The Crypto Bone

privacy and secure communication
under your control


Request for code review and support

The Crypto Bone software was first released in December 2014 under a BSD license. It may contain bugs and may have undetected security issues in its current version 2.0, released in May 2025.

So it is essential that the Crypto Bone software and design get serious code review from independent researchers. I hope you'll find the project promising and will spend some time scrutinizing the source code and publishing your comments on the project.

Over the past few months the project's design has changed. You can now run a local, software-based Crypto Bone on your main Linux machine without needing an external device. The storage of secrets on the main Linux machine has improved with the introduction of the cryptobone daemon process.

There are many different ways to use external devices to further secure the message key database. You can use a separate Linux computer, a Raspberry Pi 3 or any other hardware on which the CryptoBone software is installed as a separate device, so that your database is protected in an isolated environment. The software for the external device is an integral part of the main cryptobone RPM package, which is the same on all the different hardware platforms.

The external device also has its own daemon process (cryptoboneexternd) that protects access to the encrypted database. In contrast to the normal cryptobone daemon on the main machine, this daemon waits for the arrival of the master key, which is sent from the main machine via the secure ssh tunnel. So the external Crypto Bone daemon gets its decryption key from outside, while the normal Crypto Bone daemon reads the decryption key during a small time frame from a protected part of the local file system, directly after the boot process starts. This separation of the decryption key (master key) from the encrypted database is the foundation of the additional security you can achieve by using an external device.
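The following is an added model of the key/database separation just described; it is not the Crypto Bone's own code. It shows why the sealed database is useless on its own: the external daemon (modelled on cryptoboneexternd) refuses lookups until a master key that actually opens the database arrives over the tunnel (here a plain message), and the local daemon (modelled on cryptobone) accepts the key file only inside a short window after start. The cipher is a stand-in for the AES the project takes from cryptlib (HMAC-SHA256 in counter mode plus an HMAC tag); the message formats, class names, database layout and five-second window are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Added illustrative model, not the project's code. The cipher is a stand-in for
# cryptlib's AES; message formats, names and the window length are assumptions.

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(masterkey: bytes, purpose: bytes) -> bytes:
    # Domain-separate the encryption key and the tag key from the one master key.
    return hmac.new(masterkey, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(masterkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt then authenticate the database blob under the master key."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(masterkey, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(masterkey, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(masterkey: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(masterkey, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("blob does not authenticate under this master key")
    stream = _keystream(_subkey(masterkey, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_database(masterkey: bytes, entries: dict) -> bytes:
    """Serialise 'peer:messagekeyhex' lines (assumed layout) and seal them."""
    text = "".join(f"{peer}:{key_hex}\n" for peer, key_hex in entries.items())
    return seal(masterkey, text.encode())


def _parse(plaintext: bytes) -> dict:
    return dict(line.split(":", 1) for line in plaintext.decode().splitlines() if line)


class ExternalDaemon:
    """Models cryptoboneexternd: holds only the sealed database and serves lookups
    only after a master key that opens it has arrived over the tunnel."""

    def __init__(self, sealed_db: bytes):
        self.sealed_db = sealed_db
        self._masterkey = None  # kept in memory only, never written to the device's disk

    def handle(self, message: bytes) -> bytes:
        if message.startswith(b"MASTERKEY "):
            key = message[len(b"MASTERKEY "):]
            try:
                unseal(key, self.sealed_db)  # reject a key that does not open the database
            except ValueError:
                return b"ERR master key rejected"
            self._masterkey = key
            return b"OK master key accepted"
        if message.startswith(b"GET "):
            if self._masterkey is None:
                return b"ERR no master key yet"
            peer = message[len(b"GET "):].decode()
            db = _parse(unseal(self._masterkey, self.sealed_db))
            return b"KEY " + db[peer].encode() if peer in db else b"ERR unknown peer"
        return b"ERR bad request"


class LocalDaemon:
    """Models the cryptobone daemon on the main machine: the master key is read from
    the protected key file only inside a short window after start."""

    def __init__(self, sealed_db: bytes, read_keyfile, window_seconds: float = 5.0,
                 clock=time.monotonic):
        self.sealed_db = sealed_db
        self._read_keyfile = read_keyfile  # stands in for the protected file-system read
        self._window = window_seconds
        self._clock = clock
        self._started = clock()
        self._masterkey = None

    def load_key(self) -> bool:
        if self._clock() - self._started > self._window:
            return False  # window closed: the key file is not consulted any more
        self._masterkey = self._read_keyfile()
        return True

    def lookup(self, peer: str):
        if self._masterkey is None:
            return None
        return _parse(unseal(self._masterkey, self.sealed_db)).get(peer)


if __name__ == "__main__":
    mk = os.urandom(32)  # constructed master key
    ext = ExternalDaemon(build_database(mk, {"alice": "00ff"}))  # constructed entry
    print(ext.handle(b"GET alice"), ext.handle(b"MASTERKEY " + mk), ext.handle(b"GET alice"))
```

The tag is verified before any decryption, so a wrong master key or a modified blob is rejected without leaking plaintext, and the external daemon never stores the key it receives. The injectable clock exists so the boot-window rule can be exercised deterministically.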

Recent Improvements

The Crypto Bone changed substantially during 2015 and 2016, as I tried to reduce the complexity of the system to a bare minimum. Eventually I got rid of the GnuPG binary that was formerly used to create OpenPGP messages.

This last improvement is the most notable, because the cryptographic core functions are now located in one single library, cryptlib-3.4.8, a masterpiece written and maintained by Peter Gutmann. All the peer review that went into scrutinizing cryptlib now benefits the Crypto Bone project. Because the Crypto Bone uses only a tiny fraction of cryptlib's functionality, the symmetric AES encryption and the high-level interface, it was possible to reduce the effective source code considerably.

I have added detailed comments to all core scripts of the software so that the processes in the background can be better understood and code review is easier in version 2.0.

Code Review

How can you help?

The most important help would be peer review of the Crypto Bone's core source code. Any comment on the code and the message protocol is valuable and will be considered when improving the Crypto Bone. If you wish to contribute, I'd like to hear from you; you can send me confidential messages through this link.

Support

But if you are not a crypto expert, there are a number of support options to help improve the Crypto Bone:

Thank you.