feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209)

2025-12-11 22:35:54 +08:00 · 2021-09-15 13:12:32 +00:00 · 2021-09-15 13:12:32 +00:00 · 99686499b1
commit 99686499b1
parent 8e6c247cdf
4 changed files with 80 additions and 6 deletions
--- a/bin/cron/osh-backup-acl-keys.sh
+++ b/bin/cron/osh-backup-acl-keys.sh
@ -26,6 +26,8 @@ LOG_FACILITY="local6"
 DESTDIR=""
 DAYSTOKEEP="90"
 GPGKEYS=""
+SIGNING_KEY=""
+SIGNING_KEY_PASSPHRASE=""
 PUSH_REMOTE=""
 PUSH_OPTIONS=""

@ -132,7 +134,12 @@ fi

 encryption_worked=0
 if [ -n "$GPGKEYS" ] ; then
-    cmdline=""
+    cmdline="--encrypt --batch"
+    sign=0
+    if [ -n "$SIGNING_KEY" ] && [ -n "$SIGNING_KEY_PASSPHRASE" ]; then
+        sign=1
+        cmdline="$cmdline --sign --local-user $SIGNING_KEY"
+    fi
    for recipient in $GPGKEYS
    do
        cmdline="$cmdline -r $recipient"
@ -140,10 +147,21 @@ if [ -n "$GPGKEYS" ] ; then
    # just in case, encrypt all .tar.gz files we find in $DESTDIR
    while IFS= read -r -d '' file
    do
-        _log "Encrypting $file..."
+        if [ "$sign" = 1 ]; then
+            _log "Encrypting & signing $file..."
+        else
+            _log "Encrypting $file..."
+        fi
        rm -f "$file.gpg" # if the gpg file already exists, remove it
+
        # shellcheck disable=SC2086
-        if $gpgcmd --encrypt $cmdline "$file" ; then
+        if [ "$sign" = 1 ]; then
+            $gpgcmd $cmdline --passphrase-fd 0 "$file" <<< "$SIGNING_KEY_PASSPHRASE"; ret=$?
+        else
+            $gpgcmd $cmdline "$file"; ret=$?
+        fi
+
+        if [ "$ret" = 0 ]; then
            encryption_worked=1
            shred -u "$file" 2>/dev/null || rm -f "$file"
        else
--- a/doc/sphinx/administration/configuration/osh-backup-acl-keys_conf.rst
+++ b/doc/sphinx/administration/configuration/osh-backup-acl-keys_conf.rst
@ -31,7 +31,15 @@ These options configure the backup policy to apply

 - `DESTDIR`_
 - `DAYSTOKEEP`_
+
+Encryption and signing options
+------------------------------
+
+These options configure how the script uses GPG to encrypt and sign the ttyrec files
+
 - `GPGKEYS`_
+- `SIGNING_KEY`_
+- `SIGNING_KEY_PASSPHRASE`_

 Remote backup options
 ---------------------
@ -88,6 +96,9 @@ DAYSTOKEEP

 Number of days to keep the old backups on the filesystem before deleting them.

+Encryption and signing
+----------------------
+
 GPGKEYS
 *******

@ -99,6 +110,24 @@ GPGKEYS

 List of public GPG keys to encrypt to (see ``gpg --list-keys``), these must be separated by spaces. Note that if this option is empty or omitted, backup artefacts will NOT be encrypted!

+SIGNING_KEY
+***********
+
+:Type: ``string, GPG key ID in short or long format``
+
+:Default: ``(none)``
+
+ID of the GPG key used to sign the ttyrec files. The key must be in the local root keyring, check it with ``gpg --list-secret-keys``. If empty, the archives will not be signed, but encrypted only (using the GPGKEYS configuration above).
+
+SIGNING_KEY_PASSPHRASE
+**********************
+
+:Type: ``string``
+
+:Default: ``(none)``
+
+This passphrase should be able to unlock the SIGNING_KEY defined above. As a side note, please ensure this configuration file only readable by root (0640), to protect this passphrase. As a security measure, the script will refuse to read the configuration otherwise.
+
 Remote backup
 -------------

--- a/etc/bastion/osh-backup-acl-keys.conf.dist
+++ b/etc/bastion/osh-backup-acl-keys.conf.dist
@ -1,9 +1,16 @@
-###################################################################
+######################################################################
 ## Config for /opt/bastion/bin/cron/osh-backup-acl-keys.sh, the script
 ## responsible for backing up the needed files to be able to rebuild
 ## this bastion from scratch.
+##
+## Any file in /etc/bastion/osh-backup-acl-keys.conf.d will also be
+## sourced, in alphabetical order, and take precedence over any
+## option specified in this file.
+##
+## Please ensure this file is only readable by root.
+##
 ## As it'll be sourced, THIS FILE MUST BE A VALID SHELL SCRIPT.
-###################################################################
+######################################################################
 #
 # > Logging
 # >> These options configure the way the script logs its actions
@ -32,12 +39,25 @@ DESTDIR=""
 # DEFAULT: 90
 DAYSTOKEEP=90
 #
+# > Encryption and signing
+# >> These options configure how the script uses GPG to encrypt and sign the ttyrec files
+#
 # GPGKEYS (string, space-separated list of GPG keys IDs)
-# DESC: List of public GPG keys to encrypt to (see ``gpg --list-keys``), these must be separated by spaces. Note that if this option is empty or omitted, backup artefacts will NOT be encrypted!
+#    DESC: List of public GPG keys to encrypt to (see ``gpg --list-keys``), these must be separated by spaces. Note that if this option is empty or omitted, backup artefacts will NOT be encrypted!
 # EXAMPLE: "41FDB9C7 DA97EFD1 339483FF"
 # DEFAULT: ""
 GPGKEYS=""
 #
+# SIGNING_KEY (string, GPG key ID in short or long format)
+#    DESC: ID of the GPG key used to sign the ttyrec files. The key must be in the local root keyring, check it with ``gpg --list-secret-keys``. If empty, the archives will not be signed, but encrypted only (using the GPGKEYS configuration above).
+# DEFAULT: (none)
+SIGNING_KEY=""
+#
+# SIGNING_KEY_PASSPHRASE (string)
+#    DESC: This passphrase should be able to unlock the SIGNING_KEY defined above. As a side note, please ensure this configuration file only readable by root (0640), to protect this passphrase. As a security measure, the script will refuse to read the configuration otherwise.
+# DEFAULT: (none)
+SIGNING_KEY_PASSPHRASE=""
+#
 # > Remote backup
 # >> These options configure how the script should push the encrypted backups to a remote system
 #
--- a/etc/bastion/osh-encrypt-rsync.conf.dist
+++ b/etc/bastion/osh-encrypt-rsync.conf.dist
@ -2,6 +2,13 @@
 ## Config for /opt/bastion/bin/cron/osh-encrypt-rsync.pl, the script
 ## responsible for signing and encrypting with GPG, then rotating and
 ## pushing to an external system the produced ttyrec files.
+##
+## Any file in /etc/bastion/osh-encrypt-rsync.conf.d will also be
+## parsed, in alphabetical order, and take precedence over any
+## option specified in this file.
+##
+## Please ensure this file is only readable by root.
+##
 ## This is a JSON file. Verify the syntax with the following command:
 ## ``/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test``
 ###################################################################