Piping output to ssss-split

Discussion in 'all things UNIX' started by raspb3rry, Nov 23, 2010.

Thread Status:
Not open for further replies.
  1. raspb3rry (Registered Member, joined Jun 8, 2010, 37 posts)
    Hey folks.
    I'm trying to make a script that will take any file, encrypt it with a random password, and split this password into several parts, using ssss.

    I've got the gpg encryption to work, but I'm stuck with feeding the password from a file to ssss-split.


    Please note that this script will only be run on a live CD, which means that nothing will ever be written to the hard disk, only to RAM.

    This is my script so far:
    Code:
    #!/bin/bash
    ### VARIABLES ###
    passfile=/tmp/pass
    # Quote the class: an unquoted [:print:] is a shell glob that can match a
    # file named p, r, i, n, t or : in the current directory
    pass=$(</dev/urandom tr -dc '[:print:]' | head -c42)
    data=/file/to/encrypt
    
    ### Program ###
    
    #Password file readable by the owner only
    umask 077
    #Make password file (printf keeps spaces and backslashes intact; echo may not)
    printf '%s\n' "$pass" > "$passfile"
    
    #Use password to encrypt file ($data)
    cat "$passfile" | gpg -c --passphrase-fd 0 "$data"
    
    #Split password into 4 different secrets using ssss
    ????
    
    So, I need to pass $passfile into ssss-split as the secret, but I just can't get it right.
    Some suggest using expect, but I can't figure out the syntax for my task.
     
  2. raspb3rry (Registered Member, joined Jun 8, 2010, 37 posts)
    All right, I got it now.

    The following script will:
    1) Make a copy of your dm-crypt headers
    2) Encrypt these with GPG/AES256 using a password containing 42 pseudo-random symbols
    3) Use Shamir's Secret Sharing Scheme to split this password into 4 different parts.

    PLEASE NOTE:
    This script will save the following: The headers, the encrypted headers, the password and the created secrets.

    Therefore I strongly advise you to only use this script while using a live-cd without internet turned on, which will make sure that data is only stored in RAM, and will be gone a couple of minutes after shutdown.

    USE AT OWN RISK!

    Code:
    #!/bin/bash
    
    ### VARIABLES ###
    
    #Places and directories:
    enc_drive=/dev/sda1
    passfile=/tmp/pass
    secret=/tmp/secret
    #The header copy must not share a path with the password file: the
    #original script had data=/tmp/pass, so writing the password overwrote
    #the header backup before it was encrypted
    data=/tmp/header
    #Random password (class quoted so the shell does not treat it as a glob)
    pass=$(</dev/urandom tr -dc '[:print:]' | head -c42)
    #Determine location of headers (LUKS payload offset, counted in 512-byte sectors)
    header=$(cryptsetup luksDump "$enc_drive" | grep "Payload offset" | awk '{ print $3 }')
    
    ### Program ###
    
    #luksDump and dd on the raw device need root
    if [ "$(id -u)" -ne 0 ]; then
      echo "This script must be run as root" >&2
      exit 1
    fi
    if [ -z "$header" ]; then
      echo "Could not read the payload offset from $enc_drive" >&2
      exit 1
    fi
    #Everything created below is readable by the owner only
    umask 077
    echo "Backup headers located on $enc_drive at $header:"
    #Create header backup
    dd if="$enc_drive" of="$data" bs=512 count="$header"
    echo "Done - Header backup stored at: $data"
    #Make password file (printf keeps spaces and backslashes intact; echo may not)
    printf '%s\n' "$pass" > "$passfile"
    echo "Encrypting $data"
    #Use password to encrypt header (gpg writes $data.gpg)
    cat "$passfile" | gpg -c --quiet --cipher-algo AES256 --passphrase-fd 0 "$data"
    echo "Done encrypting $data"
    echo "Splitting password into 4 pieces"
    #Split password into 4 different secrets (-t 4 -n 4: all four are needed to recover it)
    cat "$passfile" | ssss-split -q -t 4 -n 4 > "$secret"
    echo "Success! Secrets stored at $secret"
    echo -n "Do you want to copy secrets now (y/n)? "
    read -e answer
    if [ "$answer" = "y" ]; then
      echo -n "Enter location for the copy: "
      read -e loc
      cp "$secret" "$loc"
    fi
    
     
  3. katio (Guest)

    Very nice bash scripting there, I could learn something from you :p Just an idea, it would be nice if it asked you first which drive (/dev/sda?).
    One question though: you do all that to secure backup headers which are stored "in cleartext" on your local hard drive and which also are completely useless to any attacker, whether he has access to said drive or not. Why?
    I expected something like splitting the gpg password for a cryptsetup keyfile.
     
  4. raspb3rry (Registered Member, joined Jun 8, 2010, 37 posts)
    Well, this was sort of a task to learn how to pipe outputs. However, it should be quite easy to re-write the script to do just the same to a keyfile:

    The following script will ask for a file to encrypt (keyfile or not), and ask if you want to display the secrets or just save them in a file.
    Furthermore I've removed the part where the password was saved in a file, since it was unnecessary.

    Instead of spamming this thread with long scripts, I've posted the script on pastebin: http://pastebin.com/ib6VBB7U

    PLEASE NOTE:
    If someone has all 4 secrets, they would know the password for the encryption.

    USE AT OWN RISK!
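The following Python is an added example, not the author's script and not the code of ssss itself. It implements the t-of-n Shamir splitting that `ssss-split -t ... -n ...` performs (byte by byte over GF(2^8), which is a different encoding from ssss's, so these shares cannot be fed to `ssss-combine`) so that the threshold behaviour behind the script's `-t 4 -n 4` choice and behind the note above that all four secrets reveal the password can be checked offline: with t = n = 4 every share is required, so losing any one of them means the passphrase is gone for good; with t = 3 and n = 5, any three shares recover it and two reveal nothing. The passphrase in `demo()` is a constructed sample.

```python
"""Shamir secret sharing over GF(2^8), byte by byte.

Added example: not ssss's code, and its shares are not compatible with
ssss-combine; it only shows the threshold behaviour the scripts above
rely on. The passphrase in demo() is a constructed sample.
"""
import secrets
from itertools import combinations


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the multiplicative group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, e = 1, a
    for _ in range(7):          # e runs through a^2, a^4, ..., a^128
        e = gf_mul(e, e)
        r = gf_mul(r, e)        # r = a^(2+4+...+128) = a^254
    return r


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(secret: bytes, t: int, n: int):
    """Return n shares (x, bytes); any t of them recover `secret`, fewer reveal nothing.

    For every secret byte a fresh random polynomial of degree t-1 is drawn with the
    byte as constant term; share x holds the polynomial's value at x. x = 0 is
    never used as a share index because f(0) is the secret itself.
    """
    if not 1 <= t <= n <= 255:
        raise ValueError("need 1 <= t <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for b in secret:
        coeffs = [b] + [secrets.randbelow(256) for _ in range(t - 1)]
        for x, buf in shares:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in shares]


def combine(shares) -> bytes:
    """Lagrange-interpolate f(0) from the given shares.

    With at least t distinct shares this is the secret. With fewer it is some
    unrelated value and nothing signals the error, which is why -t must be
    chosen so that the shares you can realistically keep are enough.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            # Lagrange basis at 0: prod_{m != j} x_m / (x_m - x_j); in characteristic 2, minus is xor
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> dict:
    """Compare the script's 4-of-4 split with a 3-of-5 split."""
    passphrase = b"correct horse battery staple"   # constructed sample, not a real password
    four_of_four = split(passphrase, t=4, n=4)
    three_of_five = split(passphrase, t=3, n=5)
    return {
        "all_four": combine(four_of_four) == passphrase,
        # lose any single share of a 4-of-4 split and the passphrase is unrecoverable
        "three_of_four": combine(four_of_four[:3]) == passphrase,
        # any three of five recover it ...
        "any_three_of_five": all(combine(list(c)) == passphrase
                                 for c in combinations(three_of_five, 3)),
        # ... and two of five do not
        "two_of_five": combine(three_of_five[:2]) == passphrase,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'recovered' if ok else 'not recovered'}")
```

The design choice worth taking from this back to the script: `combine` gives no error when handed too few shares, it simply returns garbage, so a 4-of-4 split turns every share into a single point of failure. For a backup of encryption material a threshold below n (3-of-5, say) keeps the "no single holder knows the password" property while surviving the loss of a share or two.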
     
  5. katio (Guest)

    Nice work, though I didn't test it (currently in windows).
    For short passwords I'd use random instead of urandom.
     