Key Escrow Service

Note: Our development of the key escrow service has been put on hold. However, the code was function and is available on this site. This development was performed with a previous version of TrueCrypt.

Purpose

Secure your organization's data using TrueCrypt without the risk of losing data due to forgotten passwords.

Credits

The libwfu Key Escrow Service was built to support TrueCrypt. TrueCrypt is a "Free open-source disk encryption software..." http://www.TrueCrypt.org/

The client/server communication was developed using sample programs from the OpenSSL project: http://www.OpenSSL.org/

Other projects used in this work: http://www.MySQL.org/ and http://www.OpenLDAP.org/

Introduction

This document covers the main components of the escrow process: the Linux server, the Linux escrow/restore client and the Windows client.

Linux Server		A C program that runs as an xinetd service. The server interfaces with a MySQL database and may be used to authenticate against an LDAP system.
Linux Escrow Client		The TrueCrypt program with the ability to escrow the encryption keys.
Linux Restore Client		The TrueCrypt program with the ability to escrow the encryption keys and the ability to restore the keys.
Windows Escrow Client		A Windows build of the TrueCrypt program with the ability to escrow the encryption keys.

This page provides a pictorial overview of how the system works.

Many security measures help protect this system. However, these also add complexity to the install process.

SSL

- OpenSSL provides encrypted communications between the client and server.
- The client verifies the identity of the server by validating the server's SSL certificate.

If you have never set up your own Certificate Authority, you should learn how to do this before continuing with this installation.

RSA Encryption

- The TrueCrypt encryption keys are encrypted with an RSA public key before leaving the user's computer.
- The encrypted key data remains on the server in this encrypted form. The server does not have the ability to decrypt this data.

You should be familiar with RSA public/private key encryption. You will need to use OpenSSL to create these keys.

Authorized Restore

- Only authorized users can retrieve data from the server.
- Authorized users must be connected to an authorized network.
- The restore requires the RSA private key to decrypt the key data.

- You must implement a strategy to keep the RSA private key safe.
- The restore client and escrow client will have different configuration files.
- You must implement a strategy to manage the configuration files.

Prerequisites

The Linux clients will require the XML library and the OpenSSL library. The server will require XML, OpenSSL, LDAP and MySQL. Both will be compiled with gcc. Install these utilities if you do not have them.

The Windows client will require a Windows build of the OpenSSL library and the Microsoft Driver Development Kit.

The following yum commands will install the Linux prerequisites:

  yum -y install gcc
  yum -y install openssl
  yum -y install openssl-devel
  yum -y install libxml2
  yum -y install libxml2-devel
  yum -y install openldap
  yum -y install openldap-devel
  yum -y install mysql
  yum -y install mysql-server
  yum -y install mysql-devel

Setup (do not skip this step)

This section will guide you through the setup process. This includes the configuration parameters for your environment and the database server.

The server and the Linux clients read from an XML configuration file. The configuration files on the various systems will contain different data. For example, the RSA private key will only exist on the restore client. The absence of the private key on the server reduces the risk if the server were compromised. These differences will be specified later. For now, we will create a complete configuration file to use as a reference.

The Windows client also reads its configuration from an XML file. The format of this file is different than that of the Linux client. The Windows XML configuration file provides the additional ability for customization of dialog messages. Deployment of the Windows client in a new managed envrionment should only require a few customizations to this configuration file. The difference in format is illustrated in the Windows TrueCrypt Client section.

We will use the directory /usr/local/wfu to store most of the files for the Linux Server and Linux Client.
To begin the configuration, create the /usr/local/wfu directory.

mkdir /usr/local/wfu

This page will help you create a complete configuration file and setup the database. (Do not skip this section!)

Download

The server code and client patches are available in wfu.tar.gz.

The API documentation is available here.

Install

The Linux client and server components share much code in common. To accommodate this, the majority of the code is implemented as a library file called libwfu.a. The Linux client and server statically link with this library. The Windows client also uses a portion of the libwfu.a code.

The configure script accepts the following options:

--enable-server	include code for the server API in libwfu.a
--enable-client	include code for the client API in libwfu.a
--enable-restore	include code for the restore API in the libwfu.a
--enable-inetd	compile the inetd server
--enable-auth=ARG	Arguments: `ldap, passwd, shadow, true` `ldap` will build the functions to authenticate with and LDAP server. This will require the OpenLDAP library and header files. `passwd` will use the /etc/password file for authentication. `shadow` will use the /etc/shadow file for authentication. This will require the server to run as the root user. `true` will return true most of the time. Do not use this option!! This is only for testing and development.
--enable-log=ARG	Arguments: `syslog, file, stdout, none` `syslog` log information will be written to syslog. `file` log information will be written to a text file. `stdout` log information will be written to standard output. `none` log information will not be recorded.
--with-openssl=PATH	specify the path to openssl headers (default /usr/include/)
--with-libxml=PATH	specify the path to xmlreader.h (default /usr/include/libxml2/)
--with-mysql=PATH	specify the path to the mysql_config file

Server Install

Linux Server Install: How to compile and install the server.

Linux TrueCrypt Client

Escrow Client:	How to compile and install the Linux escrow client.
Restore Client:	How to compile and install the Linux restore client.
Usage:	How to use the Linux escrow and restore clients.

Windows TrueCrypt Client

Escrow Client: How to build and deploy the Windows TrueCrypt escrow client.

Final Thoughts

Remove the /usr/local/wfu/template.xml file.
Make sure the RSA private key is not stored on the server.
Remember to setup xinetd and mysql to start upon boot.
Be sure to fully exit TrueCrypt before modifying the parameters in the Windows XML configuration file.