#!/bin/bash
# The script consists of a two-step invocation
# 1 (required once): Encrypt a clear-text keyfile, and optionally delete the clear-text keyfile
# 2: Run the calimero server using the encrypted keyfile, providing the decrypted content to the server
# --- Configuration -----------------------------------------------------------
# Encrypted keyfile: written by step 1 (-e), read by step 2.
keyfile_enc='keyfile.enc'
# Temporary decrypted keyfile handed to the started server instance.
# The server configuration file has to name exactly the same path.
# TODO /dev/shm won't do it on FreeBSD or MacOS
keyfile_dec='/dev/shm/calimero-server-keyfile'
# Server configuration passed to the launcher.
server_config_path='resources/server-config.xml'
# Launcher script of the extracted server distribution.
run_server='./build/distributions/calimero-server-3.0-SNAPSHOT/bin/calimero-server'
# Key-derivation option for 'openssl aes-256-cbc'; some platforms do not
# recognize it. Use the empty alternative below only where openssl rejects the
# option: without it openssl falls back to its older password-to-key derivation.
sslOptionPbkdf2='-pbkdf2'
#sslOptionPbkdf2=""
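# Help: print the usage text and stop before any keyfile is touched.
case "$1" in
  '-?' | -h | --help)
    echo "Runs the calimero server using an encrypted keyfile"
    # $0 is quoted so a script path containing blanks or glob characters is
    # printed unchanged.
    echo "Usage $0 [-e keyfile]"
    echo " -e encrypt a cleartext keyfile"
    echo "Note: default settings assume you ran './gradlew build' and"
    echo " extracted './build/distributions/calimero-server-3.0-SNAPSHOT.[tar|zip]'"
    exit 0
    ;;
esac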
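# Step 1 (-e keyfile): encrypt a clear-text keyfile into "$keyfile_enc" and
# optionally destroy the clear-text original afterwards.
if [ "$1" = "-e" ]; then
  cleartext="$2"
  # Reject a missing or wrong argument here instead of handing openssl an
  # empty -in value.
  if [ -z "$cleartext" ] || [ ! -f "$cleartext" ]; then
    echo "Option -e requires the path of an existing clear-text keyfile." >&2
    exit 1
  fi
  # No password option is passed, so openssl asks for the password itself and
  # the password never shows up in the process list.
  # ${var:+...} drops the option entirely when sslOptionPbkdf2 is set to "".
  # NOTE: 'openssl aes-256-cbc' provides confidentiality only; it does not
  # authenticate the ciphertext, so keep "$keyfile_enc" write-protected.
  if ! openssl aes-256-cbc ${sslOptionPbkdf2:+"$sslOptionPbkdf2"} -in "$cleartext" -out "$keyfile_enc"; then
    exit 1
  fi
  read -r -p "Done. Remove '$cleartext' [y/N]: " remove
  if [ "$remove" = "y" ] || [ "$remove" = "yes" ]; then
    # shred is not available everywhere; report that instead of exiting 0
    # while the clear-text keyfile is still on disk.
    if ! command -v shred >/dev/null 2>&1; then
      echo "Command 'shred' not available, '$cleartext' was not removed." >&2
      exit 1
    fi
    # Overwriting in place is not reliable on copy-on-write or journaling
    # filesystems and on flash storage; treat the removal as best effort there.
    shred --remove -- "$cleartext" || exit 1
  fi
  exit 0
fi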
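# Step 2 preconditions: the decrypted keyfile must be destroyable, and it must
# be a fresh file that only the current user can read.
# shred is not available everywhere
# TODO could also check gshred as alternative
command -v shred >/dev/null 2>&1 || { echo "Command 'shred' not available, don't start keyfile decryption." >&2; exit 1; }
#keyfile_dec=$(mktemp) || exit 1
# The path is fixed (the server configuration names it) and sits in a shared
# directory, so mktemp cannot be used. Never write the decrypted key into
# something that already exists there unless it is a plain file owned by us.
if [ -L "$keyfile_dec" ] || { [ -e "$keyfile_dec" ] && { [ ! -f "$keyfile_dec" ] || [ ! -O "$keyfile_dec" ]; }; }; then
  echo "Refusing to use '$keyfile_dec': it exists and is not a regular file owned by the current user." >&2
  exit 1
fi
# A leftover of an earlier run of the same user is wiped, not reused.
if [ -f "$keyfile_dec" ]; then
  shred --remove -- "$keyfile_dec" || exit 1
fi
# Create the file exclusively (noclobber fails if anything appeared at the path
# in the meantime) and with owner-only permissions from the first moment, so
# there is no window with the default umask.
( umask 077; set -o noclobber; : > "$keyfile_dec" ) || exit 1
chmod 600 "$keyfile_dec" || exit 1
# Placeholder until the server is started; cleanup reads this variable.
serverPid=-1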
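#######################################
# EXIT handler: destroys the decrypted keyfile if it is still present and
# stops the server if one was started.
# Globals:   keyfile_dec (read), serverPid (read)
# Arguments: none
#######################################
cleanup () {
  if [ -f "$keyfile_dec" ]; then
    shred --remove -- "$keyfile_dec"
  fi
  # serverPid is -1 until the server has been launched (e.g. when decryption
  # failed). Only signal a real, positive PID: 'kill -1' would be parsed as a
  # signal number, and 0 or a negative value addresses whole process groups.
  case "$serverPid" in
    '' | *[!0-9]* | 0) ;;
    # The server may already have exited; that is not an error during cleanup.
    *) kill "$serverPid" 2>/dev/null ;;
  esac
  return 0
}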
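# From here on every exit path runs cleanup, so the decrypted keyfile is
# destroyed even when a later step fails.
trap cleanup EXIT
# Decrypt into the prepared keyfile. No password option is passed, so openssl
# asks for the password itself. ${var:+...} drops the pbkdf2 option entirely
# when sslOptionPbkdf2 is set to "".
if ! openssl aes-256-cbc ${sslOptionPbkdf2:+"$sslOptionPbkdf2"} -d -in "$keyfile_enc" -out "$keyfile_dec"; then
  echo "Keyfile decryption failed, server not started. Exit." >&2
  exit 1
fi
# Start the server in the background so this script can remove the key again.
"$run_server" --no-stdin "$server_config_path" &
serverPid=$!
echo "Run calimero server, PID $serverPid"
# NOTE(review): the fixed delay is the only synchronisation with the server
# visible here. The clear-text key stays readable for these five seconds, and
# a server that starts more slowly will find the file already gone.
sleep 5
# Destroy the decrypted key as soon as the server had its chance to read it.
# If this fails, cleanup tries again when the script exits.
shred --remove -- "$keyfile_dec" || echo "Warning: could not shred '$keyfile_dec'." >&2
# Stay in the foreground; the script ends with the server's exit status.
wait "$serverPid"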