cryptoboned - Man Page
The Crypto Bone Daemon
Synopsis
/usr/lib/cryptobone/cryptoboned
Description
The daemon cryptoboned stores the message keys and other secret information used by the Crypto Bone control program (cbcontrol). The encrypted database lives in the Linux file system, while the master key needed to decrypt it is read once during the boot process and held in memory only.
While the machine is booting, the daemon has access to an encrypted file system in which the master key is stored for a short time. Once the master key has been read, this file system is unmounted and a second one is mounted in its place. From this point on the master key is active only in the daemon's main memory and is not visible anywhere in the system's file system. This raises the bar for an attacker: recovering the master key requires issuing commands in a root shell to locate and re-mount the unmounted, encrypted file system, instead of plain read access to a file.
Once the boot process has finished, the daemon can no longer be restarted. This further protects the master key while the daemon is running in normal operation.
While running, the daemon communicates with cbcontrol via a socket that is accessible to root only. The daemon also checks whether the process at the other end of the socket is /usr/lib/cryptobone/cbcontrol, and stops all communication if the request originates from any other program.
Operations such as encryption and decryption of messages and attachment files, which require AES keys, are performed by the program /usr/lib/cryptobone/bin/claes, which receives the encryption keys via standard input. Passing a key on standard input rather than on the command line keeps it out of the process list, where other users could read it.
The maximum size of the information stored in the encrypted database is 250000 bytes.
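The peer check described above can be implemented on Linux with SO_PEERCRED (kernel-supplied credentials of the connecting process) and /proc/<pid>/exe. The following is an added example, not cryptoboned's own code; the man page does not say how the daemon performs the check, so the mechanism, the function names and the require_root option are assumptions. The self-test helper uses a socketpair, so both ends belong to the running interpreter rather than to cbcontrol.

```python
import os
import socket
import struct

# Path the man page names as the only program allowed to talk to the daemon.
CBCONTROL_PATH = "/usr/lib/cryptobone/cbcontrol"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket.

    SO_PEERCRED is filled in by the kernel when the connection is made and
    cannot be forged by the client (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def peer_executable(pid):
    """Resolve the binary that pid is currently executing via /proc/<pid>/exe."""
    return os.readlink(f"/proc/{pid}/exe")


def peer_is_allowed(conn, allowed_path=CBCONTROL_PATH, require_root=True):
    """Accept the connection only if the peer runs as root (when required) and
    its executable is exactly allowed_path. Any failure to verify means deny."""
    pid, uid, _gid = peer_credentials(conn)
    if require_root and uid != 0:
        return False
    try:
        exe = peer_executable(pid)
    except OSError:
        # Peer already exited or /proc is not readable: fail closed.
        return False
    # A binary replaced on disk while still running shows up as "... (deleted)".
    if exe.endswith(" (deleted)"):
        return False
    return os.path.realpath(exe) == os.path.realpath(allowed_path)


def self_executable():
    """Path of the interpreter running this example (assumed Linux /proc)."""
    return os.readlink("/proc/self/exe")


def check_self(allowed_path):
    """Self-test helper: both ends of a socketpair belong to this process, so
    the peer executable seen by the 'server' end is the running interpreter."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_is_allowed(server_end, allowed_path, require_root=False)
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    print("interpreter allowed:", check_self(self_executable()))   # True
    print("cbcontrol allowed:  ", check_self(CBCONTROL_PATH))      # False
```

Note that /proc/<pid>/exe identifies the executable image, not who invoked it; the root-only socket permission remains the first line of defence, and the executable check is a second one layered on top of it.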
Options
none
Commands
The cryptobone daemon responds to the following commands, which can be sent through the socket:
- all-keys
Prints a list of all keys under which secret values are stored.
- get-element key
Prints the value of the secret stored under key in the secrets database.
- init
Creates the secrets database if it does not already exist. Does not overwrite an existing database.
- remove key
Destroys the secret value stored under key in the database.
- replace key new_value
Replaces the stored value with new_value. If key is not already in use, the value is created under key.
- write key value
Creates a new entry in the database. Does not overwrite an existing value stored under key.
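To make the rules above concrete, here is an added in-memory model of the documented command semantics: init is idempotent and never wipes an existing database, write refuses to overwrite, replace creates or overwrites, remove deletes, and the 250000-byte cap is enforced. This is example code, not the daemon's own; the line-oriented command format, the (status, payload) replies and the way the cap is measured (total bytes of all stored keys and values) are assumptions, since the man page does not specify the wire format or how the limit is counted.

```python
MAX_DB_BYTES = 250000  # cap stated in the man page


class SecretsStore:
    """In-memory stand-in for the encrypted secrets database (example only)."""

    def __init__(self):
        self.db = None  # None until 'init' has run

    def size(self):
        """Assumed accounting: total bytes of all keys and values."""
        return sum(len(k.encode()) + len(v.encode()) for k, v in self.db.items())

    def _fits(self, key, value):
        """Would the database stay within MAX_DB_BYTES after storing key=value?"""
        projected = self.size() + len(key.encode()) + len(value.encode())
        if key in self.db:  # a replace frees the old entry first
            projected -= len(key.encode()) + len(self.db[key].encode())
        return projected <= MAX_DB_BYTES

    def handle(self, line):
        """Dispatch one command line; return (status, payload)."""
        parts = line.strip().split(" ", 2)  # value may itself contain spaces
        cmd, args = parts[0], parts[1:]
        if cmd == "init":
            if self.db is None:
                self.db = {}
            return ("OK", "")  # an existing database is left untouched
        if self.db is None:
            return ("ERROR", "no database")
        if cmd == "all-keys":
            return ("OK", "\n".join(sorted(self.db)))
        if cmd == "get-element" and len(args) == 1:
            if args[0] not in self.db:
                return ("ERROR", "no such key")
            return ("OK", self.db[args[0]])
        if cmd == "remove" and len(args) == 1:
            if args[0] not in self.db:
                return ("ERROR", "no such key")
            del self.db[args[0]]
            return ("OK", "")
        if cmd in ("write", "replace") and len(args) == 2:
            key, value = args
            if cmd == "write" and key in self.db:
                return ("ERROR", "key exists")  # write never overwrites
            if not self._fits(key, value):
                return ("ERROR", "database full")
            self.db[key] = value
            return ("OK", "")
        return ("ERROR", "unknown command")


if __name__ == "__main__":
    store = SecretsStore()
    for cmd in ("init", "write mailkey abc123", "write mailkey other",
                "replace mailkey new value", "get-element mailkey", "all-keys"):
        print(f"{cmd!r:32} -> {store.handle(cmd)}")
```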
Files
/usr/lib/cryptobone/cryptoboned
/usr/lib/cryptobone/database
/usr/lib/cryptobone/bin/claes
/usr/lib/systemd/system/cryptoboned.service
See Also
libcl (3), cbcontrol (8)
Authors
cryptoboned has been written by Ralf Senderek <innovation@senderek.ie>. The core cryptographic library libcl.so which is used by cryptoboned has been written by Peter Gutmann <pgut001@cs.auckland.ac.nz>.
Bugs
Of course there aren't bugs, but if you find any, please send them to innovation@senderek.ie.
Referenced By
cbcontrol(8), cryptobone2(8), external-cryptobone-admin(8).