sgpg 0.1.0

data/README.md

@@ -0,0 +1,50 @@
+# Sgpg
+Short gpg, tool for manage your gpg key (backup tarball, unprivileged keys, etc)
+
+Followed my [post](https://szorfein.github.io/gpg/build-secure-gpg-key/) to
+create a secure gpg key, i need to update my key all the 6 month on each PC
+ and each time, it's very very annoying so i build this tool to gain in time
+ and sanity :).
+
+So with this tool, 'i,you,we' should use no more than 3 commands max instead of 50...
+
+You always need to create a gpg key as well
+
+    gpg --expert --full-generate-key
+
+## Install sgpg locally
+
+    gem install sgpg
+
+You also need to install dependencies: tar, cryptsetup, shred and gpg.
+
+## Configure
+The config is located at ~/.config/sgpg/config.yml. You can use the command line with `--save`:
+
+    sgpg --disk /dev/sdc2 --disk-encrypt --key szorfein@protonmail.com --save
+
+You can register the disk/by-id or disk/by-uuid if you prefer.
+
+    sgpg --disk /dev/disk/by-id/wmn-0xXXXX-part2 --disk-encrypt --save
+
+## Usage
+
+    sgpg -h
+
+When subkeys expire:
+
+    sgpg --last-master --edit-key # update expired keys, change password, etc...
+    sgpg --export
+    sgpg --close # unmount and close disk
+
+Import the last unpriviliged key (laptop and other)
+
+    sgpg --last-lesser --edit-key # trust (555)
+    sgpg --close # unmount and close disk
+
+## Gem push
+
+    gem login
+    gem build sgpg.gemspec
+    gem push sgpg-0.0.1.gem
+

data/bin/sgpg

@@ -0,0 +1,72 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'sgpg'
+require 'optparse'
+
+config_file = Sgpg::YamlConfig.new
+config_file.load
+
+options = config_file.config
+
+OptionParser.new do |opts|
+  opts.banner = 'Usage: sgpg.rb [options]'
+
+  opts.on('-d', '--disk DEV', 'Specify device disk to use to save your keys') do |dev|
+    options[:disk] = dev
+  end
+
+  opts.on('--disk-encrypt', 'If we need to use cryptsetup to open the disk.') do
+    options[:crypted] = true
+  end
+
+  opts.on('-k', '--key NAME', 'Use the key name, default use ENV["USER"]') do |name|
+    options[:keyname] = name
+  end
+
+  opts.on('-e', '--edit-key', 'Edit your secret key.') do
+    Sgpg::Main.edit_key(options)
+  end
+
+  opts.on('-l', '--list-key', "Display the last secret key #{Sgpg::MOUNTPOINT}.") do
+    Sgpg.list_keys(options[:keyname])
+  end
+
+  opts.on('-o', '--open', "Open and mount device disk at #{Sgpg::MOUNTPOINT}.") do
+    Sgpg.open(options[:disk], options[:crypted])
+  end
+
+  opts.on('-p', '--path-key PATH', 'use archive PATH') do |path|
+    raise "path #{path} didn't found" unless File.exist? path
+
+    options[:keypath] = path
+  end
+
+  opts.on('--last-master', 'Use the last archive master') do
+    options[:keypath] = Sgpg.last_key(options, 'master')
+  end
+
+  opts.on('--last-lesser', 'Use the last archive lesser (unpriviliged)') do
+    options[:keypath] = Sgpg.last_key(options, 'lesser')
+  end
+
+  opts.on('-c', '--close', 'Unmount and close disk device.') do
+    Sgpg.close(options[:disk], options[:crypted])
+  end
+
+  opts.on('-s', '--save', 'Save current optargs in the config file') do
+    config_file.save(options)
+  end
+
+  opts.on('--export', 'Export your current master key and create both archives (master and lesser)') do
+    Sgpg::Main.export_secret(options)
+    Sgpg::Main.lesser_keys(options)
+  end
+end.parse!
+
+raise 'no disk to use' if !options[:disk] || options[:disk] == ''
+raise 'no key to use' if !options[:keyname] || options[:keybase] == ''
+
+puts config_file
+
+puts "Sgpg v.#{Sgpg::VERSION}"

data/lib/sgpg/archive.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module Sgpg
+  # Interact with program tar from unix
+  class Archive
+    # Code here
+    def initialize(key, name = ENV['USER'])
+      @key = key || ''
+      @name = name
+      @date = Time.now.strftime('%Y-%m-%d')
+      puts "create key #{@name}-#{@date}-master.tar"
+      FileUtils.mkdir_p Sgpg::WORKDIR
+      @gpg = Gpg.new(@name)
+      # make it compatabble with Tails Linux
+    end
+
+    def create_master_tar
+      Dir.chdir(Sgpg::WORKDIR)
+      @gpg.export_secret_keys(Sgpg::WORKDIR)
+      create_tar('master')
+    end
+
+    def create_lesser_tar
+      Dir.chdir(Sgpg::WORKDIR)
+      @gpg.export_subkey(Sgpg::WORKDIR)
+      @gpg.delete_keys
+      @gpg.import_lesser_keys
+      @gpg.export_secret_keys(Sgpg::WORKDIR)
+      create_tar('lesser')
+    end
+
+    def extract
+      raise 'No key found, try with --path-key PATH.' unless File.exist?(@key)
+
+      Dir.chdir(Sgpg::WORKDIR)
+      puts "Unpacking archive #{@key}..."
+      system('tar', 'xvf', @key)
+    end
+
+    def import
+      @gpg.delete_keys
+      puts 'Importing gpg keys...'
+      keys = Dir.glob("#{Sgpg::WORKDIR}/*.key")
+      import_secret(keys)
+      import_public(keys)
+      @gpg.edit_key
+    end
+
+    def move(pathdir)
+      raise "Dir #{pathdir} no found." unless Dir.exist?(pathdir)
+
+      tar = Dir.glob("#{Sgpg::WORKDIR}/*.tar")
+      raise 'No archive found.' unless tar.length >= 1
+
+      mv(tar, pathdir)
+    end
+
+    private
+
+    def import_secret(keys)
+      keys.each { |k| system('gpg', '-a', '--import', k) if k.match(/secret/) }
+    end
+
+    def import_public(keys)
+      keys.each { |k| system('gpg', '-a', '--import', k) if k.match(/public/) }
+    end
+
+    # suffix should be 'master' or 'lesser' (keys without privilege)
+    def create_tar(suffix = 'master')
+      if suffix == 'master'
+        system("tar -cf #{@name}-#{@date}-#{suffix}-keys.tar *.key revocation.cert")
+      else
+        system("tar -cf #{@name}-#{@date}-#{suffix}-keys.tar *.key")
+      end
+    end
+
+    def mv(tar, pathdir)
+      puts "Moving archive at #{pathdir}..."
+      case Helper.auth?
+      when :root
+        tar.each { |f| FileUtils.mv(f, "#{pathdir}/#{f}") }
+      when :sudo
+        tar.each { |f| system('sudo', 'mv', f, "#{pathdir}/") }
+      when :doas
+        tar.each { |f| system('doas', 'mv', f, "#{pathdir}/") }
+      end
+    end
+  end
+end

data/lib/sgpg/cryptsetup.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# lib/cryptsetup.rb
+
+module Sgpg
+  # Manipule program cryptsetup
+  class Cryptsetup
+    class InvalidDisk < StandardError; end
+
+    def initialize(disk)
+      raise "no disk #{disk} specified..." unless disk
+
+      @disk = disk
+      @mapname = 'sgpg'
+    end
+
+    # tails linux make persistent volume on second partiton 'disk_name'2
+    def open
+      check_disk
+
+      case Helper.auth?
+      when :root
+        open_with
+      when :doas
+        open_with 'doas'
+      when :sudo
+        open_with 'sudo'
+      end
+    end
+
+    def close
+      case Helper.auth?
+      when :root
+        close_with
+      when :doas
+        close_with 'doas'
+      when :sudo
+        close_with 'sudo'
+      end
+    end
+
+    protected
+
+    def check_disk
+      raise InvalidDisk, "Disk #{@disk} not exist or not plugged." unless
+        File.exist?(@disk)
+    end
+
+    private
+
+    def open_with(prefix = '')
+      if prefix
+        puts "openning disk #{@disk} with #{prefix}..."
+      else
+        puts "openning disk #{@disk}..."
+      end
+
+      raise "unable to open #{@disk} #{prefix}" unless
+        system(prefix, 'cryptsetup', 'open', '--type', 'luks', @disk, @mapname)
+    end
+
+    def close_with(prefix = '')
+      puts "closing disk #{@disk}..."
+
+      raise "closing disk #{@disk} failed" unless
+        system(prefix, 'cryptsetup', 'close', @mapname)
+    end
+  end
+end

data/lib/sgpg/gpg.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Sgpg
+  # Interact with GnuPG from unix
+  class Gpg
+    # Code here
+    def initialize(keyname)
+      @keyname = keyname
+      puts "using key #{@keyname}"
+    end
+
+    def delete_keys
+      return unless system('gpg', '-k', @keyname)
+
+      puts "Found older key name #{@keyname}, need to be deleted to import new..."
+      system('gpg', '--delete-secret-keys', @keyname)
+      system('gpg', '--delete-keys', @keyname)
+    end
+
+    def edit_key
+      raise "No key #{@keyname} found." unless system('gpg', '-k', @keyname)
+
+      system('gpg', '--edit-key', @keyname)
+    end
+
+    def export_secret_keys(pathdir)
+      raise "No dir #{pathdir} exist" unless File.exist?(pathdir)
+
+      output = "#{pathdir}/#{@keyname}"
+      system("gpg --armor --export-secret-keys #{@keyname} > #{output}-secret.key")
+      system("gpg --armor --export #{@keyname} > #{output}-public.key")
+    end
+
+    def export_subkey(pathdir)
+      raise "No dir #{pathdir} exist" unless File.exist?(pathdir)
+
+      system("gpg --export-secret-subkeys #{@keyname} > #{pathdir}/subkeys")
+    end
+
+    def import_lesser_keys
+      keypath = "#{Sgpg::WORKDIR}/subkeys"
+      raise "No key #{keypath} exist" unless File.exist?(keypath)
+
+      system('gpg', '--import', keypath)
+    end
+  end
+end

data/lib/sgpg/helper.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# lib/helper.rb
+
+module Sgpg
+  # Reusable functions for the program
+  module Helper
+    def self.auth?
+      return :root if Process.uid == '0'
+      return :doas if File.exist?('/bin/doas') || File.exist?('/sbin/doas')
+      return :sudo if File.exist?('/bin/sudo') || File.exist?('/sbin/sudo')
+    end
+  end
+end

data/lib/sgpg/mount.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+# lib/mount.rb
+
+require 'fileutils'
+
+module Sgpg
+  # (un)mount a device to a mountpoint
+  class Mount
+    # Argument 'disk' = full path of the disk.
+    # e.g: /dev/mapper/sgpg for cryptsetup (See Sgpg::Cryptsetup) of just /dev/sdX
+    def initialize(disk)
+      @user = ENV['USER'] || 'root'
+      @disk = disk
+    end
+
+    def open
+      case Helper.auth?
+      when :root
+        open_with
+      when :doas
+        open_with 'doas'
+      when :sudo
+        open_with 'sudo'
+      end
+    end
+
+    def close
+      case Helper.auth?
+      when :root
+        close_with
+      when :doas
+        close_with 'doas'
+      when :sudo
+        close_with 'sudo'
+      end
+    end
+
+    protected
+
+    def open_with(prefix = '')
+      prefix == '' ? create_with_ruby : create_with_system(prefix)
+
+      raise "Unable to mount #{@disk}" unless
+        system(prefix, 'mount', '-t', 'ext4', @disk, Sgpg::MOUNTPOINT)
+    end
+
+    def close_with(prefix = '')
+      raise "Unable to umount #{@disk}" unless
+        system(prefix, 'umount', Sgpg::MOUNTPOINT)
+    end
+
+    private
+
+    def create_wiht_ruby
+      FileUtils.mkdir_p Sgpg::MOUNTPOINT
+      FileUtils.chown @user, @user, Sgpg::MOUNTPOINT, verbose: true
+      FileUtils.chmod 0644, Sgpg::MOUNTPOINT, verbose: true
+    end
+
+    def create_with_system(prefix)
+      system(prefix, 'mkdir', '-p', Sgpg::MOUNTPOINT)
+      system(prefix, 'chown', "#{@user}:#{@user}", Sgpg::MOUNTPOINT)
+      system(prefix, 'chmod', '0644', Sgpg::MOUNTPOINT)
+    end
+  end
+end

data/lib/sgpg/option.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# lib/option.rb
+
+module Sgpg
+  MOUNTPOINT = '/mnt/sgpg' # Better permission than /media/sgpg
+  KEYDIR = "#{MOUNTPOINT}/Persistent" # Tails Linux Comptatible
+  WORKDIR = '/tmp/sgpg'
+end

data/lib/sgpg/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Sgpg
+  VERSION = '0.1.0'
+end

data/lib/sgpg/yaml_config.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Sgpg
+  # Manage the configuration file
+  class YamlConfig
+    attr_reader :config
+
+    def initialize
+      @file_dir = "#{ENV['HOME']}/.config/sgpg"
+      @filename = 'config.yml'
+      @full_path = "#{@file_dir}/#{@filename}"
+      @config = {
+        disk: '',
+        keyname: '',
+        crypted: false
+      }
+    end
+
+    def load
+      if !Dir.exist?(@file_dir) || !File.exist?(@full_path)
+        create_dir
+        write_config unless File.exist?(@full_path)
+      else
+        loading
+      end
+    end
+
+    def to_s
+      "Using disk >> #{@config[:disk]}, key >> #{@config[:keyname]}"
+    end
+
+    def save(opts)
+      puts "saving options #{opts}"
+      @config[:disk] = opts[:disk] if opts[:disk]
+      @config[:keyname] = opts[:keyname] if opts[:keyname]
+      @config[:crypted] = opts[:crypted] if opts[:crypted]
+      puts "current #{config}"
+      write_config
+    end
+
+    protected
+
+    def loading
+      puts "Loading #{@full_path}..."
+      @config = YAML.load_file(@full_path)
+    rescue Psych::SyntaxError => e
+      puts "YAML syntax error: #{e.message}"
+    rescue Errno::ENOENT
+      puts "File not found: #{@full_path}"
+    end
+
+    private
+
+    def create_dir
+      return if Dir.exist? @file_dir
+
+      puts "Creating #{@file_dir}..."
+      Dir.mkdir @file_dir
+    end
+
+    def write_config
+      in_yaml = YAML.dump(@config)
+      File.write(@full_path, in_yaml)
+    end
+  end
+end

data/lib/sgpg.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require_relative 'sgpg/version'
+require_relative 'sgpg/option'
+require_relative 'sgpg/yaml_config'
+require_relative 'sgpg/helper'
+require_relative 'sgpg/cryptsetup'
+require_relative 'sgpg/mount'
+require_relative 'sgpg/gpg'
+require_relative 'sgpg/archive'
+
+# Manage your gpg key easyly
+module Sgpg
+  def self.open(disk, is_crypted = false)
+    return if Dir.glob("#{Sgpg::MOUNTPOINT}/*").length >= 1
+
+    puts "Open device #{disk}..."
+    if is_crypted
+      Cryptsetup.new(disk).open
+      Mount.new('/dev/mapper/sgpg').open
+    else
+      Mount.new(disk).open
+    end
+  end
+
+  def self.close(disk, is_crypted = false)
+    if is_crypted
+      Mount.new('/dev/mapper/sgpg').close
+      Cryptsetup.new(disk).close
+    else
+      Mount.new(disk).close
+    end
+  end
+
+  def self.list_keys(keyname)
+    keys = Dir.glob("#{Sgpg::MOUNTPOINT}/Persistent/#{keyname}*.tar")
+    puts "Listing keys for #{keyname}..."
+    keys = Dir.glob("#{Sgpg::MOUNTPOINT}/Persistent/*.tar") if keys == [] || keys == ''
+    puts keys
+  end
+
+  # argument 'suffix' = master or lesser
+  def self.last_key(opts, suffix = 'master')
+    Sgpg.open(opts[:disk], opts[:crypted])
+
+    keys = Dir.glob("#{Sgpg::KEYDIR}/#{opts[:keyname]}*#{suffix}*.tar").sort
+    raise 'No keys found' unless keys.length >= 1
+
+    keys[0]
+  end
+
+  def self.clear_keys
+    return unless Dir.glob("#{Sgpg::WORKDIR}/*.key").length >= 1
+
+    print "Clearing keys located at #{Sgpg::WORKDIR}? (y/n) "
+    choice = gets.chomp
+    return unless choice.match(/^y|^Y/)
+
+    puts "Clearing #{Sgpg::WORKDIR}..."
+    system("shred -u #{Sgpg::WORKDIR}/*.key")
+  end
+
+  # Main logic here
+  module Main
+    # import and edit a gpg key from an archive (opts[:keypath])
+    def self.edit_key(opts)
+      Sgpg.open(opts[:disk], opts[:crypted])
+      archive = Archive.new(opts[:keypath], opts[:keyname])
+      archive.extract
+      archive.import
+      Sgpg.clear_keys
+    end
+
+    # export your real keys and create an archive (tar)
+    def self.export_secret(opts)
+      archive = Archive.new(opts[:keypath], opts[:keyname])
+      archive.create_master_tar
+      archive.move(Sgpg::KEYDIR)
+      Sgpg.clear_keys
+    end
+
+    # create an unpriviliged gpg key (no change can be made)
+    def self.lesser_keys(opts)
+      archive = Archive.new(opts[:keypath], opts[:keyname])
+      archive.create_lesser_tar
+      archive.move(Sgpg::KEYDIR)
+      Sgpg.clear_keys
+    end
+  end
+end

data/sgpg.gemspec

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative 'lib/sgpg/version'
+
+# https://guides.rubygems.org/specification-reference/
+Gem::Specification.new do |s|
+  s.name = 'sgpg'
+  s.summary = 'Short gpg, tool for manage your gpg key (backup tarball, unprivileged keys, etc...)'
+  s.version = Sgpg::VERSION
+  s.platform = Gem::Platform::RUBY
+
+  s.description = <<-DESCRIPTION
+    Short gpg, tool for manage your gpg key (backup tarball, unprivileged keys, etc...)
+  DESCRIPTION
+
+  s.email = 'szorfein@protonmail.com'
+  s.homepage = 'https://github.com/szorfein/sgpg'
+  s.license = 'GPL-3'
+  s.author = 'szorfein'
+
+  s.metadata = {
+    'bug_tracker_uri' => 'https://github.com/szorfein/sgpg/issues',
+    'changelog_uri' => 'https://github.com/szorfein/sgpg/blob/main/CHANGELOG.md',
+    'source_code_uri' => 'https://github.com/szorfein/sgpg',
+    'wiki_uri' => 'https://github.com/szorfein/sgpg/wiki',
+    'funding_uri' => 'https://patreon.com/szorfein'
+  }
+
+  s.files = Dir.glob('{lib,bin}/**/*', File::FNM_DOTMATCH).reject { |f| File.directory?(f) }
+  s.files += %w[CHANGELOG.md LICENSE README.md]
+  s.files += %w[sgpg.gemspec]
+
+  s.bindir = 'bin'
+  s.executables << 'sgpg'
+  s.extra_rdoc_files = %w[README.md]
+
+  # s.cert_chain = %w[certs/szorfein.pem]
+  # s.signing_key = File.expand_path('~/.ssh/gem-private_key.pem')
+
+  s.required_ruby_version = '>=2.6'
+  s.requirements << 'gpg'
+  s.requirements << 'cryptsetup'
+  s.requirements << 'shred'
+  s.requirements << 'tar'
+end