A Django webapp to escrow filevault keys sent by the Crypt client app.
Crypt-Server

Crypt is a system for centrally storing FileVault 2 recovery keys. It is made up of a client app and a Django web app for storing the keys.

This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured; use admin/password to log in. If you intend to use the server for anything semi-serious, change the password, or add a new admin user and delete the default one.

Changes in this version

  • 10.7 is no longer supported.
  • Improved logging on errors.
  • Improved user feedback during long operations (such as enabling FileVault).

Client

The client is written in PyObjC and makes use of the built-in fdesetup on OS X 10.8 and higher. An example login hook is provided to show how this could be implemented in your organisation.

Features

  • If escrow fails for some reason, the recovery key is stored on disk and a Launch Daemon will attempt to escrow the key periodically.
  • If the app cannot contact the server, it can optionally quit.
  • If FileVault is already enabled, the app will quit.

Installation instructions

It is recommended that you use Docker to run this, but if you wish to run directly on a host, installation instructions are in the docs directory.

Settings

  • SEND_EMAIL - Crypt Server can send email notifications when secrets are requested and approved. Set SEND_EMAIL to True, and set HOST_NAME to your server's host and URL scheme (e.g. https://crypt.example.com). For configuring your email settings, see the Django documentation.

  • APPROVE_OWN - By default, users with approval permissions can approve their own key requests. By setting this to False in settings.py (or by using the DOCKER_CRYPT_APPROVE_OWN environment variable with Docker), users cannot approve their own requests.

  • ALL_APPROVE - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in settings.py (or by using the DOCKER_CRYPT_ALL_APPROVE environment variable with Docker), all users are given this permission when they log in.

  • ROTATE_VIEWED_SECRETS - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it once the secret has been viewed. Enable by setting this to True in settings.py, or by setting DOCKER_CRYPT_ROTATE_VIEWED_SECRETS to true with Docker.
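As an added example (not Crypt-Server's own code), the following reads the three Docker flags above with the defaults the README documents, applies the resulting approval policy, and flags the combinations under which a retrieved key is only weakly protected. The helper names and warning strings are assumptions; only the DOCKER_CRYPT_* variable names come from the page.

```python
import os

# DOCKER_CRYPT_* names come from the README; helper names and warning text are hypothetical.
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def env_bool(name, default, environ=None):
    """Parse one boolean flag; anything that is not clearly true/false is an error."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r} is not a boolean")


def load_crypt_settings(environ=None):
    """Defaults follow the README: APPROVE_OWN on, ALL_APPROVE off, rotation off."""
    return {
        "APPROVE_OWN": env_bool("DOCKER_CRYPT_APPROVE_OWN", True, environ),
        "ALL_APPROVE": env_bool("DOCKER_CRYPT_ALL_APPROVE", False, environ),
        "ROTATE_VIEWED_SECRETS": env_bool("DOCKER_CRYPT_ROTATE_VIEWED_SECRETS", False, environ),
    }


def can_approve_request(settings, approver, requester, has_can_approve):
    """Decide whether `approver` may approve `requester`'s key retrieval request."""
    # The can_approve permission is required unless ALL_APPROVE grants it to everyone.
    if not (has_can_approve or settings["ALL_APPROVE"]):
        return False
    # Self-approval is blocked once APPROVE_OWN is switched off.
    if approver == requester and not settings["APPROVE_OWN"]:
        return False
    return True


def config_warnings(settings):
    """Point out settings under which a retrieved key is weakly protected."""
    warnings = []
    if settings["ALL_APPROVE"] and settings["APPROVE_OWN"]:
        warnings.append("any logged-in user can approve their own request")
    if not settings["ROTATE_VIEWED_SECRETS"]:
        warnings.append("secrets are not rotated after being viewed")
    return warnings
```

Passing a dict instead of os.environ lets you check a planned configuration before deploying the container.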

New features in latest release

  • Records Bonjour Name of Macs submitting keys
  • Introduces the can_approve permission - users must have this permission to authorise key retrieval
  • Key retrievals are logged

Todo

  • Email user when their request is approved or denied
  • Move 7 day allowance into settings.py so it can be changed

Screenshots

Main Page: [screenshot: Crypt Main Page]

User Computer Info: [screenshot: User computer info]

Admin Computer Info: [screenshot: Admin computer info]

User Key Request: [screenshot: User key request]

Manage Requests: [screenshot: Manage Requests]

Approve Request: [screenshot: Approve Request]

Key Retrieval: [screenshot: Key Retrieval]