
cauliflowervest's Introduction


Overview

Note: Cauliflower Vest is being Archived

On April 15, 2021, Cauliflower Vest will be archived. Cauliflower Vest has not had active development in quite some time, so we think it’s time for the repository to reflect that state. The code will remain available, but the GitHub project will be archived and our developers will no longer be maintaining or updating this project. You can, of course, continue to fork from this project and develop your own tools.

Let us know at [email protected] if you have any questions or concerns.

Thank you, Cauliflower Vest Eng Team

Note: OAUTH_CLIENT_ID moved from src/cauliflowervest/client/settings.py to cauliflowervest/settings.py

Cauliflower Vest is a recovery key escrow solution. The project initially started with end-to-end Mac OS X FileVault 2 support, and later added support for BitLocker (Windows), LUKS (Linux), Duplicity, and Firmware/BIOS passwords (Mac & Linux). The goal of this project is to streamline cross-platform enterprise management of disk encryption technologies.

Cauliflower Vest offers the ability to:

  • Forcefully enable FileVault 2 encryption.
  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Delegate secure access to recovery keys so that volumes may be unlocked or reverted.
  • Sync BitLocker recovery keys from Active Directory.

Components:

  • A Google App Engine based service which receives and securely escrows recovery keys.

  • A GUI client running on the OS X user machines, which enables FileVault 2 encryption, obtains the recovery key, and sends it to the escrow service.

  • A CLI tool which runs on Linux, for use with LUKS and Duplicity.

  • A script to sync BitLocker recovery keys from Active Directory.

Getting Started

Full source is available for all components.

To get started, begin with the Introduction wiki page.

Warning

After releasing the update to App Engine, start the schema update (/ui/#/admin/); otherwise search and key retrieval will break. Progress can be monitored in the App Engine logs, which will contain

UpdateSchema complete for VOLUME_TYPE with N updates!

for each volume type after a successful migration.
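A small post-deploy check for the migration described above, added here as an example and not part of the Cauliflower Vest code: it scans the App Engine log lines for the "UpdateSchema complete" message and reports which expected volume types have not finished. The log lines and the volume type names are constructed for the example; the real set of volume types for your deployment is an assumption you must fill in.

```python
import re

# Constructed sample of App Engine log lines in the format the README
# describes (not real project output).
SAMPLE_LOGS = [
    "2021-04-01 10:00:01 INFO UpdateSchema started",
    "2021-04-01 10:02:13 INFO UpdateSchema complete for filevault with 120 updates!",
    "2021-04-01 10:03:40 INFO UpdateSchema complete for bitlocker with 45 updates!",
    "2021-04-01 10:03:41 WARNING deadline exceeded for luks; retrying",
]

# Assumed list of volume types the deployment must migrate; replace with the
# types actually escrowed by your server.
EXPECTED_TYPES = ["filevault", "bitlocker", "luks", "duplicity"]

# Matches the completion line the README says is logged per volume type.
_DONE_RE = re.compile(r"UpdateSchema complete for (\S+) with (\d+) updates!")


def parse_schema_updates(log_lines):
    """Return {volume_type: update_count} for every completed migration."""
    done = {}
    for line in log_lines:
        match = _DONE_RE.search(line)
        if match:
            done[match.group(1)] = int(match.group(2))
    return done


def missing_volume_types(log_lines, expected_types):
    """Volume types with no completion line yet; empty means safe to proceed."""
    done = parse_schema_updates(log_lines)
    return [t for t in expected_types if t not in done]


if __name__ == "__main__":
    pending = missing_volume_types(SAMPLE_LOGS, EXPECTED_TYPES)
    if pending:
        print("schema update still pending for: %s" % ", ".join(pending))
    else:
        print("schema update complete for all volume types")
```

Run it against the log export after each deploy; any type still listed as pending means search and key retrieval for that type may not work yet.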

Contact

Please search, join, and/or email the discussion list with questions at [email protected]. To reach only engineers on the project, email [email protected].

Thanks to Dorothy Marczak for the logo.


cauliflowervest's Issues

Python27 Error

After running the make release command I get the following error:

appcfg.py --version=0-9-4 update gae_bundle/
Error parsing yaml file:
Unable to assign value 'python27' to attribute 'runtime':
Value 'python27' for key runtime does not match expression '^python$'
in "gae_bundle/app.yaml", line 3, column 10
make: *** [release] Error 1

Please assist.

App Engine Upload Error

After uploading the Cauliflower Vest server code to an App Engine instance (using the Google Cloud SDK shell on both Mac and Windows) I get the following traceback when visiting my appspot URL.

It seems it can't find the cauliflowervest module; has anyone come across this before?

Traceback (most recent call last):
File "/base/alloc/tmpfs/dynamic_runtimes/python27/8882c914eb6132e9_unzipped/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 240, in Handle
handler = _config_handle.add_wsgi_middleware(self._LoadHandler())
File "/base/alloc/tmpfs/dynamic_runtimes/python27/8882c914eb6132e9_unzipped/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 299, in _LoadHandler
handler, path, err = LoadObject(self._handler)
File "/base/alloc/tmpfs/dynamic_runtimes/python27/8882c914eb6132e9_unzipped/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 85, in LoadObject
obj = __import__(path[0])
ImportError: No module named cauliflowervest

RuntimeError: Previous version of google-api-python-client detected

After performing "make release" the following error will occur on the webpage for Cauliflower Vest. Running the suggested "pip install -I google-api-python-client" does not resolve the issue, and it occurs on every machine with fresh OS installs we attempted to compile on.

Traceback (most recent call last):
File "/base/data/home/runtimes/python27_experiment/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 240, in Handle
handler = _config_handle.add_wsgi_middleware(self._LoadHandler())
File "/base/data/home/runtimes/python27_experiment/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 299, in _LoadHandler
handler, path, err = LoadObject(self._handler)
File "/base/data/home/runtimes/python27_experiment/python27_lib/versions/1/google/appengine/runtime/wsgi.py", line 96, in LoadObject
__import__(cumulative_path)
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/cauliflowervest/server/main.py", line 22, in <module>
from cauliflowervest.server.handlers import apple_firmware
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/cauliflowervest/server/handlers/apple_firmware.py", line 26, in <module>
from cauliflowervest.server.models import firmware
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/cauliflowervest/server/models/firmware.py", line 21, in <module>
from cauliflowervest.server import encrypted_property
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/cauliflowervest/server/encrypted_property.py", line 29, in <module>
from cauliflowervest.server import cloud_kms
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/cauliflowervest/server/cloud_kms.py", line 28, in <module>
from apiclient import discovery
File "/base/data/home/apps/sproject-name/0137redacted.deploymentid788948/apiclient/__init__.py", line 11, in <module>
'Previous version of google-api-python-client detected; due to a '
RuntimeError: Previous version of google-api-python-client detected; due to a packaging issue, we cannot perform an in-place upgrade. To repair, remove and reinstall this package, along with oauth2client and uritemplate. One can do this with pip via
pip install -I google-api-python-client

appcfg.py error

Test-Mac:cauliflowervest test123$ bazel run cauliflowervest/server:main.deploy
INFO: Analysed target //cauliflowervest/server:main.deploy (1 packages loaded).
INFO: Found 1 target...
Target //cauliflowervest/server:main.deploy up-to-date:
bazel-bin/cauliflowervest/server/main_deploy.sh
bazel-bin/cauliflowervest/server/main.deploy
INFO: Elapsed time: 4.531s, Critical Path: 0.06s
INFO: Build completed successfully, 1 total action

INFO: Running command line: bazel-bin/cauliflowervest/server/main.deploy
Usage: appcfg.py [options] update | [file, ...]

appcfg.py: error: Expected -A app_id when application property in file app.yaml is not set.
ERROR: Non-zero return code '2' from command: Process exited with status 2

  • Manually adding the application setting to app.yaml yields:

INFO: Analysed target //cauliflowervest/server:main.deploy (1 packages loaded).
INFO: Found 1 target...
Target //cauliflowervest/server:main.deploy up-to-date:
bazel-bin/cauliflowervest/server/main_deploy.sh
bazel-bin/cauliflowervest/server/main.deploy
INFO: Elapsed time: 4.514s, Critical Path: 0.06s
INFO: Build completed successfully, 1 total action

INFO: Running command line: bazel-bin/cauliflowervest/server/main.deploy
03:41 PM Application: st-cauliflower; version: 1
03:41 PM Host: appengine.google.com
03:41 PM Starting update of app: st-cauliflower, version: 1
03:41 PM Getting current resource limits.

  • Process hangs at this stage.

Deployment gcloud app

During deployment, I have this error.
I tried to see what is in the 'T' folder but there is no war.p06n1daH as in the screenshot...
I saw the Google App limit is 35 MB, but why do I have a 100+ MB project?

(screenshot, 2019-01-17 11:36:17)

Weak Cryptographic Hash

We found a Weak Cryptographic Hash problem in cauliflowervest-master/cauliflowervest/server/models/base.py
Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts.

Cauliflowervest using deprecated mechanism on Macs - loginhook?

I have just had a quick read of the Wiki and, as far as I can see, the Mac client for CauliflowerVest that enforces FileVault encryption and escrows the recovery key to the CauliflowerVest server still uses a loginhook as the means of executing upon user login.

For several years now Apple has been actively discouraging the use of loginhooks (and logouthooks). It is the case that the main alternative, a login agent run via launchd, is not able to run with the root privilege level needed to execute fdesetup. However, in more recent times Apple has provided a new mechanism that could be used instead: a native authorization plugin. See https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html

It is my understanding that Crypt, an alternative FileVault2 escrow solution, does now use such a native authorization plugin to manage FileVault encryption and escrow.

I would therefore suggest that CauliflowerVest be updated to include such an approach for the client instead.

'make dmg' pkg fails to install

Using PackageMaker 3.0.6 on Sierra 10.12.5 results in a DMG that fails to install.

Error from console during installation:

(com.apple.xpc.launchd.domain.pid.IDECacheDeleteAppExtension.686): Path not allowed in target domain: type = pid, path = /Applications/Xcode.app/Contents/SharedFrameworks/LLDB.framework/Versions/A/XPCServices/RootDebuggingXPCService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Xcode.app/Contents/PlugIns/IDECacheDeleteAppExtension.appex

Cron job /cron/group_sync is causing NotImplementedError

I don't understand this part. The cron job /cron/group_sync is turned on, but the actual method is not implemented, which causes NotImplementedError.
I think if it's not implemented yet, it's better to turn off the cron job,
because for now it logs an error every 60 minutes in App Engine.
