Andrea Barisani edited this page Oct 25, 2016 · 10 revisions

Welcome to the INTERLOCK wiki!

The INTERLOCK application is a file encryption front-end developed for, but not limited to, use with the USB armory.

The goal of the package is to expose a web-based file manager for an encrypted partition on the device hosting the JSON application server (i.e. the USB armory).

The file manager allows uploading/downloading of files to/from the encrypted partition, as well as additional symmetric/asymmetric cryptographic operations on the individual files.

Documentation

The official documentation is included in the README file of the project repository.

Contributed tutorials

  • Andrea Covello of scip AG published two excellent tutorials on setting up INTERLOCK on the USB armory: part 1, part 2

Embedded INTERLOCK distribution for the USB armory

A set of Buildroot customizations allows cross-compilation of a minimal embedded Linux environment for the USB armory with INTERLOCK support.

Once installed on a microSD card for the USB armory, the Buildroot image allows quick and easy access to the INTERLOCK web application, exposing advanced interaction with the encrypted storage.

Tips & Tricks

Linux: Trusting INTERLOCK TLS certificates in your browser

  1. Obtain the certificate file in PEM format, either directly from your INTERLOCK installation, by exporting it from your browser (converting its format if necessary), or by fetching it with the openssl 's_client' subcommand. When the certificate is fetched over the network, compare its fingerprint with the one known from the device before trusting it, since the fetch itself is not authenticated.

  2. Import the certificate into your browser's NSS database and mark it as trusted (the example assumes an INTERLOCK installation reachable at address "10.0.0.1"; $HOME/.pki/nssdb is the database used by Chrome/Chromium, while Firefox keeps its own database inside the profile directory, so point -d there instead for Firefox):

certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "10.0.0.1" -i cert.pem

Example systemd unit configuration

With PermissionsStartOnly=true the ExecStartPre command runs as root while ExecStart runs as the interlock user, so setcap can grant the CAP_NET_BIND_SERVICE file capability to the binary and the unprivileged service can bind the privileged port 443. Note that the file capability stays on the binary after the service stops. On systemd 229 or later the same result can be obtained without touching the binary by dropping the ExecStartPre and PermissionsStartOnly lines and adding AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section.

[Unit]
Description=INTERLOCK file encryption front-end
Documentation=https://github.com/inversepath/interlock/blob/master/README.md
Requires=network.target
After=network.target

[Service]
PermissionsStartOnly=true
ExecStartPre=/sbin/setcap 'cap_net_bind_service=+ep' /usr/local/sbin/interlock
ExecStart=/usr/local/sbin/interlock -c /etc/interlock/interlock.conf
User=interlock
Group=interlock
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

SCCv2 driver character device permissions

INTERLOCK (assuming it runs as the interlock user) can be granted access to the /dev/scc2_aes character device, exposed by the Security Controller (SCCv2) mxc-scc2 driver, with the following udev rule:

KERNEL=="scc2_aes", SUBSYSTEM=="crypto", MODE="0600", OWNER="interlock"

Place the rule in a file under /etc/udev/rules.d/ (for example 99-interlock.rules) and apply it with 'udevadm control --reload-rules' followed by 'udevadm trigger', or reboot; check the result with 'ls -l /dev/scc2_aes'.