external-cryptobone-admin - Man Page

/usr/bin/external-cryptobone-admin

The program cryptobone2 is the graphical user interface (GUI) for a secure messaging system that makes sure a user's messages and attachment files are always AES end-to-end encrypted.  In its default mode the cryptobone2 program uses an encrypted data base of keys that are stored on the same machine (ALL-IN-ONE mode). The GUI has access to these message encryption keys via a cryptobone daemon running on the same machine as a process with root permission.

Additional protection of the message keys can be achieved by using a second, external device for storing the encryption keys, the external Crypto Bone. This external device can be another Linux computer dedicated to this task or a Raspberry Pi or any other device capable of installing the  Crypto Bone software.

The program external-cryptobone-admin is used for all administrative tasks to turn a Linux computer into an external Crypto Bone that can be used from a different machine with the cryptobone2 GUI. While both components, the ALL-IN-ONE Crypto Bone and the EXTERNAL Crypto Bone are distributed in the same package, they are designed to run on different computer systems. When only one computer system is used for the Crypto Bone, using the ALL-IN-ONE version is recommended, because it communicates directly to the cryptobone daemon via a UNIX socket.

After installation the external Crypto Bone is not enabled.

When the external Crypto Bone is enabled through the program external-cryptobone-admin, the system will create three secrets that need to be transferred to the Linux computer on which the cryptobone2 GUI is running. After enabling the external Crypto Bone, the external device writes these secrets into the device's ramdisk (/dev/shm/BOOT).

After generation of these secrets they need to be transferred to the client machine where the  cryptobone2 GUI is active. For details refer to the comments in the file "ext/initialkeysetup" and "ext/README.external".

The administration tool also allows to replace the standard firewall daemon with a more restrictive  firewall configuration that isolates the device on which the external Crypto Bone is running as much as possible.

In additon, the secure shell daemon can be hardened to disallow password login and root login via port 22, when it is no longer needed.  The external Crypto Bone will be contacted via ssh using the RSA public key authentication method only from the main machine.  The necessary RSA private key is one of the three secrets and must be transferred to the main Linux computer manually before the secure shell daemon is hardened on the external device.

Note, that enabling the restrictive firewall and hardening sshd, would impede the use as a general-purpose computer, but that is exactly what is intended, when a system is used as an isolated, external Crypto Bone.

Finally, the external Crypto Bone can be reset, in which case the encrypted data base and all access information for the ssh tunnel is lost. Be extra careful when using this reset button, because this option is for the unlikely event that you willfully want to destroy all external Crypto Bone data to re-start pristinely.

none

/usr/bin/external-cryptobone-admin

libcl (3), cryptoboned (8), cryptobone2 (8)

external-cryptobone-admin has been written by Ralf Senderek <innovation@senderek.ie>.
The core cryptographic library libcl.so which is used by the cryptobone daemon
has been written by Peter Gutmann <pgut001@cs.auckland.ac.nz>.

Of course there aren't bugs, but if you find any, please sent them to innovation@senderek.ie.

external-cryptobone(8).