The Crypto Bone

privacy and secure communication
under your control


Crypto Bone Software Installation

Crypto Bone ALL-IN-ONE

Before you install the external Crypto Bone image file on your SD card or prepare a second Linux computer, please make sure that you have a working "cryptobone" GUI program on your main Linux computer. All you need to do is install the ALL-IN-ONE software package on your local Linux computer. See the download page for full information about the available packages.

On Fedora and other RPM-based Linux distributions you can download the 64-bit RPM package and install it by typing (as root):

[root@laptop]# dnf install cryptobone-1.1.x86_64.rpm

If you use Ubuntu or a Debian-like Linux distribution you can download the DEB package and install it by typing (as root):

[root@laptop]# dpkg --install cryptobone_1.0_amd64.deb
[root@laptop]# apt-get -f install

The second command is necessary only if not all dependencies are installed yet; it fetches and installs the missing ones.

The RPM or DEB package will pull in the python tkinter and ssh-askpass packages that are needed to run the cryptobone GUI program. When you run the GUI for the first time after installation, you are asked for the login name of the user who should be allowed to use the Crypto Bone, because this user must be able to contact the cryptobone daemon as root. While using the GUI you'll be asked for your login password from time to time, because the GUI accesses the cryptobone daemon as root via the sudo mechanism.

If you don't want to use an external device, that's all you need to install. Type "cryptobone" in a terminal window and enter your login password on request. Now you're ready for secure communications.

Installation of an External Device

At the moment there are three options to use an external device. All three options require slightly different setup steps before you can use the external device within your GUI program.

We describe the setup procedure for each option in the following sections.

The second, dedicated Linux Computer

The most convenient option is to use a second Linux computer as the external device. All you need to install is the main RPM software package (cryptobone-1.1.x86_64.rpm), which has been developed and tested on a Fedora OS.

You can install this RPM package by typing (as root):

[root@laptop]# dnf install cryptobone-1.1.x86_64.rpm

The external Crypto Bone software is not enabled after installation, because it should only be run on a dedicated, second Linux machine. To activate the external software part you can run the command "external-cryptobone-admin", a GUI that assists you in setting up the second machine. But be aware that activating the external software can isolate the separate Linux computer, so that it will no longer be usable for internet browsing due to its restrictive firewall settings. But after all, this is not what you want to use it for, is it?

Don't activate the external software part on your main computer, as the ALL-IN-ONE Crypto Bone daemon is active there already.

Once you have enabled the external Crypto Bone on your second Linux computer, three secrets will be created and the computer will try to write these three secrets to a USB drive. So make sure that a USB drive with a prepared file system labeled "BOOT" is present in the machine.

You can prepare a USB stick with the following command (as root); replace <device file> with the device file of your USB memory drive:

[root@laptop]# mkfs -t ext4 -L BOOT <device file>

Please make sure that you know which device file to use, so that you don't kill a hard drive partition accidentally.

After the secrets have been written to the USB memory stick, put the USB stick into your main Linux computer and proceed with the transfer of these keys to your main computer as described below. Make sure that the USB stick is either locked away safely (as a backup) or re-inserted in the second Linux machine where the secrets will be erased during the next boot.

The Beagle Bone

If you wish to prepare a fresh SD card with the latest Crypto Bone image for use with the Beagle Bone you may have downloaded this large image file (cbb-latest.img.xz, 299774652 bytes) already. Please make sure that you have a Beagle Bone before you download this large file.

After you have verified the sha256 fingerprint of the compressed image file, you are ready to write the image to an SD card. Please note that your SD card may already contain partitions, which show up when you insert the SD card into your computer's card reader. The compressed image file "cbb-latest.img.xz" will overwrite the whole content of your existing SD card and will create a new bootable Master Boot Record (MBR) and a partition table with three partitions.

First, you need to find out the name of your device file, because you have to be absolutely sure that you'll write the image to the correct device, in order not to destroy anything on your computer. If I insert an SD card into my laptop, it shows up as /dev/mmcblk0p1; this is the first partition on my SD card. So it's crucial that I use /dev/mmcblk0, the whole disk, as the device to write the image to, and not the partition device.

Chances are your SD card shows up as /dev/sdb1, in which case /dev/sdb would be the correct device for writing the image. Double-check the device name you'll need to use before you proceed.

To write the uncompressed image file to the SD card, use the following command (and replace /dev/mmcblk0 with your device name):

xzcat cbb-latest.img.xz > /dev/mmcblk0

This process will take some minutes to complete. Now your SD card is ready for the first boot.

First Boot of the Beagle Bone or Raspberry Pi 3

On first boot, the Crypto Bone will generate three secrets: the "masterkey", a "local.key" and a Secure Shell private key "cbb". After a while the Beagle Bone will shut down automatically, so be patient until the lights go out.

All three secrets will be written into the first partition on the SD card, which is labeled "BOOT", so you can eject the SD card from your Beagle Bone after the first boot and copy these three secrets to your main Linux computer with the help of the GUI program. You may have noticed the button "Setup EXTERNAL Keys" in the setup section of the "cryptobone" GUI. Press this button to automatically copy the new keys from the SD card to the local computer's hard disk for use by the cryptobone daemon process.

Please be aware that when you insert the SD card into the Beagle Bone again, the three secrets will be wiped from the SD card, because under no circumstances should these secrets remain permanently in the Crypto Bone's file system. They are written to the first partition only to give you the chance to copy them to your main Linux computer and so separate them from the external Crypto Bone.

It's essential to know that these secrets must be stored separately from the Crypto Bone, to ensure that the internal database cannot be used if the external Crypto Bone is stolen.

So please make sure you have copied these secrets to the local Linux computer before you insert the SD card into the Beagle Bone or Raspberry Pi 3 for a second time.

The Raspberry Pi 3

If you wish to prepare a fresh SD card with the latest Crypto Pi image for use with the Raspberry Pi 3 you may have downloaded this large image file (cpi-latest.img.xz, 304331936 bytes) already. Please make sure that you have a Raspberry Pi 3 (arm7) before you download this large file.

After you have verified the sha256 fingerprint of the compressed image file, you are ready to write the image to an SD card.

Please make sure you know the name of your device file exactly, as described in the section for the Beagle Bone above. Double-check your device name before you proceed with writing the compressed image file as described in this section:

xzcat cpi-latest.img.xz > /dev/mmcblk0
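Both image-writing procedures above (Beagle Bone and Raspberry Pi 3) hinge on the same checks: the download is intact and the target is a whole removable disk, not a partition. The following script is an added example, not part of the Crypto Bone project; it assumes GNU coreutils, util-linux (lsblk) and xz, and the sha256 fingerprint and size are placeholders you take from the download page.

```shell
#!/bin/sh
# Added example (not Crypto Bone project code): safety checks before writing a
# Crypto Bone image to an SD card. Assumes GNU coreutils, util-linux and xz.

# The image carries its own MBR and partition table, so it must go to the whole
# disk (/dev/mmcblk0, /dev/sdb), never to a partition (/dev/mmcblk0p1, /dev/sdb1).
is_whole_disk() {
    case "$1" in
        /dev/mmcblk[0-9]) return 0 ;;
        /dev/sd[a-z])     return 0 ;;
        *)                return 1 ;;
    esac
}

# Compare the downloaded file's size with the size stated on the download page
# (cbb-latest.img.xz: 299774652 bytes, cpi-latest.img.xz: 304331936 bytes).
size_matches() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ]
}

# Verify the sha256 fingerprint against a value passed in explicitly, rather
# than trusting a checksum file that was downloaded alongside the image.
fingerprint_matches() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Only write to removable media; lsblk reports RM=1 for SD cards and USB sticks.
is_removable() {
    [ "$(lsblk -dno RM "$1" 2>/dev/null)" = "1" ]
}

# usage: write_image IMAGE SIZE SHA256 DEVICE   (run as root)
write_image() {
    img=$1; size=$2; sum=$3; dev=$4
    is_whole_disk "$dev"        || { echo "$dev is a partition, not a disk" >&2; return 1; }
    is_removable "$dev"         || { echo "$dev is not removable media" >&2; return 1; }
    size_matches "$img" "$size" || { echo "$img has an unexpected size" >&2; return 1; }
    fingerprint_matches "$img" "$sum" || { echo "sha256 mismatch for $img" >&2; return 1; }
    xzcat "$img" > "$dev" && sync
}

# Example invocation with a placeholder fingerprint (replace with the published one):
# write_image cbb-latest.img.xz 299774652 <sha256-from-download-page> /dev/mmcblk0
```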

Booting your Raspberry Pi for the first time will result in the same procedure as described above for the Beagle Bone.

Transferring the Keys to Your Main Linux Computer

You may have noticed that on the first boot, after the lights go dark, the Beagle Bone or Raspberry Pi begins to flash several times, indicating that the three secrets have been generated and the microcomputer is ready to shut down. Wait two minutes and then power off the device. Eject the SD card.

Now you can insert the SD card into your local Linux computer. Once the "cryptobone" GUI has recognized the BOOT partition on the SD card, hitting the button "Setup EXTERNAL Keys" will transfer the keys from the SD card to your Linux computer's hard disk. More precisely, it will transfer the keys into your encrypted database, where they remain until they are written into an encrypted file system by the cryptobone daemon process during the next boot. So you have to reboot your main Linux computer to make the new keys available to the cryptobone daemon. Please note that the encrypted file system is only accessible to the daemon process for a brief moment at boot time; afterwards the keys are only present in memory.

The Crypto Bone's IP address will automatically be written into a local configuration file "cbb.config" when the GUI program is used. Later the cryptobone GUI can use this stored information for the day-to-day work with your Crypto Bone. Because your router allocates a suitable IP address for your external Crypto Bone, a network scan is necessary to find out which IP address has been assigned to your external device. Please ensure that the router will provide the same IP address to your external device every time in the future.

Using the "cryptobone" GUI Program

Now it's time to contact your running Crypto Bone from the cryptobone GUI program.

To switch from using the ALL-IN-ONE Crypto Bone to your external Crypto Bone you have to push the button "Use EXTERNAL Bone" in the left corner of the setup section once.

Have you noticed that the Crypto Bone's boot process starts with all lights on? At the moment the lights go dark, the Crypto Bone has activated its internal firewall. After that it flashes twice at intervals to indicate that it is waiting for the masterkey. The Crypto Pi flashes three times to indicate that it's waiting for the masterkey.

The masterkey will automatically be uploaded to the Crypto Bone once you use it, and the IP address will appear in the status line above. The external Crypto Bone will then start to flash all LEDs in a row.

When you switch to the external Crypto Bone for the first time, a long process will run in the background, because at that time the Crypto Bone's IP address is not known to the GUI program. So a network scan is started that will find out the IP address and store it in the configuration file for further use by the GUI.

Setup

Before you can send messages out to a correspondent, you need to tell the Crypto Bone how it will download your email messages from the email account you are using. You will need an email account for the purpose of collecting the encrypted messages that your correspondents send to you.

Fortunately you only have to tell the Crypto Bone once how this email account can be accessed to read incoming emails. You can specify the necessary information in the "SETUP" menu of the cryptobone GUI.

There are three pieces of information you'll need to complete the incoming email server setup: the server name where your email account is hosted, the user name, which is your email address, and the password for the email account. Enter this information into the form behind the button "Update Mailserver Setup". You can overwrite these settings whenever you decide to use a different email account for incoming messages.

Now your Crypto Bone can fetch messages that arrive at your email account, and it can send messages out by using the mail server as the entry point into the internet. Note that all messages the Crypto Bone sends are encrypted; nothing leaves the Crypto Bone unprotected. The messages that arrive at your email address will all be downloaded to the Crypto Bone (encrypted or not), but only those that can be decrypted successfully will pop up as messages; all other emails will be ignored.

Registration of new contacts

The Crypto Bone helps you to maintain encryption keys, but it is your job to exchange an initial secret with the person you'd like to communicate with and to tell the Crypto Bone which email address is associated with which initial secret. You can register a new contact in the "KEYS" menu.

If you have given the initial key to your correspondent on a piece of paper, you can select the name NN1, NN2 or NN3 and simply enter the correspondent's mail address. The key will be linked to your correspondent's email address, and a new key for NN1, NN2 or NN3 will be generated. Check the button "Generate New Key" to see which keys you can give to other people.

If you got the initial key from your correspondent, you have to enter the key and your correspondent's email address here.

Please be aware that any initial secret belongs to one single email address only, so you cannot re-use an initial secret for a different email address. But you can generate new keys whenever you want, so you won't run out of new keys to give to other people. Be careful when you handle this key information.