

For better syntax highlighting and the ability to copy paste the code snippets, view this post on grimoire.science.
One of the probΒlems of a shared sysΒtem, is that someΒtimes mulΒtiΒple apΒpliΒcaΒtions are used by mulΒtiΒple peoΒple. Normally this would be solved by the exΒcelΒlent multi-user supΒport inΒherΒent to *nix sysΒtems. After all, *nix and deΒrivΒaΒtives were deΒsigned to be used by mulΒtiΒple users at the same time.
However, in some cases, it just makes sense for a sinΒgle apΒpliΒcaΒtion to stay locked unΒtil a passΒword is supΒplied. In any case, encfs is one of the betΒter enΒcrypΒtion methΒods (as long as usΒabilΒity overΒshadΒows seΒcuΒrity) and itβs a good pracΒtice to enΒcrypt apΒpliΒcaΒtion data anyΒway. The case for enΒcrypΒtion varies, but weather itβs to make life harder for hackΒers, or just to stop cloud storΒage providers from sniffΒing around, itβs always a good idea. Even if mulΒtiΒple users will not be sharΒing an acΒcount, enΒcrypΒtion preΒvents the root users
or admins
from getΒting too frisky with your data.
The popΒuΒlar gnome-keyring and other seΒcuΒrity auΒthenΒtiΒcaΒtion methΒods are not a good ο¬t for this since most of them are unΒlocked all at once and withΒout beΒing linked to a parΒticΒuΒlar proΒgram.
Here we will creΒate a few simΒple bash scripts to generΒiΒcally and ο¬exΒiΒbly lock and enΒcrypt apΒpliΒcaΒtions in a way which alΒlows for mulΒtiΒple users to have their own priΒvate enΒcrypted inΒstances of shared apps. The comΒplete scripts are loΒcated in my Dotο¬les.
The baΒsic reΒquireΒments are comΒmonly found across most UNIX sysΒtems and its deΒrivΒaΒtives inΒcludΒing MacOS, Ubuntu and other Debian disΒtros, RPM based sysΒtems etc.
I perΒsonΒally run Arch Linux but thatβs just a biΒased enΒdorseΒment.
The reΒquireΒments are:
This is needed for the shell subΒstiΒtuΒtions in the shell script. Found alΒmost everyΒwhere.
2. EncFS
This hanΒdles the enΒcrypΒtion porΒtion. Though everyΒthing covΒered here will reΒquire only the base proΒgram itΒself, new users would probΒaΒbly benΒeΒο¬t from havΒing one of the GUI inΒterΒfaces to encfs
as well. I preΒfer Gnome Encfs Manager.
3. An ASKPASS proΒgram
These are most faΒmously known for weird ssh
erΒrors. However, here we will foΒcus on zenΒity and git as a fallΒback.
And thatβs it. Other variΒaΒtions of this method might use shoes for more GUI goodΒness. Other askpass
proΒgrams and helpers may also be used, like the popΒuΒlar x11-ssh-askpass proΒgram.
Our basic structure is simple.
Additionally we would like the folΒlowΒing feaΒtures:
Before getΒting to the creΒation of a script, I like to exΒperΒiΒment with the naΒtive shell. In this case this simΒply inΒvolved checkΒing the folΒlowΒing:
Additionally the MAN page for encfs
showed me that supΒport for exΒterΒnal auΒthenΒtiΒcaΒtion manΒagers is granted via the --extpass
ο¬ag.
With those preΒlimΒiΒnarΒies out of the way, it is time to start scriptΒing. Portions which reΒquire the bash shell specifΒiΒcally will have the sheΒbang inΒcluded.
Always reΒmemΒber to start the script with it and to only put it once, right at the top of the ο¬le.
Initially we might simply set an unlock string as follows:
Since scripts can quickly get clunky withΒout inΒtendΒing too, we will ο¬rst add a simΒple variΒable which is suitΒable for runΒning the exΒterΒnal auΒthenΒtiΒcaΒtion.
As menΒtioned preΒviΒously, zenΒity is the pretΒtier choice, howΒever, it may not be inΒstalled everyΒwhere. So we need a fallΒback.
Git is more or less availΒable everyΒwhere, and it just so hapΒpens to have a pretty neat askpass
tool as well.
However, it would be betΒter to wrap them both up in a way to pick one or the other based on the availΒabilΒity. So, we write a simΒple test.
Honestly the usΒage of which
inΒstead of command -v
is a bit conΒtroΒverΒsial. However, here I went with which
simΒply beΒcause it seemed faster. The more portable (POSIX comΒpliΒant) verΒsion of the above would use command -v
. For more deΒtails check this stack exΒchange quesΒtion.
Gnome Encfs Manager deΒfaults to reΒmovΒing the mount point when the stash is unΒmounted, howΒever, this causes a terΒmiΒnal inΒput deΒmand which needed to be supΒpressed, hence the diΒrecΒtoΒries are creΒated prior to runΒning Encfs.
The above snipΒpet does not deal with sitΒuΒaΒtions where:
These are dealt with in the Improvements secΒtion of this docΒuΒment.
Now we are in a poΒsiΒtion to simΒply mount our stash and run the proΒgram.
At this stage the script is not equipped to deal with sitΒuΒaΒtions where:
The script runs the proΒgram withΒout testΒing the reΒsult of the mount, which will lead to much frusΒtraΒtion and weird erΒrors. These edge cases are handled by the code in Handling Authentication.
Several imΒproveΒments to the baΒsic script creΒated above are disΒcussed in this secΒtion.
This is acΒtuΒally not a reΒally imΒporΒtant bit, howΒever, I wanted the app diΒrecΒtoΒries to start with capΒiΒtal letΒters. Also I wanted the enΒcrypted data to be stored in a hidΒden folder.
In any case, this porΒtion of the script uses a bash speΒciο¬c exΒpanΒsion. At this
point we can also make the unlockString
a little neater.
Now that we have the name, we simply modify the directories.
To enΒsure that the script is able to evenΒtuΒally deal with sitΒuΒaΒtions where the comΒmand is run in sucΒcesΒsion, a check is reΒquired to ο¬gΒure out if the mount point is curΒrently mounted.
If it is mounted, we will unΒmount it.
Additionally, for cases where the stash does not yet exΒist, we will need to creΒate the other diΒrecΒtory as well. We shall also kill the apΒpliΒcaΒtion if the stash is to be mounted (for seΒcuΒrity). This porΒtion was aided by this stack exΒchange thread.
Finally we shall deal with cases where the script exΒeΒcutes and the stashes exΒist, but the passΒword is inΒcorΒrect. Additionally, we shall deal with manΒagΒing the ο¬ow of conΒtrol via the $?
variΒable.
Quite simΒply, the $?
variΒable holds the reΒsult of the preΒviΒous comΒmand. Hence it can be used to conΒtrol the ο¬ow. This was inΒspired by the anΒswers here.
For the latΒest reΒviΒsions check my Dotο¬les.
It is also reΒproΒduced here as a gist, since Medium canβt handle syntax highlighting.
There ought to be a non-terΒmiΒnal way of creΒatΒing the stash for the ο¬rst time. Also, it may be inΒterΒestΒing to work on the rules and conΒο¬gΒuΒraΒtion schemes for a vaΒriΒety of apΒpliΒcaΒtions.
Originally published at grimoire.science.
Create your free account to unlock your custom reading experience.