external-cryptobone-admin(8)                      external-cryptobone-admin(8)


NAME
       external-cryptobone-admin - administration tool for an external Crypto
       Bone device that stores message keys

SYNOPSIS
       /usr/bin/external-cryptobone-admin

DESCRIPTION
       The program cryptobone is the graphical user interface for a secure
       messaging system that makes sure a user's email is always encrypted.
       In its default mode the cryptobone program uses an encrypted database
       of keys that is stored on the same machine (ALL-IN-ONE mode). The GUI
       has access to these message encryption keys via the cryptobone daemon
       running on the same machine.

       Additional protection of the message keys can be achieved by using a
       second, external device for storing the encryption keys: the external
       Crypto Bone. This external device can be another Linux computer
       dedicated to this task, a Beagle Bone or a Raspberry Pi.

       The program external-cryptobone-admin is used for all administrative
       tasks that turn a Linux computer into an external Crypto Bone, which
       is then used from a different machine running the cryptobone GUI.
       Although both components, the ALL-IN-ONE Crypto Bone and the EXTERNAL
       Crypto Bone, are distributed in the same package, they are designed
       to run on different computer systems. When only one computer system
       is used for the Crypto Bone, the ALL-IN-ONE version is recommended,
       because it communicates directly with the cryptobone daemon via a
       UNIX socket.

       After installation the external Crypto Bone is not enabled.

       When the external Crypto Bone is enabled through external-cryptobone-
       admin, the system creates three secrets that need to be transferred
       to the Linux computer on which the cryptobone GUI is used. After
       enabling the external Crypto Bone, the system tries to write these
       secrets to a mounted disk partition with the label "BOOT", so a USB
       memory key with a file system labeled "BOOT" must be inserted in the
       computer when the daemon is enabled. Use this USB partition to
       transfer the secrets manually to the main computer where you run the
       cryptobone GUI. Once they have been copied to the main computer,
       remove the secrets from the USB key: they include the private key
       that grants access to the external Crypto Bone.

       When the system hosting the external Crypto Bone boots a second time,
       the secrets are reliably destroyed on that system, so transfer them
       before rebooting it. In normal operation the master key used to
       decrypt the message key database must be provided from outside the
       system, via the encrypted ssh link to the main machine.

       The administration tool also allows the standard firewall daemon to
       be replaced with a more restrictive firewall configuration that
       isolates the machine on which the external Crypto Bone is running as
       much as possible.

       In addition, the secure shell daemon can be hardened to disallow
       password login and root login via port 22. The external Crypto Bone
       will then be contacted via ssh using the RSA public key
       authentication method only. The necessary RSA private key is one of
       the three secrets and must be transferred to the main Linux computer
       via USB.
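
       The sshd hardening described above is worth verifying on the external
       Crypto Bone before relying on it. The following shell script is an
       added example and is not part of the cryptobone package or of
       external-cryptobone-admin: it reads an sshd_config and reports whether
       password login and root login are disabled and public key
       authentication is enabled. It respects a detail that is easy to get
       wrong: sshd uses the first value it reads for a keyword, so a "no"
       appended below an earlier "yes" has no effect. The check of
       KbdInteractiveAuthentication goes beyond what this page lists, because
       keyboard-interactive (PAM) login is another way to present a password.
       The sample configurations, their file names and the OpenSSH defaults
       assumed for keywords that are absent are the example's own
       assumptions.

```shell
#!/bin/sh
# Added example, not part of external-cryptobone-admin: audit an sshd_config
# for the hardening described on this page (no password login, no root login,
# public key authentication only). Assumption: OpenSSH semantics, where the
# FIRST value read for a keyword wins and Match blocks are conditional.

# sshd_effective FILE KEYWORD
# Prints the first value set for KEYWORD outside any Match block (keywords
# are case-insensitive), or nothing if the keyword never appears.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # whole-line comments, blanks
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }                        # conditional, not global
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_hardening FILE
# Returns 0 when every requirement holds, 1 otherwise; prints one line per
# keyword. An absent keyword is judged by its OpenSSH default (assumed here:
# PasswordAuthentication yes, PermitRootLogin prohibit-password,
# PubkeyAuthentication yes, KbdInteractiveAuthentication yes).
check_sshd_hardening() {
    cfg=$1
    rc=0
    for spec in \
        "PasswordAuthentication:no:yes" \
        "PermitRootLogin:no:prohibit-password" \
        "PubkeyAuthentication:yes:yes" \
        "KbdInteractiveAuthentication:no:yes"
    do
        key=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        have=$(sshd_effective "$cfg" "$key")
        note=""
        if [ -z "$have" ]; then have=$default; note=" (default)"; fi
        if [ "$have" = "$want" ]; then
            echo "ok    $key = $have$note"
        else
            echo "FAIL  $key = $have$note, want $want"
            rc=1
        fi
    done
    return $rc
}

# write_samples DIR
# Constructed sample configurations for the example (not taken from any
# real system); each is written to DIR.
write_samples() {
    # stock-looking config: passwords and root login still allowed
    cat > "$1/weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    # the trap: the appended "no" is ignored because the first "yes" wins
    cat > "$1/trap" <<'EOF'
PasswordAuthentication yes
# appended later by a hardening script
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
EOF
    # what this page describes: key-only access, no password, no root login;
    # the Match block at the end is conditional and not seen by the checker
    cat > "$1/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    tmp=$(mktemp -d) || exit 1
    write_samples "$tmp"
    for name in weak trap hardened; do
        echo "== $name"
        if check_sshd_hardening "$tmp/$name"; then
            echo "-> hardened"
        else
            echo "-> NOT hardened"
        fi
    done
    rm -rf "$tmp"
}

demo
```

       Settings inside Match blocks are deliberately skipped, as they are
       conditional; the sample "hardened" file passes the global check yet
       re-enables passwords for one user in its Match block, so review Match
       blocks by hand, or ask the daemon for the effective values of a given
       login with sshd -T -C user=NAME.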

       Note that enabling the restrictive firewall and hardening sshd would
       impede the use of the system as a general-purpose computer, but that
       is exactly what is intended when a system is used as an isolated,
       external Crypto Bone.

       Finally, the external Crypto Bone can be reset, in which case the
       encrypted database and all access information for the ssh tunnel are
       lost. Be extra careful when using this reset button, because this
       option is for the unlikely event that you willfully want to destroy
       all external Crypto Bone data and start again from a pristine state.

OPTIONS
       none

FILES
       /usr/bin/external-cryptobone-admin

SEE ALSO
       libclr(3), cryptoboned(8), cryptobone(8)

AUTHOR
       cryptobone has been written by Ralf Senderek <innovation@senderek.ie>.
       The core cryptographic library libclr.so, which is used by the
       cryptobone daemon, has been written by Peter Gutmann
       <pgut001@cs.auckland.ac.nz>.

BUGS
       Of course there aren't bugs, but if you find any, please send them to
       innovation@senderek.ie.



Ralf Senderek                                     external-cryptobone-admin(8)