arver is a tool to manage encrypted harddisks.
It is tailored for fine-grained access control to LUKS encrypted harddisks by
many users. Additionally it supports automation through scripts and facilitates
As an example it can be used in an organisation to grant access to encrypted
partitions to a team of admins.
In a traditional setup with multiple LUKS devices most organisations resort
to password sharing. This has multiple drawbacks, which arver tries to address:
- In case of an emergency or scheduled password change, everyone needs to learn
a bunch of new passwords and changing them is cumbersome and time consuming.
- If the password is leaked, all disks are compromised.
- As the amount of passwords grows with the number of disks, password patterns
are common. This has the drawback that you can’t grant per-disk access to others.
Further arver can ease many associated tasks:
- Arver is scriptable – all actions support script hooks, which means that you can
recover much faster from outages.
- Revoking all access for an admin can be done with only one command.
- Since arver keys are encrypted using publickey cryptography it is very easy to
safely distribute arver keys.
arver ships with a detailed man page, describing the usage in detail.
The easiest way to install arver is by gemsudo gem install arver
This will install all required dependecies automatically. If your distributions
contains an arver package we recommend installation by your package manager.
The following ruby gems are required for arver:
- gpgme 2
- activesupport 2
For development you will need the following additional gems:
arver only works with cryptsetup-luks >= 1.0.5 as previous versions do not
support key slots properly for our usage.
- arver only supports LUKS as backend.
- arver supports only up to 8 users as LUKS has only 8 key slots (LUKS NUMKEYS).
GPGME and gpg-agent
If arver asks you multiple times for the password, you might consider to use
gpg-agent, so you can decrypt your keypair once and the use it for all your
You can test gpg-agent by trying to decrypt an encrypted file for your user in
data/keys/USERNAME/key_X . It will tell you about possible gpg-erorrs.
Configuring gpg-agent is quite simple and you find information on the following
If you install gpg-agent like dougbarton recomends, you need to further verify
that the environment variable GPG_AGENT_INFO is accessible within the arver
script. An option is to add the following entry to your .bashrc
(The MIT License)
Copyright © 2010 arver
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
‘Software’), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.