cryptoboned man page

cryptoboned — The Crypto Bone Daemon




cryptoboned stores the message keys and other secret information for use by the Crypto Bone control program. While the encrypted data base is stored in the Linux file system, the master key, which is necessary to decrypt this secret information, is read during the boot process and held in memory only.

While the machine is booting, the daemon has access to an encrypted file system in which the master key is stored for a short time of 120 seconds. Once the master key has been read, this file system is unmounted and a new one is mounted in the same place. From this point on, the master key is active in the daemon's main memory and is not visible in the system's file system. This raises the bar for an attacker trying to compromise the master key: instead of plain read access to a file, it becomes necessary to issue commands in a root shell to recover the unmounted, encrypted file system.

After the boot process has finished, a restart of the daemon is no longer possible. This is to further protect the master key while the daemon is running for normal operations.

While the daemon is running, it communicates with the cbcontrol program via a socket that is accessible to root only. The daemon checks whether the process trying to communicate is /usr/lib/cryptobone/cbcontrol. It will stop all communication if the request originates from a different program.
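One way a daemon can perform the peer check described above, shown as an added example that is not cryptoboned's own code. It assumes a Linux AF_UNIX socket, the SO_PEERCRED socket option and a mounted /proc; the names peer_executable, peer_is_allowed and struct peer_cred are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define CBCONTROL_PATH "/usr/lib/cryptobone/cbcontrol" /* path from the man page */

/* Same layout as Linux's struct ucred; declared locally (an assumption of
 * this example) so the block compiles whatever feature macros are set. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Resolve the executable of the process at the other end of a connected
 * AF_UNIX socket. Returns 0 and fills path and uid, or -1 on any error. */
int peer_executable(int fd, char *path, size_t len, uid_t *uid)
{
    struct peer_cred cred;
    socklen_t clen = sizeof(cred);
    char link[64];
    ssize_t n;

    if (len < 2 || getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen) != 0
        || clen != sizeof(cred))
        return -1;
    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)cred.pid);
    n = readlink(link, path, len - 1);
    if (n < 0 || (size_t)n >= len - 1)   /* unreadable or possibly truncated */
        return -1;
    path[n] = '\0';                      /* readlink does not terminate */
    *uid = cred.uid;
    return 0;
}

/* Returns 1 only if the peer runs as required_uid from exactly `expected`.
 * Every error path returns 0, so an unverifiable peer is rejected. The
 * kernel supplies the credentials; the client cannot choose them. */
int peer_is_allowed(int fd, const char *expected, uid_t required_uid)
{
    char exe[PATH_MAX];
    uid_t uid;

    if (peer_executable(fd, exe, sizeof(exe), &uid) != 0)
        return 0;
    return uid == required_uid && strcmp(exe, expected) == 0;
}
```

A daemon following the man page's rule would call peer_is_allowed(fd, CBCONTROL_PATH, 0) on each accepted connection and close the socket when it returns 0.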

Operations such as encryption or decryption that require secrets are performed inside the cryptobone daemon, so that the results can be transferred through the socket. All communication between the daemon and a legitimate cbcontrol program (one that has been invoked by the graphical user interface) resembles the communication between an external crypto bone and the control program.

The maximum size of the information stored in the encrypted data base is 250000 bytes.




The cryptobone daemon responds to the following commands, which can be sent through the socket:


Prints a list of all keys that are used to store secret values.

check pathname

Analyses the encryption method of a PGP-encrypted file. Prints "AES encrypted data" if AES is used.

decrypt pathname.asc password

Attempts to decrypt a PGP-encrypted file with the password and stores the plain text in a file without the extension "asc".

encrypt base64string password

PGP-encrypts the base64-decoded plaintext with the password using AES and stores the result in the file "/usr/lib/cryptobone/cryptobone/encryptedmessage.asc". The password must be longer than 19 and shorter than 65 characters. Plain text messages are limited to 50000 characters.

get-element key

Prints the value of the secret stored under the key in the secrets data base.


Creates the secrets database if it does not already exist. Does not overwrite an existing data base.

remove key

Destroys the secret value stored under the key in the data base.

replace key new_value

Replaces the stored value with a new value. If the key is not already used, the value is created under the key.

write key value

Creates a new entry in the data base. Does not overwrite an existing value stored under the key.



See Also

libcl(3), cbcontrol(8)


cryptoboned has been written by Ralf Senderek <>.
The core cryptographic library which is used by cryptoboned has been written by 
Peter Gutmann <>.


Of course there aren't bugs, but if you find any, please send them to

Referenced By

cbcontrol(8), cryptobone(8), external-cryptobone-admin(8).

Ralf Senderek