  • Stars: 120
  • Rank: 289,122 (Top 6 %)
  • Language: Python
  • License: Apache License 2.0
  • Created over 11 years ago
  • Updated 9 months ago


Repository Details

A Django webapp to escrow filevault keys sent by the Crypt client app.

Crypt-Server

Crypt is a tool for securely storing secrets such as FileVault 2 recovery keys. It is made up of a client app and a Django web app for storing the keys.

This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured; use admin/password to log in. If you intend to use the server for anything semi-serious, it is a good idea to change the password, or to add a new admin user and delete the default one.

Features

  • Secrets are encrypted in the database
  • All access is audited: every reason given for a retrieval or approval is logged alongside the user performing the action
  • Two step approval for retrieval of secrets is enabled by default
  • Approval permission can be given to all users (so just any two users need to approve the retrieval) or a specific group of users

Installation instructions

It is recommended that you use Docker to run this, but if you wish to run directly on a host, installation instructions are in the docs directory.

Migrating from versions earlier than Crypt 3.0

Crypt 3 changed its encryption backend, so when migrating from versions earlier than Crypt 3.0, you should first run Crypt 3.2.0 to perform the migration, and then upgrade to the latest version. The last version to support legacy migrations was Crypt 3.2.

Settings

All settings that would be entered into settings.py can also be passed into the Docker container as environment variables.

  • FIELD_ENCRYPTION_KEY - The key to use when encrypting the secrets. This is required.

  • SEND_EMAIL - Crypt Server can send email notifications when secrets are requested and approved. Set SEND_EMAIL to True, and set HOST_NAME to your server's host and URL scheme (e.g. https://crypt.example.com). For configuring your email settings, see the Django documentation.

  • EMAIL_SENDER - The email address to send email notifications from when secrets are requested and approved. Ensure this is verified if you are using SES. Does nothing unless SEND_EMAIL is True.

  • APPROVE_OWN - By default, users with approval permissions can approve their own key requests. By setting this to False in settings.py (or by using the APPROVE_OWN environment variable with Docker), users cannot approve their own requests.

  • ALL_APPROVE - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in settings.py, all users are given this permission when they log in.

  • ROTATE_VIEWED_SECRETS - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it once the secret has been viewed. Enable it by setting this to True in settings.py, or by passing the ROTATE_VIEWED_SECRETS environment variable set to true with Docker.

  • HOST_NAME - Set the host name of your instance. Required if you do not have control over the load balancer or proxy in front of your Crypt server (see the Django documentation).

  • CSRF_TRUSTED_ORIGINS - A list of trusted origins expected to make requests to your Crypt instance; normally this is the hostname.
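A pre-deployment check for the settings above, as an added example that is not part of the Crypt-Server project: it parses a KEY=VALUE environment file (an assumed format) and reports the dependencies and weak defaults the list describes, with a constructed first-run file beside a hardened one. The check names and message texts are this example's own.

```python
"""Pre-deployment lint for a Crypt Server env file (added example, not project code).
The KEY=VALUE file format, the check names and the message texts are assumptions."""
from urllib.parse import urlparse

# Constructed sample: a first-run file that leaves the README defaults in place.
WEAK_ENV = """
FIELD_ENCRYPTION_KEY=
EMAIL_SENDER=crypt@example.com
"""

# Constructed sample: the same deployment with the settings tightened.
HARDENED_ENV = """
FIELD_ENCRYPTION_KEY=REPLACE_WITH_GENERATED_KEY
SEND_EMAIL=True
EMAIL_SENDER=crypt@example.com
HOST_NAME=https://crypt.example.com
APPROVE_OWN=False
ROTATE_VIEWED_SECRETS=True
"""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def lint_crypt_env(text):
    """Return a list of findings; an empty list means the file passes."""
    env, findings = parse_env(text), []

    def flag(key, default=False):  # missing boolean keys take the README default
        return default if key not in env else env[key].lower() in {"true", "1", "yes"}

    if not env.get("FIELD_ENCRYPTION_KEY"):
        findings.append("FIELD_ENCRYPTION_KEY is required")
    if flag("SEND_EMAIL"):  # notifications need a host name that carries the URL scheme
        if urlparse(env.get("HOST_NAME", "")).scheme not in ("http", "https"):
            findings.append("SEND_EMAIL=True needs HOST_NAME with a URL scheme")
        if not env.get("EMAIL_SENDER"):
            findings.append("SEND_EMAIL=True but EMAIL_SENDER is unset")
    elif env.get("EMAIL_SENDER"):
        findings.append("EMAIL_SENDER has no effect while SEND_EMAIL is False")
    if flag("APPROVE_OWN", default=True):  # README default lets approvers self-approve
        findings.append("APPROVE_OWN should be False so requesters cannot self-approve")
    if not flag("ROTATE_VIEWED_SECRETS"):
        findings.append("ROTATE_VIEWED_SECRETS is off, so viewed keys are not re-escrowed")
    return findings
```

Running `lint_crypt_env(WEAK_ENV)` reports the missing key, the ignored EMAIL_SENDER, the self-approval default and the disabled rotation; the hardened file yields no findings.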

Screenshots

  • Main Page
  • Computer Info
  • User Key Request
  • Manage Requests
  • Approve Request
  • Key Retrieval
