LUKS_automount/crypt_tools.py

from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.backends import default_backend
import os
import base64
import getpass

def init_keys(private_key_file="private_key.pem", public_key_file="public_key.pem"):
    """
    Generate a new RSA private/public key pair and save them to files.
    """
    # Check if keys already exist
    if os.path.exists(private_key_file) and os.path.exists(public_key_file):
        print("Keys already exist. Skipping key generation.")
        return

    # Generate a private key
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )

    # Generate the public key
    public_key = private_key.public_key()

    # Serialize and save the private key
    with open(private_key_file, "wb") as f:
        f.write(
            private_key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.PKCS8,
                encryption_algorithm=serialization.NoEncryption()
            )
        )

    # Serialize and save the public key
    with open(public_key_file, "wb") as f:
        f.write(
            public_key.public_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PublicFormat.SubjectPublicKeyInfo
            )
        )

    print(f"Private key saved to {private_key_file}")
    print(f"Public key saved to {public_key_file}")


def encrypt_passphrase(passphrase, public_key_file="public_key.pem"):
    """
    Encrypt a passphrase using the public key.
    Returns the encrypted passphrase as a base64-encoded string.
    """
    # Load the public key
    with open(public_key_file, "rb") as f:
        public_key = serialization.load_pem_public_key(
            f.read(),
            backend=default_backend()
        )

    # Encrypt the passphrase
    encrypted = public_key.encrypt(
        passphrase.encode(),
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

    # Return the encrypted passphrase as a base64-encoded string
    return base64.b64encode(encrypted).decode()

def decrypt_passphrase(encrypted_passphrase, private_key_file="private_key.pem"):
    """
    Decrypt an encrypted passphrase using the private key.
    Returns the decrypted passphrase as a string.
    """
    # Load the private key
    with open(private_key_file, "rb") as f:
        private_key = serialization.load_pem_private_key(
            f.read(),
            password=None,
            backend=default_backend()
        )

    # Decode the base64-encoded encrypted passphrase
    encrypted = base64.b64decode(encrypted_passphrase.encode())

    # Decrypt the passphrase
    decrypted = private_key.decrypt(
        encrypted,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

    # Return the decrypted passphrase
    return decrypted.decode()

def create_luks_mount_config(config_file="luks_mount.conf", public_key_file="public_key.pem"):
    """
    Create a new luks_mount.conf file by interactively prompting for device, mount point, and password.
    If the configuration file already exists, provide an option to quit or append to the existing file.
    """
    mode = "w"
    if os.path.exists(config_file):
        print(f"Configuration file '{config_file}' already exists.")
        choice = input("Do you want to (a)ppend to it or (q)uit? ").strip().lower()
        if choice == 'q':
            print("Exiting without making changes.")
            return
        elif choice == 'a':
            mode = "a"
        else:
            print("Invalid choice. Exiting without making changes.")
            return

    with open(config_file, mode) as f:
        if mode == "w":
            f.write("# LUKS mount configuration file\n")
            f.write("# Format: UUID mount_point encrypted_passphrase\n")

        while True:
            device = input("Enter the device UUID (e.g., UUID): ").strip()
            mount_point = input("Enter the mount point (e.g., /media/<username>/luks-<UUID>): ").strip()
            passphrase = getpass.getpass("Enter the passphrase: ").strip()

            encrypted_passphrase = encrypt_passphrase(passphrase, public_key_file)
            f.write(f"{device} {mount_point} {encrypted_passphrase}\n")

            another = input("Do you want to add another entry? (y/n): ").strip().lower()
            if another != 'y':
                break

    print(f"Configuration saved to {config_file}")


# Example usage
if __name__ == "__main__":
    # Initialize keys (run this once to generate keys)
    init_keys()

    # Encrypt a passphrase
    #passphrases = ["5khbS4JFN25tPVrkzv2b2Q==", "kT3vPK09f+KhNWp7LpU1jg==", "3fhbN/Nt1YFPM5AUbJ4ERg=="]
    passphrases= ["4d6d6a45a6ae0cc673ca050767946158", "e104a9a052774d10b3c3dfbed6109435", "aac5ceb8a015c424951422f93dce68c5", "418e2ffba5f0af55b537311f2bd16574"]
    
#    print(decrypt_passphrase('fAqe02nfx1L+YZK/kLFbsd1nVCl5w/LJxxMeSRXLsEm+vq49dRI4eYSzjl3w2YqyPb4JeVXfMDWCTm523k9e/KI+GF8zAPisI1icWM/k+yzMCrW9Ga7rzwW092Uepm7IU4z7LwU4Z9t2wmQkeb6ulso6lcaYzVoCcIHRJ0gCkBZBb0nA1lXQvf2UNFfe9kkzX+DR1MCovY9SAsIndisCh6y0IxEBbfCTASU5VYIcngiKayS6flVtGuLOz/3S6Z+T5GDN7dLC97wf/yVBQJ2lPdgTcawv2qV59OcxDGUeHjwi340+UIramslrxmGpFMyBkmLYqcjKkWsVD6HF2msu6w=='))

    for passphrase in passphrases:
         encrypted = encrypt_passphrase(passphrase)
         print(f"Encrypted passphrase: {encrypted}")

         # Decrypt the passphrase
         decrypted = decrypt_passphrase(encrypted)
         print(f"Decrypted passphrase: {decrypted}")