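#!/usr/bin/env bash
# Restore a GPG key backup onto a YubiKey and verify the result with an
# encrypt/decrypt round trip.
#
# Usage:   ./restore-gpg.sh <backup-dir>
#   <backup-dir> must contain an `all_private_keys` file.
# Requires: support/gpg-common.sh, which provides log, init_config,
#   init_yubikey_setup, ask_for_gpg_key_passwords, key_to_card and
#   enable_touch_policy_for_all_actions.
# Exit status: 1 on a missing/invalid argument, a failed temp-dir creation,
#   no importable key, or a failed round-trip check; 0 on success.
source support/gpg-common.sh

if [[ -z "${1:-}" ]]; then
  log "ERROR: Provide argument to GPG key backup directory (ex ./$0 output/gpg.1234)"
  exit 1
fi

GPG_KEY_PATH="$(realpath -s -- "$1")"
GPG_PRIV_KEY_PATH="$GPG_KEY_PATH/all_private_keys"
if [[ ! -d "$GPG_KEY_PATH" || ! -f "$GPG_PRIV_KEY_PATH" ]]; then
  log "Supplied path does not contain gpg keys."
  exit 1
fi

init_config
init_yubikey_setup
ask_for_gpg_key_passwords

# Work on a copy: gpg's import command can be destructive
# (ie, modifying the original key file and leaving a stub behind).
# The copy holds private key material, so it is removed on every exit path
# (error exits included), not only on success.
CLONED_KEY_TEMP_DIR="$(mktemp -d)" || { log "Failed to create temporary directory."; exit 1; }
cleanup() { rm -rf -- "${CLONED_KEY_TEMP_DIR:?}"; }
trap cleanup EXIT
cp -R "$GPG_KEY_PATH/." "$CLONED_KEY_TEMP_DIR/"

#Import public keys
#gpg --import "$CLONED_KEY_TEMP_DIR"/public_keys 2>&1 | grep "gpg: key" | head -n1 | sed 's/gpg: key //g' | sed 's/:.*//g'

log "Killing gpg agent before import."
# A missing agent makes killall fail; that is not fatal here (no `set -e`).
# NOTE(review): `gpgconf --kill gpg-agent` would do this without sudo — confirm.
sudo killall gpg-agent

#Import private keys. The key id is parsed from gpg's "gpg: key XXXX: ..."
# stderr lines (first match only).
log "Importing private keys to GPG."
KEY_ID="$(gpg --import "$CLONED_KEY_TEMP_DIR"/all_private_keys 2>&1 \
  | grep "gpg: key" | head -n1 | sed 's/gpg: key //g' | sed 's/:.*//g')"
log "Imported key id: ${KEY_ID:-unknown}"

#log "Moving Subkeys to YUBIKEY"
key_to_card "1" "1"
key_to_card "2" "2"
key_to_card "3" "3"
echo "Setting touch policy to be required for encryption signature and authentication operations"
enable_touch_policy_for_all_actions
sleep 2

#Get imported key id. As we clear gnupg at beginning of script, there should
#only be one key.
RECIPIENT="$(gpg --list-keys --with-colons | awk -F: '/^pub:/ { print $5 }')"
if [[ -z "$RECIPIENT" ]]; then
  log "No public key found in the keyring after import. Setup is not successful."
  exit 1
fi

log "Testing encryption and decryption"
log "Testing encryption and decryption. You should be prompted for PIN. After typing GPG User Pin, the yubikey should require a physical touch to complete decryption."
# Capture the decrypted text so it can actually be compared with the
# plaintext; the status checked is that of the final `gpg --decrypt`.
if ! DECRYPTEDMSG="$(printf '%s\n' "Hello world!" \
  | gpg -a --encrypt --recipient "$RECIPIENT" --always-trust \
  | gpg --decrypt)"; then
  log "Failed to decrypt test message. Setup is not successful."
  exit 1
fi
# A zero exit alone is not proof: the round trip must reproduce the plaintext.
if ! grep -qF -- "Hello world!" <<<"$DECRYPTEDMSG"; then
  log "Failed to decrypt test message. Setup is not successful."
  exit 1
fi

log "Decrypted message successfully."
log "IMPORTANT! If you were asked for a PIN (not a passphrase), and had to touch the yuibkey to decrypt, setup was succesful. Otherwise, an error has occured. Re-insert yubikey and try again."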