Connecting encrypted TrueCrypt partitions using Asterisk IP telephony server

Foreword

Part of my job is to mount TrueCrypt containers on a remote server daily.

The morning order of action strained me: turn on the laptop, connect to the server, enter a multi-valued password in TrueCrypt, disconnect from the server, turn off the laptop, pack up and go to work.

The thought came about using Asterisk, it was necessary to implement it.

Decision

The configuration of the equipment is as follows:

1. Asterisk Server - Ubuntu Server 10.04, Asterisk v1.6.
2. terminal server - Windows Server 2003 R2, TrueCrypt v6.1a, two hard disks with TrueCrypt partitions.

The logical chain of thought was this:

1. TrueCrypt allows you to control yourself from the command line.
2. Asterisk allows you to run any scripts, just register them in extensions.conf.
3. There is a Windows psexec.exe utility that allows you to run processes on a remote Windows computer from the command line.
4. Asterisk is on Ubunte, which means that psexec is necessary for Linux - found by winexe (ready packages for various distributions are available here ).

Further I bring scripts.



extentions.conf :

... exten => 777777,1,Playback(beep) exten => 777777,n,Read(auth,,3,5) exten => 777777,n,GotoIf($["${auth}" = "123"]?m:u) exten => 777777,n(m),System(/etc/asterisk/scripts/mount.sh) exten => 777777,n,Goto(end) exten => 777777,n(u),GotoIf($["${auth}" = "321"]?ok:end) exten => 777777,n(ok),System(/etc/asterisk/scripts/umount.sh) exten => 777777,n(end),Playback(vm-goodbye) exten => 777777,n,Hangup ... 

Explanation:

call internal number 777777, enter password 123, execute mount.sh script (mount partitions) or enter password 321 and run umount.sh script (unmount partitions, so-called “RED BUTTON”)

')

mount.sh :

 #!/bin/sh /etc/asterisk/scripts/winexe -U DOMAIN\LOCALROOT%PASS //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /v \Device\Harddisk1\Partition1 /lE /a /p "CJIo}i{HbIU'napoJIb" /q /s' /etc/asterisk/scripts/winexe -U DOMAIN\LOCALROOT%PASS //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /v \Device\Harddisk2\Partition1 /lF /a /p "CJIo}i{HbIU'napoJIb" /q /s' 

/ etc / asterisk / scripts / winexe - the path to the winexe utility, which is located in the scripts folder.

DOMAIN - your domain name,

LOCALROOT - local admin on the terminal server,

PASS - local admin password,

IPADDRESS - IP address of the terminal server,

further the path to TrueCrypt.exe on the terminal server with parameters

\ Device \ Harddisk1 \ Partition1 - hard disk 1 (in order to determine the path to the partition, start TrueCrypt and click on Select Device),

/ lE - letter assigned to the disk (E: \)

/ p "CJIo} i {HbIU'napoJIb" - password to the TrueCrypt section,

\ Device \ Harddisk2 \ Partition1 - hard disk 2 and further by analogy with the first disk.



umount.sh

 #!/bin/sh /etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /d E /q /s /w /f' /etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /d F /q /s /w /f' #        : # 1.  urandom # dd if=/dev/urandom of=/etc/asterisk/scripts/mount.sh bs=512 count=1 # dd if=/dev/urandom of=/etc/asterisk/scripts/umount.sh bs=512 count=1 # 2.  shred,       /dev/urandom () shred -f /etc/asterisk/scripts/{mount,umount}.sh #     ( ) # rm -f /etc/asterisk/scripts/*mount.sh 

Here there is a forced silent unmounting of sections E: \ and F: \ and a random entry into the contents of scripts to hide information.



All scripts and winexe are in the scripts folder (/ etc / asterisk / scripts /)

Total

As a result of this manipulation, at any time and from any place you can call a work phone, dial an additional 777777, and connect / disconnect TrueCrypt sections.

Using a bunch of Asterisk + scripts can significantly simplify the life and extend the capabilities of the system administrator, for example, creating a backup or restarting services on a call.



UPD . The criticism that broke out in the comments leads to the conclusion that in real conditions the security of this scheme is rather low, only convenience remains)).