rLUKSd is written to control luks (linux unified key setup) containers remotely.It uses udp datagrams to make it harder for network scanners to detect an internetfacing system.
It's running completely in silent mode. That means it's waiting for authenticationmessages containing a valid signature. After the message signature verification,a random key for symmetric encryption/decryption will be generated and send to the client.The shared secret will be encrypted by an asymmetric encryption using the same public keyas for signature verification.
After a succcessful key exchange the client is allowed to request information about the stateof luks containers and can send a key to decrypt one of them.
rluksd provides a lean way to secure your data on remote machines like servers hosted in any kindof datacenter. It's designed to prevent opening ssh for the public and aimes to use as lessdependencies as possible.
Last but not least the whole rluksd setup is shipped in two separated binaries to ensurethat only the part that requires root privileges runs as root. The network communicationcan be done in an unprivileged user context.
- each peer has it's own shared secret
- package replay protection by using nonce for authentication
- no broadcasting (it only responds to authenticated peers when they requesting something
- privilege separation
- less dependencies
git clone https://github.com/esno/rluksd.gitmkdir build; cd buildcmake .. && make
luksd is the container management daemon. It opens anunix socket and waits for incoming requests.It is a seperate daemon to avoid running an application as root that will be available through theinternet.
./luksd <socketOwner> <socketGroup> [<socket>]