cryptoboned(8)                                                  cryptoboned(8)

NAME
       cryptoboned - The Crypto Bone Daemon

SYNOPSIS
       /usr/lib/cryptobone/cryptoboned

DESCRIPTION
       cryptoboned is used to store the message keys and other secret
       information for use by the Crypto Bone control program. While the
       encrypted database is stored in the Linux file system, the master key
       which is necessary to decrypt this secret information is read during
       the boot process and stored in memory only.

       While the machine is booting, the daemon has access to an encrypted
       file system in which the master key is stored for a short time of 120
       seconds. Once the master key has been read, this file system is
       unmounted and a new one is mounted in the same place. From this point
       in time the master key is active in the daemon's main memory only and
       is not visible in the system's file system. This raises the bar for an
       attacker trying to compromise the master key, because it is necessary
       to issue commands in a root shell to recover the unmounted, encrypted
       file system instead of having plain read access to a file.

       After the boot process has finished, a restart of the daemon is no
       longer possible. This further protects the master key while the daemon
       is running for normal operations.

       While the daemon is running, it communicates with the cbcontrol program
       via a socket that is accessible to root only. The daemon checks whether
       the process trying to communicate is /usr/lib/cryptobone/cbcontrol and
       stops all communication if the request originates from a different
       program.

       Operations that require secrets, such as encryption and decryption, are
       performed inside the cryptobone daemon, so that only the results are
       transferred through the socket. All communication between a legitimate
       cbcontrol program (one that has been invoked by the graphical user
       interface) and the daemon resembles the communication between an
       external Crypto Bone and the control program.

       The maximum size of the information stored in the encrypted database is
       250000 bytes.

OPTIONS
       none

COMMANDS
       The cryptobone daemon responds to the following commands, which can be
       sent through the socket:

       all-keys
              Prints a list of all keys that are used to store secret values.

       check pathname
              Analyses the encryption method of a PGP-encrypted file. Prints
              "AES encrypted data" if AES is used.

       decrypt pathname.asc password
              Attempts to decrypt a PGP-encrypted file with the password and
              stores the plain text in a file without the extension "asc".

       encrypt base64string password
              PGP-encrypts the base64-decoded plaintext with the password
              using AES and stores the result in the file
              "/usr/lib/cryptobone/cryptobone/encryptedmessage.asc". The
              password must be longer than 19 and shorter than 65 characters.
              Plain text messages are limited to 50000 characters.

       get-element key
              Prints the value of the secret stored under the key in the
              secrets database.

       init
              Creates the secrets database if it does not already exist. Does
              not overwrite an existing database.

       remove key
              Destroys the secret value stored under the key in the database.

       replace key new_value
              Replaces the stored value with a new value. If the key is not
              already in use, the value is created under the key.

       write key value
              Creates a new entry in the database. Does not overwrite an
              existing value stored under the key.

FILES
       /usr/lib/cryptobone/cryptoboned
       /usr/lib/cryptobone/database
       /usr/lib/cryptobone/libclr.so.3.4.5
       /etc/init.d/cryptoboned
       /etc/systemd/system/cryptoboned.service

SEE ALSO
       libcl(3), cbcontrol(8)

AUTHORS
       cryptoboned has been written by Ralf Senderek <innovation@senderek.ie>.
       The core cryptographic library libclr.so, which is used by cryptoboned,
       has been written by Peter Gutmann <pgut001@cs.auckland.ac.nz>.

BUGS
       Of course there aren't bugs, but if you find any, please send them to
       innovation@senderek.ie.

Ralf Senderek                                                   cryptoboned(8)