itmeditation - coffin - secure lan file storage on a device Err parazyd.org 70 hgit clone git://parazyd.org/coffin.git URL:git://parazyd.org/coffin.git parazyd.org 70 1Log /git/coffin/log.gph parazyd.org 70 1Files /git/coffin/files.gph parazyd.org 70 1Refs /git/coffin/refs.gph parazyd.org 70 1Submodules /git/coffin/file/.gitmodules.gph parazyd.org 70 1README /git/coffin/file/README.md.gph parazyd.org 70 1LICENSE /git/coffin/file/LICENSE.gph parazyd.org 70 i--- Err parazyd.org 70 1commit 80b539b360ebc00c063e06cba6324aa28740d0e3 /git/coffin/commit/80b539b360ebc00c063e06cba6324aa28740d0e3.gph parazyd.org 70 1parent ebb5d5c4ec031e2a774a97301db08f918e6146cd /git/coffin/commit/ebb5d5c4ec031e2a774a97301db08f918e6146cd.gph parazyd.org 70 hAuthor: parazyd URL:mailto:parazyd@dyne.org parazyd.org 70 iDate: Wed, 30 Mar 2016 00:57:37 +0200 Err parazyd.org 70 i Err parazyd.org 70 imeditation Err parazyd.org 70 i Err parazyd.org 70 iDiffstat: Err parazyd.org 70 i M Makefile | 5 ++--- Err parazyd.org 70 i M conf/config.sh | 82 ++++++++++++++++++------------- Err parazyd.org 70 i A conf/init.skel | 21 +++++++++++++++++++++ Err parazyd.org 70 i D conf/initscript-deb | 95 ------------------------------ Err parazyd.org 70 i M src/Tomb/Makefile | 33 +++++++++++++------------------ Err parazyd.org 70 i R src/Tomb/kdf-keys/benchmark.c -> s… | 0 Err parazyd.org 70 i D src/Tomb/doc/Makefile.am | 6 ------ Err parazyd.org 70 i D src/Tomb/doc/tomb.1 | 467 ------------------------------- Err parazyd.org 70 i R src/Tomb/kdf-keys/gen_salt.c -> sr… | 0 Err parazyd.org 70 i R src/Tomb/kdf-keys/hexencode.c -> s… | 0 Err parazyd.org 70 i D src/Tomb/kdf-keys/.gitignore | 4 ---- Err parazyd.org 70 i D src/Tomb/kdf-keys/Makefile | 19 ------------------- Err parazyd.org 70 i D src/Tomb/kdf-keys/README | 27 --------------------------- Err parazyd.org 70 i D src/Tomb/kdf-keys/test.sh | 22 ---------------------- Err parazyd.org 70 i D src/Tomb/kdf-keys/test.txt | 0 Err parazyd.org 70 i R 
src/Tomb/kdf-keys/pbkdf2.c -> src/… | 0 Err parazyd.org 70 i A src/coffin | 25 +++++++++++++++++++++++++ Err parazyd.org 70 i D src/coffinrc | 15 --------------- Err parazyd.org 70 i D src/mourner | 23 ----------------------- Err parazyd.org 70 i M src/sacrist | 13 ++++++------- Err parazyd.org 70 i D src/zlibs/config | 19 ------------------- Err parazyd.org 70 i M src/zlibs/features | 8 ++++---- Err parazyd.org 70 i Err parazyd.org 70 i22 files changed, 119 insertions(+), 765 deletions(-) Err parazyd.org 70 i--- Err parazyd.org 70 1diff --git a/Makefile b/Makefile /git/coffin/file/Makefile.gph parazyd.org 70 it@@ -1,14 +1,13 @@ Err parazyd.org 70 i all: Err parazyd.org 70 i- make -C src/Tomb/kdf-keys Err parazyd.org 70 i+ make -C src/Tomb Err parazyd.org 70 i @./conf/config.sh checkdep Err parazyd.org 70 i Err parazyd.org 70 i install: Err parazyd.org 70 i make -C src/Tomb install Err parazyd.org 70 i- make -C src/Tomb/kdf-keys install Err parazyd.org 70 i @./conf/config.sh snowman Err parazyd.org 70 i Err parazyd.org 70 i clean: Err parazyd.org 70 i- make -C src/Tomb/kdf-keys clean Err parazyd.org 70 i+ make -C src/Tomb clean Err parazyd.org 70 i Err parazyd.org 70 i uninstall: Err parazyd.org 70 i @./conf/config.sh unsnowman Err parazyd.org 70 1diff --git a/conf/config.sh b/conf/config.sh /git/coffin/file/conf/config.sh.gph parazyd.org 70 it@@ -31,25 +31,45 @@ Err parazyd.org 70 i } Err parazyd.org 70 i Err parazyd.org 70 i # `make install` Err parazyd.org 70 i-[[ $1 == "snowman" || $1 == "unsnowman" ]] && { Err parazyd.org 70 i- [[ $UID = 0 ]] || { Err parazyd.org 70 i- print "You must run this as root!" Err parazyd.org 70 i- return 1 Err parazyd.org 70 i- } Err parazyd.org 70 i-} Err parazyd.org 70 i+#[[ $1 == "snowman" || $1 == "unsnowman" ]] && { Err parazyd.org 70 i+# [[ $UID = 0 ]] || { Err parazyd.org 70 i+# print "You must run this as root!" 
Err parazyd.org 70 i+# return 1 Err parazyd.org 70 i+# } Err parazyd.org 70 i+#} Err parazyd.org 70 i Err parazyd.org 70 i edit-sudo() { Err parazyd.org 70 i if [[ $1 == "add" ]]; then Err parazyd.org 70 i print "%coffin `hostname`=(ALL) NOPASSWD: ALL" | (EDITOR="tee -a" visudo) Err parazyd.org 70 i [[ $? = 0 ]] && print "Added coffin group to sudoers" Err parazyd.org 70 i elif [[ $1 == "remove" ]]; then Err parazyd.org 70 i- # FIXME: doesn't write to sudoers Err parazyd.org 70 i- tmp=`sed '/^%coffin / d' /etc/sudoers` Err parazyd.org 70 i+ tmp=`sed '/^%coffin / d' /etc/sudoers` Err parazyd.org 70 i print $tmp | (EDITOR="tee" visudo) Err parazyd.org 70 i [[ $? = 0 ]] && print "Removed coffin group from sudoers" Err parazyd.org 70 i fi Err parazyd.org 70 i } Err parazyd.org 70 i Err parazyd.org 70 i+generate-init() { Err parazyd.org 70 i+ cat < Err parazyd.org 70 i+ Err parazyd.org 70 i+NAME=coffin Err parazyd.org 70 i+DESC="coffin daemon" Err parazyd.org 70 i+COFFINDIR=/usr/local/share/coffin Err parazyd.org 70 i+DAEMON=\$COFFINDIR/bin/\$NAME Err parazyd.org 70 i+COFFINPID=\$COFFINPIDDIR/coffin.pid Err parazyd.org 70 i+EOF Err parazyd.org 70 i+ cat tempinit init.skel > initscript-$distro Err parazyd.org 70 i+ rm tempinit Err parazyd.org 70 i+} Err parazyd.org 70 i+ Err parazyd.org 70 i update-init() { Err parazyd.org 70 i # TODO: rearrange this into another function and add other distros Err parazyd.org 70 i update-rc.d Err parazyd.org 70 it@@ -71,7 +91,6 @@ ckdistro() { Err parazyd.org 70 i gpasswd -a www-data coffin && print "added www-data to coffin group" Err parazyd.org 70 i Err parazyd.org 70 i # ssl Err parazyd.org 70 i- print "Generating ssl certificate..." Err parazyd.org 70 i openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \ Err parazyd.org 70 i -keyout coffin.key -out coffin.pem Err parazyd.org 70 i [[ $? 
= 0 ]] || { Err parazyd.org 70 it@@ -79,18 +98,17 @@ ckdistro() { Err parazyd.org 70 i return 1 Err parazyd.org 70 i } Err parazyd.org 70 i Err parazyd.org 70 i- install -Dm640 -d /etc/ssl/coffin Err parazyd.org 70 i- install -Dm440 coffin.pem /etc/ssl/coffin/ Err parazyd.org 70 i- install -Dm400 coffin.key /etc/ssl/coffin/ Err parazyd.org 70 i+ install -Dm440 coffin.pem /etc/ssl/coffin/coffin.pem Err parazyd.org 70 i+ install -Dm400 coffin.key /etc/ssl/coffin/coffin.key Err parazyd.org 70 i print "Done!" Err parazyd.org 70 i Err parazyd.org 70 i- # Apache Err parazyd.org 70 i- install -Dm774 -g www-data -d /etc/apache2/DAV Err parazyd.org 70 i+ # apache Err parazyd.org 70 i+ install -Dm775 -g www-data -d /etc/apache2/DAV Err parazyd.org 70 i [[ `grep '^DAVLockDB ' /etc/apache2/apache2.conf` ]] || { Err parazyd.org 70 i print "DAVLockDB /etc/apache2/DAV/DAVLock" >> /etc/apache2/apache2.conf Err parazyd.org 70 i } Err parazyd.org 70 i- install -Dm600 davpasswd /etc/apache2/DAV/ Err parazyd.org 70 i- install -Dm640 coffindav.conf /etc/apache2/sites-available/ Err parazyd.org 70 i+ install -Dm600 davpasswd /etc/apache2/DAV/davpasswd Err parazyd.org 70 i+ install -Dm640 coffindav.conf /etc/apache2/sites-available/coffindav.conf Err parazyd.org 70 i Err parazyd.org 70 i apachemods=(dav dav_fs dav_lock ssl) Err parazyd.org 70 i print "Enabling Apache modules..." Err parazyd.org 70 it@@ -107,9 +125,10 @@ ckdistro() { Err parazyd.org 70 i edit-sudo add Err parazyd.org 70 i Err parazyd.org 70 i install -Dm770 -g coffin -d /home/graveyard Err parazyd.org 70 i- install -Dm755 initscript-$distro /etc/init.d/coffin Err parazyd.org 70 i Err parazyd.org 70 i+ generate-init Err parazyd.org 70 i update-init Err parazyd.org 70 i+ install -Dm755 initscript-$distro /etc/init.d/coffin Err parazyd.org 70 i Err parazyd.org 70 i print "Successfully installed and configured coffin!" 
Err parazyd.org 70 i print "You can start it with '/etc/init.d/coffin start'" Err parazyd.org 70 it@@ -123,7 +142,7 @@ ckdistro() { Err parazyd.org 70 i print "" Err parazyd.org 70 i Err parazyd.org 70 i popd Err parazyd.org 70 i- return 0 Err parazyd.org 70 i+ #return 0 Err parazyd.org 70 i } Err parazyd.org 70 i Err parazyd.org 70 i # `make uninstall` Err parazyd.org 70 it@@ -133,36 +152,29 @@ ckdistro() { Err parazyd.org 70 i Err parazyd.org 70 i /etc/init.d/coffin stop Err parazyd.org 70 i Err parazyd.org 70 i- # uncomment if you wish to revert apache Err parazyd.org 70 i- #revert=true Err parazyd.org 70 i+ # comment if you wish to keep apache Err parazyd.org 70 i+ revert=true Err parazyd.org 70 i [[ $revert == "true" ]] && { Err parazyd.org 70 i a2dissite coffindav.conf Err parazyd.org 70 i a2ensite 000-default.conf Err parazyd.org 70 i rm -rv /home/graveyard/DAV Err parazyd.org 70 i rm -v /etc/apache2/sites-available/coffindav.conf Err parazyd.org 70 i Err parazyd.org 70 i- #apachemods=(dav dav_fs dav_lock ssl) Err parazyd.org 70 i- #print "Enabling Apache modules..." Err parazyd.org 70 i- #for i in $apachemods; do Err parazyd.org 70 i- # a2enmod $i Err parazyd.org 70 i- #done Err parazyd.org 70 i+ apachemods=(dav dav_fs dav_lock ssl) Err parazyd.org 70 i+ print "Enabling Apache modules..." Err parazyd.org 70 i+ for i in $apachemods; do Err parazyd.org 70 i+ a2enmod $i Err parazyd.org 70 i+ done Err parazyd.org 70 i Err parazyd.org 70 i+ sed -i '/^DAVLockDB / d' /etc/apache2/apache2.conf Err parazyd.org 70 i+ [[ $? = 0 ]] && print "removed entry from apache2.conf" Err parazyd.org 70 i /etc/init.d/apache2 restart Err parazyd.org 70 i } Err parazyd.org 70 i- sed -i '/^DAVLockDB / d' /etc/apache2/apache2.conf Err parazyd.org 70 i- [[ $? 
= 0 ]] && print "removed entry from apache2.conf" Err parazyd.org 70 i Err parazyd.org 70 i # groupdel coffin Err parazyd.org 70 i edit-sudo remove Err parazyd.org 70 i Err parazyd.org 70 i- # rm -v /etc/init.d/coffin Err parazyd.org 70 i- rm -rv /etc/ssl/coffin Err parazyd.org 70 i- rm -v src/tomb-kdb-hexencode Err parazyd.org 70 i- rm -v src/tomb-kdb-pbkdf2 Err parazyd.org 70 i- rm -v src/tomb-kdb-pbkdf2-gensalt Err parazyd.org 70 i- rm -v src/tomb-kdb-pbkdf2-getiter Err parazyd.org 70 i- rm -v src/tomb Err parazyd.org 70 i- rm -v /etc/init.d/coffin Err parazyd.org 70 i+ rm -rv /usr/local/share/coffin Err parazyd.org 70 i Err parazyd.org 70 i update-init Err parazyd.org 70 i } Err parazyd.org 70 1diff --git a/conf/init.skel b/conf/init.skel /git/coffin/file/conf/init.skel.gph parazyd.org 70 it@@ -0,0 +1,21 @@ Err parazyd.org 70 i+text -x $DAEMON || exit 0 Err parazyd.org 70 i+ Err parazyd.org 70 i+case "$1" in Err parazyd.org 70 i+ start) Err parazyd.org 70 i+ log_action_begin_msg "Starting $DESC" Err parazyd.org 70 i+ nohup $DAEMON & Err parazyd.org 70 i+ ;; Err parazyd.org 70 i+ stop) Err parazyd.org 70 i+ log_daemon_msg "Stopping $DESC" Err parazyd.org 70 i+ pid=`cat $COFFINPID 2>/dev/null` Err parazyd.org 70 i+ kill $pid && rm $COFFINPID Err parazyd.org 70 i+ ;; Err parazyd.org 70 i+ restart) Err parazyd.org 70 i+ $0 stop Err parazyd.org 70 i+ sleep 1 Err parazyd.org 70 i+ $0 start Err parazyd.org 70 i+ ;; Err parazyd.org 70 i+esac Err parazyd.org 70 i+exit 0 Err parazyd.org 70 i+ Err parazyd.org 70 i+# vim: syntax=sh ts=4 sw=4 sts=4 sr noet Err parazyd.org 70 1diff --git a/conf/initscript-deb b/conf/initscript-deb /git/coffin/file/conf/initscript-deb.gph parazyd.org 70 it@@ -1,95 +0,0 @@ Err parazyd.org 70 i-#!/bin/bash Err parazyd.org 70 i- Err parazyd.org 70 i-### BEGIN INIT INFO Err parazyd.org 70 i-# Provides: coffin Err parazyd.org 70 i-# Required-Start: $local_fs $network $ Err parazyd.org 70 i-# Required-Stop: $remote_fs $syslog Err parazyd.org 70 i-# 
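Review bot: In generate-init, the generated header sets `COFFINPID=\$COFFINPIDDIR/coffin.pid` but never defines `COFFINPIDDIR` (the deleted initscript-deb set it to `/usr/src/coffin/run`), so the produced init script resolves its pidfile to `/coffin.pid` and the `stop` branch in init.skel reads the wrong path; add a line such as `COFFINPIDDIR=\$COFFINDIR/run` (or whatever directory the daemon writes its pid to) before the `COFFINPID` line, noting that the here-document's opening line is garbled in this rendering so its redirection target could not be checked. The install hunk now runs `update-init` before `install -Dm755 initscript-$distro /etc/init.d/coffin`; update-init's body is cut off here, but if it invokes `update-rc.d` for coffin the script it registers does not exist yet at that point. Commenting out the `$UID = 0` guard means a non-root `make install` proceeds through openssl key generation, visudo and every `install` into /etc with no per-step check, and the generated `coffin.key` is left in the working directory on either path since nothing removes it after the copy to /etc/ssl/coffin. In the uninstall hunk `rm -rv /etc/ssl/coffin` and `rm -v /etc/init.d/coffin` were dropped, so the TLS private key and the init script stay on disk after uninstall, and the now-active revert block runs `a2enmod` under a "Enabling Apache modules..." message where `a2dismod` is presumably intended.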
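Review bot: `text -x $DAEMON || exit 0` on the first line misspells `test`; because the unknown command fails, `|| exit 0` makes every invocation exit 0 silently and neither start nor stop ever runs, so it should read `test -x "$DAEMON" || exit 0`. `log_action_begin_msg` and `log_daemon_msg` are LSB init helpers, and neither init.skel nor the header that generate-init prepends (as far as this rendering shows) sources `/lib/lsb/init-functions`, so they will be unknown commands as well. `start)` launches `nohup $DAEMON &` without recording a pid while `stop)` reads `$COFFINPID`; unless the daemon writes that file itself, `kill $pid` runs with an empty argument and stop is a no-op, so consider `nohup "$DAEMON" & echo $! > "$COFFINPID"`. The skeleton carries no shebang or LSB header, and whether the generated prefix supplies one could not be confirmed from the hunk.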
Default-Start: 2 3 4 5 Err parazyd.org 70 i-# Default-Stop: 0 1 6 Err parazyd.org 70 i-# Short-Description: Example initscript Err parazyd.org 70 i-# Description: This file should be used to construct scripts to be Err parazyd.org 70 i-# placed in /etc/init.d. This example start a Err parazyd.org 70 i-# single forking daemon capable of writing a pid Err parazyd.org 70 i-# file. To get other behavoirs, implemend Err parazyd.org 70 i-# do_start(), do_stop() or other functions to Err parazyd.org 70 i-# override the defaults in /lib/init/init-d-script. Err parazyd.org 70 i-### END INIT INFO Err parazyd.org 70 i- Err parazyd.org 70 i-# Author: parazyd Err parazyd.org 70 i- Err parazyd.org 70 i-DAEMON=/usr/src/coffin/run/coffin Err parazyd.org 70 i-NAME=coffin Err parazyd.org 70 i-DESC="coffin daemon" Err parazyd.org 70 i-COFFINPIDDIR=/usr/src/coffin/run Err parazyd.org 70 i-COFFINPID=$COFFINPIDDIR/coffin.pid Err parazyd.org 70 i-WAITFORDAEMON=20 Err parazyd.org 70 i- Err parazyd.org 70 i-text -x $DAEMON || exit 0 Err parazyd.org 70 i- Err parazyd.org 70 i-wait-for-dead-daemon() { Err parazyd.org 70 i- pid=$1 Err parazyd.org 70 i- sleep 1 Err parazyd.org 70 i- if test -n "$pid"; then Err parazyd.org 70 i- if kill -0 $pid 2>/dev/null ; then Err parazyd.org 70 i- cnt=0 Err parazyd.org 70 i- while kill -0 $pid 2>/dev/null ; do Err parazyd.org 70 i- cnt=`expt $cnt + 1` Err parazyd.org 70 i- if [ $cnt -gt $WAITFORDAEMON ]; then Err parazyd.org 70 i- log_action_end_msg 1 "still running" Err parazyd.org 70 i- exit 1 Err parazyd.org 70 i- fi Err parazyd.org 70 i- sleep 1 Err parazyd.org 70 i- [ "`expt $cnt % 3`" != 2 ] || log_action_cont_msg "" Err parazyd.org 70 i- done Err parazyd.org 70 i- fi Err parazyd.org 70 i- fi Err parazyd.org 70 i- log_action_end_msg 0 Err parazyd.org 70 i-} Err parazyd.org 70 i- Err parazyd.org 70 i-case "$1" in Err parazyd.org 70 i- start) Err parazyd.org 70 i- log_action_begin_msg "Starting $DESC" Err parazyd.org 70 i- Err parazyd.org 70 i- if 
start-stop-daemon --stop --signal 0 --quiet --pidfile $COFFINPID --exec $DAEMON; then Err parazyd.org 70 i- log_action_end_msg 0 "already running" Err parazyd.org 70 i- else Err parazyd.org 70 i- if start-stop-daemon --start --quiet \ Err parazyd.org 70 i- --pidfile $COFFINPID \ Err parazyd.org 70 i- --exec $DAEMON -- Err parazyd.org 70 i- then Err parazyd.org 70 i- log_action_end_msg 0 Err parazyd.org 70 i- else Err parazyd.org 70 i- log_action_end_msg 1 Err parazyd.org 70 i- exit 1 Err parazyd.org 70 i- fi Err parazyd.org 70 i- fi Err parazyd.org 70 i- ;; Err parazyd.org 70 i- stop) Err parazyd.org 70 i- log_daemon_msg "Stopping $DESC" Err parazyd.org 70 i- pid=`cat $COFFINPID 2>/dev/null` || true Err parazyd.org 70 i- Err parazyd.org 70 i- if test ! -f $COFFINPID -o -z "$pid"; ten Err parazyd.org 70 i- log_action_end_msg 0 "not running - there is no $COFFINPID" Err parazyd.org 70 i- exit 0 Err parazyd.org 70 i- fi Err parazyd.org 70 i- Err parazyd.org 70 i- if start-stop-daemon --stop --signal INT --quiet --pidfile $TORPID --exec $DAEMON; then Err parazyd.org 70 i- wait-for-dead-daemon $pid Err parazyd.org 70 i- elif kill -0 $pid 2>/dev/null; then Err parazyd.org 70 i- log_action_end_msg 1 "is $pid not $NAME? is $DAEMON a different binary now?" 
Err parazyd.org 70 i- exit 1 Err parazyd.org 70 i- else Err parazyd.org 70 i- log_action_end_msg 1 "$DAEMON died: process $pid not running; or permission denied" Err parazyd.org 70 i- exit 1 Err parazyd.org 70 i- fi Err parazyd.org 70 i- ;; Err parazyd.org 70 i- restart) Err parazyd.org 70 i- $0 stop Err parazyd.org 70 i- sleep 1 Err parazyd.org 70 i- $0 start Err parazyd.org 70 i- ;; Err parazyd.org 70 i-esac Err parazyd.org 70 i- Err parazyd.org 70 i-exit 0 Err parazyd.org 70 i- Err parazyd.org 70 i-# vim: syntax=sh ts=4 sw=4 sts=4 sr noet Err parazyd.org 70 1diff --git a/src/Tomb/Makefile b/src/Tomb/Makefile /git/coffin/file/src/Tomb/Makefile.gph parazyd.org 70 it@@ -1,25 +1,20 @@ Err parazyd.org 70 i-PROG = tomb Err parazyd.org 70 i-PREFIX = ../ Err parazyd.org 70 i-REALPREFIX = $(realpath $(PREFIX)) Err parazyd.org 70 i+PREFIX = /usr/local/share/coffin/bin Err parazyd.org 70 i Err parazyd.org 70 i all: Err parazyd.org 70 i- @echo Err parazyd.org 70 i- @echo "Tomb is a script and does not need compilation, it can be simply executed." Err parazyd.org 70 i- @echo Err parazyd.org 70 i- @echo "To install it in /usr/local together with its manpage use 'make install'." Err parazyd.org 70 i- @echo Err parazyd.org 70 i- @echo "To run Tomb one needs to have some tools installed on the system:" Err parazyd.org 70 i- @echo "Sudo, cryptsetup, pinentry and gnupg. Also wipe is recommended." 
Err parazyd.org 70 i- @echo Err parazyd.org 70 i+ $(CC) -Os -o tomb-kdb-pbkdf2 pbkdf2.c -lgcrypt Err parazyd.org 70 i+ $(CC) -O2 -o tomb-kdb-pbkdf2-getiter benchmark.c -lgcrypt Err parazyd.org 70 i+ $(CC) -O2 -o tomb-kdb-pbkdf2-gensalt gen_salt.c -lgcrypt Err parazyd.org 70 i+ $(CC) -O2 -o tomb-kdb-hexencode hexencode.c Err parazyd.org 70 i+ Err parazyd.org 70 i+clean: Err parazyd.org 70 i+ rm -f tomb-kdb-pbkdf2 tomb-kdb-pbkdf2-getiter tomb-kdb-pbkdf2-gensalt tomb-kdb-hexencode Err parazyd.org 70 i Err parazyd.org 70 i install: Err parazyd.org 70 i- install -Dm755 ${PROG} ${REALPREFIX}/${PROG} Err parazyd.org 70 i- @echo Err parazyd.org 70 i- @echo "Tomb is installed succesfully. To install language translations, make sure" Err parazyd.org 70 i- @echo "gettext is also installed, then 'cd extras/translations' and 'make install' there." Err parazyd.org 70 i+ install -Dm755 tomb ${PREFIX}/tomb Err parazyd.org 70 i+ install -Dm755 tomb-kdb-pbkdf2 ${PREFIX}/tomb-kdb-pbkdf2 Err parazyd.org 70 i+ install -Dm755 tomb-kdb-pbkdf2-getiter ${PREFIX}/tomb-kdb-pbkdf2-getiter Err parazyd.org 70 i+ install -Dm755 tomb-kdb-pbkdf2-gensalt ${PREFIX}/tomb-kdb-pbkdf2-gensalt Err parazyd.org 70 i+ install -Dm755 tomb-kdb-hexencode ${PREFIX}/tomb-kdb-hexencode Err parazyd.org 70 i @echo Err parazyd.org 70 i- @echo "Look around the extras/ directory, it contains other interesting modules." Err parazyd.org 70 i+ @echo "Tomb is installed succesfully." 
Err parazyd.org 70 i @echo Err parazyd.org 70 i- Err parazyd.org 70 i-test: Err parazyd.org 70 i- make -C extras/test Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/benchmark.c b/src/Tomb/benchmark.c /git/coffin/file/src/Tomb/benchmark.c.gph parazyd.org 70 1diff --git a/src/Tomb/doc/Makefile.am b/src/Tomb/doc/Makefile.am /git/coffin/file/src/Tomb/doc/Makefile.am.gph parazyd.org 70 it@@ -1,6 +0,0 @@ Err parazyd.org 70 i- Err parazyd.org 70 i-man_MANS = tomb.1 tomb-open.1 tomb-status.1 Err parazyd.org 70 i- Err parazyd.org 70 i-EXTRA_DIST = tomb.1 tomb-open.1 tomb-status.1 Luks_on_disk_format.pdf \ Err parazyd.org 70 i- New_methods_in_HD_encryption.pdf TKS1-draft.pdf Err parazyd.org 70 i- Err parazyd.org 70 1diff --git a/src/Tomb/doc/tomb.1 b/src/Tomb/doc/tomb.1 /git/coffin/file/src/Tomb/doc/tomb.1.gph parazyd.org 70 it@@ -1,467 +0,0 @@ Err parazyd.org 70 i-.TH tomb 1 "November 26, 2014" "tomb" Err parazyd.org 70 i- Err parazyd.org 70 i-.SH NAME Err parazyd.org 70 i-Tomb \- the Crypto Undertaker Err parazyd.org 70 i- Err parazyd.org 70 i-.SH SYNOPSIS Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "tomb [options] command [arguments]" Err parazyd.org 70 i- Err parazyd.org 70 i-.SH DESCRIPTION Err parazyd.org 70 i- Err parazyd.org 70 i-Tomb is an application to manage the creation and access of encrypted Err parazyd.org 70 i-storage files: it can be operated from commandline and it can Err parazyd.org 70 i-integrate with a user's graphical desktop. Err parazyd.org 70 i- Err parazyd.org 70 i-Tomb generates encrypted storage files to be opened and closed using Err parazyd.org 70 i-their associated keys, which are also protected with a password chosen Err parazyd.org 70 i-by the user. To create, open and close tombs a user will need super Err parazyd.org 70 i-user rights to execute the tomb commandline utility. 
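Review bot: The `install` target copies `tomb-kdb-pbkdf2` and the other binaries but does not depend on `all`, so `make install` run in this directory on a clean tree fails at the first missing file; declare it as `install: all`. The compile lines hard-code their flags and ignore `$(CFLAGS)` and `$(LDFLAGS)`, so hardening or cross-compile flags set in the environment are silently dropped for the KDF helpers, e.g. `$(CC) $(CFLAGS) -Os -o tomb-kdb-pbkdf2 pbkdf2.c $(LDFLAGS) -lgcrypt`. `all`, `clean` and `install` are not declared `.PHONY`, and the `-Os`/`-O2` split across the four rules looks accidental rather than deliberate.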
Err parazyd.org 70 i- Err parazyd.org 70 i-A tomb is like a locked folder that can be safely transported and Err parazyd.org 70 i-hidden in a filesystem; it encourages users to keep their keys Err parazyd.org 70 i-separate from tombs, for instance keeping a tomb file on your computer Err parazyd.org 70 i-harddisk and its key file on a USB stick. Err parazyd.org 70 i- Err parazyd.org 70 i- Err parazyd.org 70 i-.SH COMMANDS Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "dig" Err parazyd.org 70 i-Generates a file that can be used as a tomb and will occupy as much Err parazyd.org 70 i-space as its desired initial size, the unlocked \fI.tomb\fR file can Err parazyd.org 70 i-then be locked using a \fIkey\fR. It takes a mandatory \fI-s\fR option which is Err parazyd.org 70 i-the size in megabytes (MiB). Tombs are digged using Err parazyd.org 70 i-low-quality random data (/dev/urandom). Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "forge" Err parazyd.org 70 i-Creates a new \fIkey\fR and prompts the user for a \fIpassword\fR to Err parazyd.org 70 i-protect its usage. This operation requires high quality random data Err parazyd.org 70 i-(/dev/random) which can take quite some time to be gathered on a Err parazyd.org 70 i-server: it works better on a desktop where the mouse can be moved Err parazyd.org 70 i-around for entropy. The default cipher to protect the key is AES256, a Err parazyd.org 70 i-custom one can be specified using the \fI-o\fR option, for a list of Err parazyd.org 70 i-supported ciphers use \fI-v\fR. For additional protection against Err parazyd.org 70 i-dictionary attacks on keys, the (experimental) \fI--kdf\fR option can Err parazyd.org 70 i-be used when forging a key, making sure that the \fItomb-kdb-pbkdf2\fR Err parazyd.org 70 i-binaries in \fIextras/kdf\fR were compiled and installed on the Err parazyd.org 70 i-system. 
Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "lock" Err parazyd.org 70 i-Initializes and locks an empty tomb (made with \fIdig\fR) using a key Err parazyd.org 70 i-(made with \fIforge\fR), making it ready for usage. After this Err parazyd.org 70 i-operation, the tomb can only be opened in possession of the key and Err parazyd.org 70 i-knowing its password. As in any other command requiring a key, the Err parazyd.org 70 i-option \fI-k\fR should be used to specify a key file. The \fI-o\fR Err parazyd.org 70 i-option can be used to specify the cipher specification: default is Err parazyd.org 70 i-"aes-xts-plain64:sha256", old versions of Tomb used "aes-cbc-essiv:sha256". Err parazyd.org 70 i-If you are looking for something exotic, also try "serpent-xts-plain64". Err parazyd.org 70 i-More options may be found in cryptsetup(8) and Linux documentation. Err parazyd.org 70 i-This operation requires root privileges to loopback mount, format the tomb (using Err parazyd.org 70 i-LUKS and Ext4), then set the key in its first LUKS slot. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "open" Err parazyd.org 70 i-Opens an existing \fI.tomb\fR (first argument) using a key (\fI-k\fR), Err parazyd.org 70 i-if a second argument is given it will indicate the \fImountpoint\fR Err parazyd.org 70 i-where the tomb should be made accessible, else the tomb is mounted in Err parazyd.org 70 i-a directory inside /media (if not available it uses /run/media/$USER). Err parazyd.org 70 i-The option \fI-o\fR can be used to pass mount(8) options Err parazyd.org 70 i-(default: rw,noatime,nodev). Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "list" Err parazyd.org 70 i-List all the tombs found open, including information about the time Err parazyd.org 70 i-they were opened and the hooks that they mounted. 
If the first Err parazyd.org 70 i-argument is present, then shows only the tomb named that way or Err parazyd.org 70 i-returns an error if it's not found. If the option Err parazyd.org 70 i-\fI--get-mountpoint\fR is used then print a simple list of currently Err parazyd.org 70 i-open tomb mountpoint paths. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "index" Err parazyd.org 70 i-Creates or updates the search indexes of all tombs currently open: Err parazyd.org 70 i-enables use of the \fIsearch\fR command using simple word patterns on Err parazyd.org 70 i-file names. Indexes are created using mlocate's updatedb(8) and Err parazyd.org 70 i-swish-e(1) if they are found on the system. Indexes allow to search Err parazyd.org 70 i-very fast for filenames and contents inside a tomb, they are stored Err parazyd.org 70 i-inside it and are not accessible if the Tomb is closed. To avoid Err parazyd.org 70 i-indexing a specific tomb simply touch a \fI.noindex\fR file in it. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "search" Err parazyd.org 70 i-Takes any string as argument and searches for them through all tombs Err parazyd.org 70 i-currently open and previously indexed using the \fIindex\fR command. Err parazyd.org 70 i-The search matches filenames if mlocate is installed and then also Err parazyd.org 70 i-file contents if swish++ is present on the system, results are listed Err parazyd.org 70 i-on the console. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "close" Err parazyd.org 70 i-Closes a currently open tomb. If more tombs are open, the first Err parazyd.org 70 i-argument should be used to specify the name of the tomb to be closed, Err parazyd.org 70 i-or \fIall\fR to close all currently open tombs. This command fails if Err parazyd.org 70 i-the tomb is in use by running processes (to force close, see Err parazyd.org 70 i-\fIslam\fR below). 
Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "slam" Err parazyd.org 70 i-Closes a tomb like the command \fIclose\fR does, but it doesn't fail Err parazyd.org 70 i-even if the tomb is in use by other application processes: it looks Err parazyd.org 70 i-for and violently kills \-9 each of them. This command may Err parazyd.org 70 i-provoke unsaved data loss, but assists users to face surprise Err parazyd.org 70 i-situations. Err parazyd.org 70 i- Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "passwd" Err parazyd.org 70 i-Changes the password protecting a key file specified using Err parazyd.org 70 i-\fI-k\fR. The user will need to know the key's current password, then Err parazyd.org 70 i-its content will be decoded and reencoded using the new one. This Err parazyd.org 70 i-action can't be forced if the current password is not known. If the Err parazyd.org 70 i-key file is broken (missing headers) this function also attempts its Err parazyd.org 70 i-recovery. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "setkey" Err parazyd.org 70 i-Changes the key file that locks a tomb, substituting the old one with Err parazyd.org 70 i-a new one. Both the old and the new key files are needed for this Err parazyd.org 70 i-operation and their passwords must be known. The new key must be Err parazyd.org 70 i-specified using the \fI-k\fR option, the first argument should be the old Err parazyd.org 70 i-key and the second and last argument the tomb file. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "resize" Err parazyd.org 70 i-Increase the size of a tomb file to the amount specified by the Err parazyd.org 70 i-\fI-s\fR option, which is the new size in megabytes (MiB). Full access to the tomb using Err parazyd.org 70 i-a key (\fI-k\fR) and its password is required. Tombs can only grow and Err parazyd.org 70 i-can never be made smaller. 
This command makes use of the cryptsetup(8) Err parazyd.org 70 i-resize feature and the resize2fs command: its much more practical than Err parazyd.org 70 i-creating a new tomb and moving everything into it. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "engrave" Err parazyd.org 70 i-This command transforms a tomb key into an image that can be printed Err parazyd.org 70 i-on paper and physically stored as backup, i.e. hidden in a book. It Err parazyd.org 70 i-Renders a QRCode of the tomb key, still protected by its password: a Err parazyd.org 70 i-PNG image (extension \fI.qr.png\fR) will be created in the current Err parazyd.org 70 i-directory and can be later printed (fits an A4 or Letter format). To Err parazyd.org 70 i-recover an engraved key one can use any QRCode reader on a smartphone: Err parazyd.org 70 i-save it into a file and then use that file as a key (\fI-k\fR). Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "bury" Err parazyd.org 70 i-Hides a tomb key (\fI-k\fR) inside a \fIjpeg image\fR (first argument) Err parazyd.org 70 i-using \fIsteganography\fR: the image will change in a way that cannot Err parazyd.org 70 i-be noticed by human eye and hardly detected by data analysis. This Err parazyd.org 70 i-option is useful to backup tomb keys in unsuspected places; it depends Err parazyd.org 70 i-from the availability of \fIsteghide\fR. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "exhume" Err parazyd.org 70 i-This command recovers from jpeg images the keys that were previously Err parazyd.org 70 i-hidden into them using \fIbury\fR. Exhume requires a key filename Err parazyd.org 70 i-(\fI-k\fR) and a \fIjpeg image\fR file (first argument) known to be Err parazyd.org 70 i-containing a key. If the right key password is given, the key will be Err parazyd.org 70 i-exhumed. If the password is not known, it is very hard to verify if a Err parazyd.org 70 i-key is buried in any image or not. 
Err parazyd.org 70 i- Err parazyd.org 70 i-.SH OPTIONS Err parazyd.org 70 i-.B Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-k \fI\fR" Err parazyd.org 70 i-For all operations requiring a key, this option specifies the location Err parazyd.org 70 i-of the key file to use. Arguments can also be \fIjpeg image\fR files Err parazyd.org 70 i-where keys have been hidden using the \fIbury\fR command, or text Err parazyd.org 70 i-files retrieved from \fIengraved\fR QR codes. If the \fIkeyfile\fR Err parazyd.org 70 i-argument is "-" (dash), Tomb will read the key from stdin (blocking). Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-n" Err parazyd.org 70 i-Skip processing of post-hooks and bind-hooks if found inside the tomb. Err parazyd.org 70 i-See the \fIHOOKS\fR section in this manual for more information. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-o" Err parazyd.org 70 i-Manually specify mount options to be used when opening a tomb instead Err parazyd.org 70 i-of the default \fIrw,noatime,nodev\fR, i.e. to mount a tomb read-only Err parazyd.org 70 i-(ro) to prevent any modification of its data. Can also be used to Err parazyd.org 70 i-change the symmetric encryption algorithm for keys during \fIforge\fR Err parazyd.org 70 i-operations (default \fIAES256\fR) or the LUKS encryption method during Err parazyd.org 70 i-\fIlock\fR operations (default \fIaes-xts-plain64:sha256\fR). Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-f" Err parazyd.org 70 i-Force flag, currently used to override swap checks, might be Err parazyd.org 70 i-overriding more wimpy behaviours in future, but make sure you know Err parazyd.org 70 i-what you are doing if you force an operation. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-s \fI\fR" Err parazyd.org 70 i-When digging or resizing a tomb, this option must be used to specify Err parazyd.org 70 i-the \fIsize\fR of the new file to be created. Units are megabytes (MiB). 
Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--kdf \fI\fR" Err parazyd.org 70 i-Activate the KDF feature against dictionary attacks when creating a Err parazyd.org 70 i-key: forces a delay of \fI\fR seconds every time this key is used. Err parazyd.org 70 i-You should keep in mind that the actual iteration count is calculated based on Err parazyd.org 70 i-the performance of the computer where you forge the key. Err parazyd.org 70 i-The argument must be an integer, so you cannot say \fI--kdf 0.3\fR for 300ms. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-h" Err parazyd.org 70 i-Display a help text and quit. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-v" Err parazyd.org 70 i-Display version and quit. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-q" Err parazyd.org 70 i-Run more quietly Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-D" Err parazyd.org 70 i-Print more information while running, for debugging purposes Err parazyd.org 70 i- Err parazyd.org 70 i-.SH DEV MODE Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--no-color" Err parazyd.org 70 i-Suppress colors in console output (needed for string parsing by Err parazyd.org 70 i-wrappers). Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--unsafe" Err parazyd.org 70 i-Enable using dev-mode arguments, i.e. to pass passwords from Err parazyd.org 70 i-commandline options. This is mostly used needed for execution by Err parazyd.org 70 i-wrappers and testing suite. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--use-urandom" Err parazyd.org 70 i-Use an inferior quality random source to improve the speed of key Err parazyd.org 70 i-generation at the cost of security (needed for the testing suite). Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--tomb-pwd " Err parazyd.org 70 i-Use string as password when needed on tomb. 
Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "--tomb-old-pwd " Err parazyd.org 70 i-Use string as old password when needed in tomb commands requiring Err parazyd.org 70 i-multiple keys, like \fIpasswd\fR or \fIsetkey\fR. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-U" Err parazyd.org 70 i-Switch to this user ID when dropping privileges. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-G" Err parazyd.org 70 i-Switch to this group ID when dropping privileges. Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "-T" Err parazyd.org 70 i-Switch to this TTY terminal when dropping privileges. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH HOOKS Err parazyd.org 70 i- Err parazyd.org 70 i-Hooks are special files that can be placed inside the tomb and trigger Err parazyd.org 70 i-actions when it is opened and closed; there are two kinds of such Err parazyd.org 70 i-files: \fIbind-hooks\fR and \fIpost-hooks\fR can be placed in the Err parazyd.org 70 i-base root of the tomb. Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "bind-hooks" Err parazyd.org 70 i-This hook file consists of a simple two column list of files or Err parazyd.org 70 i-directories inside the tomb to be made directly accessible inside the Err parazyd.org 70 i-current user's home directory. 
Tomb will use the "mount \-o bind" Err parazyd.org 70 i-command to bind locations inside the tomb to locations found in $HOME Err parazyd.org 70 i-so in the first column are indicated paths relative to the tomb and in Err parazyd.org 70 i-the second column are indicated paths relative to $HOME contents, for Err parazyd.org 70 i-example: Err parazyd.org 70 i-.EX Err parazyd.org 70 i- mail mail Err parazyd.org 70 i- .gnupg .gnupg Err parazyd.org 70 i- .fmrc .fetchmailrc Err parazyd.org 70 i- .mozilla .mozilla Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP "post-hooks" Err parazyd.org 70 i-This hook file gets executed as user by tomb right after opening it; Err parazyd.org 70 i-it should be a regular shell script, starting with a shebang. Tomb Err parazyd.org 70 i-executes this hook as user (dropping root privileges) and giving it Err parazyd.org 70 i-two arguments: "$1" is "open" or "close" depending from the tomb Err parazyd.org 70 i-command given, "$2" is the full path to the mountpoint where the tomb Err parazyd.org 70 i-is open. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH PRIVILEGE ESCALATION Err parazyd.org 70 i- Err parazyd.org 70 i-The tomb commandline tool needs to acquire super user rights to Err parazyd.org 70 i-execute most of its operations: to do so it uses sudo(8), while Err parazyd.org 70 i-pinentry(1) is adopted to collect passwords from the user. Tomb Err parazyd.org 70 i-executes as super user only when required. 
Err parazyd.org 70 i- Err parazyd.org 70 i-To be made available on multi user systems, the superuser execution of Err parazyd.org 70 i-the tomb script can be authorized for users without jeopardizing the Err parazyd.org 70 i-whole system's security: just add such a line to \fI/etc/sudoers\fR: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- username ALL=NOPASSWD: /usr/local/bin/tomb Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-Password input is handled by the pinentry program: it can be text Err parazyd.org 70 i-based or graphical and is usually configured with a symlink. When Err parazyd.org 70 i-using Tomb in X11 it is better to use a graphical pinentry-gtk2 or Err parazyd.org 70 i-pinentry-qt because it helps preventing keylogging by other X Err parazyd.org 70 i-clients. When using it from a remote ssh connection it might be Err parazyd.org 70 i-necessary to force use of pinentry-curses for instance by unsetting Err parazyd.org 70 i-the DISPLAY environment var. Err parazyd.org 70 i- Err parazyd.org 70 i- Err parazyd.org 70 i-.SH SWAP Err parazyd.org 70 i- Err parazyd.org 70 i-On execution of certain commands Tomb will complain about swap memory Err parazyd.org 70 i-on disk when present and \fIabort if your system has swap Err parazyd.org 70 i-activated\fR. You can disable this behaviour using the Err parazyd.org 70 i-\fI--force\fR. Before doing that, however, you may be interested in Err parazyd.org 70 i-knowing the risks of doing so: Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-During such operations a lack of available memory could cause the swap Err parazyd.org 70 i-to write your secret key on the disk. 
Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Even while using an opened tomb, another application could occupy too Err parazyd.org 70 i-much memory so that the swap needs to be used, this way it is possible Err parazyd.org 70 i-that some contents of files contained into the tomb are physically Err parazyd.org 70 i-written on your disk, not encrypted. Err parazyd.org 70 i-.P Err parazyd.org 70 i- Err parazyd.org 70 i-If you don't need swap, execute \fI swapoff -a\fR. If you really need Err parazyd.org 70 i-it, you could make an encrypted swap partition. Tomb doesn't detect if Err parazyd.org 70 i-your swap is encrypted, and will complain anyway. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH EXAMPLES Err parazyd.org 70 i- Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Create a 128MB large "secret" tomb and its keys, then open it: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- tomb dig -s 128 secret.tomb Err parazyd.org 70 i- Err parazyd.org 70 i- tomb forge secret.tomb.key Err parazyd.org 70 i- Err parazyd.org 70 i- tomb lock secret.tomb -k secret.tomb.key Err parazyd.org 70 i- Err parazyd.org 70 i- tomb open secret.tomb -k secret.tomb.key Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Open a Tomb using the key from a remote SSH shell, without saving any Err parazyd.org 70 i-local copy of it: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- ssh user@my.shell.net 'cat .secrets/tomb.key' | tomb open secret.tomb -k - Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Open a Tomb on a remote server passing the unencrypted local key on stdin via SSH, Err parazyd.org 70 i-without saving any remote copy of it: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- gpg -d .secrets/tomb.key | ssh server tomb open secret.tomb -k cleartext --unsafe Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 
i-.IP \(bu Err parazyd.org 70 i-Create a bind hook that places your GnuPG folder inside the tomb, but Err parazyd.org 70 i-makes it reachable from the standard $HOME/.gnupg location every time Err parazyd.org 70 i-the tomb will be opened: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- tomb open GPG.tomb -k GPG.tomb.key Err parazyd.org 70 i- echo ".gnupg .gnupg" > /media/GPG.tomb/bind-hooks Err parazyd.org 70 i- mv ~/.gnupg /media/GPG.tomb/.gnupg && mkdir ~/.gnupg Err parazyd.org 70 i- tomb close GPG && tomb open GPG.tomb -k GPG.tomb.key Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Script a tomb to launch the Firefox browser every time is opened, Err parazyd.org 70 i-keeping all its profile data inside it: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- tomb open FOX.tomb -k FOX.tomb.key Err parazyd.org 70 i- cat < /media/FOX.tomb/post-hooks Err parazyd.org 70 i-#!/bin/sh Err parazyd.org 70 i-if [ "$1" = "open" ]; then Err parazyd.org 70 i- firefox -no-remote -profile "$2"/firefox-pro & Err parazyd.org 70 i-fi Err parazyd.org 70 i-EOF Err parazyd.org 70 i- chmod +x /media/FOX.tomb/post-hooks Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.IP \(bu Err parazyd.org 70 i-Script a tomb to archive Pictures using Shotwell, launching it on open: Err parazyd.org 70 i- Err parazyd.org 70 i-.EX Err parazyd.org 70 i- tomb open Pictures.tomb -k Pictures.tomb.key Err parazyd.org 70 i- cat < /media/Pictures.tomb/bind-hooks Err parazyd.org 70 i-Pictures Pictures Err parazyd.org 70 i-EOF Err parazyd.org 70 i- cat < /media/Pictures.tomb/post-hooks Err parazyd.org 70 i-#!/bin/sh Err parazyd.org 70 i-if [ "$1" = "open" ]; then Err parazyd.org 70 i- which shotwell > /dev/null Err parazyd.org 70 i- if [ "$?" 
= "0" ]; then Err parazyd.org 70 i- shotwell -d "$2"/Pictures/.shotwell & Err parazyd.org 70 i- fi Err parazyd.org 70 i-fi Err parazyd.org 70 i-EOF Err parazyd.org 70 i- chmod +x /media/Pictures.tomb/post-hooks Err parazyd.org 70 i-.EE Err parazyd.org 70 i- Err parazyd.org 70 i-.SH BUGS Err parazyd.org 70 i-Please report bugs on the Github issue tracker at Err parazyd.org 70 i-.UR https://github.com/dyne/Tomb/issues Err parazyd.org 70 i-.UE Err parazyd.org 70 i- Err parazyd.org 70 i-One can also try to get in touch with developers via the #dyne chat channel on \fIhttps://irc.dyne.org\fR. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH AUTHORS Err parazyd.org 70 i- Err parazyd.org 70 i-Tomb is designed, written and maintained by Denis Roio aka Jaromil. Err parazyd.org 70 i- Err parazyd.org 70 i-Tomb includes code by Anathema, Boyska, Hellekin O. Wolf and GDrooid. Err parazyd.org 70 i- Err parazyd.org 70 i-Tomb's artwork is contributed by Jordi aka Mon Mort and Logan VanCuren. Err parazyd.org 70 i- Err parazyd.org 70 i-Gettext internationalization and Spanish translation is contributed by Err parazyd.org 70 i-GDrooid, French translation by Hellekin, Russian translation by fsLeg, Err parazyd.org 70 i-German translation by x3nu. Err parazyd.org 70 i- Err parazyd.org 70 i-Testing, reviews and documentation are contributed by Dreamer, Shining Err parazyd.org 70 i-the Translucent, Mancausoft, Asbesto Molesto, Nignux, Vlax, The Grugq, Err parazyd.org 70 i-Reiven, GDrooid, Alphazo, Brian May, TheJH, fsLeg, JoelMon and the Err parazyd.org 70 i-Linux Action Show! Err parazyd.org 70 i- Err parazyd.org 70 i-Cryptsetup was developed by Christophe Saout and Clemens Fruhwirth. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH COPYING Err parazyd.org 70 i- Err parazyd.org 70 i-This manual is Copyright (c) 2011-2015 by Denis Roio <\fIjaromil@dyne.org\fR> Err parazyd.org 70 i- Err parazyd.org 70 i-This manual includes contributions by Boyska and Hellekin O. Wolf. 
Err parazyd.org 70 i- Err parazyd.org 70 i-Permission is granted to copy, distribute and/or modify this manual Err parazyd.org 70 i-under the terms of the GNU Free Documentation License, Version 1.1 or Err parazyd.org 70 i-any later version published by the Free Software Foundation. Err parazyd.org 70 i-Permission is granted to make and distribute verbatim copies of this Err parazyd.org 70 i-manual page provided the above copyright notice and this permission Err parazyd.org 70 i-notice are preserved on all copies. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH AVAILABILITY Err parazyd.org 70 i- Err parazyd.org 70 i-The most recent version of Tomb sourcecode and up to date Err parazyd.org 70 i-documentation is available for download from its website on Err parazyd.org 70 i-\fIhttps://tomb.dyne.org\fR. Err parazyd.org 70 i- Err parazyd.org 70 i-.SH SEE ALSO Err parazyd.org 70 i- Err parazyd.org 70 i-.B Err parazyd.org 70 i-.IP cryptsetup(8) Err parazyd.org 70 i- Err parazyd.org 70 i-GnuPG website: Err parazyd.org 70 i-.br Err parazyd.org 70 i-https://www.gnupg.org Err parazyd.org 70 i- Err parazyd.org 70 i-DM-Crypt website: Err parazyd.org 70 i-.br Err parazyd.org 70 i-https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt Err parazyd.org 70 i- Err parazyd.org 70 i-LUKS website: Err parazyd.org 70 i-.br Err parazyd.org 70 i-https://gitlab.com/cryptsetup/cryptsetup/wikis/home Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/gen_salt.c b/src/Tomb/gen_salt.c /git/coffin/file/src/Tomb/gen_salt.c.gph parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/hexencode.c b/src/Tomb/hexencode.c /git/coffin/file/src/Tomb/hexencode.c.gph parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/.gitignore b/src/Tomb/kdf-keys/.gitignore /git/coffin/file/src/Tomb/kdf-keys/.gitignore.gph parazyd.org 70 it@@ -1,4 +0,0 @@ Err parazyd.org 70 i-tomb-kdf-pbkdf2 Err parazyd.org 70 i-tomb-kdf-pbkdf2-gensalt Err parazyd.org 70 i-tomb-kdf-pbkdf2-getiter Err parazyd.org 70 i-tomb-utils-hexencode Err 
parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/Makefile b/src/Tomb/kdf-keys/Makefile /git/coffin/file/src/Tomb/kdf-keys/Makefile.gph parazyd.org 70 it@@ -1,19 +0,0 @@ Err parazyd.org 70 i- Err parazyd.org 70 i-PREFIX ?= ../../ Err parazyd.org 70 i-REALPREFIX = $(realpath $(PREFIX)) Err parazyd.org 70 i- Err parazyd.org 70 i-all: Err parazyd.org 70 i- $(CC) -O2 -o tomb-kdb-pbkdf2 pbkdf2.c -lgcrypt Err parazyd.org 70 i- $(CC) -O2 -o tomb-kdb-pbkdf2-getiter benchmark.c -lgcrypt Err parazyd.org 70 i- $(CC) -O2 -o tomb-kdb-pbkdf2-gensalt gen_salt.c -lgcrypt Err parazyd.org 70 i- $(CC) -O2 -o tomb-kdb-hexencode hexencode.c Err parazyd.org 70 i- Err parazyd.org 70 i-clean: Err parazyd.org 70 i- rm -f tomb-kdb-pbkdf2 tomb-kdb-pbkdf2-getiter tomb-kdb-pbkdf2-gensalt tomb-kdb-hexencode Err parazyd.org 70 i- Err parazyd.org 70 i-install: Err parazyd.org 70 i- install -Dm755 tomb-kdb-pbkdf2 ${REALPREFIX}/tomb-kdb-pbkdf2 Err parazyd.org 70 i- install -Dm755 tomb-kdb-pbkdf2-getiter ${REALPREFIX}/tomb-kdb-pbkdf2-getiter Err parazyd.org 70 i- install -Dm755 tomb-kdb-pbkdf2-gensalt ${REALPREFIX}/tomb-kdb-pbkdf2-gensalt Err parazyd.org 70 i- install -Dm755 tomb-kdb-hexencode ${REALPREFIX}/tomb-kdb-hexencode Err parazyd.org 70 i- @echo "Tomb-kdb auxiliary binaries installed in ${REALPREFIX}" Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/README b/src/Tomb/kdf-keys/README /git/coffin/file/src/Tomb/kdf-keys/README.gph parazyd.org 70 it@@ -1,27 +0,0 @@ Err parazyd.org 70 i- Err parazyd.org 70 i-BUILD Err parazyd.org 70 i------- Err parazyd.org 70 i- Err parazyd.org 70 i-Just type make. Err parazyd.org 70 i-You need a recent development version of libgcrypt installed. 
Err parazyd.org 70 i-On Debian 7 (not earlier) the libgcrypt11-dev package works: Err parazyd.org 70 i- # apt-get install libgcrypt11-dev Err parazyd.org 70 i- Err parazyd.org 70 i-PLANS Err parazyd.org 70 i------- Err parazyd.org 70 i- Err parazyd.org 70 i-While this can be useful for general purpose, it specially fits tomb, and it's designed for easy integration and compilation. Err parazyd.org 70 i- Err parazyd.org 70 i-Binary name will then be: Err parazyd.org 70 i-tomb-kdb-${algo} Err parazyd.org 70 i-tomb-kdb-${algo}-gensalt Err parazyd.org 70 i-tomb-kdb-${algo}-getiter Err parazyd.org 70 i-tomb-kdb-hexencode Err parazyd.org 70 i- Err parazyd.org 70 i-Base64 vs hexencode Err parazyd.org 70 i-------------------- Err parazyd.org 70 i- Err parazyd.org 70 i-While base64 is easier to use (shell command, more compact), pbkdf2 use hex Err parazyd.org 70 i-in its specifications. Err parazyd.org 70 i-This could be solved with an option (-x for hex, defaults to base64) Err parazyd.org 70 i- Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/test.sh b/src/Tomb/kdf-keys/test.sh /git/coffin/file/src/Tomb/kdf-keys/test.sh.gph parazyd.org 70 it@@ -1,22 +0,0 @@ Err parazyd.org 70 i-#!/usr/bin/env zsh Err parazyd.org 70 i- Err parazyd.org 70 i-error=0 Err parazyd.org 70 i-while read line; do Err parazyd.org 70 i- pass=`cut -f1 <<<$line` Err parazyd.org 70 i- salt=`cut -f2 <<<$line` Err parazyd.org 70 i- iter=`cut -f3 <<<$line` Err parazyd.org 70 i- keylen=`cut -f4 <<<$line` Err parazyd.org 70 i- expected=`cut -f5 <<<$line` Err parazyd.org 70 i- hexsalt=`cut -f6 <<<$line` Err parazyd.org 70 i- #TODO: check! 
Err parazyd.org 70 i- derived=`./pbkdf2 $hexsalt $iter $keylen <<<$pass` Err parazyd.org 70 i- if [[ $derived != $expected ]]; then Err parazyd.org 70 i- echo ./pbkdf2 $hexsalt $iter $keylen "<<<$pass" Err parazyd.org 70 i- echo "Expected $expected, got $derived" >&2 Err parazyd.org 70 i- error=$((error + 1)) Err parazyd.org 70 i- fi Err parazyd.org 70 i-done < test.txt Err parazyd.org 70 i- Err parazyd.org 70 i-if [[ $error == 1 ]]; then Err parazyd.org 70 i- exit $error Err parazyd.org 70 i-fi Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/test.txt b/src/Tomb/kdf-keys/test.txt /git/coffin/file/src/Tomb/kdf-keys/test.txt.gph parazyd.org 70 iBinary files differ. Err parazyd.org 70 1diff --git a/src/Tomb/kdf-keys/pbkdf2.c b/src/Tomb/pbkdf2.c /git/coffin/file/src/Tomb/pbkdf2.c.gph parazyd.org 70 1diff --git a/src/coffin b/src/coffin /git/coffin/file/src/coffin.gph parazyd.org 70 it@@ -0,0 +1,25 @@ Err parazyd.org 70 i+#!/usr/bin/env bash Err parazyd.org 70 i+# Err parazyd.org 70 i+# coffin - inotify script to watch /dev for new keys Err parazyd.org 70 i+# Err parazyd.org 70 i+# ~ parazyd Err parazyd.org 70 i+ Err parazyd.org 70 i+pattern='sd[a-z][1-9]$' Err parazyd.org 70 i+coproc inotifywait --monitor --event create,delete --format '%e %w%f' /dev Err parazyd.org 70 i+ Err parazyd.org 70 i+echo $$ > `pwd`/coffin.pid # pidfile Err parazyd.org 70 i+ Err parazyd.org 70 i+while read -r -u "${COPROC[0]}" event file; do Err parazyd.org 70 i+ if [[ $file =~ $pattern ]]; then Err parazyd.org 70 i+ case $event in Err parazyd.org 70 i+ CREATE) Err parazyd.org 70 i+ echo "Created $file..." #; sleep 1 Err parazyd.org 70 i+ `pwd`/coffin $file $event Err parazyd.org 70 i+ ;; Err parazyd.org 70 i+ DELETE) Err parazyd.org 70 i+ echo "Removed $file..." 
#; sleep 1 Err parazyd.org 70 i+ `pwd`/coffin $file $event Err parazyd.org 70 i+ ;; Err parazyd.org 70 i+ esac Err parazyd.org 70 i+ fi Err parazyd.org 70 i+done Err parazyd.org 70 1diff --git a/src/coffinrc b/src/coffinrc /git/coffin/file/src/coffinrc.gph parazyd.org 70 it@@ -1,15 +0,0 @@ Err parazyd.org 70 i-# Configuration file for coffin. If you want to override any defaults, Err parazyd.org 70 i-# please do so here, and rename the file to '.coffinrc'. Err parazyd.org 70 i-# Careful! Err parazyd.org 70 i- Err parazyd.org 70 i-# Directory where you keep all your tombs and data Err parazyd.org 70 i-# Reminder that the default is already installed, Err parazyd.org 70 i-# and the directory group owner must be 'coffin' Err parazyd.org 70 i-# with permissions 770 Err parazyd.org 70 i-GRAVEYARD /home/graveyard Err parazyd.org 70 i- Err parazyd.org 70 i-# Directory where your keys get mounted Err parazyd.org 70 i-KEYMOUNT /media/tombkey Err parazyd.org 70 i- Err parazyd.org 70 i-# Path to tomb executable Err parazyd.org 70 i-TOMB /usr/local/bin/tomb Err parazyd.org 70 1diff --git a/src/mourner b/src/mourner /git/coffin/file/src/mourner.gph parazyd.org 70 it@@ -1,23 +0,0 @@ Err parazyd.org 70 i-#!/usr/bin/env bash Err parazyd.org 70 i-# Err parazyd.org 70 i-# mourner - inotify script to watch /dev for new keys Err parazyd.org 70 i-# Err parazyd.org 70 i-# ~ parazyd Err parazyd.org 70 i- Err parazyd.org 70 i-pattern='sd[a-z][1-9]$' Err parazyd.org 70 i-coproc inotifywait --monitor --event create,delete --format '%e %w%f' /dev Err parazyd.org 70 i- Err parazyd.org 70 i-while read -r -u "${COPROC[0]}" event file; do Err parazyd.org 70 i- if [[ $file =~ $pattern ]]; then Err parazyd.org 70 i- case $event in Err parazyd.org 70 i- CREATE) Err parazyd.org 70 i- echo "Created $file..." #; sleep 1 Err parazyd.org 70 i- `pwd`/sacrist $file $event Err parazyd.org 70 i- ;; Err parazyd.org 70 i- DELETE) Err parazyd.org 70 i- echo "Removed $file..." 
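Review bot: Both the CREATE and DELETE branches invoke `` `pwd`/coffin $file $event ``, which is the name of this watcher script itself; the deleted mourner called `sacrist` at the same spot and sacrist's new header says it is "called by coffin", so this reads as a rename leftover that would start a second inotifywait loop per device event instead of running the administration script. The handler is also resolved against the current working directory rather than the script's own location, and `$file`/`$event` are unquoted; `"$(dirname "$0")"/sacrist "$file" "$event"` in both branches would address all three, assuming the install layout keeps the two scripts side by side. The pidfile line has the same cwd dependence and could use the same `"$(dirname "$0")"` prefix, or an explicit run directory, so a restart from another directory finds the same pidfile.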
#; sleep 1 Err parazyd.org 70 i- `pwd`/sacrist $file $event Err parazyd.org 70 i- ;; Err parazyd.org 70 i- esac Err parazyd.org 70 i- fi Err parazyd.org 70 i-done Err parazyd.org 70 1diff --git a/src/sacrist b/src/sacrist /git/coffin/file/src/sacrist.gph parazyd.org 70 it@@ -1,6 +1,6 @@ Err parazyd.org 70 i #!/usr/bin/env zsh Err parazyd.org 70 i # Err parazyd.org 70 i-# sacrist - script called by mourner, for our graveyard administration Err parazyd.org 70 i+# sacrist - script called by coffin, for our graveyard administration Err parazyd.org 70 i # Err parazyd.org 70 i # ~ parazyd Err parazyd.org 70 i Err parazyd.org 70 it@@ -33,28 +33,28 @@ source $R/zlibs/hooks Err parazyd.org 70 i source $R/zlibs/keyfiles Err parazyd.org 70 i source $R/zlibs/mounts Err parazyd.org 70 i source $R/zlibs/ttab Err parazyd.org 70 i-source $R/zlibs/config Err parazyd.org 70 i+#source $R/zlibs/config Err parazyd.org 70 i Err parazyd.org 70 i LOCK=$R/.lock Err parazyd.org 70 i [[ -f $LOCK ]] && { warn "Lock found. Wait until finished." 
&& exit } Err parazyd.org 70 i touch $LOCK Err parazyd.org 70 i Err parazyd.org 70 i # Check for a configuration file Err parazyd.org 70 i-[[ -f ".coffinrc" ]] && parse-config Err parazyd.org 70 i+# [[ -f ".coffinrc" ]] && parse-config Err parazyd.org 70 i Err parazyd.org 70 i device=$1 && xxx "Device: $device" Err parazyd.org 70 i happenz=$2 && xxx "Happenz: $happenz" Err parazyd.org 70 i keyuuid=$(lsblk -no uuid $device) && xxx "Key UUID: $keyuuid" Err parazyd.org 70 i Err parazyd.org 70 i-GRAVEYARD="${GRAVEYARD:-/home/graveyard}" # Our graveyard, with all the tombs Err parazyd.org 70 i+GRAVEYARD="/home/graveyard" # Our graveyard, with all the tombs Err parazyd.org 70 i TOMBS="$GRAVEYARD/tombs" # Info about opened tombs, holds keyuuid, keyhash and tombid Err parazyd.org 70 i TMPTOMBS="$GRAVEYARD/tmptombs" # Temp tempfile, for updating $tombs Err parazyd.org 70 i TOMBPASSWD="$GRAVEYARD/passwd" Err parazyd.org 70 i-KEYMOUNT="${KEYMOUNT:-/media/tombkey}" # Directory where keys get mounted Err parazyd.org 70 i+KEYMOUNT="/media/tombkey" # Directory where keys get mounted Err parazyd.org 70 i COFFINDOT="$KEYMOUNT/.coffin" # .coffin directory on the usb key Err parazyd.org 70 i TTAB="$COFFINDOT/ttab" # Our ttab Err parazyd.org 70 i HOOKS="$COFFINDOT/hook" Err parazyd.org 70 i-TOMB="$R/src/tomb/tomb" Err parazyd.org 70 i+TOMB="/usr/local/share/coffin/bin/tomb" Err parazyd.org 70 i Err parazyd.org 70 i # Main Err parazyd.org 70 i req=(happenz device) Err parazyd.org 70 it@@ -90,4 +90,3 @@ act "Version: $coffin_version, $coffin_release_date" Err parazyd.org 70 i # TODO: Some kind of endgame Err parazyd.org 70 i rm $LOCK Err parazyd.org 70 i } Err parazyd.org 70 i- Err parazyd.org 70 1diff --git a/src/zlibs/config b/src/zlibs/config /git/coffin/file/src/zlibs/config.gph parazyd.org 70 it@@ -1,19 +0,0 @@ Err parazyd.org 70 i-#!/usr/bin/env zsh Err parazyd.org 70 i- Err parazyd.org 70 i-parse-config() { Err parazyd.org 70 i- act "Found config file. Parsing..." 
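Review bot: The configuration path is disabled by commenting out `source $R/zlibs/config` and the `.coffinrc` check while zlibs/config is deleted in the same commit, so these commented lines are dead and would be clearer removed than kept. Replacing the `${GRAVEYARD:-...}` and `${KEYMOUNT:-...}` fallbacks with fixed literals also drops the environment override; if that is intended, a comment such as `# Paths are fixed at install time (see conf/config.sh); no runtime override.` above GRAVEYARD would record it, and the new absolute `TOMB="/usr/local/share/coffin/bin/tomb"` should match what the Makefile's `make -C src/Tomb install` actually produces. On the adjacent context line `keyuuid=$(lsblk -no uuid $device)` the device argument is unquoted; `"$device"` costs nothing. The script's remaining body continues outside the hunk.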
Err parazyd.org 70 i- Err parazyd.org 70 i- ttmp=`awk ' Err parazyd.org 70 i- /^#/ { next } Err parazyd.org 70 i- /^GRAVEYARD / { printf "GRAVEYARD=\"%s\";", $2 } Err parazyd.org 70 i- /^KEYMOUNT / { printf "KEYMOUNT=\"%s\";", $2 } Err parazyd.org 70 i- /^TOMB / { printf "TOMB=\"%s\";", $2 } Err parazyd.org 70 i- ' "$R/.coffinrc"` Err parazyd.org 70 i- { test $? = 0 } || { Err parazyd.org 70 i- die "Error parsing config file." Err parazyd.org 70 i- return 1 Err parazyd.org 70 i- } Err parazyd.org 70 i- Err parazyd.org 70 i- eval "$ttmp" Err parazyd.org 70 i- act "Success parsing config file!" Err parazyd.org 70 i-} Err parazyd.org 70 1diff --git a/src/zlibs/features b/src/zlibs/features /git/coffin/file/src/zlibs/features.gph parazyd.org 70 it@@ -8,11 +8,11 @@ create-webdav-hook() { Err parazyd.org 70 i if [[ $entry =~ webdav && -f $COFFINDOT/webdav.conf ]]; then Err parazyd.org 70 i act "Found WebDAV data. Setting up..." Err parazyd.org 70 i Err parazyd.org 70 i- [[ -f $COFFINDOT/davinfo ]] && { Err parazyd.org 70 i- cat $COFFINDOT/davinfo >> /etc/apache2/davpasswd Err parazyd.org 70 i+ [[ -f $COFFINDOT/davpasswd ]] && { Err parazyd.org 70 i+ cat $COFFINDOT/davpasswd >> /etc/apache2/davpasswd Err parazyd.org 70 i [[ $? = 0 ]] && { Err parazyd.org 70 i- rm $COFFINDOT/davinfo Err parazyd.org 70 i- gpasswd -a www-data $undertaker Err parazyd.org 70 i+ rm $COFFINDOT/davpasswd Err parazyd.org 70 i+ gpasswd -a www-data $undertaker # NOTE: consider standalone group Err parazyd.org 70 i act "Added new WebDAV user" Err parazyd.org 70 i } Err parazyd.org 70 i } Err parazyd.org 70 .
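Review bot: The new `cat $COFFINDOT/davpasswd >> /etc/apache2/davpasswd` appends whatever is on the removable key straight into the Apache credential file with no format check, so a malformed or duplicate entry lands in the system file before `rm` removes the source; the previous `davinfo` line had the same gap, the rename does not introduce it. A minimal guard before the append, e.g. `grep -qvE '^[^:]+:[^:]+$' "$COFFINDOT/davpasswd" && { warn "davpasswd: unexpected format, not importing"; return 1; }`, keeps non-htpasswd lines out. `$COFFINDOT` and `$undertaker` are unquoted on the new lines, and the `# NOTE: consider standalone group` remark would be more actionable as a TODO stating that adding www-data to `$undertaker`'s group grants the web server that user's whole group access rather than just the WebDAV share. The enclosing create-webdav-hook() begins before the hunk.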