external-cryptobone-admin(8)                      external-cryptobone-admin(8)


NAME

       external-cryptobone-admin - Administration tool for an external Crypto
       Bone device to store message keys


SYNOPSIS

       /usr/bin/external-cryptobone-admin


DESCRIPTION

       The program cryptobone is the graphical user interface for a secure
       messaging system that makes sure a user's email is always encrypted.
       In its default mode the cryptobone program uses an encrypted database
       of keys that are stored on the same machine (ALL-IN-ONE mode).  The
       GUI has access to these message encryption keys via the cryptobone
       daemon running on the same machine.

       Additional protection of the message keys can be achieved by using a
       second, external device for storing the encryption keys, the external
       Crypto Bone.  This external device can be another Linux computer
       dedicated to this task, a Beagle Bone or a Raspberry Pi.

       The program external-cryptobone-admin is used for all administrative
       tasks to turn a Linux computer into an external Crypto Bone that can
       be used from a different machine with the cryptobone GUI.  While both
       components, the ALL-IN-ONE Crypto Bone and the EXTERNAL Crypto Bone,
       are distributed in the same package, they are designed to run on
       different computer systems.  When only one computer system is used
       for the Crypto Bone, the ALL-IN-ONE version is recommended, because it
       communicates directly with the cryptobone daemon via a UNIX socket.

       After installation the external Crypto Bone is not enabled.

       When the external Crypto Bone is enabled through the program
       external-cryptobone-admin, the system creates three secrets that need
       to be transferred to the Linux computer on which the cryptobone GUI is
       used.  After enabling the external Crypto Bone, the system tries to
       write these secrets to a mounted disk partition with the label "BOOT",
       so a USB memory key with a file system labeled "BOOT" must be inserted
       in the computer when the daemon is enabled.  Use this USB partition to
       transfer the secrets manually to the main computer where you run the
       cryptobone GUI.

       When the system hosting the external Crypto Bone boots a second time,
       the secrets are reliably destroyed on this system, so make sure the
       copy on the "BOOT" partition is complete before that reboot; after it,
       the secrets can no longer be recovered from the external Crypto Bone.
       In normal operation the master key used to decrypt the message key
       database must be provided from outside the system via the encrypted
       ssh link to the main machine.

       The administration tool also allows the standard firewall daemon to
       be replaced with a more restrictive firewall configuration that
       isolates the machine on which the external Crypto Bone is running as
       much as possible.

       In addition, the secure shell daemon can be hardened to disallow
       password login and root login via port 22.  The external Crypto Bone
       is then contacted via ssh using the RSA public key authentication
       method only.  The necessary RSA private key is one of the three
       secrets and must be transferred to the main Linux computer via USB.

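       The following shell script is an added example and is not part of the
       cryptobone package.  It audits an sshd configuration for the three
       settings the hardening described above implies: no password login, no
       root login, public-key authentication enabled.  The directive names
       are the standard OpenSSH ones; the two sample configurations are
       constructed here to show a stock-looking default beside the hardened
       form.  On a real external Crypto Bone, feed it the output of "sshd -T"
       instead, which prints the effective configuration in lowercase.

```shell
#!/bin/sh
# Added example, not cryptobone project code: audit an sshd configuration
# for key-only, non-root access. Works on sshd_config text or on the
# normalized output of "sshd -T" (lowercase keywords).

# Print the first value of one directive from sshd_config-style text on
# stdin. Keywords are matched case-insensitively; comments and blank lines
# are skipped; reading stops at the first "Match" block, because directives
# inside it are conditional and do not describe the global policy.
sshd_directive() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }
    '
}

# check_directive FILE NAME WANT DEFAULT
# Compare the configured value of NAME with WANT. A directive that is absent
# takes the OpenSSH built-in DEFAULT, so an untouched stock config is judged
# by what sshd actually does, not by what the file happens to mention.
check_directive() {
    got=$(sshd_directive "$2" < "$1")
    [ -n "$got" ] || got=$4
    got=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    if [ "$got" != "$3" ]; then
        echo "FAIL: $2 is '$got', want '$3'"
        return 1
    fi
    echo "ok:   $2 $got"
}

# audit_sshd_config FILE
# Return 0 only when passwords are refused, root login is refused and
# public-key authentication is enabled. Defaults are OpenSSH's:
# PasswordAuthentication yes, PermitRootLogin prohibit-password,
# PubkeyAuthentication yes.
audit_sshd_config() {
    status=0
    check_directive "$1" PasswordAuthentication no  yes               || status=1
    check_directive "$1" PermitRootLogin        no  prohibit-password || status=1
    check_directive "$1" PubkeyAuthentication   yes yes               || status=1
    return $status
}

# Constructed sample: a stock-looking sshd_config. Everything that matters
# is still commented out, so passwords and root logins on port 22 are
# accepted by default.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Constructed sample: the hardened form this page describes. Only public
# keys are accepted, root may not log in, and passwords are refused even
# through keyboard-interactive PAM prompts.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

echo "== stock config"
audit_sshd_config "$WEAK_CFG" || echo "NOT hardened"
echo "== hardened config"
audit_sshd_config "$HARD_CFG" && echo "hardened"
```

       On a live system replace the constructed files with the effective
       configuration, e.g. "sshd -T > /tmp/effective" followed by
       "audit_sshd_config /tmp/effective".  The check says nothing about
       which hosts may reach port 22 at all; that is the job of the
       restrictive firewall described above.
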
       Note that enabling the restrictive firewall and hardening sshd impedes
       the use of the system as a general-purpose computer, but that is
       exactly what is intended when a system is used as an isolated,
       external Crypto Bone.

       Finally, the external Crypto Bone can be reset, in which case the
       encrypted database and all access information for the ssh tunnel are
       lost.  Be extra careful when using this reset button, because this
       option is for the unlikely event that you willfully want to destroy
       all external Crypto Bone data in order to restart from a pristine
       state.


OPTIONS

       none


FILES

       /usr/bin/external-cryptobone-admin


SEE ALSO

       libclr(3), cryptoboned(8), cryptobone(8)


AUTHORS

       cryptobone has been written by Ralf Senderek <innovation@senderek.ie>.
       The core cryptographic library libclr.so, which is used by the
       cryptobone daemon, has been written by Peter Gutmann
       <pgut001@cs.auckland.ac.nz>.


BUGS

       Of course there aren't any bugs, but if you find one, please send it
       to innovation@senderek.ie.


Ralf Senderek                                     external-cryptobone-admin(8)