add nc-encrypt

Signed-off-by: nachoparker <nacho@ownyourbits.com>

bin/ncp-provisioning.sh

@@ -64,4 +64,12 @@ BKP="$( ls -1t /var/www/nextcloud-bkp_*.tar.gz 2>/dev/null | head -1 )"
   ncp-restore "$BKP_NEW" && rm "$BKP_NEW"
 }
 
+## Check for encrypted data and ask for password
+if needs_decrypt; then
+  echo "Detected encrypted instance"
+  a2dissite ncp nextcloud
+  a2ensite ncp-activation
+  apache2ctl -k graceful
+fi
+
 exit 0

bin/ncp/CONFIG/nc-datadir.sh

@@ -100,6 +100,7 @@ configure()
   # datadir
   ncc config:system:set datadirectory --value="$DATADIR"
   ncc config:system:set logfile --value="$DATADIR/nextcloud.log"
+  set_ncpcfg datadir "${datadir}"
   restore_maintenance_mode
 }
 

bin/ncp/SECURITY/nc-encrypt.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Data at rest encryption for NextCloudPi
+#
+# Copyleft 2021 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# More at: nextcloudpi.com
+#
+
+is_active()
+{
+  mount | grep ncdata_enc | grep -q gocryptfs
+}
+
+install()
+{
+  apt_install gocryptfs
+}
+
+configure()
+{
+(
+  set -eu -o pipefail
+  local datadir parentdir encdir tmpdir
+  datadir="$(get_ncpcfg datadir)"
+  [[ "${datadir}" == "null" ]] && datadir=/var/www/nextcloud/data
+  parentdir="$(dirname "${datadir}")"
+  encdir="${parentdir}/ncdata_enc"
+  tmpdir="$(mktemp -u -p "${parentdir}" -t nc-data-crypt.XXXXXX))"
+
+  [[ "${ACTIVE}" != "yes" ]] && {
+    if ! is_active; then
+      echo "Data not currently encrypted"
+      return 0
+    fi
+    save_maintenance_mode
+    trap restore_maintenance_mode EXIT
+    echo "Decrypting data..."
+    mkdir "${tmpdir}"
+    chown www-data: "${tmpdir}"
+    pkill tail # prevents from umounting in docker
+    mv "${datadir}"/* "${datadir}"/.[!.]* "${tmpdir}"
+    fusermount -u "${datadir}"
+    rmdir "${datadir}"
+    mv "${tmpdir}" "${datadir}"
+    rm "${encdir}"/gocryptfs.*
+    rmdir "${encdir}"
+    echo "Data no longer encrypted"
+    return
+  }
+
+  if is_active; then
+    echo "Encrypted data already in use"
+    return
+  fi
+
+  # Just mount already encrypted data
+  if [[ -f "${encdir}"/gocryptfs.conf ]]; then
+    echo "${PASSWORD}" | gocryptfs -allow_other -q "${encdir}" "${datadir}" 2>&1 | sed /^Switch/d
+
+    # switch to the regular virtual hosts after we decrypt, so we can access NC and ncp-web
+    a2ensite ncp nextcloud
+    a2dissite ncp-activation
+    apache2ctl -k graceful
+
+    echo "Encrypted data now accessible"
+    return
+  fi
+  mkdir -p "${encdir}"
+  echo "${PASSWORD}" | gocryptfs -init -q "${encdir}"
+  save_maintenance_mode
+  trap restore_maintenance_mode EXIT
+
+  mv "${datadir}" "${tmpdir}"
+
+  mkdir "${datadir}"
+  echo "${PASSWORD}" | gocryptfs -allow_other -q "${encdir}" "${datadir}" 2>&1 | sed /^Switch/d
+
+  echo "Encrypting data..."
+  mv "${tmpdir}"/* "${tmpdir}"/.[!.]* "${datadir}"
+  chown -R www-data: "${datadir}"
+  rmdir "${tmpdir}"
+
+  set_ncpcfg datadir "${datadir}"
+
+  echo "Data is now encrypted"
+)
+}
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA  02111-1307  USA
+

bin/nextcloud-domain.sh

@@ -2,6 +2,12 @@
 
 source /usr/local/etc/library.sh
 
+# wait until user decrypts the instance first
+while :; do
+  needs_decrypt || break
+  sleep 1
+done
+
 # wicd service finishes before completing DHCP
 while :; do
   local_ip="$(get_ip)"

build/docker/docker-compose.yml

@@ -10,6 +10,12 @@ services:
     volumes:
      - ncdata:/data
      - /etc/localtime:/etc/localtime:ro
+    # for nc-encrypt
+    devices:
+      - /dev/fuse:/dev/fuse
+    # for nc-encrypt # NOTE: take a look at this https://github.com/docker/for-linux/issues/321#issuecomment-677744121
+    cap_add:
+      - SYS_ADMIN
     container_name: nextcloudpi
 
 volumes:

build/docker/nextcloud/020nextcloud

@@ -58,6 +58,14 @@ bash /usr/local/bin/ncp-provisioning.sh
 echo "Starting notify_push daemon"
 start_notify_push
 
+if needs_decrypt; then
+  echo "Waiting for user to decrypt instance"
+  while :; do
+    sleep 1
+    needs_decrypt || break
+  done
+fi
+
 echo "Configuring Domain"
 # Trusted Domain (local/public IP)
 bash /usr/local/bin/nextcloud-domain.sh

changelog.md

@@ -1,7 +1,13 @@
 
-[v1.42.3](https://github.com/nextcloud/nextcloudpi/commit/2d804cb) (2021-10-25) nextcloud-domain: fix variable collision
+[v1.43.0](https://github.com/nextcloud/nextcloudpi/commit/9bad41c) (2021-10-22) add nc-encrypt
 
-[v1.42.2](https://github.com/nextcloud/nextcloudpi/commit/9ff21bb) (2021-10-23) nc-backup-auto: ncc path
+[v1.42.5](https://github.com/nextcloud/nextcloudpi/commit/f0abbbc) (2021-10-27) letsencrypt: sync ncp and nc cert paths
+
+[v1.42.4 ](https://github.com/nextcloud/nextcloudpi/commit/f7e28c2) (2021-10-27) small trusted domains refactor
+
+[v1.42.3 ](https://github.com/nextcloud/nextcloudpi/commit/b1e7323) (2021-10-25) nextcloud-domain: fix variable collision
+
+[v1.42.2 ](https://github.com/nextcloud/nextcloudpi/commit/9ff21bb) (2021-10-23) nc-backup-auto: ncc path
 
 [v1.42.1 ](https://github.com/nextcloud/nextcloudpi/commit/e11ce59) (2021-10-22) ncp-web: fix log download bug
 

etc/library.sh

@@ -32,7 +32,7 @@ command -v jq &>/dev/null || {
   PHPVER=$(     jq -r .php_version       < "$NCPCFG")
   RELEASE=$(    jq -r .release           < "$NCPCFG")
 }
-command -v ncc &>/dev/null && NCVER="$(ncc status | grep "version:" | awk '{ print $3 }')"
+command -v ncc &>/dev/null && NCVER="$(ncc status 2>/dev/null | grep "version:" | awk '{ print $3 }')"
 
 function configure_app()
 {
@@ -481,6 +481,29 @@ function restore_maintenance_mode()
   fi
 }
 
+function needs_decrypt()
+{
+  local active
+  active="$(find_app_param nc-encrypt ACTIVE)"
+  (! is_active_app nc-encrypt) && [[ "${active}" == "yes" ]]
+}
+
+function set_ncpcfg()
+{
+  local name="${1}"
+  local value="${2}"
+  local cfg
+  cfg="$(jq '.' "${NCPCFG}")"
+  cfg="$(jq ".${name} = \"${value}\"" <<<"${cfg}")"
+  echo "$cfg" > "${NCPCFG}"
+}
+
+function get_ncpcfg()
+{
+  local name="${1}"
+  jq -r ".${name}" < "${NCPCFG}"
+}
+
 # License
 #
 # This script is free software; you can redistribute it and/or modify it

etc/ncp-config.d/nc-encrypt.cfg

@@ -0,0 +1,22 @@
+{
+  "id": "nc-encrypt",
+  "name": "Nc-encrypt",
+  "title": "nc-encrypt",
+  "description": "Data at rest encryption for NCP",
+  "info": "The encryption password will be needed after every reboot.\nThis will increase CPU usage.",
+  "infotitle": "",
+  "params": [
+    {
+      "id": "ACTIVE",
+      "name": "Active",
+      "value": "no",
+      "type": "bool"
+    },
+    {
+      "id": "PASSWORD",
+      "name": "Password",
+      "value": "ownyourbits",
+      "type": "password"
+    }
+  ]
+}

ncp-web/activate/index.php

@@ -1,11 +1,25 @@
 <?php
-// disallow once activated
+  // disallow once activated
-exec("a2query -s ncp-activation", $output, $ret);
+  exec("a2query -s ncp-activation", $output, $ret);
-if ($ret != 0) {
+  if ($ret != 0) {
-  http_response_code(404);
+    http_response_code(404);
-  exit();
+    exit();
-}
+  }
-session_start();
+  ini_set('session.cookie_httponly', 1);
+  if (isset($_SERVER['HTTPS']))
+    ini_set('session.cookie_secure', 1);
+  session_start();
+
+  // security headers
+  header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+  header("X-XSS-Protection: 1; mode=block");
+  header("X-Content-Type-Options: nosniff");
+  header("X-Robots-Tag: none");
+  header("X-Permitted-Cross-Domain-Policies: none");
+  header("X-Frame-Options: DENY");
+  header("Cache-Control: no-cache");
+  header('Pragma: no-cache');
+  header('Expires: -1');
 ?>
 <!DOCTYPE html>
 <html class="ng-csp" data-placeholder-focus="false" lang="en">
@@ -63,7 +77,7 @@ HTML;
   </div>
   <footer role="contentinfo">
   <p class="info">
-  <a href="https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/" target="_blank" rel="noreferrer noopener">NextCloudPi</a> – Keep your data close</p>
+  <a href="https://nextcloudpi.com" target="_blank" rel="noreferrer noopener">NextCloudPi</a> – Keep your data close</p>
   </footer>
   <?php
     include('../csrf.php');

ncp-web/decrypt/CSS.css

@@ -0,0 +1,259 @@
+/* 
+ * NextCloudPi Web Panel style sheets. Based on official Nextcloud 12 datasheets
+ *
+ * Copyleft 2018 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+ * GPL licensed (see end of file) * Use at your own risk!
+ *
+ * More at https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
+*/
+
+
+html,body {
+ height:100%
+}
+article,aside,dialog,figure,footer,header,hgroup,nav,section {
+ display:block
+}
+body {
+ text-align: center;
+ line-height:1.5
+}
+a {
+ border:0;
+ color:#fff;
+ text-decoration:none;
+ cursor:pointer
+}
+a * {
+ cursor:pointer
+}
+select,.button span,label {
+ cursor:pointer
+}
+body {
+ background-image: url(../img/background.png);
+ background-color:#0082c9;
+ font-weight:400;
+ line-height:1.6em;
+ font-family:'Open Sans', Frutiger, Calibri, 'Myriad Pro', Myriad, sans-serif;
+ color:#fff;
+ height:auto
+}
+#nojavascript {
+ position:fixed;
+ top:0;
+ bottom:0;
+ height:100%;
+ width:100%;
+ z-index:9000;
+ text-align:center;
+ background-color:rgba(0, 0, 0, 0.5);
+ color:#fff;
+ line-height:125%;
+ font-size:24px
+}
+#nojavascript div {
+ display:block;
+ position:relative;
+ width:50%;
+ top:35%;
+ margin:0px auto
+}
+#nojavascript a {
+ color:#fff;
+ border-bottom:2px dotted #fff
+}
+#nojavascript a:hover,#nojavascript a:focus {
+ color:#dbdbdb
+}
+::-webkit-scrollbar {
+ width:5px
+}
+::-webkit-scrollbar-track-piece {
+ background-color:transparent
+}
+::-webkit-scrollbar-thumb {
+ background:#dbdbdb;
+ border-radius:3px
+}
+select,button,input,textarea {
+ width: 3em;
+ min-height:32px;
+ box-sizing:border-box;
+ text-align: center;
+}
+select,button,.button,input:not([type='range']),textarea,#quota,.pager li a {
+ margin:3px 3px 3px 0;
+ padding:7px 6px;
+ font-size:13px;
+ background-color:#fff;
+ color:#545454;
+ border:1px solid #dbdbdb;
+ outline:none;
+ border-radius:3px;
+}
+select:not(:disabled):not(.primary),button:not(:disabled):not(.primary),.button:not(:disabled):not(.primary),input:not([type='range']):not(:disabled):not(.primary),textarea:not(:disabled):not(.primary),#quota:not(:disabled):not(.primary),.pager li a:not(:disabled):not(.primary) {
+}
+select:not(:disabled):not(.primary):not(#quota):hover,button:not(:disabled):not(.primary):not(#quota):hover,.button:not(:disabled):not(.primary):not(#quota):hover,input:not([type='range']):not(:disabled):not(.primary):not(#quota):hover,textarea:not(:disabled):not(.primary):not(#quota):hover,#quota:not(:disabled):not(.primary):not(#quota):hover,.pager li a:not(:disabled):not(.primary):not(#quota):hover,select:not(:disabled):not(.primary):focus,button:not(:disabled):not(.primary):focus,.button:not(:disabled):not(.primary):focus,input:not([type='range']):not(:disabled):not(.primary):focus,textarea:not(:disabled):not(.primary):focus,#quota:not(:disabled):not(.primary):focus,.pager li a:not(:disabled):not(.primary):focus,select:not(:disabled):not(.primary).active,button:not(:disabled):not(.primary).active,.button:not(:disabled):not(.primary).active,input:not([type='range']):not(:disabled):not(.primary).active,textarea:not(:disabled):not(.primary).active,#quota:not(:disabled):not(.primary).active,.pager li a:not(:disabled):not(.primary).active {
+ border-color:#0082c9;
+ outline:none
+}
+select:not(:disabled):not(.primary):active,button:not(:disabled):not(.primary):active,.button:not(:disabled):not(.primary):active,input:not([type='range']):not(:disabled):not(.primary):active,textarea:not(:disabled):not(.primary):active,#quota:not(:disabled):not(.primary):active,.pager li a:not(:disabled):not(.primary):active {
+ outline:none;
+ background-color:#fff
+}
+select:disabled,button:disabled,.button:disabled,input:not([type='range']):disabled,textarea:disabled,#quota:disabled,.pager li a:disabled {
+ background-color:#ebebeb;
+ color:rgba(0, 0, 0, 0.4);
+ cursor:default;
+ opacity:0.5
+}
+select.primary,button.primary,.button.primary,input:not([type='range']).primary,textarea.primary,#quota.primary,.pager li a.primary {
+ border:1px solid #0082c9;
+ background-color:rgba(0, 130, 201, .7);
+ color:#fff;
+ cursor:pointer
+}
+select.primary:not(:disabled):hover,button.primary:not(:disabled):hover,.button.primary:not(:disabled):hover,input:not([type='range']).primary:not(:disabled):hover,textarea.primary:not(:disabled):hover,#quota.primary:not(:disabled):hover,.pager li a.primary:not(:disabled):hover,select.primary:not(:disabled):focus,button.primary:not(:disabled):focus,.button.primary:not(:disabled):focus,input:not([type='range']).primary:not(:disabled):focus,textarea.primary:not(:disabled):focus,#quota.primary:not(:disabled):focus,.pager li a.primary:not(:disabled):focus {
+ background-color:rgba(0, 130, 201, .85)
+}
+select.primary:not(:disabled):active,button.primary:not(:disabled):active,.button.primary:not(:disabled):active,input:not([type='range']).primary:not(:disabled):active,textarea.primary:not(:disabled):active,#quota.primary:not(:disabled):active,.pager li a.primary:not(:disabled):active {
+ background-color:rgba(0, 130, 201, .7)
+}
+select.primary:disabled,button.primary:disabled,.button.primary:disabled,input:not([type='range']).primary:disabled,textarea.primary:disabled,#quota.primary:disabled,.pager li a.primary:disabled {
+ background-color:rgba(0, 130, 201, .7);
+ color:#bababa
+}
+input {
+}
+input:not([type='radio']):not([type='checkbox']):not([type='range']):not([type='submit']):not([type='button']):not([type='reset']):not([type='color']):not([type='file']):not([type='image']) {
+ -webkit-appearance:textfield;
+ -moz-appearance:textfield
+}
+select,button,.button,input[type='button'],input[type='submit'],input[type='reset'] {
+ padding:6px 12px;
+ width:auto;
+ min-height:34px;
+ cursor:pointer;
+ box-sizing:border-box;
+ background-color:#f7f7f7
+}
+button,.button,input[type='button'],input[type='submit'],input[type='reset'] {
+ font-weight:bold;
+}
+button::-moz-focus-inner,.button::-moz-focus-inner,input[type='button']::-moz-focus-inner,input[type='submit']::-moz-focus-inner,input[type='reset']::-moz-focus-inner {
+ border:0
+}
+button,.button {
+}
+button > span[class^='icon-'],.button > span[class^='icon-'],button > span[class*=' icon-'],.button > span[class*=' icon-'] {
+ display:inline-block;
+ vertical-align:text-bottom;
+ opacity:0.5
+}
+textarea {
+ color:#545454;
+ cursor:text;
+ font-family:inherit;
+ height:auto
+}
+textarea:not(:disabled):active,textarea:not(:disabled):hover,textarea:not(:disabled):focus {
+ border-color:#dbdbdb !important;
+ background-color:#fff !important
+}
+select {
+ -webkit-appearance:none;
+ -moz-appearance:none;
+ appearance:none;
+ background:url('../../../core/css/../img/actions/triangle-s.svg') no-repeat right 4px center;
+ background-color:inherit;
+ outline:0;
+ padding-right:24px !important
+}
+button img,.button img {
+ cursor:pointer
+}
+input[type='checkbox'].radio,input[type='radio'].radio,input[type='checkbox'].checkbox,input[type='radio'].checkbox {
+ position:absolute;
+ left:-10000px;
+ top:auto;
+ width:1px;
+ height:1px;
+ overflow:hidden
+}
+#header {
+ color: white;
+}
+h2 {
+ font-size:20px;
+ font-weight:300;
+ margin-bottom:12px;
+ line-height:140%
+}
+h3 {
+ font-size:15px;
+ font-weight:300;
+ margin:12px 0
+}
+em {
+ font-style:normal;
+ -ms-filter:'progid:DXImageTransform.Microsoft.Alpha(Opacity=50)';
+ opacity:0.5
+}
+dl {
+ padding:12px 0
+}
+dt,dd {
+ display:inline-block;
+ padding:12px;
+ padding-left:0
+}
+dt {
+ width:130px;
+ white-space:nowrap;
+ text-align:right
+}
+kbd {
+ padding:4px 10px;
+ border:1px solid #ccc;
+ box-shadow:0 1px 0 rgba(0, 0, 0, .2);
+ border-radius:3px;
+ display:inline-block;
+ white-space:nowrap
+}
+
+hr { border: solid 1px white; }
+
+#ncp-logo { margin-top: 24px; }
+
+#loading-gif { display: none; }
+
+#ncp-pwd,#nc-pwd{ width:30em; }
+
+img { vertical-align: middle; }
+
+.info {
+  text-shadow: 0 0 2px rgba(0, 0, 0, .4);
+  font-size: 80%;
+}
+
+.info a {
+  font-weight: 600;
+}
+
+.table-wrapper {
+  width: 80%;
+  max-width: 450px;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.table-wrapper table {
+  width: 100%;
+  max-width: 450px;
+  margin: 0 auto;
+}
+
+.table-wrapper input[type='text'], .table-wrapper input[type='password'] {
+  width: 90%;
+}

ncp-web/decrypt/JS.js

@@ -0,0 +1,81 @@
+///
+// NextCloudPi Web Panel javascript library
+//
+// Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+// GPL licensed (see end of file) * Use at your own risk!
+//
+// More at https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
+///
+
+var MINI = require('minified');
+var $ = MINI.$, $$ = MINI.$$, EE = MINI.EE;
+
+function errorMsg()
+{ 
+  $('#error-box').fill("Something went wrong. Try refreshing the page"); 
+}
+
+function decrypt_ok_cb(result) 
+{
+  var ret = $.parseJSON(result);
+  $('#loading-gif').hide();
+  if ( ret.token )
+    $('#csrf-token').set( { value: ret.token } );
+  if ( ret.ret == '0' ) {
+    $('#error-box').fill("OK"); 
+      var url = window.location.protocol + '//' + window.location.hostname;
+      window.location.replace( url );
+  } else {
+    $('#error-box').fill("Password error"); 
+    $('#decrypt-btn').show();
+  }
+}
+
+function decrypt()
+{
+  // request
+  $.request('post', '../ncp-launcher.php', { action: 'launch',
+                                             ref   : 'nc-encrypt', 
+                                             config: '{ "ACTIVE": "yes", "PASSWORD":"' + $('#encryption-pass').get('.value') + '" }',
+                                             csrf_token: $('#csrf-token').get('.value') } 
+  ).then(decrypt_ok_cb).error(errorMsg);
+}
+
+// Show password button
+$( '.pwd-btn' ).on('click', function(e)
+  {
+    var input = this.trav('previousSibling', 1);
+    if ( input.get('.type') == 'password' )
+      input.set('.type', 'text');
+    else if ( input.get('.type') == 'text' )
+      input.set('.type', 'password');
+  });
+
+$(function() 
+{
+  $('#decrypt-btn').on('click', function(e)
+  {
+    $('#decrypt-btn').hide();
+    $('#loading-gif').set( { $display: 'inline' } );
+    decrypt();
+  } );
+
+  $$('#encryption-pass').focus();
+} );
+
+// License
+//
+// This script is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2 of the License, or
+// (at your option) any later version.
+//
+// This script is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this script; if not, write to the
+// Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+// Boston, MA  02111-1307  USA

ncp-web/decrypt/index.php

@@ -0,0 +1,92 @@
+<?php
+  // disallow once unlocked
+  exec("a2query -s ncp-activation", $output, $ret);
+  if ($ret != 0) {
+    http_response_code(404);
+    exit();
+  }
+  ini_set('session.cookie_httponly', 1);
+  if (isset($_SERVER['HTTPS']))
+    ini_set('session.cookie_secure', 1);
+  session_start();
+
+  // security headers
+  header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+  header("X-XSS-Protection: 1; mode=block");
+  header("X-Content-Type-Options: nosniff");
+  header("X-Robots-Tag: none");
+  header("X-Permitted-Cross-Domain-Policies: none");
+  header("X-Frame-Options: DENY");
+  header("Cache-Control: no-cache");
+  header('Pragma: no-cache');
+  header('Expires: -1');
+?>
+<!DOCTYPE html>
+<html class="ng-csp" data-placeholder-focus="false" lang="en">
+<head>
+  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+  <meta charset="utf-8">
+  <title> Unlock NextCloudPi </title>
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="referrer" content="never">
+  <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0">
+  <meta http-equiv="cache-control" content="no-cache">
+  <meta http-equiv="pragma" content="no-cache">
+  <link rel="icon" type="image/png" href="../img/favicon.png"/>
+  <link rel="stylesheet" href="CSS.css">
+</head>
+<body id="body-login">
+  <noscript>
+    <div id="nojavascript">
+    <div>
+    This application requires JavaScript for correct operation. Please <a href="https://www.enable-javascript.com/" target="_blank" rel="noreferrer noopener">enable JavaScript</a> and reload the page.		</div>
+    </div>
+  </noscript>
+  <div class="wrapper">
+    <div class="v-align">
+      <header role="banner">
+        <div id="header">
+          <img id="ncp-logo" src="../img/ncp-logo.svg">
+<?php
+    echo <<<HTML
+          <h1>NextCloudPi</h1>
+          <p>Encrypted instance</p>
+
+          <div id="decrypt-config-box" class="content-box table-wrapper">
+          <form>
+            <table><tbody>
+              <tr>
+                <td>
+                  <input type="password" id="encryption-pass" name="Password" class="directory" default="" placeholder="password" size="40">
+                  &nbsp;
+                  <img class="pwd-btn" title="show password" src="../img/toggle-white.svg">
+                </td>
+              </tr>     
+            </tbody></table>
+
+            <div class="config-button-wrapper">
+              <button id="decrypt-btn" type="submit" class="config-button">Decrypt</button>
+              <img id="loading-gif" src="../img/loading-small.gif">
+              <div class="circle-retstatus icon-red-circle"></div>
+              <div id="error-box"></div>
+           </div>
+        </form>
+        </div>
+HTML;
+?>
+        </div>
+      </header>
+    </div>
+  </div>
+  <footer role="contentinfo">
+  <p class="info">
+  <a href="https://nextcloudpi.com" target="_blank" rel="noreferrer noopener">NextCloudPi</a> – Keep your data close</p>
+  </footer>
+  <?php
+    include('../csrf.php');
+    echo '<input type="hidden" id="csrf-token" name="csrf-token" value="' . getCSRFToken() . '"/>';
+  ?>
+  <script src="../js/minified.js"></script>
+  <script src="JS.js"></script>
+</body>
+</html>

ncp-web/img/toggle-white.svg

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   version="1.1"
+   viewbox="0 0 16 16"
+   width="16"
+   height="16"
+   id="svg4"
+   sodipodi:docname="toggle-white.svg"
+   inkscape:version="1.1.1 (3bf5ae0d25, 2021-09-20)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <metadata
+     id="metadata10">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs8" />
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="2560"
+     inkscape:window-height="1080"
+     id="namedview6"
+     showgrid="false"
+     inkscape:zoom="14.75"
+     inkscape:cx="8.1016949"
+     inkscape:cy="7.9661017"
+     inkscape:window-x="1440"
+     inkscape:window-y="1087"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg4"
+     inkscape:pagecheckerboard="0" />
+  <path
+     opacity="0.5"
+     d="M8 3C4.89 3 2.073 4.72 0 7.5 2.073 10.28 4.89 12 8 12c3.11 0 5.927-1.72 8-4.5C13.927 4.72 11.11 3 8 3zm0 1.5a3 3 0 1 1 0 6 3 3 0 0 1 0-6zM8 6a1.5 1.5 0 1 0 0 3 1.5 1.5 0 0 0 0-3z"
+     id="path2"
+     style="fill:#ffffff;fill-opacity:1;opacity:1" />
+</svg>

ncp-web/index.php

@@ -8,15 +8,45 @@
  More at https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
 
 **/
+ob_start();
+
+// check for encrypted data to present unlock dialog
+exec("bash -c 'source /usr/local/etc/library.sh; needs_decrypt'", $output, $ret);
+if ($ret == 0) {
+  header("Location: decrypt");
+  exit();
+}
 
 // redirect to activation first time
-ob_start();
 exec("a2query -s ncp-activation", $output, $ret);
 if ($ret == 0) {
   header("Location: activate");
   exit();
 }
 
+ini_set('session.cookie_httponly', 1);
+if (isset($_SERVER['HTTPS']))
+  ini_set('session.cookie_secure', 1);
+session_start();
+
+include('elements.php');
+$modules_path = '/usr/local/etc/ncp-config.d/';
+$l10nDir = "l10n";
+
+// security headers
+header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+header("X-XSS-Protection: 1; mode=block");
+header("X-Content-Type-Options: nosniff");
+header("X-Robots-Tag: none");
+header("X-Permitted-Cross-Domain-Policies: none");
+header("X-Frame-Options: DENY");
+header("Cache-Control: no-cache");
+header('Pragma: no-cache');
+header('Expires: -1');
+
+// HTTP2 push headers
+header("Link: </js/minified.js>; rel=preload; as=script;,</js/ncp.js>; rel=preload; as=script;,</css/ncp.css>; rel=preload; as=style;,</img/ncp-logo.svg>; rel=preload; as=image;, </img/loading-small.gif>; rel=preload; as=image;, rel=preconnect href=ncp-launcher.php;");
+
 ?>
 
 <!DOCTYPE html>
@@ -28,31 +58,6 @@ if ($ret == 0) {
     <meta name="referrer" content="never">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
     <meta name="mobile-web-app-capable" content="yes">
-<?php
-    ini_set('session.cookie_httponly', 1);
-    if (isset($_SERVER['HTTPS']))
-      ini_set('session.cookie_secure', 1);
-    session_start();
-
-    include('elements.php');
-    $modules_path = '/usr/local/etc/ncp-config.d/';
-    $l10nDir = "l10n";
-
-    // security headers
-    header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
-    header("X-XSS-Protection: 1; mode=block");
-    header("X-Content-Type-Options: nosniff");
-    header("X-Robots-Tag: none");
-    header("X-Permitted-Cross-Domain-Policies: none");
-    header("X-Frame-Options: DENY");
-    header("Cache-Control: no-cache");
-    header('Pragma: no-cache');
-    header('Expires: -1');
-
-    // HTTP2 push headers
-    header("Link: </js/minified.js>; rel=preload; as=script;,</js/ncp.js>; rel=preload; as=script;,</css/ncp.css>; rel=preload; as=style;,</img/ncp-logo.svg>; rel=preload; as=image;, </img/loading-small.gif>; rel=preload; as=image;, rel=preconnect href=ncp-launcher.php;");
-
-  ?>
     <link rel="icon" type="image/png" href="img/favicon.png"/>
     <link rel="stylesheet" href="css/ncp.css">
 </head>