src/helpers/vyos-config-encrypt.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

#!/usr/bin/env python3
#
# Copyright (C) 2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os
import re
import shutil
import sys

from argparse import ArgumentParser
from cryptography.fernet import Fernet
from tempfile import NamedTemporaryFile
from tempfile import TemporaryDirectory

from vyos.tpm import clear_tpm_key
from vyos.tpm import init_tpm
from vyos.tpm import read_tpm_key
from vyos.tpm import write_tpm_key
from vyos.util import ask_input
from vyos.util import ask_yes_no
from vyos.util import cmd

persistpath_cmd = '/opt/vyatta/sbin/vyos-persistpath'
mount_paths = ['/config', '/opt/vyatta/etc/config']
dm_device = '/dev/mapper/vyos_config'

def is_opened():
    return os.path.exists(dm_device)

def get_current_image():
    with open('/proc/cmdline', 'r') as f:
        args = f.read().split(" ")
        for arg in args:
            if 'vyos-union' in arg:
                k, v = arg.split("=")
                path_split = v.split("/")
                return path_split[-1]
    return None

def load_config(key):
    if not key:
        return

    persist_path = cmd(persistpath_cmd).strip()
    image_name = get_current_image()
    image_path = os.path.join(persist_path, 'luks', image_name)

    if not os.path.exists(image_path):
        raise Exception("Encrypted config volume doesn't exist")

    if is_opened():
        print('Encrypted config volume is already mounted')
        return

    with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
        f.write(key)
        key_file = f.name

    cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')

    for path in mount_paths:
        cmd(f'mount /dev/mapper/vyos_config {path}')
        cmd(f'chgrp -R vyattacfg {path}')

    os.unlink(key_file)

    return True

def encrypt_config(key, recovery_key):
    if is_opened():
        raise Exception('An encrypted config volume is already mapped')

    # Clear and write key to TPM
    try:
        clear_tpm_key()
    except:
        pass
    write_tpm_key(key)

    persist_path = cmd(persistpath_cmd).strip()
    size = ask_input('Enter size of encrypted config partition (MB): ', numeric_only=True, default=512)

    luks_folder = os.path.join(persist_path, 'luks')

    if not os.path.isdir(luks_folder):
        os.mkdir(luks_folder)

    image_name = get_current_image()
    image_path = os.path.join(luks_folder, image_name)

    # Create file for encrypted config
    cmd(f'fallocate -l {size}M {image_path}')

    # Write TPM key for slot #1
    with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
        f.write(key)
        key_file = f.name

    # Format and add main key to volume
    cmd(f'cryptsetup -q luksFormat {image_path} {key_file}')

    if recovery_key:
        # Write recovery key for slot 2
        with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
            f.write(recovery_key)
            recovery_key_file = f.name

        cmd(f'cryptsetup -q luksAddKey {image_path} {recovery_key_file} --key-file={key_file}')

    # Open encrypted volume and format with ext4
    cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')
    cmd('mkfs.ext4 /dev/mapper/vyos_config')

    with TemporaryDirectory() as d:
        cmd(f'mount /dev/mapper/vyos_config {d}')

        # Move /config to encrypted volume
        shutil.copytree('/config', d, copy_function=shutil.move, dirs_exist_ok=True)

        cmd(f'umount {d}')

    os.unlink(key_file)

    if recovery_key:
        os.unlink(recovery_key_file)

    for path in mount_paths:
        cmd(f'mount /dev/mapper/vyos_config {path}')
        cmd(f'chgrp vyattacfg {path}')

    return True

def decrypt_config(key):
    if not key:
        return

    persist_path = cmd(persistpath_cmd).strip()
    image_name = get_current_image()
    image_path = os.path.join(persist_path, 'luks', image_name)

    if not os.path.exists(image_path):
        raise Exception("Encrypted config volume doesn't exist")

    key_file = None

    if not is_opened():
        with NamedTemporaryFile(dir='/dev/shm', delete=False) as f:
            f.write(key)
            key_file = f.name

        cmd(f'cryptsetup -q open {image_path} vyos_config --key-file={key_file}')

    # unmount encrypted volume mount points
    for path in mount_paths:
        if os.path.ismount(path):
            cmd(f'umount {path}')

    # If /config is populated, move to /config.old
    if len(os.listdir('/config')) > 0:
        print('Moving existing /config folder to /config.old')
        shutil.move('/config', '/config.old')

    # Temporarily mount encrypted volume and migrate files to /config on rootfs
    with TemporaryDirectory() as d:
        cmd(f'mount /dev/mapper/vyos_config {d}')

        # Move encrypted volume to /config
        shutil.copytree(d, '/config', copy_function=shutil.move, dirs_exist_ok=True)
        cmd(f'chgrp -R vyattacfg /config')

        cmd(f'umount {d}')

    # Close encrypted volume
    cmd('cryptsetup -q close vyos_config')

    # Remove encrypted volume image file and key
    if key_file:
        os.unlink(key_file)
    os.unlink(image_path)

    try:
        clear_tpm_key()
    except:
        pass

    return True

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Must specify action.")
        sys.exit(1)

    parser = ArgumentParser(description='Config encryption')
    parser.add_argument('--disable', help='Disable encryption', action="store_true")
    parser.add_argument('--enable', help='Enable encryption', action="store_true")
    parser.add_argument('--load', help='Load encrypted config volume', action="store_true")
    args = parser.parse_args()

    tpm_exists = os.path.exists('/sys/class/tpm/tpm0')

    key = None
    recovery_key = None
    need_recovery = False

    question_key_str = 'recovery key' if tpm_exists else 'key'

    if tpm_exists:
        if args.enable:
            key = Fernet.generate_key()
        elif args.disable or args.load:
            try:
                key = read_tpm_key()
                need_recovery = False
            except:
                print('Failed to read key from TPM, recovery key required')
                need_recovery = True
    else:
        need_recovery = True

    if args.enable and not tpm_exists:
        print('WARNING: VyOS will boot into a default config when encrypted without a TPM')
        print('You will need to manually login with default credentials and use "encryption load"')
        print('to mount the encrypted volume and use "load /config/config.boot"')

        if not ask_yes_no('Are you sure you want to proceed?'):
            sys.exit(0)

    if need_recovery or (args.enable and not ask_yes_no(f'Automatically generate a {question_key_str}?', default=True)):
        while True:
            recovery_key = ask_input(f'Enter {question_key_str}:', default=None).encode()

            if len(recovery_key) >= 32:
                break

            print('Invalid key - must be at least 32 characters, try again.')
    else:
        recovery_key = Fernet.generate_key()

    try:
        if args.disable:
            decrypt_config(key or recovery_key)

            print('Encrypted config volume has been disabled')
            print('Contents have been migrated to /config on rootfs')
        elif args.load:
            load_config(key or recovery_key)

            print('Encrypted config volume has been mounted')
            print('Use "load /config/config.boot" to load configuration')
        elif args.enable and tpm_exists:
            encrypt_config(key, recovery_key)

            print('Encrypted config volume has been enabled with TPM')
            print('Backup the recovery key in a safe place!')
            print('Recovery key: ' + recovery_key.decode())
        elif args.enable:
            encrypt_config(recovery_key)

            print('Encrypted config volume has been enabled without TPM')
            print('Backup the key in a safe place!')
            print('Key: ' + recovery_key.decode())
    except Exception as e:
        word = 'decrypt' if args.disable or args.load else 'encrypt'
        print(f'Failed to {word} config: {e}')