Offline Encryption Helper Scripts

decrypt-symmetric.sh

#!/bin/sh

set -eu

# Usage: ./decrypt-symmetric.sh [input-file] [output-file] [passphrase]

gpg2 --passphrase "$3" --batch --yes --no-tty --output $2 --decrypt $1

diceware.sh

#!/bin/sh

set -eu

# Usage: ./diceware.sh [word-count]

# Note: On first boot, run `dd if=/dev/random of=/dev/null bs=32 count=1` to ensure /dev/urandom is correctly seeded.
# Should only be needed on live USB/VMs.

LC_ALL=C egrep '^[[:lower:]]{4,6}$' /usr/share/dict/words | shuf --random-source=/dev/urandom -n$1 | paste -s -d ' '

encrypt-symmetric.sh

#!/bin/sh

set -eu

# Usage: ./encrypt-symmetric.sh [input-file] [passphrase]

gpg2 --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 --passphrase "$2" --batch --yes --no-tty --symmetric "$1"

mount-encrypted.sh

#!/bin/sh

set -eu

MOUNTNAME=encrypted
FILESIZE=32M
READONLY=true

while getopts ":f:m:s:p:w" opt; do
  case $opt in
    f)
      FILENAME="$OPTARG"
      ;;
    m)
      MOUNTNAME="$OPTARG"
      ;;
    s)
      FILESIZE="$OPTARG"
      ;;
    p)
      PASSPHRASE="$OPTARG"
      ;;
    w)
      READONLY=false
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

# Default FILENAME to MOUNTNAME.img
if [ -z "${FILENAME+x}" ]; then
  FILENAME="$MOUNTNAME".img
fi
VOLUMENAME="$MOUNTNAME"Volume

# Create encrypted volume if it doesn't exist
if [ ! -f "$FILENAME" ]; then

  if [ "$READONLY" = true ]; then
	  >&2 echo "Error: readonly but file doesn't exist"
		exit 1
	fi

	echo "Creating image file \"$FILENAME\" (size: $FILESIZE)..."
	fallocate -l $FILESIZE "$FILENAME"

	echo "Encrypting image file..."
	if [ -z "${PASSPHRASE+x}" ]; then
		sudo cryptsetup -y luksFormat "$FILENAME"
	else
		echo -n "$PASSPHRASE" | sudo cryptsetup -y luksFormat "$FILENAME" -d -
	fi

	echo "Opening encrypted volume..."
	if [ -z "${PASSPHRASE+x}" ]; then
		sudo cryptsetup luksOpen "$FILENAME" "$VOLUMENAME"
	else
	  echo -n "$PASSPHRASE" | sudo cryptsetup luksOpen "$FILENAME" "$VOLUMENAME" -d -
	fi

	echo "Formatting encrypted volume..."
	sudo mkfs.ext4 -L "$MOUNTNAME" /dev/mapper/"$VOLUMENAME"

	echo "Closing encrypted volume..."
	sudo cryptsetup luksClose /dev/mapper/"$VOLUMENAME"

fi

echo "Opening image file \"$FILENAME\"..."
if [ -z "${PASSPHRASE+x}" ]; then
  sudo cryptsetup luksOpen "$FILENAME" "$VOLUMENAME"
else
  echo -n "$PASSPHRASE" | sudo cryptsetup luksOpen "$FILENAME" "$VOLUMENAME" -d -
fi

echo "Mounting encrypted volume..."
mkdir -p ~/mnt/private/"$MOUNTNAME"
chmod 700 ~/mnt/private

if [ "$READONLY" = true ]; then
	sudo mount -o ro /dev/mapper/"$VOLUMENAME" ~/mnt/private/"$MOUNTNAME"
else
	sudo mount /dev/mapper/"$VOLUMENAME" ~/mnt/private/"$MOUNTNAME"
fi

echo "Done."

umount-encrypted.sh

#!/bin/sh

set -eu

MOUNTNAME=encrypted

while getopts ":m:" opt; do
  case $opt in
    m)
      MOUNTNAME="$OPTARG"
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

VOLUMENAME="$MOUNTNAME"Volume

echo "Unmounting image file"
sudo umount ~/mnt/private/"$MOUNTNAME"

echo "Closing image file..."
sudo cryptsetup luksClose /dev/mapper/"$VOLUMENAME"

echo "Done."