### VARIABLES ###

#Places and directories:
enc_drive=/dev/sda1
passfile=/tmp/pass
secret=/tmp/secret
data=/tmp/pass
#Random password
pass=`</dev/urandom tr -dc [:print:] | head -c42`
#Determine location of headers
header=$(cryptsetup luksDump $enc_drive | grep "Payload offset"|awk '{ print $3 }')

### Program ###

echo "Backup headers located on $enc_drive at $header:"
#Create header backup
dd if=$enc_drive of=$data bs=512 count=$header
echo "Done - Header backup stored at: $data"
#Make password file
echo $pass>$passfile
echo "Encrypting $data"
#Use password to encrypt header
cat $passfile | gpg -c --quiet --cipher-algo AES256 --passphrase-fd 0 $data
echo "Done encrypting $data"
echo "Splitting password into 4 pieces"
#Split password into 4 different secrets
cat $passfile | ssss-split -q -t 4 -n 4 > $secret
echo "Success! Secrets stored at $secret"
echo -n "Do you want to copy secrets now (y/n)? "
read -e answer
echo $answer
if [ "$answer" = "y" ];
 then
  echo -n "Enter location for the copy: "
  read -e loc
  cp $secret $loc
 else
  exit
fi

 

Very nice bash scripting there, I could learn something from you Just an idea, would be nice if it asked you first which drive (/dev/sda?).
One question though, you all do that to secure backup headers which are stored "in cleartext" on your local harddrive and which also are completely useless to any attacker, no matter if he has access to said drive or not - why?
I expected something like splitting the gpg password for a cryptsetup keyfile.

 

Well, this was sort of a task to learn how to pipe outputs. However, it should be quite easy to re-write the script to do just the same to a keyfile:

The following script will ask for a file to encrypt (keyfile or not), and ask if you want to display the secrets or just save them in a file.
Furthermore I've removed the part where the password were saved in a file, since it was unnecessary.

Instead of spamming this thread with long scripts, I've posted the script on pastebin: http://pastebin.com/ib6VBB7U

PLEASE NOTE:
If someone have all 4 secrets, they would know the password for the encryption.

USE AT OWN RISK!

 

Nice work, though I didn't test it (currently in windows).
For short passwords I'd use random instead of urandom.