From 144c2a181f3c1919b7f8ab43c01eb0e35f2dd2dd Mon Sep 17 00:00:00 2001 From: "wsha.code+ga@b38779424f41c5701bbe5937340be43ff1474b2d" Date: Sat, 26 Dec 2015 12:31:13 +0000 Subject: Added a comment --- ...ent_6_ab0b660e5a3d7fc7d3d3a4b460022da5._comment | 139 +++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 doc/forum/Future_proofing___47___disaster_recovery_with_an_encrypted_special_remote/comment_6_ab0b660e5a3d7fc7d3d3a4b460022da5._comment diff --git a/doc/forum/Future_proofing___47___disaster_recovery_with_an_encrypted_special_remote/comment_6_ab0b660e5a3d7fc7d3d3a4b460022da5._comment b/doc/forum/Future_proofing___47___disaster_recovery_with_an_encrypted_special_remote/comment_6_ab0b660e5a3d7fc7d3d3a4b460022da5._comment new file mode 100644 index 000000000..eda99e459 --- /dev/null +++ b/doc/forum/Future_proofing___47___disaster_recovery_with_an_encrypted_special_remote/comment_6_ab0b660e5a3d7fc7d3d3a4b460022da5._comment @@ -0,0 +1,139 @@ +[[!comment format=mdwn + username="wsha.code+ga@b38779424f41c5701bbe5937340be43ff1474b2d" + subject="comment 6" + date="2015-12-26T12:31:13Z" + content=""" +joey, thanks for answering my questions. I have put together a bash script to check my understanding of how the different encryption methods work. The script is below. With it, I am able to generate the encrypted keys for items for `hybrid` and `shared` encrypted `directory` remotes and to decrypt items for `hybrid`, `shared`, and `pubkey` encrypted `directory` remotes (and presumably other special remotes but I tested with `directory` remotes since those were simplest). The only thing I have not been able to get to work is the generation of the encrypted item keys for `pubkey` remotes. Do you see what I am doing wrong for that case? Once I figure that out, I can make a tip entry on the wiki with the script. + + #!/usr/bin/env bash + + # args: file_path remote decrypt decrypt_path + + # For shared, pubkey, and hybrid encryption: + # 1. Take in symlink and output encrypted key + # 2. Take in path to encrypted file and print decrypted file to stdout + # + # args: -r remote [-k symlink] [-d encrypted_file_path] + + usage() { + echo \"Usage: ga_decrypt.sh -r REMOTE [-k SYMLINK] [-d FILE]\" + echo \"\" + echo \" Either lookups up key on REMOTE for annex file linked with SYMLINK\" + echo \" or decrypts FILE encrypted for REMOTE.\" + echo \"\" + echo \" -r: REMOTE is special remote to use\" + echo \" -k: SYMLINK is symlink in annex to print encrypted special remote key for\" + echo \" -d: FILE is path to special remote file to decrypt to STDOUT\" + echo \"\" + echo \"NOTES: \" + echo \" * Run in an indirect git annex repo.\" + echo \" * Must specify -k or -d.\" + echo \" * -k prints the key including the leading directory names used for a \" + echo \" directory remote (even if REMOTE is not a directory remote)\" + echo \" * -d works on a locally accessible file. It does not fetch a remote file\" + echo \" * Must have gpg and openssl\" + } + + decrypt_cipher() { + cipher=\"$1\" + echo \"$(echo -n \"$cipher\" | base64 -d | gpg --decrypt --quiet)\" + } + + lookup_key() { + encryption=\"$1\" + cipher=\"$2\" + symlink=\"$3\" + + if [ \"$encryption\" == \"hybrid\" ] || [ \"$encryption\" == \"pubkey\" ]; then + cipher=\"$(decrypt_cipher \"$cipher\")\" + fi + + # Pull out MAC cipher from beginning of cipher + if [ \"$encryption\" = \"hybrid\" ] ; then + cipher=\"$(echo -n \"$cipher\" | head -c 256 )\" + elif [ \"$encryption\" = \"shared\" ] ; then + cipher=\"$(echo -n \"$cipher\" | base64 -d | tr -d '\n' | head -c 256 )\" + elif [ \"$encryption\" = \"pubkey\" ] ; then + # ??? + : # Use entire base64 decrypted cipher + # cipher=\"$(echo -n \"$cipher\" | head -c 256 )\" + # cipher=\"$(echo -n \"$cipher\" | base64 -d | tr -d '\n' | head -c 256 )\" + # cipher=\"$(echo -n \"$cipher\" | base64 -d | tr -d '\n' )\" + fi + + annex_key=\"$(basename \"$(readlink \"$symlink\")\")\" + hash=\"$(echo -n \"$annex_key\" | openssl dgst -sha1 -hmac \"$cipher\" | sed 's/(stdin)= //')\" + key=\"GPGHMACSHA1--$hash\" + checksum=\"$(echo -n $key | md5sum)\" + echo \"${checksum:0:3}/${checksum:3:3}/$key\" + } + + decrypt_file() { + encryption=\"$1\" + cipher=\"$2\" + file_path=\"$3\" + + if [ \"$encryption\" = \"pubkey\" ] ; then + gpg --quiet --decrypt \"${file_path}\" + else + if [ \"$encryption\" = \"hybrid\" ] ; then + cipher=\"$(decrypt_cipher \"$cipher\" | tail -c +257)\" + elif [ \"$encryption\" = \"shared\" ] ; then + cipher=\"$(echo -n \"$cipher\" | base64 -d | tr -d '\n' | tail -c +257 )\" + fi + gpg --quiet --batch --passphrase \"$cipher\" --output - \"${file_path}\" + fi + } + + main() { + OPTIND=1 + + mode=\"\" + remote=\"\" + + while getopts \"r:k:d:\" opt; do + case \"$opt\" in + r) remote=\"$OPTARG\" + ;; + k) if [ -z \"$mode\" ] ; then + mode=\"lookup key\" + else + usage + exit 2 + fi + symlink=\"$OPTARG\" + ;; + d) if [ -z \"$mode\" ] ; then + mode=\"decrypt file\" + else + usage + exit 2 + fi + file_path=\"$OPTARG\" + ;; + esac + done + + if [ -z \"$mode\" ] || [ -z \"$remote\" ] ; then + usage + exit 2 + fi + + shift $((OPTIND-1)) + + # Pull out config for desired remote name + remote_config=\"$(git show git-annex:remote.log | grep 'name='\"$remote \")\" + + # Get encryption type and cipher from config + encryption=\"$(echo \"$remote_config\" | grep -oP 'encryption\=.*? ' | tr -d ' \n' | sed 's/encryption=//')\" + cipher=\"$(echo \"$remote_config\" | grep -oP 'cipher\=.*? ' | tr -d ' \n' | sed 's/cipher=//')\" + + if [ \"$mode\" = \"lookup key\" ] ; then + lookup_key \"$encryption\" \"$cipher\" \"$symlink\" + elif [ \"$mode\" = \"decrypt file\" ] ; then + decrypt_file \"$encryption\" \"$cipher\" \"${file_path}\" + fi + } + + main \"$@\" +"""]] -- cgit v1.2.3