******************************************** * CryptoBox v0.3.xx * ******************************************** $Id$ This file describes the webserver CryptoBox. The CryptoBox enables you to control the plaintext or encrypted harddisks of your server via a webinterface. Read on if you want to install the CryptoBox-server package on your computer. For more information, see the website: http://cryptobox.org Table of contents: 1) Requirements 2) Installation 3) Setup 4) Usage 5) Data access 6) Development 7) Acknowledgements 8) Licence -------------------------------------------- 1) Requirements - Linux 2.6 - super (to selectively gain root privileges) - Python 2.4 - some python packages: clearsilver 0.10 for python python-configobj 4.x cherrypy 2.x 2) Installation For Debian, Ubuntu and other derivates you should use the debian package: see http://systemausfall.org/toolforge/debian/ Please follow the /usr/share/doc/cryptobox-server/README.Debian for any special steps regarding Debian. There are currently no official rpm packages of the CryptoBox. For source installation follow these steps: Get the source: http://cryptobox.org/download Extract tarball and change to the new directory: tar xzf cryptobox-0.?.?.tar.gz Install the program: python setup.by install The installed pyhton modules can be found in your local python installation directory. The default location should be: /usr/lib/python2.4/site-packages/cryptobox/ The data files are (by default) installed to: /usr/share/cryptobox-server/ As some actions of the cryptobox require root privileges, you have to add the following line to /etc/super.tab: CryptoBoxRootActions /usr/bin/CryptoBoxRootActions cryptobox The script /usr/bin/CryptoBoxRootActions is used to execute all actions requiring root privileges. Please check it to make sure, that your system will not get compromised. 3) Setup a) Start at bootup Set NO_START in /etc/default/cryptobox-server to "0". The CryptoBox webserver will get started by its runlevel control script after bootup. b) Define managed devices You may restrict which blockdevices should be accessible to the CryptoBox. Simply set [Main]->AllowedDevices in /etc/cryptobox-server/cryptobox.conf to a comma separated list of device prefixes: e.g. /dev/sd gives access to all SCSI devices, while /dev/hda3 restricts it to this single partition. The user executing the webserver (by default: 'cryptobox') must have write access to these devices. Usually the cryptobox user is member of the 'disk' group. This gives control over most devices. Be careful with this setting, as you may expose important data to public read and write access. c) Listening port and interface By default, the CryptoBox webserver listens to tcp port 8080 on all network interfaces. You can change this setting in /etc/default/cryptobox-server. Also take a look at your firewall settings. d) Disable plugins The CryptoBox contains a lot of plugins. As some of them could expose unwanted features to your users, you should carefully select which plugins to disable. Quite likely candidates for disabling are: - shutdown: poweroff or reboot the computer - network: change IP, gateway or dns settings of the server - partition: partition blockdevices - volume_format_fs: format a disk/partition (plaintext/encrypted) Take a look at /usr/share/cryptobox-server/plugins for the list of other plugins. The setting [Main]->DisabledPlugins in /etc/cryptobox-server/cryptobox.conf is a comma separated list of plugin names. Capitalization is important! e) Separate configuration partition The CryptoBox webserver requires a writeable directory for proper operation. If your root filesystem is not writeable (e.g. booting from a cdrom, read-only mounted flash memory, ...) you may use a seperated partition to store runtime settings. The CryptoBox will automatically creates it, when you use partition one of your disks with its interface. The setting [Main]->UseConfigPartition (see /etc/cryptobox-server/cryptobox.conf) defines, whether you want to use a separate partition (value "1") or if you want to store your runtime settings in the root filesystem (typically below /var/cache/cryptobox-server). f) Samba/WebDAV/NFS/??? integration (aka. event script handling) The CryptoBox allows you to add event handling scripts for most of the interesting events: bootup/shutdown of the webserver and mount/umount of single volumes. If you want to automatically publish your mounted volumes with samba or similar fileservers, then you should take a closer look at the example scripts for samba and apache-webdav in /usr/share/doc/cryptobox-server/event-scripts. You may also just publish the mount directory of the CryptoBox. This will expose all mounted volumes very easily. Review the configuration file for the setting [Locations]->MountParentDir. g) Take a close look at the configuration file to check all other options before you start the CryptoBox webserver. 4) Usage Use your favourite web browser to go to http://localhost:8080 and browse the webinterface of the CryptoBox. Some parts of the interface are restricted to administrative access. The default access combination is the user 'admin' and the password 'admin'. Please change this setting immediately. The plugin 'user_manager' allows you to add users and to change passwords. The plugin 'plugin_manager' lets you configure, which plugins require administrative authentication. 5) Data access Before you can access your plaintext or encrypted data on a volume, you have to open it. To accomplish this, you have to go to the webinterface, select the appropriate volume and click on "Open volume" in the "Activation" tab. If you are running the CryptoBox locally, then you can access all open volumes below the 'MountDir' as specified in the configuration file (/etc/cryptobox-server/cryptobox.conf). The default mount location is /var/cache/cryptobox/mnt. If the CryptoBox package is running on a networking server, then you have to configure your favourite fileserver (e.g. samba, webdav, nfs, ftp, ...) to publish the subdirectories of the 'MountDir' (see above). If you want to customize the publishing of volumes, then you may use the event script feature fo the CryptoBox. See event-scripts/README for details. 6) Development bug reports: please use our issue tracker https://systemausfall.org/trac/cryptobox/newticket email: cryptobox@systemausfall.org The CryptoBox project is mainly driven by sense.lab (http://senselab.org). 7) Acknowledgements Besides the core development team, these people helped a lot: Clavdia Horvat, Tadej Brce & DuĊĦan Rebolj - Slovenian translation rike - French translation Fabrizio Tarizzo - Italian translation kinneko - Japanese translation Andrzej S. Kaznowski - Polish translation Fadrique - Spanish translation Gilles Accad - French translation ASpr - Russian translation We also want to thank the numerous developers of the Free Software, the CryptoBox depends on and that was used in development. 8) License The code is licensed under the GPL v2.0 or above. The documentation and all graphics are licenced under "Creative Commons Attribution Share-Alike 2.5" (http://creativecommons.org/licenses/by-sa/2.5/). See the file 'copyright' for details.