Skip to content
This repository was archived by the owner on Sep 16, 2021. It is now read-only.

Configuration

Jump to bottom
Maxim Ermilov edited this page Sep 7, 2017 · 6 revisions

Estimated Time: 5-10 minutes

All paths are from the top of the unrolled Cauliflower Vest tarball.

Client and Server

Edit the following file:

cauliflowervest/settings.py

Replace the SUBDOMAIN string value with your application identifier.

DOMAIN is likely already the correct value for your site, "appspot.com".

For example, the result might look like:

SUBDOMAIN = 'my-app-id'
DOMAIN = 'appspot.com'

If you wish to host using your Google Apps domain the DOMAIN settings must also change:

SUBDOMAIN = 'my-app-id'
DOMAIN = 'example.com'

Client

Edit the following file:

cauliflowervest/client/settings.py

There is a large string named called INTRO_TEXT which you should edit to send the appropriate message to your users when they are first introduced to Cauliflower Vest. Edit this text to say whatever you want. Whether text markup (e.g. html) is supported is unknown.

For example, the default looks like this:

INTRO_TEXT = """
Cauliflower Vest will encrypt the entire disk on this Mac.

It will also back up the recovery key for emergency purposes, like if you
forget your password. It's very important that disk encryption is enabled by
Cauliflower Vest and *NOT* manually, to ensure that the recovery key is backed up.

Upon success, you will see a final dialog box indicating that Cauliflower Vest has
encrypted your drive, stored the recovery key remotely, and that you should
restart.

If you do not see this final success message, you may not be secure. Please
contact Tech Support if you are not sure.
""".strip()

Change the text within the triple quotation marks to be whatever you like.

Note: Below this string you will find a root CA certificate chain stored in a variable. Do NOT change this string unless if you really know what you are doing. The certificate chain protects your clients against SSL hijacking.

Additionally you will see these lines:

# must be filled in for authentication to work!
OAUTH_CLIENT_SECRET = ''

and

# must be filled in for authentication to work!
OAUTH_CLIENT_ID = ''

in cauliflowervest/settings.py

There are no default values; you must provide them in order for the client to be able to communicate correctly with the server. Open the Google Developer's Console and select the App Engine server application that you've set up for Cauliflower Vest. Open the "APIs & auth" section on the left, and the "Credentials" section under that.

Create a new Client ID, for an installed application.

If this is the first time, you must completely configure the consent screen which will be used for OAuth authentication, including at a minimum the application name and support email address. You'll see the Client ID and Client secret listed after the credential is correctly configured. The client ID will be a long value ending in .apps.googleusercontent.com while the secret will be a shorter random string. Both of these values must be set in the client/settings.py before building the client package.

Server

You may need to make some significant choices about how to secure your escrow service. Please review the ServerKeys wiki for the full background on this topic.

To get started immediately for testing purposes, or to use the existing stored key code in the release, open the following file:

cauliflowervest/server/settings.py

Edit the following structure:

DEMO_KEYS = [
    {'versionNumber': 1,
     'aesKeyString': base64.urlsafe_b64encode('16_byte_string__'),
     'aesKeySize': 128,
     'hmacKeyString': base64.urlsafe_b64encode(
         '32_byte_string_bbbbbbbbbbbbbbbbb'),
     'hmacKeySize': 256,
     'status': 'PRIMARY',
    },
]

aesKeyString

The dictionary key aesKeyString expects to have a value in base64 string format. Supply the base64 encode function a string which is which is 16 bytes (aesKeySize = 128 bits) long.

If you just want to get started, you could obtain a value from the following:

dd if=/dev/random bs=1k count=1 | md5 | cut -c 1-16

Use the partial md5 output string as the input parameter to the base64 encode method.

Note that this is NOT best practice for key generation and you should use appropriate, cryptographically secure tools instead. Use these methods only to make a test configuration.

hmacKeyString

The hmacKeyString also expects to have a value in base64 string format. Supply the urlsafe_b64encode function a string which is 32 bytes (hmacKeySize = 256 bits) long.

If you just want to get started, again you could obtain a value by doing:

dd if=/dev/random bs=1k count=1 | md5

Use the md5 output string as the input parameter to the base64 encode method.

Note that this is NOT best practice for key generation and you should use appropriate, cryptographically secure tools instead. Use these methods only to make a test configuration.

Clone this wiki locally