Merge branch 'rustybird-read-pass'

2025-01-13 08:19:43 -05:00 · 2022-02-10 18:41:13 -08:00 · 2022-02-10 18:41:13 -08:00 · 9602d1c058
commit 9602d1c058
parent 10fe4a9428 dacd90704f
4 changed files with 38 additions and 26 deletions
--- a/user/how-to-guides/backup-emergency-restore-v2.md
+++ b/user/how-to-guides/backup-emergency-restore-v2.md
@ -40,11 +40,17 @@ encrypted and compressed.
    dom0-home/dom0user.000.hmac
    ~~~

-2. Verify the integrity of the `private.img` file which houses your data.
+2. Set the backup passphrase environment variable. While this isn't strictly
+   required, it will be handy later and will avoid saving the passphrase in
+   the shell's history.
+
+       [user@restore ~]$ read -r backup_pass
+
+3. Verify the integrity of the `private.img` file which houses your data.

    ~~~
    [user@restore ~]$ cd vm1/
-    [user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000
+    [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000
    HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    [user@restore vm1]$ cat private.img.000.hmac
    (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
@ -58,17 +64,17 @@ encrypted and compressed.
  complete list of supported message digest algorithms can be found with
  `openssl list-message-digest-algorithms`.

-3. Decrypt the `private.img` file.
+4. Decrypt the `private.img` file.

    ~~~
-    [user@restore vm1]$ openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in private.img.000 -out private.img.dec.000
+    [user@restore vm1]$ openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in private.img.000 -out private.img.dec.000
    ~~~

  **Note:** For multi-part files, a loop can be used:

  ~~~
  find -name 'private.img.*' | sort -V | while read f; do
-    openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in $f -out
+    openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in $f -out
  ${f/.img/.img.dec}
  done
  ~~~
@ -78,7 +84,7 @@ encrypted and compressed.
  list of supported cipher algorithms can be found with `openssl
  list-cipher-algorithms`.

-4. Decompress the decrypted `private.img` file.
+5. Decompress the decrypted `private.img` file.

    ~~~
    [user@restore vm1]$ zforce private.img.dec.*
@ -88,7 +94,7 @@ encrypted and compressed.
  **Note:** If your backup was compressed with a program other than `gzip`, you
  must substitute the correct compression program.

-5. Untar the decrypted and decompressed `private.img` file.
+6. Untar the decrypted and decompressed `private.img` file.

    ~~~
    [user@restore vm1]$ tar -M -xvf private.img.dec.000
@ -110,7 +116,7 @@ encrypted and compressed.
    3. `tar --new-volume-script=./new-volume-script -xvf private.img.dec.000`.
        (The `--new-volume-script` option enables multi-volume untaring.)

-6. Mount the private.img file and access your data.
+7. Mount the private.img file and access your data.

    ~~~
    [user@restore vm1]$ sudo mkdir /mnt/img
--- a/user/how-to-guides/backup-emergency-restore-v3.md
+++ b/user/how-to-guides/backup-emergency-restore-v3.md
@ -38,10 +38,16 @@ any GNU/Linux system with the following procedure.
        dom0-home/dom0user.000
        dom0-home/dom0user.000.hmac

- 2. Verify the integrity of the `backup-header` file, which contains basic
+ 2. Set the backup passphrase environment variable. While this isn't strictly
+    required, it will be handy later and will avoid saving the passphrase in
+    the shell's history.
+
+        [user@restore ~]$ read -r backup_pass
+
+ 3. Verify the integrity of the `backup-header` file, which contains basic
    information about your backup.

-        [user@restore ~]$ openssl dgst -sha512 -hmac "your_passphrase" backup-header
+        [user@restore ~]$ openssl dgst -sha512 -hmac "$backup_pass" backup-header
        HMAC-SHA512(backup-header)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c
        [user@restore ~]$ cat backup-header.hmac
        (stdin)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c
@ -52,13 +58,13 @@ any GNU/Linux system with the following procedure.

    **Note:** If your backup was hashed with a message digest algorithm other
    than `sha512`, you must substitute the correct message digest command. This
-    information is contained in the `backup-header` file (see step 3), however
+    information is contained in the `backup-header` file (see step 4), however
    it is not recommended to open this file until its integrity and
    authenticity has been verified (the current step). A complete list of
    supported message digest algorithms can be found with `openssl
    list-message-digest-algorithms`.

- 3. Read the `backup-header`. You'll need some of this information later. The
+ 4. Read the `backup-header`. You'll need some of this information later. The
    file will look similar to this:

        [user@restore ~]$ cat backup-header
@ -72,10 +78,10 @@ any GNU/Linux system with the following procedure.
    **Note:** If you see `version=2` here, go to [Emergency Backup Recovery -
    format version 2](/doc/backup-emergency-restore-v2/) instead.

- 4. Verify the integrity of the `private.img` file which houses your data.
+ 5. Verify the integrity of the `private.img` file which houses your data.

        [user@restore ~]$ cd vm1/
-        [user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000
+        [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000
        HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
        [user@restore vm1]$ cat private.img.000.hmac
        (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
@ -86,21 +92,21 @@ any GNU/Linux system with the following procedure.

    **Note:** If your backup was hashed with a message digest algorithm other
    than `sha512`, you must substitute the correct message digest command. This
-    information is contained in the `backup-header` file (see step 3). A
+    information is contained in the `backup-header` file (see step 4). A
    complete list of supported message digest algorithms can be found with
    `openssl list-message-digest-algorithms`.

- 5. Decrypt the `private.img` file.
+ 6. Decrypt the `private.img` file.

-        [user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:your_passphrase -aes-256-cbc -out private.img.dec
+        [user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -out private.img.dec

    **Note:** If your backup was encrypted with a cipher algorithm other than
    `aes-256-cbc`, you must substitute the correct cipher command. This
-    information is contained in the `backup-header` file (see step 3). A
+    information is contained in the `backup-header` file (see step 4). A
    complete list of supported cipher algorithms can be found with `openssl
    list-cipher-algorithms`.

- 6. Decompress the decrypted `private.img` file.
+ 7. Decompress the decrypted `private.img` file.

        [user@restore vm1]$ zforce private.img.dec
        private.img.dec -- replaced with private.img.dec.gz
@ -108,26 +114,26 @@ any GNU/Linux system with the following procedure.

    **Note:** If your backup was compressed with a program other than `gzip`,
    you must substitute the correct compression program. This information is
-    contained in the `backup-header` file (see step 3). For example, if you
+    contained in the `backup-header` file (see step 4). For example, if you
    used `bzip2`, then you should do this:

        [user@restore vm1]$ mv private.img.dec private.img.dec.bz2
        [user@restore vm1]$ bunzip2 private.img.dec.bz2

- 7. Untar the decrypted and decompressed `private.img` file.
+ 8. Untar the decrypted and decompressed `private.img` file.

        [user@restore vm1]$ tar -xvf private.img.dec
        vm1/private.img

- 8. Mount the private.img file and access your data.
+ 9. Mount the private.img file and access your data.

        [user@restore vm1]$ sudo mkdir /mnt/img
        [user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/
        [user@restore vm1]$ cat /mnt/img/home/user/your_data.txt
        This data has been successfully recovered!

- 9. Success! If you wish to recover data from more than one VM in your backup,
-    simply repeat steps 4--8 for each additional VM.
+10. Success! If you wish to recover data from more than one VM in your backup,
+    simply repeat steps 5--9 for each additional VM.

    **Note:** You may wish to store a copy of these instructions with your
    Qubes backups in the event that you fail to recall the above procedure
--- a/user/how-to-guides/backup-emergency-restore-v4.md
+++ b/user/how-to-guides/backup-emergency-restore-v4.md
@ -111,7 +111,7 @@ Emergency Recovery Instructions
    required, it will be handy later and will avoid saving the passphrase in
    the shell's history.

-        [user@restore ~]$ read backup_pass
+        [user@restore ~]$ read -r backup_pass

 3. Verify the integrity of `backup-header`. For compatibility reasons,
    `backup-header.hmac` is an encrypted *and integrity protected*
--- a/user/security-in-qubes/yubi-key.md
+++ b/user/security-in-qubes/yubi-key.md
@ -72,7 +72,7 @@ To use this mode you need to:
    (This way your password will not leak to the terminal command history file.)

    ```
-    read password
+    read -r password
    ```

    Now run the following command to calculate your hashed password.