panda/gpg-quorum
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gpg-quorum/README.md
panda 2806bfc0d1 added to readme
2021-08-01 01:29:09 +02:00

174 lines
5.4 KiB
Markdown
Raw Blame History

# gpg-quorum
or: digital testament encryption management
### needs:
Sometimes we find ourselves managing pieces of software/infrastructure/etc with all the passwords/knowledge and everything well encrypted,
the question I've asked myself is: what if for some reason we unwillingly disappear, what happens to all these data?
Maybe it's a shared service with others but on your machines, maybe it's your data that should be nice to make accessible to your significant other (but the other does not have a tech knowledge enough to be able to do it).
So I wanted something capable of encrypting a file/archive/furryporn/whatever in a way that it was encrypted for N persons but only a willi quorum of X persons was needed to decypher it.
I looked into "Shamir secret sharing" but I find that generating a new secret that should be distributed among the interested parties could be the key for failure.
### requirements:
* for encryption needs to use something you use (read: refresh) often
* needs to be a technology/piece of software that should survive for some years
* needs to be fairly customizable
* needs to be mostrly hassle-free
### output:
this bash script is set to take N recipients and encrypt four file to make sure only with the quorum of at least 3 recipients the file will be opened
the logic behind that is really simple, it generates the various possible unique combinations:
```
#the combination matrix for a quorum of 3 recipients on 5:
#recipients: A,B,C,D,E
#
#A,B,C
#A,B,D
#A,B,E
#A,C,D
#A,C,E
#A,D,E
#B,C,D
#B,C,E
#B,D,E
#C,D,E
```
in this way only if at least 3 recipients agree to decrypt the file they will be able to
### requirements:
in the file emails.txt:
list the recipient's emails you want encrypt for
in the main script gpg-quorum_3of5.sh:
edit the debug variable to add your email address (if you want) for debugging purposes
### usage:
./gpg-quorum_3of5.sh your_file_to_encrypt.ext
your output will be a file named
your_file_to_encrypt.ext.ENCRYPTED
### thoughts:
I think that the archive or file encrypted with this method should be offline and held by a person that's not one of the ones that can decrypt the file,
or could be online but protected by a symmetric password so only another party can make the data available to be decrypted.
I don't have a clear idea about that right now.
### customization:
see the example in _Examples/gpg-quorum_4of5.sh
if you want to increase the number of people needed to decrypt the file to 4 for example,
edit this block of code from:
```
#main loop:
for ((idxA=0; idxA<max; idxA++)); do # iterate idxA from 0 to length
for ((idxB=idxA; idxB<max; idxB++)); do # iterate idxB from idxA to length
for ((idxC=idxB; idxC<max; idxC++)); do # iterate idxC from idxB to length
if [ "${emails[$idxA]}" == "${emails[$idxB]}" ] || [ "${emails[$idxB]}" == "${emails[$idxC]}" ] || [ "${emails[$idxA]}" == "${emails[$idxC]}" ]; then
echo "A, B or C are the same"
continue
else
#custom execution for first run:
if [ "$counter" == 0 ]; then
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" "$debug" --output $workdir/$file.step$counter $file
#custom execution for last run:
elif [ "$counter" == $((ans-1)) ]; then
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" "$debug" --output $file.ENCRYPTED $workdir/$file.step$((counter-1))
#normal execution:
else
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" "$debug" --output $workdir/$file.step$counter $workdir/$file.step$((counter-1))
fi
#increase loop counter:
((counter++))
fi
done
done
done
```
```
#main loop:
for ((idxA=0; idxA<max; idxA++)); do # iterate idxA from 0 to length
for ((idxB=idxA; idxB<max; idxB++)); do # iterate idxB from idxA to length
for ((idxC=idxB; idxC<max; idxC++)); do # iterate idxC from idxB to length
for ((idxD=idxC; idxD<max; idxD++)); do # iterate idxD from idxC to length
if [ "${emails[$idxA]}" == "${emails[$idxB]}" ] || [ "${emails[$idxB]}" == "${emails[$idxC]}" ] || [ "${emails[$idxA]}" == "${emails[$idxC]}" ] || [ "${emails[$idxA]}" == "${emails[$idxD]}" ] || [ "${emails[$idxB]}" == "${emails[$idxD]}" ] || [ "${emails[$idxC]}" == "${emails[$idxD]}" ]; then
#echo "A, B, C or D are the same"
continue
else
#custom execution for first run:
if [ "$counter" == 0 ]; then
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" -r "${emails[$idxD]}" "$debug" --output $workdir/$file.step$counter $file
#custom execution for last run:
elif [ "$counter" == $((ans-1)) ]; then
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" -r "${emails[$idxD]}" "$debug" --output $file.ENCRYPTED $workdir/$file.step$((counter-1))
#normal execution:
else
gpg -ea -r "${emails[$idxA]}" -r "${emails[$idxB]}" -r "${emails[$idxC]}" -r "${emails[$idxD]}" "$debug" --output $workdir/$file.step$counter $workdir/$file.step$((counter-1))
fi
#increase loop counter:
((counter++))
fi
done
done
done
done
```
and then adjust the variable "combinate" to 4:
```
combinate=4
```
### thanks to:
* encrypt
Reference in a new issue View git blame Copy permalink