cryptoboned(8)                                                  cryptoboned(8)

NAME

       cryptoboned - The Crypto Bone Daemon


SYNOPSIS

       /usr/lib/cryptobone/cryptoboned


DESCRIPTION

       cryptoboned is used to store the message keys and other secret
       information for use by the Crypto Bone control program.  While the
       encrypted database is stored in the Linux file system, the master key
       that is necessary to decrypt this secret information is read during
       the boot process and kept in memory only.

       While the machine is booting, the daemon has access to an encrypted
       file system in which the master key is stored for a short time of 120
       seconds.  Once the master key has been read, this file system is
       unmounted and a new one is mounted in the same place.  From this point
       in time the master key is active only in the daemon's main memory and
       is not visible in the system's file system.  This raises the bar for
       an attacker who wants to compromise the master key, because it becomes
       necessary to issue commands in a root shell to recover the unmounted,
       encrypted file system instead of having plain read access to a file.

       After the boot process has finished, a restart of the daemon is no
       longer possible.  This further protects the master key while the
       daemon is running for normal operations.

       While the daemon is running, it communicates with the cbcontrol
       program via a socket that is accessible to root only.  The daemon
       checks whether the process trying to communicate is
       /usr/lib/cryptobone/cbcontrol and stops all communication if the
       request originates from a different program.

       Operations such as encryption or decryption that require secrets are
       performed inside the cryptobone daemon, so that only their results are
       transferred through the socket.  All communication between a
       legitimate cbcontrol program (one that has been invoked by the
       graphical user interface) and the daemon resembles the communication
       between an external Crypto Bone and the control program.

       The maximum size of the information stored in the encrypted database
       is 250000 bytes.


OPTIONS

       none


COMMANDS

       The cryptobone daemon responds to the following commands, which can
       be sent through the socket:

       all-keys
              Prints a list of all keys that are used to store secret values.

       check pathname
              Analyses the encryption method of a PGP-encrypted file.  Prints
              "AES encrypted data" if AES is used.

       decrypt pathname.asc password
              Attempts to decrypt a PGP-encrypted file with the password and
              stores the plain text in a file without the extension "asc".

       encrypt base64string password
              PGP-encrypts the base64-decoded plaintext with the password
              using AES and stores the result in the file
              "/usr/lib/cryptobone/cryptobone/encryptedmessage.asc".  The
              password must be greater than 19 and less than 65 characters.
              Plain text messages are limited to 50000 characters.

       get-element key
              Prints the value of the secret stored under the key in the
              secrets database.

       init
              Creates the secrets database if it does not already exist.
              Does not overwrite an existing database.

       remove key
              Destroys the secret value stored under the key in the database.

       replace key new_value
              Replaces the stored value with a new value.  If the key is not
              already used, the value is created under the key.

       write key value
              Creates a new entry in the database.  Does not overwrite an
              existing value stored under the key.

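       As an added illustration, not part of this man page or of the Crypto
       Bone sources, the following Python model enforces the command
       semantics and limits described above over a hypothetical in-memory
       database: init and write never overwrite, replace upserts, the
       250000-byte cap applies, and encrypt checks the password and plaintext
       bounds.  The socket transport, the cbcontrol peer check and the actual
       PGP/AES step are not modelled.

```python
import base64
import binascii

# Limits stated in the cryptoboned(8) man page
DB_LIMIT = 250000        # maximum size of the secrets database, in bytes
PW_MIN, PW_MAX = 20, 64  # password "greater than 19 and less than 65 characters"
MSG_LIMIT = 50000        # plain text messages are limited to 50000 characters


class SecretsModel:
    """Hypothetical in-memory stand-in for the daemon's encrypted database.
    "check" and "decrypt" are omitted (they need the crypto library and a file
    on disk); "encrypt" performs only the input checks, not the PGP step."""

    def __init__(self):
        self.db = None  # None until "init" has created the database

    def handle(self, line):
        cmd, *args = line.split(" ", 2)  # at most: command, key, value
        if cmd == "init":
            self.db = {} if self.db is None else self.db  # never overwrites
            return "ok"
        if self.db is None:
            return "error: no database"
        if cmd == "all-keys":
            return "\n".join(sorted(self.db))
        if cmd == "get-element" and len(args) == 1:
            return self.db.get(args[0], "error: no such key")
        if cmd == "remove" and len(args) == 1:
            return "ok" if self.db.pop(args[0], None) is not None else "error: no such key"
        if cmd in ("write", "replace") and len(args) == 2:
            key, value = args
            if cmd == "write" and key in self.db:
                return "error: key exists"  # write never overwrites; replace upserts
            candidate = dict(self.db, **{key: value})
            # enforce the 250000-byte cap on the stored keys and values
            if sum(len((k + v).encode()) for k, v in candidate.items()) > DB_LIMIT:
                return "error: database full"
            self.db = candidate
            return "ok"
        if cmd == "encrypt" and len(args) == 2:
            b64, password = args
            if not PW_MIN <= len(password) <= PW_MAX:
                return "error: password length"
            try:
                plain = base64.b64decode(b64, validate=True)
            except binascii.Error:
                return "error: bad base64"
            if len(plain) > MSG_LIMIT:
                return "error: message too long"
            return "ok"  # the real daemon would now AES-encrypt and write the .asc file
        return "error: unknown command"
```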

FILES

       /usr/lib/cryptobone/cryptoboned
       /usr/lib/cryptobone/database
       /usr/lib/cryptobone/libclr.so.3.4.5
       /etc/init.d/cryptoboned
       /etc/systemd/system/cryptoboned.service


SEE ALSO

       libcl(3), cbcontrol(8)


AUTHORS

       cryptoboned has been written by Ralf Senderek <innovation@senderek.ie>.
       The core cryptographic library libclr.so, which is used by
       cryptoboned, has been written by Peter Gutmann
       <pgut001@cs.auckland.ac.nz>.


BUGS

       Of course there aren't bugs, but if you find any, please send them to
       innovation@senderek.ie.



Ralf Senderek                                                   cryptoboned(8)