diff --git a/README.md b/README.md
index be852c6..d46ce79 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # luksrku
-luksrku is a tool that allows you to remotely unlock LUKS disks during bootup
+luksrku is a tool that allows you to remotely unlock LUKS disks during boot up
 from within your initrd. The intention is to have full-disk-encryption with LUKS-rootfs running headlessly. You should be able to remotely unlock their LUKS cryptographic file systems when you know they have been (legitimately)
@@ -9,7 +9,7 @@ This works as follows: The luksrku client (which needs unlocking) and luksrku server (which holds all the LUKS keys) share a secret. The client either knows the address of the server or it can issue a broadcast in the network to find the correct one. With the help of the shared secret, a TLS connection is
-established betweem the client and a legitimate server (who also knows the same
+established between the client and a legitimate server (who also knows the same
 secret). The server then tells the client all the LUKS passphrases, which performs luksOpen on all volumes.
@@ -51,8 +51,8 @@ While it might seem nonsensical to encrypt memory and have the key right next to the encrypted data, the reason for this this is to thwart cold-boot attacks. A successful cold-boot attack would require a complete and perfect 1 MiB snapshot of the pre-key (or an acquisition in the short timeframe where the
-keyvault is open) -- something that is difficult to do because of naturally
-occuring bit errors during cold boot acquisition.
+key vault is open) -- something that is difficult to do because of naturally
+occurring bit errors during cold boot acquisition.
 ## Dependencies OpenSSL v1.1 is required for luksrku as well as pkg-config.
@@ -69,7 +69,7 @@ Available commands: ./luksrku server Start a key server process ./luksrku client Unlock LUKS volumes by querying a key server
-For futher help: ./luksrku (command) --help
+For further help: ./luksrku (command) --help
 luksrku version v0.02-45-gf01ec97d6b-dirty ```
@@ -80,7 +80,7 @@ Then, for each command, you have an own help page: $ ./luksrku edit --help usage: luksrku edit [-v] [filename]
-Edits a luksrks key database.
+Edits a luksrku key database.
 positional arguments: filename Database file to edit.
diff --git a/argparse_client.c b/argparse_client.c
index 0ca499c..fede6df 100644
--- a/argparse_client.c
+++ b/argparse_client.c
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:16
 */
 #include
diff --git a/argparse_client.h b/argparse_client.h
index f2b4b57..e556547 100644
--- a/argparse_client.h
+++ b/argparse_client.h
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:16
 */
 #ifndef __ARGPARSE_CLIENT_H__
diff --git a/argparse_edit.c b/argparse_edit.c
index d5ff33d..94531ff 100644
--- a/argparse_edit.c
+++ b/argparse_edit.c
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:15
 */
 #include
@@ -110,7 +110,7 @@ bool argparse_edit_parse(int argc, char **argv, argparse_edit_callback_t argumen
 void argparse_edit_show_syntax(void) {
 fprintf(stderr, "usage: luksrku edit [-v] [filename]\n");
 fprintf(stderr, "\n");
- fprintf(stderr, "Edits a luksrks key database.\n");
+ fprintf(stderr, "Edits a luksrku key database.\n");
 fprintf(stderr, "\n");
 fprintf(stderr, "positional arguments:\n");
 fprintf(stderr, " filename Database file to edit.\n");
diff --git a/argparse_edit.h b/argparse_edit.h
index b261c57..f87226d 100644
--- a/argparse_edit.h
+++ b/argparse_edit.h
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:15
 */
 #ifndef __ARGPARSE_EDIT_H__
diff --git a/argparse_server.c b/argparse_server.c
index aa6c494..05699a7 100644
--- a/argparse_server.c
+++ b/argparse_server.c
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:15
 */
 #include
diff --git a/argparse_server.h b/argparse_server.h
index 09d2456..41a2e06 100644
--- a/argparse_server.h
+++ b/argparse_server.h
@@ -5,7 +5,7 @@
 *
 * Do not edit it by hand, your changes will be overwritten.
 *
- * Generated at: 2019-10-25 11:06:30
+ * Generated at: 2019-10-25 20:39:15
 */
 #ifndef __ARGPARSE_SERVER_H__
diff --git a/codegen/TwoColPrint.py b/codegen/TwoColPrint.py
deleted file mode 100644
index 25b0a88..0000000
--- a/codegen/TwoColPrint.py
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/python3
-#
-# TwoColPrint - Print text in two columns, wrap as appropriate.
-# Copyright (C) 2011-2012 Johannes Bauer
-#
-# This file is part of jpycommon.
-#
-# jpycommon is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; this program is ONLY licensed under
-# version 3 of the License, later versions are explicitly excluded.
-#
-# jpycommon is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with jpycommon; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# Johannes Bauer
-#
-# File UUID c2de9b77-c699-490d-930f-21689e04b12f
-
-import sys
-import textwrap
-import collections
-
-_Row = collections.namedtuple("Row", [ "left", "right", "annotation" ])
-
-class TwoColPrint(object):
- def __init__(self, prefix = "", total_width = 120, spacer_width = 3, width_ratio = 0.25):
- self._rows = [ ]
- self._prefix = prefix
- self._total_width = total_width
- self._spacer_width = spacer_width
- self._width_ratio = width_ratio
-
- def addrow(self, left_col, right_col, annotation = None):
- self._rows.append(_Row(left = left_col, right = right_col, annotation = annotation))
- return self
-
- def __iter__(self):
- text_width = self._total_width - len(self._prefix) - self._spacer_width
- assert(text_width > 2)
- left_width = round(self._width_ratio * text_width)
- right_width = text_width - left_width
- assert(len(self._prefix) + left_width + self._spacer_width + right_width == self._total_width)
-
- spacer = " " * self._spacer_width
- for row in self._rows:
- left_break = textwrap.wrap(row.left, width = left_width)
- right_break
= textwrap.wrap(row.right, width = right_width)
-
- if len(left_break) < len(right_break):
- left_break += [ "" ] * (len(right_break) - len(left_break))
- elif len(left_break) > len(right_break):
- right_break += [ "" ] * (len(left_break) - len(right_break))
-
- for (leftline, rightline) in zip(left_break, right_break):
-
- yield ("%s%-*s%s%s" % (self._prefix, left_width, leftline, spacer, rightline), row.annotation)
-
- def print(self, f = None):
- if f is None:
- f = sys.stdout
- for (line, annotation) in self:
- print(line, file = f)
-
-if __name__ == "__main__":
- t = TwoColPrint(prefix = " ")
- t.addrow("foobar", "This is the first piece, which is foobar. A foobar is very cool! This is the first piece, which is foobar. A foobar is very cool!")
- t.addrow("barfjdiojf", "And here's a barwhatever And here's a barwhatever And here's a barwhatever")
- t.addrow("x", "Cool, a x.")
- t.addrow("And here's a barwhatever And here's a barwhatever And here's a barwhatever", "barfjdiojf")
- t.print()
-
-
-
diff --git a/codegen/print_help b/codegen/print_help
deleted file mode 100755
index 9e646da..0000000
--- a/codegen/print_help
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/python3
-import textwrap
-
-class HelpPagePrinter(object):
- def __init__(self):
- self._entries = [ ]
- self._lcolsize = None
-
- def add(self, lhs, rhs):
- if isinstance(lhs, str):
- lhs = (lhs, )
- else:
- lhs = (", ".join(lhs), )
- if isinstance(rhs, str):
- rhs = (rhs, )
- self._entries.append((lhs, rhs))
-
- def _format_entry(self, entry):
- (lhs, rhs) = entry
- lhs = list(lhs)
- rhs = list(rhs)
-
- right_lines = [ ]
- for block in rhs:
- right_lines += textwrap.wrap(block, width = 86 - self._lcolsize)
-
- if len(lhs) < len(right_lines):
- lhs += [ "" ] * (len(right_lines) - len(lhs))
- elif len(lhs) > len(right_lines):
- right_lines += [ "" ] * (len(lhs) - len(right_lines))
- for (left, right) in zip(lhs, right_lines):
- yield "%-*s %s" % (self._lcolsize, left, right.replace("\xa0", " "))
-
- def _determine_lcolsize(self):
- self._lcolsize = 0
- for (lhs, rhs) in self._entries:
- for line in lhs:
- self._lcolsize = max(self._lcolsize, len(line))
-
- def format_params(self):
- lines = [ "" ]
- for (lhs, rhs) in self._entries:
- par = lhs[0].strip()
-
- newline = lines[-1] + (" (%s)" % (par))
- if len(newline) < 80:
- lines[-1] = newline
- else:
- lines.append("(%s)" % (par))
- yield from lines
-
-
- def format_help(self):
- self._determine_lcolsize()
- for entry in self._entries:
- yield from self._format_entry(entry)
-
-hpp = HelpPagePrinter()
-hpp.add([ "-c", "--client-mode" ], "Specifies client mode, i.e., that this host will unlock the LUKS disk of a different machine.")
-hpp.add([ "-s", "--server-mode" ], "Specifies server mode, i.e., that this host will announce its presence via UDP broadcasts and then receive the LUKS credentials from a peer.")
-hpp.add([ "-k", "--keydb=FILE" ], "Gives the binary key database file which will be used. 
In server mode, this contains only one entry (specifying the UUID of the host, the PSK and the UUIDs and names of the disks to be unlocked), while in client mode this may contain multiple entries (to unlock many different peers) and also contains the LUKS credentials for the respective disks.")
-hpp.add([ "-u", "--unlock=CNT" ], "Specifies the maximum number of unlocking actions that are taken. In client mode, this defaults to 1. In server mode, it defaults to infinite (or until all disks have successfully been unlocked). Zero means infinite.")
-hpp.add([ "-p", "--port=PORT" ], "Specifies the port on which is listened for UDP broadcasts and also the port on which TCP requests are sent out (the two are always identical). Default port ist 23170.")
-hpp.add([ "--max-bcast-errs=CNT" ], "This is the number of UDP broadcast attempts luksrku will make before giving up. Usually this is because sendto(2) fails when the network is configured improperly. Giving up in this case enables manual key entry. This defaults to 5 tries.")
-hpp.add([ "-v", "--verbose" ], "Increase logging verbosity.")
-for (index, line) in enumerate(hpp.format_params()):
- if index == 0:
- print(" fprintf(stderr, \"%%s%s\\n\", pgmname);" % (line))
- else:
- print(" fprintf(stderr, \" %s\\n\");" % (line))
-print(" fprintf(stderr, \"\\n\");")
-for line in hpp.format_help():
- print(" fprintf(stderr, \" %s\\n\");" % (line))
-print(" fprintf(stderr, \"\\n\");")
-
-
-#examples = [
-# ("--client-mode ",
-# "Converts {device} to a LUKS partition with default parameters."),
-# ("-d {device} --resume-file myresume.dat",
-# "Converts {device} to a LUKS partition with default parameters and store resume information in myresume.dat in case of an abort."),
-# ("-d {device} -k /root/secure_key/keyfile.bin --luksparams='-c,twofish-lrw-benbi,-s,320,-h,sha256'",
-# "Converts {device} to a LUKS partition and stores the initially used keyfile in /root/secure_key/keyfile.bin. 
Additionally some LUKS parameters are passed that specify that the Twofish cipher should be used with a 320 bit keysize and SHA-256 as a hash function."),
-# ("-d {device} --resume --resume-file /root/resume.bin",
-# "Resumes a crashed LUKS conversion of {device} using the file /root/resume.bin which was generated at the first (crashed) luksipc run."),
-# ("-d {device} --readdev /dev/mapper/oldluks",
-# "Convert the raw device {device}, which is already a LUKS container, to a new LUKS container. For example, this can be used to change the encryption parameters of the LUKS container (different cipher) or to change the bulk encryption key. In this example the old container is unlocked and accessible under /dev/mapper/oldluks."),
-#]
-#print("fprintf(stderr, \"Examples:\\n\");")
-#for (cmd, desc) in examples:
-# print("fprintf(stderr, \" %%s %s\\n\", argv[0]);" % (cmd.replace("{device}", device)))
-# for line in textwrap.wrap(desc.replace("{device}", device), width = 80):
-# print("fprintf(stderr, \" %s\\n\");" % (line))
diff --git a/parsers/parser_edit.py b/parsers/parser_edit.py
index 4d146e7..9310c2c 100755
--- a/parsers/parser_edit.py
+++ b/parsers/parser_edit.py
@@ -1,4 +1,4 @@
 import argparse
-parser = argparse.ArgumentParser(prog = "luksrku edit", description = "Edits a luksrks key database.", add_help = False)
+parser = argparse.ArgumentParser(prog = "luksrku edit", description = "Edits a luksrku key database.", add_help = False)
 parser.add_argument("-v", "--verbose", action = "count", default = 0, help = "Increase verbosity. Can be specified multiple times.")
 parser.add_argument("filename", metavar = "filename", nargs = "?", type = str, help = "Database file to edit.")