First look at Crypt

Since the release of Google’s Cauliflower Vest, one of the wishlist items that a number of Mac admins have wanted is to use Cauliflower Vest’s capabilities without needing to use Google App Engine as the server backend. Crypt, a new open-source project being developed by Graham Gilbert, looks like a step in the right direction. See below the jump for details.

Like Cauliflower Vest, Crypt is designed to:

• Allow individual recovery keys to be automatically generated and escrowed for each Mac
• Force-enable FileVault 2 encryption on a Mac
• Provide secure access to recovery keys

Crypt comes in two parts. Crypt is a client application that would be installed on your Mac(s). Crypt-Server is a Django web app that receives and stores the escrowed FileVault 2 recovery keys.

Prep work

Before starting with anything else, I set up an Ubuntu 12.0.4 LTS server to act as the Crypt-Server key escrow server. Crypt should be able to run on anything that supports Python and Django, but the Crypt-Server setup instructions assume that the host OS is Ubuntu 12.0.x LTS.

Setting up the Crypt-Server software

Installing the foundation software

1. Log into the Ubuntu server using an account that has sudo privileges

2. Check to see if git is installed on the Ubuntu server by running the following command.

which git

3. If git is not installed, install it by running the following command:

sudo apt-get install git

4. Following the installation of git, install the Python setup tools

sudo apt-get install python-setuptools

5. After installing the Python setup tools, check to see if virtualenv is installed. virtualenv is a tool to create isolated Python environments and it’s used by Crypt-Server.

To check for virtualenv, run the following command:

virtualenv –version

6. If virtualenv is not installed, install it using the following command:

sudo easy_install virtualenv

  

7. Once installed, verify that virtualenv is now installed by running the following command:

virtualenv –version

Creating a non-admin service account and group for Crypt-Server

8. Create the Crypt cryptuser service account by running the following command:

sudo useradd cryptuser

9. Create the Crypt cryptgroup group by running the following command:

sudo groupadd cryptgroup

10. Add the cryptuser service account to the cryptgroup group by running the following command:

sudo usermod -g cryptgroup cryptuser

11. Verify that the cryptuser service account is now a member of the cryptgroup group by running the following command:

id cryptuser

The gid and groups values should both report cryptgroup.

Create the Python virtual environment

Next, we’ll be using virtualenv to create a Python virtual environment for Crypt-Server. This will allow the Django software to be installed in a contained environment that won’t interfere with the system Python installation’s packages.

12. Change directories to /usr/local, as that’s where we’ll be installing the virtual environment, by running the following command:

cd /usr/local

13. Create the Python virtual environment for Crypt-Server by running the following command:

sudo virtualenv crypt_env

14. Give the cryptuser service account read and write access to the crypt_env virtual environment by running the following command:

sudo chown -R cryptuser crypt_env

15. Verify that the cryptuser service account is set as the owner of the crypt_env directory by running the following command:

ls -al

At this point, because we’ll be switching into the cryptuser service account and running it with a bash shell, it’s a good idea to use sudo to drop into a root shell first. That will simplify the various account and shell switching we’ll need to do because the root user has total access to the system.

16. To switch to a root shell, run the following command:

sudo -s

17. Switch to the cryptuser service account by running the following command:

su cryptuser

18. The virtualenv tool is expecting to be run from bash, so switch to a bash shell by running the following command:

bash

19. Change directories to the crypt_env directory by running the following command:

cd crypt_env

20. Activate the virtual environment by running the following command:

source bin/activate

21. Install Django in the virtual environment by running the following command:

pip install django

22. Install South in the virtual environment by running the following command:

pip install south

23. Install the Django Bootstrap Toolkit in the virtual environment by running the following command:

pip install django-bootstrap_toolkit

Installing Crypt-Server from Github and configuring it

At this point, all the software that Crypt-Server runs on has been installed, so it’s time to install the actual Crypt-Server software and configure it.

24. While still inside the crypt_env virtual environment, use git to clone the current version of Crypt-Server by running the following command:

git clone https://github.com/grahamgilbert/Crypt-Server.git crypt

25. Change directories to the fvserver directory inside of the newly-cloned crypt directory by running the following command:

cd crypt/fvserver

26. Copy the example_settings.py sample configuration file to a new settings.py file by running the following command:

cp example_settings.py settings.py

The settings.py file is used by Crypt-Server to store its config settings.

27. Open settings.py for editing by using the following command:

nano settings.py

While in settings.py, edit the following settings:

Set ADMINS to an administrative name and email

Set TIME_ZONE to the appropriate timezone

See the screenshots below for how I edited mine.

Initializing the Django database and creating an admin user

28. Change directories to the crypt directory by running the following command:

cd /usr/local/crypt_env/crypt

29. Initialize the the Django database by running the following command:

python manage.py syncdb

When prompted, create an admin user.

I used cryptuser for mine.

29. Migrate the database by running the following command:

python manage.py migrate

30. Stage the static files by running the following command:

python manage.py collectstatic

When prompted about overwriting existing files, type yes.

31. Exit out of the virtual environment. To do this, type exit at the prompts until you’re back at the root@servername prompt.

Web Server setup

To run Crypt in a production environment, a webserver needs to be setup and configured. Ubuntu uses Apache, so we’ll be using that. The Apache libapache2-mod-wsgi module will need to be installed in order to allow Django to communicate correctly with Apache.

32. Install libapache2-mod-wsgi by running the following command:

apt-get install libapache2-mod-wsgi

Creating an Apache virtualhost

The term “Virtual Host” refers to the practice of running more than one web site on a single machine. Since Crypt-Server may not be running on a dedicated server, it’s a good idea to set up an Apache virtualhost for Crypt-Server.

To set up a new virtualhost for Crypt-Server on Ubuntu, make a new file called crypt.conf at /etc/apache2/sites-available. You can do this by running the following command:

nano /etc/apache2/sites-available/crypt.conf

Here’s an example virtualhost that accepts connections from any IP on port 80:

<VirtualHost *:80>
ServerName crypt.yourdomain.com
WSGIScriptAlias / /usr/local/crypt_env/crypt/crypt.wsgi
WSGIDaemonProcess crypt user=cryptuser group=cryptgroup
Alias /static/ /usr/local/crypt_env/crypt/static/
<Directory /usr/local/crypt_env/crypt>
       WSGIProcessGroup crypt
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
</Directory>
</VirtualHost>

Final stretch

Once the virtualhost file has been created, the last part will be configuring a .wsgi file to to get our Django-powered Crypt-Server site running under Apache.

33. Switch back to the cryptuser service account by running the following command:

su cryptuser

34. Switch to a bash shell by running the following command:

bash

35. Running the following command to create a new crypt.wsgi file inside /usr/local/crypt_env/crypt/:

nano /usr/local/crypt_env/crypt/crypt.wsgi

The crypt.wsgi file should have the following contents:

import os, sys
import site

CRYPT_ENV_DIR = '/usr/local/crypt_env'

# Use site to load the site-packages directory of our virtualenv
site.addsitedir(os.path.join(CRYPT_ENV_DIR, 'lib/python2.7/site-packages'))

# Make sure we have the virtualenv and the Django app itself added to our path
sys.path.append(CRYPT_ENV_DIR)
sys.path.append(os.path.join(CRYPT_ENV_DIR, 'crypt'))
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "fvserver.settings")
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

36. Enable the crypt.conf virtualhost configuration by running the following command:

a2ensite crypt.conf

37. Restart Apache and have it re-read its configuration settings by running the following command:

service apache2 reload

38. Verify that you can access the Crypt server website by going to your server’s DNS address in a web browser.

Setting up the Crypt client

Once the server end is set up, it’s time to set up the client end. The Crypt project folks have a pre-made Crypt_Client.pkg installer available at the following location:

https://github.com/grahamgilbert/Crypt/raw/master/Build/Crypt_Client.pkg

The Crypt client will need to be launched by some outside source. The Crypt project folks recommend using a loginhook for this. I used their pre-written loginhook script and it worked well for my test setup.

Encrypting the Mac using Crypt

To set up your Mac to be encrypted, you’ll need to install the Crypt installer package, set the location of your Crypt server and also set up your loginhook.

To set the location of the Crypt server for the Crypt client, I ran the following command:


sudo defaults write /Library/Preferences/FVServer ServerURL "http://crypt.domain.com"


Once the server location was set, I stored my loginhook script in /Library/Scripts and named it filevault.sh.

Next, I ran the following command to set my loginhook:


sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/filevault.sh


Last, but not least, I installed the Crypt client software in my test VM.

Once the software was installed, I restarted my VM and then logged in with my rtrouton account at the login screen. This triggered the loginhook to run /Library/Scripts/filevault.sh.

The script detected that my Mac was not encrypted, so the Crypt warning came up and I was then prompted to authenticate

After authenticating, Crypt initialized FileVault 2 encryption on my Mac and automatically restarted it.

On restart, my rtrouton account was enabled and showed up at the FileVault 2 pre-boot login screen

I logged in at the pre-boot login screen with my account credentials and the boot process continued.

Once my desktop came up, I checked the FileVault preference pane and saw that encryption was proceeding normally.

Getting my recovery key

Since encryption is only half of what I want to accomplish here, I went next to my Crypt website to get my Mac’s recovery key.

After authenticating with the cryptuser account’s username and password, I was given access to a listing for my encrypted Mac with the recovery key displayed.

Wrap up

Overall, I’m happy with what I’m seeing so far with Crypt. It’s not ready for production as it stands, but it works as advertised and I was able to get it running by following the directions on the wiki. As a work in progress, the project itself shows a lot of promise.