185 lines
6.9 KiB
Text
185 lines
6.9 KiB
Text
********************************************
|
|
* CryptoBox v0.3.xx *
|
|
********************************************
|
|
|
|
$Id$
|
|
|
|
This file describes the webserver CryptoBox.
|
|
The CryptoBox enables you to control the plaintext or encrypted harddisks of
|
|
your server via a webinterface.
|
|
Read on if you want to install the CryptoBox-server package on your computer.
|
|
|
|
For more information, see the website:
|
|
http://cryptobox.org
|
|
|
|
Table of contents:
|
|
1) Requirements
|
|
2) Installation
|
|
3) Setup
|
|
4) Usage
|
|
5) Data access
|
|
6) Development
|
|
7) Acknowledgements
|
|
8) Licence
|
|
|
|
--------------------------------------------
|
|
|
|
1) Requirements
|
|
- Linux 2.6
|
|
- super (to selectively gain root privileges)
|
|
- Python 2.4
|
|
- some python packages:
|
|
clearsilver 0.10 for python
|
|
python-configobj 4.x
|
|
cherrypy 2.x
|
|
|
|
|
|
2) Installation
|
|
For Debian, Ubuntu and other derivates you should use the debian package:
|
|
see http://systemausfall.org/toolforge/debian/
|
|
|
|
Please follow the /usr/share/doc/cryptobox-server/README.Debian for
|
|
any special steps regarding Debian.
|
|
|
|
There are currently no official rpm packages of the CryptoBox.
|
|
|
|
For source installation follow these steps:
|
|
Get the source:
|
|
http://cryptobox.org/download
|
|
|
|
Extract tarball and change to the new directory:
|
|
tar xzf cryptobox-0.?.?.tar.gz
|
|
|
|
Install the program:
|
|
python setup.by install
|
|
|
|
The installed pyhton modules can be found in your local python installation directory.
|
|
The default location should be:
|
|
/usr/lib/python2.4/site-packages/cryptobox/
|
|
The data files are (by default) installed to:
|
|
/usr/share/cryptobox-server/
|
|
|
|
As some actions of the cryptobox require root privileges, you have to add the
|
|
following line to /etc/super.tab:
|
|
CryptoBoxRootActions /usr/bin/CryptoBoxRootActions cryptobox
|
|
The script /usr/bin/CryptoBoxRootActions is used to execute all actions
|
|
requiring root privileges. Please check it to make sure, that your system will
|
|
not get compromised.
|
|
|
|
|
|
3) Setup
|
|
|
|
a) Start at bootup
|
|
Set NO_START in /etc/default/cryptobox-server to "0".
|
|
The CryptoBox webserver will get started by its runlevel control script
|
|
after bootup.
|
|
|
|
b) Define managed devices
|
|
You may restrict which blockdevices should be accessible to the CryptoBox.
|
|
Simply set [Main]->AllowedDevices in /etc/cryptobox-server/cryptobox.conf
|
|
to a comma separated list of device prefixes: e.g. /dev/sd gives access to
|
|
all SCSI devices, while /dev/hda3 restricts it to this single partition.
|
|
The user executing the webserver (by default: 'cryptobox') must have write
|
|
access to these devices. Usually the cryptobox user is member of the 'disk'
|
|
group. This gives control over most devices.
|
|
Be careful with this setting, as you may expose important data to public
|
|
read and write access.
|
|
|
|
c) Listening port and interface
|
|
By default, the CryptoBox webserver listens to tcp port 8080 on all network
|
|
interfaces. You can change this setting in /etc/default/cryptobox-server.
|
|
Also take a look at your firewall settings.
|
|
|
|
d) Disable plugins
|
|
The CryptoBox contains a lot of plugins. As some of them could expose
|
|
unwanted features to your users, you should carefully select which plugins
|
|
to disable.
|
|
Quite likely candidates for disabling are:
|
|
- shutdown: poweroff or reboot the computer
|
|
- network: change IP, gateway or dns settings of the server
|
|
- partition: partition blockdevices
|
|
- volume_format_fs: format a disk/partition (plaintext/encrypted)
|
|
Take a look at /usr/share/cryptobox-server/plugins for the list of
|
|
other plugins.
|
|
The setting [Main]->DisabledPlugins in /etc/cryptobox-server/cryptobox.conf
|
|
is a comma separated list of plugin names. Capitalization is important!
|
|
|
|
e) Separate configuration partition
|
|
The CryptoBox webserver requires a writeable directory for proper
|
|
operation. If your root filesystem is not writeable (e.g. booting from a
|
|
cdrom, read-only mounted flash memory, ...) you may use a seperated
|
|
partition to store runtime settings. The CryptoBox will automatically
|
|
creates it, when you use partition one of your disks with its interface.
|
|
The setting [Main]->UseConfigPartition (see
|
|
/etc/cryptobox-server/cryptobox.conf) defines, whether you want to use a
|
|
separate partition (value "1") or if you want to store your runtime
|
|
settings in the root filesystem (typically below
|
|
/var/cache/cryptobox-server).
|
|
|
|
f) Samba/WebDAV/NFS/??? integration (aka. event script handling)
|
|
The CryptoBox allows you to add event handling scripts for most of the
|
|
interesting events: bootup/shutdown of the webserver and mount/umount
|
|
of single volumes.
|
|
If you want to automatically publish your mounted volumes with samba
|
|
or similar fileservers, then you should take a closer look at the
|
|
example scripts for samba and apache-webdav in
|
|
/usr/share/doc/cryptobox-server/event-scripts.
|
|
You may also just publish the mount directory of the CryptoBox. This
|
|
will expose all mounted volumes very easily. Review the configuration
|
|
file for the setting [Locations]->MountParentDir.
|
|
|
|
g) Take a close look at the configuration file to check all other options
|
|
before you start the CryptoBox webserver.
|
|
|
|
|
|
4) Usage
|
|
Use your favourite web browser to go to http://localhost:8080 and browse the
|
|
webinterface of the CryptoBox.
|
|
Some parts of the interface are restricted to administrative access. The
|
|
default access combination is the user 'admin' and the password 'admin'. Please
|
|
change this setting immediately.
|
|
The plugin 'user_manager' allows you to add users and to change passwords.
|
|
The plugin 'plugin_manager' lets you configure, which plugins require
|
|
administrative authentication.
|
|
|
|
|
|
5) Data access
|
|
Before you can access your plaintext or encrypted data on a volume, you have to
|
|
open it. To accomplish this, you have to go to the webinterface, select the
|
|
appropriate volume and click on "Open volume" in the "Activation" tab.
|
|
|
|
If you are running the CryptoBox locally, then you can access all open volumes
|
|
below the 'MountDir' as specified in the configuration file
|
|
(/etc/cryptobox-server/cryptobox.conf). The default mount location is
|
|
/var/cache/cryptobox/mnt.
|
|
|
|
If the CryptoBox package is running on a networking server, then you have to
|
|
configure your favourite fileserver (e.g. samba, webdav, nfs, ftp, ...) to
|
|
publish the subdirectories of the 'MountDir' (see above).
|
|
If you want to customize the publishing of volumes, then you may use the
|
|
event script feature fo the CryptoBox. See event-scripts/README for details.
|
|
|
|
|
|
6) Development
|
|
bug reports: please use our issue tracker
|
|
https://systemausfall.org/trac/cryptobox/newticket
|
|
|
|
email:
|
|
cryptobox@systemausfall.org
|
|
|
|
The CryptoBox project is mainly driven by sense.lab (http://senselab.org).
|
|
|
|
|
|
7) Acknowledgements
|
|
Besides the core development team, these people helped a lot:
|
|
Clavdia Horvat, Tadej Brce & Dušan Rebolj - slovenian translation
|
|
rike - french translation
|
|
|
|
We also want to thank the numerous developers of the Free Software, the
|
|
CryptoBox depends on and that was used in development.
|
|
|
|
|
|
8) Licence
|
|
All scripts are GPL code (v2.0 or above).
|
|
The documentation is licenced under "Creative Commons 2.5 share-alike" (http://creativecommons.org/licenses/by-sa/2.5/).
|
|
|