Rev 28 | Blame | Compare with Previous | Last modification | View Log | Download | RSS feed
#! /usr/bin/env perl
use strict;
use warnings;
use Data::Dumper;
use File::Path qw(make_path);
# script will create the key files used for GELI encryption
# if only the combined key file is provided, it will be created as a single key.
# if both local key files are provided, the combined key will be split into
# the two local keys using XOR, so that both local keys are required to
# reconstruct the combined key.
# these are the names of the key files used to create the GELI encryption
# if both local key files are provided, the combined key will be split into
# the two local keys using XOR, so that both local keys are required to
# reconstruct the combined key.
# if only the combined key file is provided, it will be created as a single key.
my $rootKeyLocation = '/tmp/keys/'; # '/media/passkey/'; # should be a tmpfs or ramdisk so no record is left on disk
my $localKeyFile1 = $rootKeyLocation . 'local_geli_1.key';
my $localKeyFile2 = $rootKeyLocation . 'local_geli_2.key';
my $combinedKeyFile = $rootKeyLocation . 'combined_geli.key';
# sub will take three file names:
# 1: combined key file to create
# 2: local key file 1 to create (optional)
# 3: local key file 2 to create (optional)
# If both local key files are provided, the combined key will be split into
# the two local keys using XOR, so that both local keys are required to
# reconstruct the combined key.
# returns the actual contents of the combined key, local key 1, and local key 2 as array
sub makeKeys {
$combinedKeyFile = shift;
$localKeyFile1 = shift;
$localKeyFile2 = shift;
# the actual contents of each key file, returned as raw binary strings for further processing
my $combinedKey;
my $localKey1;
my $localKey2;
# create a new combined key file if it does not exist
$combinedKey = make256bitKeyFile( $combinedKeyFile );
# if both local key file names are provided, create them.
if ( $localKeyFile1 && $localKeyFile2 ) {
$localKey1 = make256bitKeyFile ( $localKeyFile1 );
$localKey2 = xorKeys( $combinedKey, $localKey1 );
writeKeyfile( $localKeyFile2, $localKey2 );
}
return ( $combinedKey, $localKey1, $localKey2 );
}
# unpack and display a binary key as hex with a label
sub displayKey {
my ( $key, $label ) = @_;
die "No key provided to displayKey\n" unless defined $key;
die "No label provided to displayKey\n" unless defined $label;
my $hex = unpack( 'H*', $key );
print "$label: $hex\n";
}
sub runCommand {
my $command = shift;
print "$command\n";
`$command`;
}
sub readKeyfile {
my $keyfile = shift;
die "No keyfile provided to readKeyfile\n" unless defined $keyfile;
open( my $fh, '<:raw', $keyfile ) or die "Cannot open keyfile $keyfile: $!";
my $key;
my $read = read($fh, $key, 32);
close $fh;
die "Failed to read 32 bytes from $keyfile (got " . (defined $read ? $read : 0) . ")\n" unless defined $read && $read == 32;
return $key; # raw 32-byte binary key
}
sub writeKeyfile {
my ( $keyfile, $key ) = @_;
die "No keyfile provided to writeKeyfile\n" unless defined $keyfile;
die "No key provided to writeKeyfile\n" unless defined $key;
open( my $fh, '>:raw', $keyfile ) or die "Cannot open keyfile $keyfile for writing: $!";
my $written = syswrite( $fh, $key );
close $fh;
die "Failed to write 32 bytes to $keyfile (wrote " . (defined $written ? $written : 0) . ")\n" unless defined $written && $written == 32;
}
sub xorKeys {
my ( $key1, $key2 ) = @_;
die "No key1 provided to xorKeys\n" unless defined $key1;
die "No key2 provided to xorKeys\n" unless defined $key2;
die "Keys must be 32 bytes each\n" unless length($key1) == 32 && length($key2) == 32;
my $result = $key1 ^ $key2;
return $result;
}
# create a new 256-bit (32 byte) random key file unless it already exixts
# returns the raw binary contents of the key
sub make256bitKeyFile {
my $keyfile = shift;
die "No keyfile name provided to make256bitKeyFile\n" unless defined $keyfile;
if ( -f $keyfile ) {
print "Key file $keyfile already exists, not overwriting\n";
} else {
print "Creating new key file $keyfile\n";
if ( -x '/usr/bin/openssl' ) {
# openssl prefers /dev/urandom automatically
runCommand( "openssl rand -out $keyfile 32" );
} else {
# dd displays too much output, so redirect to /dev/null (stdout and stderr)
runCommand( "dd if=/dev/random of=$keyfile bs=32 count=1 >/dev/null 2>&1" );
}
}
return readKeyfile( $keyfile );
}
# ensure the root key location directory exists
make_path( $rootKeyLocation ) unless -d $rootKeyLocation;
# create the key(s) used for GELI encryption
my ( $combinedKey, $localKey1, $localKey2 ) = makeKeys( $combinedKeyFile, $localKeyFile1, $localKeyFile2 );
# show the results as ASCII hex for recording
print "Keys created, please record this sensitive information for your records:\n";
displayKey( $combinedKey, 'Combined Key' );
displayKey( $localKey1, 'Local Key 1' ) if defined $localKey1;
displayKey( $localKey2, 'Local Key 2' ) if defined $localKey2;