First look at Crypt

Since the release of Google’s Cauliflower Vest, one item on many Mac admins’ wishlists has been to get Cauliflower Vest’s capabilities without needing Google App Engine as the server backend. Crypt, a new open-source project being developed by Graham Gilbert, looks like a step in the right direction. See below the jump for details.

Like Cauliflower Vest, Crypt is designed to:

  • Allow individual recovery keys to be automatically generated and escrowed for each Mac
  • Force-enable FileVault 2 encryption on a Mac
  • Provide secure access to recovery keys

Crypt comes in two parts: Crypt, a client application that is installed on your Mac(s), and Crypt-Server, a Django web app that receives and stores the escrowed FileVault 2 recovery keys.

Prep work

Before starting with anything else, I set up an Ubuntu 12.04 LTS server to act as the Crypt-Server key escrow server. Crypt-Server should run on anything that supports Python and Django, but its setup instructions assume that the host OS is Ubuntu 12.04.x LTS.

Setting up the Crypt-Server software

Installing the foundation software

1. Log into the Ubuntu server using an account that has sudo privileges

2. Check to see if git is installed on the Ubuntu server by running the following command.

which git

3. If git is not installed, install it by running the following command:

sudo apt-get install git

4. Following the installation of git, install the Python setup tools by running the following command:

sudo apt-get install python-setuptools

5. After installing the Python setup tools, check to see if virtualenv is installed. virtualenv is a tool to create isolated Python environments and it’s used by Crypt-Server.

To check for virtualenv, run the following command:

virtualenv --version

6. If virtualenv is not installed, install it using the following command:

sudo easy_install virtualenv

7. Once installed, verify that virtualenv is now installed by running the following command:

virtualenv --version

Creating a non-admin service account and group for Crypt-Server

8. Create the Crypt cryptuser service account by running the following command:

sudo useradd cryptuser

9. Create the Crypt cryptgroup group by running the following command:

sudo groupadd cryptgroup

10. Add the cryptuser service account to the cryptgroup group by running the following command:

sudo usermod -g cryptgroup cryptuser

11. Verify that the cryptuser service account is now a member of the cryptgroup group by running the following command:

id cryptuser

The gid and groups values should both report cryptgroup.

Create the Python virtual environment

Next, we’ll be using virtualenv to create a Python virtual environment for Crypt-Server. This will allow the Django software to be installed in a contained environment that won’t interfere with the system Python installation’s packages.

12. Change directories to /usr/local, as that’s where we’ll be installing the virtual environment, by running the following command:

cd /usr/local

13. Create the Python virtual environment for Crypt-Server by running the following command:

sudo virtualenv crypt_env

14. Give the cryptuser service account read and write access to the crypt_env virtual environment by running the following command:

sudo chown -R cryptuser crypt_env

15. Verify that the cryptuser service account is set as the owner of the crypt_env directory by running the following command:

ls -al

At this point, because we’ll be switching into the cryptuser service account and running it with a bash shell, it’s a good idea to use sudo to drop into a root shell first. That will simplify the various account and shell switching we’ll need to do because the root user has total access to the system.

16. To switch to a root shell, run the following command:

sudo -s

17. Switch to the cryptuser service account by running the following command:

su cryptuser

18. The virtualenv activate script expects a bash-compatible shell, and useradd gave the cryptuser account /bin/sh as its login shell, so switch to a bash shell by running the following command:

bash

19. Change directories to the crypt_env directory by running the following command:

cd crypt_env

20. Activate the virtual environment by running the following command:

source bin/activate

21. Install Django in the virtual environment by running the following command:

pip install django

22. Install South in the virtual environment by running the following command:

pip install south

23. Install the Django Bootstrap Toolkit in the virtual environment by running the following command:

pip install django-bootstrap_toolkit

Installing Crypt-Server from GitHub and configuring it

At this point, all the software that Crypt-Server runs on has been installed, so it’s time to install the actual Crypt-Server software and configure it.

24. While still inside the crypt_env virtual environment, use git to clone the current version of Crypt-Server by running the following command:

git clone https://github.com/grahamgilbert/Crypt-Server.git crypt

25. Change directories to the fvserver directory inside of the newly-cloned crypt directory by running the following command:

cd crypt/fvserver

26. Copy the example_settings.py sample configuration file to a new settings.py file by running the following command:

cp example_settings.py settings.py

The settings.py file is used by Crypt-Server to store its config settings.

27. Open settings.py for editing by using the following command:

nano settings.py

While in settings.py, edit the following settings:

Set ADMINS to an administrative name and email

Set TIME_ZONE to the appropriate timezone

[Screenshots of the edited ADMINS and TIME_ZONE settings omitted]

Initializing the Django database and creating an admin user

28. Change directories to the crypt directory by running the following command:

cd /usr/local/crypt_env/crypt

29. Initialize the Django database by running the following command:

python manage.py syncdb

When prompted, create an admin user. This Django superuser can read every recovery key escrowed to the server, so give it a strong, unique password.

I used cryptuser for mine.

Once syncdb has finished, apply the South database migrations by running the following command:

python manage.py migrate

30. Stage the static files by running the following command:

python manage.py collectstatic

When prompted about overwriting existing files, type yes.

31. Exit out of the virtual environment. To do this, type exit at the prompts until you’re back at the root@servername prompt.
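
Before handing the checkout over to Apache, it is worth checking what the files you just created look like to other local accounts on the server. settings.py holds Django’s SECRET_KEY, and nothing in the walkthrough installs a database server or driver, so Django is using its SQLite backend and the escrowed recovery keys sit in a database file inside the checkout. Files created under the default umask are readable by every user on the box. The script below is an added example, not part of Crypt-Server, that lists any settings.py or database file under the checkout that group members or other users can read. The directory path is the one used in this walkthrough; the *.db and *.sqlite* name patterns are an assumption about what the database file is called, since the real name comes from settings.py.

```shell
#!/bin/sh
# Added example (not part of Crypt-Server): list settings.py and database files
# under the Crypt-Server checkout that other local users can read.
# CRYPT_DIR matches the walkthrough; the *.db / *.sqlite* globs are an
# assumption about the SQLite file name configured in settings.py.

CRYPT_DIR="${CRYPT_DIR:-/usr/local/crypt_env/crypt}"

# Returns 0 if the group or "other" read bit is set on the given file.
# The mode string from ls -ld is parsed so the check works on Linux and macOS:
# position 5 is group-read, position 8 is other-read.
readable_by_others() {
    p="$1"
    [ -e "$p" ] || return 1
    set -- $(ls -ld "$p")
    case "$1" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Print every settings.py / *.db / *.sqlite* file below $1 that is readable
# by someone other than its owner. Prints nothing when everything is locked down.
find_exposed_files() {
    find "$1" -type f \( -name settings.py -o -name '*.db' -o -name '*.sqlite*' \) -print |
    while IFS= read -r f; do
        if readable_by_others "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Report on the real checkout when it exists (skipped on machines without it).
if [ -d "$CRYPT_DIR" ]; then
    exposed=$(find_exposed_files "$CRYPT_DIR")
    if [ -n "$exposed" ]; then
        echo "Readable by other local users (tighten with chmod 600 as cryptuser):"
        echo "$exposed"
    else
        echo "No exposed settings or database files under $CRYPT_DIR"
    fi
fi
```

Run it as root or as cryptuser on the server. Anything it lists should be tightened with chmod 600 (or 640 with group cryptgroup) as cryptuser; Apache’s mod_wsgi daemon process runs as cryptuser, so it keeps the access it needs.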

Web Server setup

To run Crypt-Server in a production environment, a web server needs to be set up and configured. The Crypt-Server instructions use Apache, so we’ll use that. The Apache libapache2-mod-wsgi module needs to be installed so that Apache can hand requests to the Django app; on Ubuntu, installing it also pulls in the Apache packages it depends on if they aren’t already present.

32. Install libapache2-mod-wsgi by running the following command:

apt-get install libapache2-mod-wsgi

Creating an Apache virtualhost

The term “Virtual Host” refers to the practice of running more than one web site on a single machine. Since Crypt-Server may not be running on a dedicated server, it’s a good idea to set up an Apache virtualhost for Crypt-Server.

To set up a new virtualhost for Crypt-Server on Ubuntu, make a new file called crypt.conf at /etc/apache2/sites-available. You can do this by running the following command:

nano /etc/apache2/sites-available/crypt.conf

Here’s an example virtualhost that accepts connections from any IP on port 80. Note that this is plain HTTP: the recovery keys the Crypt client posts to this server, and the admin logins to its web interface, cross the network unencrypted, so for anything beyond a test setup put it behind HTTPS.


<VirtualHost *:80>
    ServerName crypt.yourdomain.com
    # Hand every request to the Django app through mod_wsgi
    WSGIScriptAlias / /usr/local/crypt_env/crypt/crypt.wsgi
    # Run the app in its own daemon process as the unprivileged service account
    WSGIDaemonProcess crypt user=cryptuser group=cryptgroup
    # Serve the files staged by collectstatic directly from Apache
    Alias /static/ /usr/local/crypt_env/crypt/static/
    <Directory /usr/local/crypt_env/crypt>
        WSGIProcessGroup crypt
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
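
That vhost exposes the Django app over plain HTTP, so every recovery key a Crypt client posts to ServerURL travels in the clear. As an added example, not from the Crypt-Server project, the script below writes the HTTPS-only version of the same vhost (port 80 only redirects to 443) and checks the result before enabling it. The WSGI directives and paths are the ones above; crypt.yourdomain.com and the certificate and key paths are placeholders you must replace, and mod_ssl is assumed to be available (it ships with Ubuntu’s Apache packages and a2enmod ssl turns it on). The Macs need to trust the certificate you use, and ServerURL on the clients then has to be the matching https:// address.

```shell
#!/bin/sh
# Added example (not from the Crypt-Server project): generate an Apache 2.2
# virtualhost that serves Crypt-Server over HTTPS only, and check that the
# WSGI app is never reachable on port 80. Certificate and key paths, and the
# server name, are placeholders.
set -eu

# Write a redirect-only :80 vhost plus the real :443 vhost to $1.
write_crypt_tls_vhost() {
    out="$1"; server_name="$2"; cert="$3"; key="$4"
    cat > "$out" <<EOF
# Port 80 only redirects, so no client can post a recovery key in the clear
<VirtualHost *:80>
    ServerName ${server_name}
    Redirect permanent / https://${server_name}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${server_name}
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    SSLProtocol all -SSLv2 -SSLv3

    WSGIScriptAlias / /usr/local/crypt_env/crypt/crypt.wsgi
    WSGIDaemonProcess crypt user=cryptuser group=cryptgroup
    Alias /static/ /usr/local/crypt_env/crypt/static/
    <Directory /usr/local/crypt_env/crypt>
        WSGIProcessGroup crypt
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Return 0 only if the file enables SSL inside a :443 block and has no
# WSGIScriptAlias inside a :80 block (the plain-HTTP vhost above fails this).
vhost_is_tls_only() {
    awk '
        /<VirtualHost \*:80>/  { in80 = 1 }
        /<VirtualHost \*:443>/ { in443 = 1 }
        /<\/VirtualHost>/      { in80 = 0; in443 = 0 }
        in80  && /WSGIScriptAlias/ { bad = 1 }
        in443 && /SSLEngine +on/   { ssl = 1 }
        END { if (ssl && !bad) exit 0; exit 1 }
    ' "$1"
}

# Run as root with the argument "install" to deploy. With no argument the
# script only defines the functions above, so the check can be reused.
if [ "${1:-}" = "install" ]; then
    conf=/etc/apache2/sites-available/crypt.conf
    write_crypt_tls_vhost "$conf" crypt.yourdomain.com \
        /etc/ssl/certs/crypt.pem /etc/ssl/private/crypt.key   # placeholders
    vhost_is_tls_only "$conf"
    a2enmod ssl
    a2ensite crypt.conf
    service apache2 restart   # a full restart, since mod_ssl was just enabled
fi
```

Save it as, say, crypt_tls_vhost.sh and run `sh crypt_tls_vhost.sh install` from the root shell. It restarts Apache rather than reloading it because a2enmod ssl loads a new module. Run with no arguments, the script only defines the two functions, which lets you point vhost_is_tls_only at an existing crypt.conf.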

Final stretch

Once the virtualhost file has been created, the last part is configuring a .wsgi file to get our Django-powered Crypt-Server site running under Apache.

33. Switch back to the cryptuser service account by running the following command:

su cryptuser

34. Switch to a bash shell by running the following command:

bash

35. Run the following command to create a new crypt.wsgi file inside /usr/local/crypt_env/crypt/:

nano /usr/local/crypt_env/crypt/crypt.wsgi

The crypt.wsgi file should have the following contents:


import os, sys
import site

CRYPT_ENV_DIR = '/usr/local/crypt_env'

# Use site to load the site-packages directory of our virtualenv
site.addsitedir(os.path.join(CRYPT_ENV_DIR, 'lib/python2.7/site-packages'))

# Make sure we have the virtualenv and the Django app itself added to our path
sys.path.append(CRYPT_ENV_DIR)
sys.path.append(os.path.join(CRYPT_ENV_DIR, 'crypt'))
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "fvserver.settings")
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

36. Enable the crypt.conf virtualhost configuration by running the following command:

a2ensite crypt.conf

37. Have Apache re-read its configuration, which picks up the newly enabled site, by running the following command:

service apache2 reload

38. Verify that you can access the Crypt server website by going to your server’s DNS address in a web browser.

Setting up the Crypt client

Once the server end is set up, it’s time to set up the client end. The Crypt project folks have a pre-made Crypt_Client.pkg installer available at the following location:

https://github.com/grahamgilbert/Crypt/raw/master/Build/Crypt_Client.pkg

The Crypt client will need to be launched by some outside source. The Crypt project folks recommend using a loginhook for this. I used their pre-written loginhook script and it worked well for my test setup.

Encrypting the Mac using Crypt

To set up your Mac to be encrypted, you’ll need to install the Crypt installer package, set the location of your Crypt server (the URL the client posts each Mac’s recovery key to, so on real machines it should be an https:// address) and also set up your loginhook.

To set the location of the Crypt server for the Crypt client, I ran the following command:


sudo defaults write /Library/Preferences/FVServer ServerURL "http://crypt.domain.com"

Once the server location was set, I stored my loginhook script in /Library/Scripts and named it filevault.sh.

Next, I ran the following command to set my loginhook:


sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/filevault.sh
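
Both of those settings are root-level controls worth checking before the reboot: the loginhook runs as root at every login, so the script it points at must be owned by root and not writable by any other account, and ServerURL is where the client sends the recovery key, so it should be an https:// address (the plain http:// URL above is fine for a test VM, not for real machines). The following is an added example, not part of the Crypt client, that verifies both on a Mac. The preference domain, key and script path are the ones used above, and fdesetup requires OS X 10.8 or later. Run it with sudo, since the LoginHook value written with sudo lives in root’s com.apple.loginwindow domain.

```shell
#!/bin/sh
# Added example (not part of the Crypt client): sanity-check a Mac's Crypt
# client configuration before rebooting. Run with sudo.
# The preference domain, key name and loginhook script path match the walkthrough.

HOOK_SCRIPT="${HOOK_SCRIPT:-/Library/Scripts/filevault.sh}"

# The client posts the recovery key to ServerURL; anything other than https
# sends the key across the network in the clear.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# A loginhook runs as root at every login. If the script is writable by a
# group or by everyone, any local user can turn it into a root shell.
# ls -ld is parsed so the same check works on macOS and Linux:
# position 6 of the mode string is group-write, position 9 is other-write,
# and the third field is the owner.
hook_script_is_safe() {
    p="$1"
    [ -f "$p" ] || return 1
    set -- $(ls -ld "$p")
    perms="$1"; owner="$3"
    [ "$owner" = root ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# The live checks only make sense on a Mac; elsewhere the functions are
# simply defined for reuse.
if [ "$(uname)" = Darwin ]; then
    status=0
    url=$(defaults read /Library/Preferences/FVServer ServerURL 2>/dev/null)
    hook=$(defaults read com.apple.loginwindow LoginHook 2>/dev/null)
    if url_is_https "$url"; then
        echo "ok: ServerURL is $url"
    else
        echo "WARN: ServerURL '$url' is not an https:// address"; status=1
    fi
    if [ "$hook" = "$HOOK_SCRIPT" ]; then
        echo "ok: LoginHook is $hook"
    else
        echo "WARN: LoginHook is '$hook', expected $HOOK_SCRIPT"; status=1
    fi
    if hook_script_is_safe "$HOOK_SCRIPT"; then
        echo "ok: $HOOK_SCRIPT is root-owned and not group/world writable"
    else
        echo "WARN: $HOOK_SCRIPT is missing, not owned by root, or writable by others"; status=1
    fi
    # Current FileVault 2 state as reported by the OS (10.8 and later)
    fdesetup status
    exit $status
fi
```

A non-zero exit means at least one WARN line was printed. The ownership and mode check is the important one: a loginhook that any user can edit hands that user root at the next login, regardless of what Crypt itself does.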

Last, but not least, I installed the Crypt client software in my test VM.

Once the software was installed, I restarted my VM and then logged in with my rtrouton account at the login screen. This triggered the loginhook to run /Library/Scripts/filevault.sh.

The script detected that my Mac was not encrypted, so the Crypt warning came up and I was then prompted to authenticate.

After authenticating, Crypt initialized FileVault 2 encryption on my Mac and automatically restarted it.

On restart, my rtrouton account was enabled and showed up at the FileVault 2 pre-boot login screen.

I logged in at the pre-boot login screen with my account credentials and the boot process continued.

Once my desktop came up, I checked the FileVault preference pane and saw that encryption was proceeding normally.

Getting my recovery key

Since encryption is only half of what I want to accomplish here, I went next to my Crypt website to get my Mac’s recovery key.

After authenticating with the cryptuser account’s username and password, I was given access to a listing for my encrypted Mac with the recovery key displayed.

Wrap up

Overall, I’m happy with what I’m seeing so far with Crypt. It’s not ready for production as it stands, but it works as advertised and I was able to get it running by following the directions on the wiki. As a work in progress, the project itself shows a lot of promise.

  1. Clayton
    January 1, 2013 at 10:03 am | #1

    Great post!! Really hoping I don’t have to deal with FileVault on a mass scale at my office.

  2. January 2, 2013 at 1:26 am | #2

    Great writeup Rich.

  3. Tom
    January 31, 2013 at 11:24 pm | #3

    Thanks for putting this together Rich! One question about the loginhook. Do you think it would be better to do a launchd item or something in the Launch Agents folder instead of changing the loginhook? I’ve heard as of 10.7, and therefore 10.8, that the loginhook can get overwritten by different applications which would remove the check at startup. Any thoughts? Thanks for any additional advice you can provide!

    • May 2, 2013 at 11:08 am | #4

      You could do this with a Launch Daemon, but Launch Agents run as the user – this needs to run as root. If you use something like Puppet to manage the loginhook, it getting overwritten isn’t an issue.
