@x42en
Created January 3, 2020 16:33
Bash script used to setup home directory encryption on Ubuntu 18.04 LTS using fscrypt
#!/bin/bash
# Script based on tutorial
# http://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html
#
# Migrates one (or every) home directory under /home into an fscrypt-encrypted
# directory whose key is derived from the user's login passphrase via PAM.

if [[ "$EUID" -ne 0 ]]; then
    echo "[!] Sorry, this script needs to be run as root."
    exit 1
fi

function usage {
    echo "Description:"
    echo "This tool is used to encrypt a specific user's home directory."
    echo "You could use it to encrypt all of them in one pass with the --all flag."
    echo ""
    echo "Note:"
    echo "You should AVOID using this tool while connected to any graphical interface."
    echo "Unexpected behaviours might happen while copying a user directory if connected to a GUI."
    echo ""
    echo "Usage:"
    echo "$0 [user | --all]"
    echo ""
}

# Print usage if nothing is set as user
if [[ -z $1 ]]; then
    usage
    exit 1
elif [[ "$1" == "--all" ]]; then
    # Get list of all users: every directory directly under /home.
    # nullglob keeps USERS empty (instead of a literal '*/') when /home has no entries.
    shopt -s nullglob
    cd /home || exit 1
    USERS=( */ )
    shopt -u nullglob
else
    if [[ ! -d /home/$1 ]]; then
        echo '[!] This user does not have a home directory. Make sure it exists.'
        exit 1
    fi
    # Store user as unique entry in array
    USERS=("$1")
fi

echo '..:: Home Directory encryption tool ::..'

# Setup var: block device backing the root filesystem (the tutorial assumes /home lives on it)
DEVICE=$(df --output=source / | tail -n 1)
echo "[+] We will work on ${DEVICE} partition"

# Check that the filesystem block size equals the page size (required by fscrypt on these kernels)
if [[ $(getconf PAGESIZE) -eq $(tune2fs -l "$DEVICE" | grep 'Block size' | awk '{print $3}') ]]; then
    echo '[+] Block size is identical, keep going...'
else
    echo '[!] Block size does not appear to be identical, abort encryption!'
    exit 1
fi

echo '[+] Install required libs'
apt -qq -y install fscrypt libpam-fscrypt || exit 1

# Install PAM encrypt module if first time
if [[ ! -f /usr/share/pam-configs/keyinit-fix ]]; then
    echo '[+] Setup PAM encrypt module'
    # pam_keyinit gives each login a fresh session keyring so the fscrypt key
    # is added to the user's keyring at login and revoked at logout.
    tee /usr/share/pam-configs/keyinit-fix > /dev/null <<EOT
Name: keyinit fix
Default: yes
Priority: 0
Session-Type: Additional
Session:
	optional pam_keyinit.so force revoke
EOT
    echo '[+] Reconfigure PAM'
    pam-auth-update --package
    echo '[+] Re-Configure fscrypt'
    fscrypt setup --force
fi

# Run encryption mode based on login passphrase for each user
for usr in "${USERS[@]%/}"; do
    # Skip directories that do not belong to an account (e.g. lost+found)
    if ! getent passwd "$usr" > /dev/null; then
        echo "[!] Skipping /home/${usr}: no such user"
        continue
    fi
    echo "[+] Encrypt ${usr} home directory"
    mv "/home/${usr}" "/home/${usr}.bak" || exit 1
    mkdir "/home/${usr}"
    # Trailing colon: use the user's login group, which need not be named like the user
    chown "${usr}:" "/home/${usr}"
    chmod --reference="/home/${usr}.bak" "/home/${usr}"
    # Stop (and keep the backup) if encryption or the copy fails, so no data is lost
    if ! fscrypt encrypt "/home/${usr}" --user="${usr}" --source=pam_passphrase; then
        echo "[!] fscrypt failed for ${usr}; original data kept in /home/${usr}.bak"
        exit 1
    fi
    # -A/-X also carry ACLs and extended attributes across to the encrypted copy
    if ! rsync -avHAX --info=progress2 --info=name0 "/home/${usr}.bak/" "/home/${usr}/"; then
        echo "[!] Copy failed for ${usr}; original data kept in /home/${usr}.bak"
        exit 1
    fi
    rm -rf "/home/${usr}.bak"
done
echo "[+] All done."
exit 0
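The script above removes the backup directly after rsync returns. As an added example that is not part of the gist, the helper below checks that the new home directory is actually encrypted and unlocked before the backup goes; it assumes the `fscrypt status <dir>` output format from fscrypt's README (first line `"<dir>" is encrypted with fscrypt.`, later a `Unlocked: Yes|No` line), and the names `parse_fscrypt_status` and `verify_home` are this example's own.

```shell
#!/bin/bash
# Added example (not part of the gist): verify a migrated home directory
# before its backup is deleted.

# Constructed sample of `fscrypt status /home/alice` output (policy id is made up).
SAMPLE_STATUS='"/home/alice" is encrypted with fscrypt.

Policy:   0123456789abcdef
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
Unlocked: Yes'

# parse_fscrypt_status reads fscrypt status output on stdin and prints one of:
# encrypted-unlocked, encrypted-locked, not-encrypted.
parse_fscrypt_status() {
    local encrypted=0 unlocked=0 line
    # "|| [ -n ... ]" still handles a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *' is encrypted with fscrypt.') encrypted=1 ;;
            Unlocked:*)
                case "${line#Unlocked:}" in *Yes*) unlocked=1 ;; esac ;;
        esac
    done
    if [ "$encrypted" -eq 0 ]; then echo not-encrypted
    elif [ "$unlocked" -eq 1 ]; then echo encrypted-unlocked
    else echo encrypted-locked
    fi
}

# verify_home USER: succeeds only if /home/USER is encrypted and unlocked AND
# its contents match /home/USER.bak, so that
#   verify_home alice && rm -rf /home/alice.bak
# never discards data the encrypted copy does not hold. Needs root and fscrypt.
verify_home() {
    local usr="$1" state
    state=$(fscrypt status "/home/$usr" 2>/dev/null | parse_fscrypt_status)
    if [ "$state" != encrypted-unlocked ]; then
        echo "[!] /home/$usr: $state" >&2
        return 1
    fi
    # Byte-for-byte comparison of both trees (quiet, recursive)
    if ! diff -rq "/home/$usr.bak" "/home/$usr" > /dev/null; then
        echo "[!] /home/$usr does not match /home/$usr.bak" >&2
        return 1
    fi
    echo "[+] /home/$usr encrypted, unlocked and complete"
}
```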
x42en commented Jul 9, 2023

Nice to see that this still works!!
Thanks! ;)
