For better syntax highlighting and the ability to copy paste the code snippets, view this post on . grimoire.science One of the problems of a shared system, is that sometimes multiple applications are used by multiple people. Normally this would be solved by the excellent multi-user support inherent to *nix systems. After all_,_ *nix and derivatives were used by multiple users at the same time. designed to be However, in some cases, it just makes sense for a single application to stay locked until a password is supplied. In any case, is one of the better encryption methods (as long as usability overshadows security) and it’s a good practice to encrypt application data anyway. The case for encryption varies, but weather it’s to make life harder for hackers, or just to stop cloud storage providers from sniffing around, it’s always a good idea. Even if multiple users will not be sharing an account, encryption prevents the or from getting too frisky with your data. encfs root users admins The popular and other security authentication methods are not a good fit for this since most of them are unlocked all at once and without being linked to a particular program. gnome-keyring Here we will create a few simple bash scripts to generically and flexibly lock and encrypt applications in a way which allows for multiple users to have their own private encrypted instances of shared apps. The complete scripts are located in my . Dotfiles Requirements The basic requirements are commonly found across most UNIX systems and its derivatives including MacOS, Ubuntu and other Debian distros, RPM based systems etc. I personally run but that’s just a biased endorsement. Arch Linux The requirements are: Bash This is needed for the shell substitutions in the shell script. Found almost everywhere. 2. EncFS This handles the encryption portion. Though everything covered here will require only the base program itself, new users would probably benefit from having one of the GUI interfaces to as well. I prefer . encfs Gnome Encfs Manager 3. An ASKPASS program These are most famously known for weird errors. However, here we will focus on and as a fallback. ssh zenity git And that’s it. Other variations of this method might use for more GUI goodness. Other programs and helpers may also be used, like the popular program. shoes askpass x11-ssh-askpass Program Structure Our basic structure is simple. An encrypted folder is mounted The application is run Additionally we would like the following features: Execution without the terminal (GUI, no terminal user queries) An automated way of generating a new stash for applications A sanitized name for the mount points Preliminaries Before getting to the creation of a script, I like to experiment with the native shell. In this case this simply involved checking the following: Shell trials This prompted me to create the directory if it didn’t exist, which would not be handled properly from within a shell script. Additionally the MAN page for showed me that support for external authentication managers is granted via the flag. encfs --extpass Implementation With those preliminaries out of the way, it is time to start scripting. Portions which require the bash shell specifically will have the shebang included. Always remember to start the script with it and to only put it once, right at the top of the file. The shebang Setting Variables Initially we might simply set an unlock string as follows: Using a variable for the unlock dialog Choosing an ASKPASS program Since scripts can quickly get clunky without intending too, we will first add a simple variable which is suitable for running the external authentication. Zenity Prompt Zenity implementation As mentioned previously, is the prettier choice, however, it may not be installed everywhere. So we need a fallback. zenity is more or less available everywhere, and it just so happens to have a pretty neat tool as well. Git askpass Git Askpass Prompt Git Askpass Implementaion However, it would be better to wrap them both up in a way to pick one or the other based on the availability. So, we write a simple test. The test logic Honestly the usage of instead of is a bit controversial. However, here I went with simply because it seemed faster. The more portable (POSIX compliant) version of the above would use . For more details check . which command -v which command -v this stack exchange question Creating Mount-points defaults to removing the mount point when the stash is unmounted, however, this causes a terminal input demand which needed to be suppressed, hence the directories are created prior to running Encfs. Gnome Encfs Manager Variables and directories Caveats The above snippet does not deal with situations where: The stash is already mounted The stash does not exist These are dealt with in the section of this document. Improvements Mount and Run Now we are in a position to simply mount our stash and run the program. A basic mount and run Caveats At this stage the script is not equipped to deal with situations where: The mount operation fails (wrong password) The config files are encrypted The script runs the program without testing the result of the mount, which will lead to much frustration and weird errors. These edge cases are handled by the code in . Handling Authentication Improvements Several improvements to the basic script created above are discussed in this section. Naming directories This is actually not a really important bit, however, I wanted the app directories to start with letters. Also I wanted the encrypted data to be stored in a folder. capital hidden In any case, this portion of the script uses a bash specific expansion. At thispoint we can also make the a little neater. unlockString Bash substitutions for prettier names Now that we have the name, we simply modify the directories. Renaming the directories Handling mounted directories To ensure that the script is able to eventually deal with situations where the command is run in succession, a check is required to figure out if the mount point is currently mounted. If it is mounted, we will unmount it. Testing for mounts Additionally, for cases where the stash does not yet exist, we will need to create the other directory as well. We shall also kill the application if the stash is to be mounted (for security). This portion was aided by . this stack exchange thread Mount handling with directory creation Handling Authentication Finally we shall deal with cases where the script executes and the stashes exist, but the password is incorrect. Additionally, we shall deal with managing the flow of control via the variable. $? Quite simply, the variable holds the result of the previous command. Hence it can be used to control the flow. This was inspired by the answers . $? here The results variable and flow of control Putting it all together For the latest revisions check . my Dotfiles It is also reproduced here as a gist, since Medium can’t handle syntax highlighting. Future Directions There ought to be a non-terminal way of creating the stash for the first time. Also, it may be interesting to work on the rules and configuration schemes for a variety of applications. Originally published at grimoire.science .
