diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
new file mode 100644
index 0000000..82ba898
--- /dev/null
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+ # echo "Create key file"
+ systemd-notify --status="Create key file"
+ mkdir -p $keyfiledir
+ dd if=/dev/urandom of=$keyfile bs=1 count=256
+ chown root:root $keyfiledir/*
+ chmod 000 $keyfiledir/*
+}
+
+error() {
+ echo "Error: $1"
+ exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+ # echo "Creating a file with random bits.. this could take a while..."
+ systemd-notify --status="Creating a file with random bits.. this could take a while..."
+ mkdir -p $loopdir || error "Creating loopdir"
+ mkdir -p $mountpoint || error "Creating mountpoint"
+ dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+ loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+ echo "Selected loop device: $loopdevice"
+ cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+ cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+ mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+ mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+ systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+ #echo "Open secure-storage"
+ systemd-notify --status="Open secure storage"
+ loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+ echo "Selected loop device: $ld"
+ cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+ mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+ systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+ echo "Close secure-storage"
+ # get loopdevice
+ loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+ umount $mountpoint
+ cryptsetup close $cryptmapper
+ losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+ #echo "Parameter detected"
+ $1
+ exit 0
+fi
+
+if [ -e $keyfile ]
+then
+ #echo "Key file available"
+ if [ -e $loopfile ]
+ then
+ #echo "Loop file available"
+ open
+ else
+ #echo "Loop file not available"
+ create_loopback_and_open
+ fi
+else
+ #echo "Key file not available"
+ create_keyfile
+ create_loopback_and_open
+fi
diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
new file mode 100644
index 0000000..5e0f549
--- /dev/null
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+
diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
new file mode 100644
index 0000000..e1df434
--- /dev/null
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
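Review bot: `error()` never reports failure: its `exit $?` runs after the `echo`, so `$?` is the echo's status and every `|| error "..."` path in `create_loopback_and_open` and `open` exits 0; a fixed `exit 1` is needed, and the message belongs on stderr. The dispatch at the bottom (`$1` followed by `exit 0`) runs whatever word is passed as the first argument as a command, so it should be limited to the known actions with a `case` rather than executing the argument directly. `open()` also prints `$ld`, which is never assigned anywhere in the file; the intended variable is `$loopdevice`. Separately, `create_keyfile` writes the LUKS key to `/usr/local/data/.crypto`, on the same storage as the loop file it unlocks, so anyone with the raw disk holds both the ciphertext and the key; a header comment should state that this only provides permission-based separation on a running system, not protection against offline disk access, unless the key is later sealed to a TPM or similar.
```shell
error() {
  echo "Error: $1" >&2
  exit 1
}
# … unchanged: create_keyfile, create_loopback_and_open, open, close …
if [ $# -eq 1 ]
then
  case "$1" in
    open|close|create_keyfile|create_loopback_and_open) "$1" ;;
    *) error "Unknown action: $1" ;;
  esac
  exit 0
fi
```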
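Review bot: `Type=notify` paired with readiness sent via `systemd-notify` from a shell script needs `NotifyAccess=all`; with the default for notify units the message arrives from a short-lived child PID rather than the main process, and systemd may discard it, leaving the unit to fail or to wait out `TimeoutSec=300`. The unit also has no `ExecStop` and no `RemainAfterExit=yes`, so once the script returns the unit goes inactive while the loop device, the dm mapping and the mount stay open, and `systemctl stop secure-storage` tears nothing down even though the script already provides a `close` action. Suggested additions under `[Service]`: `NotifyAccess=all`, `RemainAfterExit=yes`, `ExecStop=/usr/bin/sec-storage-loopback.sh close`.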
@@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+ file://sec-storage-loopback.sh \
+ file://secure-storage.service \
+ "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+ /usr/local/data/ \
+ ${systemd_unitdir}/system \
+ ${bindir}/sec-storage-loopback.sh \
+ ${systemd_unitdir}/system/secure-storage.service \
+ "
+
+do_install() {
+ install -d ${D}$/usr/local/data/
+ install -d ${D}${bindir}
+ install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup"
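Review bot: `install -d ${D}$/usr/local/data/` in `do_install` has a stray `$` before the path, so the shell sees a literal `$` and creates a directory named `$` under `${D}` instead of `/usr/local/data`, while `FILES:${PN}` still lists `/usr/local/data/`; it should read `install -d ${D}/usr/local/data/`. The script is installed with `-m 0731`, which grants group write and no read and looks like a typo for `0755`; since the script only makes sense when run as root (losetup, cryptsetup, mount), `0700` would be the tighter choice: `install -m 0700 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh`. Packaging `/usr/local/data/` itself also looks questionable, because the unit declares `RequiresMountsFor=/usr/local/data`, which suggests it is a separate mount at runtime rather than package content — worth confirming.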