Showing posts with label announce. Show all posts

Tuesday, May 1, 2012

Some TrueCrypt sugar for Linux

Intro

Currently we have a fast-growing trend called "Clouds". In the Clouds we can store just about everything and be sure that we are able to get it back anywhere and anytime. The only thing is that the Clouds do not belong to us. That's why we should think critically when we upload very private data there. This way of thinking leads us to use various file encryption tools like encfs, TrueCrypt and others.

I like TrueCrypt. It is installed on every Linux workstation of mine. But sometimes I am not the only user of such workstations. There could be several concurrent users who are able to browse the computer's filesystem. Do you remember the default behavior of TrueCrypt when it is asked (I mean by a double-click inside the File Manager) to mount an encrypted volume? Right! By default it mounts the specified container somewhere under the /mnt (/media) directory, which can be browsed by other logged-in users. That means they are able to see my private data stored in the mounted TrueCrypt container! Nein, I do not want this! I want to double-click on a TrueCrypt container and be the only viewer of its contents.

That's why I have written a kind of mounter for TrueCrypt containers which mounts the decrypted volume inside the user's home folder.

In Action

Suppose that our encrypted volumes have the ".private" extension in the filename. To make them always open with the mounter, we should create a corresponding file association:

[Screenshot: Make TrueCrypt container association with the truecrypt-mount application]

The TrueCrypt mounter (a simple wrapper over TrueCrypt) is located in /usr/bin:

[Screenshot: Specify an absolute path to truecrypt-mount application]

Then TrueCrypt asks for the password:

[Screenshot: Enter container's password to unlock the data]

The user-locally (!) mounted container is immediately shown in a new File Manager window. Please notice the path where the container is mounted.

[Screenshot: Immediate browsing of mounted TrueCrypt volume]

If there is an attempt to mount an already connected TrueCrypt volume with the truecrypt-mount application, a corresponding error message is shown:

[Screenshot: Already mounted TrueCrypt volume error message]


In details

truecrypt-mount, as I have already mentioned above, is a simple wrapper over TrueCrypt itself. The wrapper is just a POSIX shell script which redirects volume mount requests from the user to the TrueCrypt application with the "correct" arguments.

truecrypt-mount is configured through the /etc/default/truecrypt file. The following options are supported:

TRUECRYPT_BINARY -- path where TrueCrypt itself is installed. By default it points to /usr/bin/truecrypt.

USER_MOUNT_ROOT -- path under which user-specific mounts are created.

EXPLORE_MOUNTED_VOLUME -- boolean value which specifies whether a newly mounted TrueCrypt volume should be shown in the File Browser.

ERROR_REPORTING_CHANNEL -- specifies how errors that occur while mounting are shown.
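A user-local mount only hides the data if other users cannot traverse into it. The following sketch is an added example, not the truecrypt-mount source: it prepares a mount point under a per-user root and refuses to continue unless that root is private. The function names and the 0700 policy are assumptions.

```shell
#!/bin/sh
# Added example; not part of truecrypt-mount. Function names are hypothetical.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# calling user, with mode exactly rwx------.
is_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    case $(ls -ld "$dir") in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Prints the mount point for container $2 under the per-user root $1
# (the role USER_MOUNT_ROOT plays in the wrapper's configuration).
prepare_mount_point() {
    root=$1
    container=$2
    name=$(basename "$container" .private)
    # Create the root with a restrictive umask; an existing root is left
    # untouched here and validated below.
    ( umask 077; mkdir -p "$root" ) || return 1
    # The mounted filesystem's own root replaces the mount point's
    # permissions, so the protection must come from the parent: other
    # users cannot traverse a 0700 directory, whatever is mounted below.
    is_private_dir "$root" || {
        echo "refusing to mount: $root is not private to this user" >&2
        return 1
    }
    mkdir -p "$root/$name" || return 1
    printf '%s\n' "$root/$name"
}
```

The printed path is what a wrapper would hand to TrueCrypt as the mount directory.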

Download

The wrapper is available for download from the git repository http://git.thekondor.net
truecrypt-mount is a part of the truecrypt-extra package, since it is not the only way the experience with TrueCrypt can be improved (see below).

The application as well as the package is distributed under the terms of the GNU GPL v3.0+ license.

As a benefit

Exploring volume in XFCE

Have you ever tried to launch TrueCrypt from the command line with the '--explore' option while in XFCE? If you have, you have probably also received an error that "Nautilus" is not found. According to the TrueCrypt source code, it knows nothing about Thunar! Then you possibly tried to work around the problem by creating a fake Nautilus "application".

Thanks to the EXPLORE_MOUNTED_VOLUME option of truecrypt-mount there is no need for such workarounds anymore; we get it for free! The default File Manager is opened by calling /usr/bin/xdg-open.

Sleep means Sleep

That's all about being kinda paranoid :). What if a laptop is stolen while hibernated? What if there are several mounted TrueCrypt volumes? That means that a Bad Guy who has the hibernation image is able to retrieve sensitive data from those volumes because they were not disconnected! To prevent this kind of hole, the user should always unmount their TrueCrypt volumes when the laptop is sent to sleep/hibernate mode.

The truecrypt-extra package provides a PM-Utils script, 20_unmount-truecrypt-containers, which unmounts ALL connected TrueCrypt volumes in the user's system when it goes to sleep/hibernate. This behavior can be disabled with the UNMOUNT_ON_SLEEP option.
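A minimal sleep hook of this kind, as an added example rather than the script shipped in truecrypt-extra. It assumes that UNMOUNT_ON_SLEEP=no disables the behavior and that both settings arrive as environment variables; a failed dismount is reported instead of being ignored.

```shell
#!/bin/sh
# Added example of a pm-utils sleep hook; not the truecrypt-extra script.
# Assumptions: UNMOUNT_ON_SLEEP=no disables the hook, and the settings are
# plain shell variables with the defaults below.
: "${TRUECRYPT_BINARY:=/usr/bin/truecrypt}"
: "${UNMOUNT_ON_SLEEP:=yes}"

# pm-utils runs each hook with the power action as its first argument.
on_power_event() {
    case $1 in
        suspend|hibernate)
            [ "$UNMOUNT_ON_SLEEP" = "no" ] && return 0
            # -t: text mode (no GUI); -d without a volume: dismount all.
            # A busy volume makes the dismount fail. Return non-zero so the
            # failure is reported to pm-utils rather than silently leaving
            # decrypted volumes attached while the machine sleeps.
            "$TRUECRYPT_BINARY" -t -d || {
                echo "truecrypt: dismount failed, volumes still mounted" >&2
                return 1
            }
            ;;
        *)
            # resume/thaw: nothing to do, volumes stay dismounted
            ;;
    esac
    return 0
}

on_power_event "${1:-}"
```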

Not a summary

I still have several ideas about improving the TrueCrypt experience in Linux which might be implemented as part of the truecrypt-extra package. So stay tuned and send your feedback regarding the package, if any.

Wednesday, May 11, 2011

WebApy -- webserver for easy and rapid REST API imitation

While developing an application which depends on a remote REST (Representational State Transfer) API of one of the popular services, I ran into the need to use it [the API] more intensively while testing/debugging the code. Not all remote services provide developers with sandboxed environments to play in. And not all services tolerate frequently repeated requests to their REST API; they may just ban your access.

The best way to avoid such problems is to imitate the remote API locally.

WebApy is a simple, lightweight Python webserver built on top of BaseHTTPServer. WebApy makes it easy to create a REST API which pretends to be the original one.

When it might be required
  1. To develop unit tests for a library/application which interacts with a remote REST API;
  2. To debug such a library/application more intensively without depending on the remote service's availability;
  3. To make a quick and dirty prototype of a REST API for your service.
How it works
  1. Create a file (or several) called a "hook" -- a regular Python file with a pre-defined structure (a sample hook is available in the hooks/ dir; hooks must have the "hooks.py" filename extension);
  2. Implement the canHandleRequest() static method, which tells WebApy that the hook can handle this request;
  3. Implement the code(), headers() and data() methods to return the corresponding response values for the passed request;
  4. Run a WebApy server instance to serve your application/library with the imitated REST API.
Example
Last.Fm is the world's largest and best-known online music catalogue. It has a remote XML API for accessing its music information database. Before starting to work with the API, a client application should perform several authentication steps:
  1. Retrieve an Auth token;
  2. Retrieve an Auth session (providing the user's credentials and the obtained Auth token).
Let's see how to make a WebApy hook which imitates the first step -- providing a client with an Auth token.

According to the Last.Fm developer documentation, an Auth token is retrieved via the auth.getToken request. It has only one mandatory parameter -- "api_key" (a Last.Fm API key; it can be received upon request to Last.Fm).

Step 1
First we should check inside the hook whether it can handle the received API request. The hook can handle the request if the following conditions are met:
  • The request type is GET;
  • A "method" argument is passed;
  • The value of the "method" argument is "auth.gettoken".

Let's implement canHandleRequest():

    @staticmethod
    def canHandleRequest(request):
        if "GET" != request.method:
            return False

        return "auth.gettoken" == request.simpleQuery.get("method", [None])[0]

Step 2
Second and final step: implement the logic that returns a corresponding response to the REST API client. Suppose only a client with the Last.fm API key b25b959554ed76058ac220b7b2e0a026 is able to get an Auth token. For all others an error must be returned:

    def __makeResponse(self):
        apiKey = self.request.simpleQuery.get("api_key", [None])[0]

        if self.isValidApiKey(apiKey):
            self.__response = make_authenhicated_response(authToken = "cf45fe5a3e3cebe168480a086d7fe481")
        else:
            ### Error code "10" stands for invalid API key
            self.__response = make_failed_authenhicated_response(errorCode = 10)

The final code will look like:

    import string

    # XML envelope shared by successful and failed responses
    RESPONSE_TPL = string.Template("<?xml version=\"1.0\" encoding=\"utf-8\"?><lfm status=\"${code}\">${body}</lfm>")

    def make_authenhicated_response(authToken):
        return RESPONSE_TPL.substitute(code = "ok", body = "<token>%s</token>" % authToken)

    def make_failed_authenhicated_response(errorCode):
        return RESPONSE_TPL.substitute(code = errorCode, body = str())

    class RequestHook:
        @staticmethod
        def canHandleRequest(request):
            if "GET" != request.method:
                return False

            return "auth.gettoken" == request.simpleQuery.get("method", [None])[0]

        def __init__(self, request):
            # Assumption: WebApy passes the incoming request to the hook's
            # constructor; it must be stored before __makeResponse() reads it.
            self.request = request
            self.__response = None
            self.__makeResponse()

        def __makeResponse(self):
            apiKey = self.request.simpleQuery.get("api_key", [None])[0]

            if self.isValidApiKey(apiKey):
                self.__response = make_authenhicated_response(authToken = "cf45fe5a3e3cebe168480a086d7fe481")
            else:
                ### Error code "10" stands for invalid API key
                self.__response = make_failed_authenhicated_response(errorCode = 10)

        def code(self):
            # HTTP status code of the imitated response
            return 200

        def headers(self):
            # No extra HTTP headers
            return {}

        def data(self):
            # Response body built in __makeResponse()
            return self.__response

        @staticmethod
        def isValidApiKey(key):
            return "b25b959554ed76058ac220b7b2e0a026" == key

Seems pretty easy.

Test
Let's use the "curl" utility to test how "our" API works. A malformed request:

    $~ curl 'http://localhost:8080/?method=auth.gettoken'

And the correct one:

    $~ curl 'http://localhost:8080/?method=auth.gettoken&api_key=b25b959554ed76058ac220b7b2e0a026'
    cf45fe5a3e3cebe168480a086d7fe481

Distribution
The WebApy REST API webserver can be downloaded directly from the git repository: http://git.thekondor.net/webapy.git. The software is licensed under the terms of the GNU GPL v3 and higher.

General notes
The imitated REST API can return JSON as well as XML responses (actually anything; it depends on your needs). WebApy is not intended to serve a production environment; it is for debugging and testing purposes only, since it was developed as an accessory part of another project of mine. Hence it has some limitations and things to improve (especially, I want to replace canHandleRequest() with a declarative description). Documentation is coming soon.

Anyway please feel free to submit your bug reports if any.

Sunday, January 31, 2010

Serna accepted to Debian!

Thanks to the amazing work of Joachim Breitner, Serna is finally officially accepted into one of my favorite Linux distros -- Debian GNU/Linux! I hope it will be in Ubuntu soon as well.

Of course, some things may not work as expected or may not work at all :), but it is just a beginning. Please feel free to contribute your patches and bug reports directly to the serna-developers mailing list or to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=serna.

Wednesday, April 22, 2009

Serna OSSO Help plugin announce

This post can be considered a logical continuation of the previous one.

I am pleased to announce my implementation of a solution to make life easier for Maemo help/documentation authors. Since the Syntext Serna WYSIWYG XML editor is free (free as beer!) and it is really cross-platform (written using the Nokia/Trolltech Qt framework; currently it is available for Linux, MacOS X, Windows, and even Sun Solaris), I decided to use it as a platform to create such a solution.

What has been done:
  1. Schema files

    I've researched the sources of the OSSO Help framework to learn more about all available elements. The distribution help files placed in /usr/share/osso-help/en_GB were also researched to get more information about element order. The result: a DTD file was written from scratch, which allows element validation and completion.
  2. Stylesheets

    All visual appearance in Serna is made using XSLT stylesheets. So, special XSLT stylesheets have been written which allow OSSO help files to be represented "as is".
  3. Documentation

    As was mentioned in the previous post, there is no really good documentation about help authoring for Maemo, so some intros were written. Actually they are not as good as I want and imagine, but it is just a first step, isn't it?
The plugin's homepage is http://thekondor.net/osso-help-plugin where documentation, a tutorial and download links can be found. Of course, the plugin is free of charge; it is licensed under the terms of the GNU Lesser GPL v3.


Some screenshots

Here is how a help file looks when opened in Serna:



Here is the final representation as viewed in Maemo. Impressive, right?

I hope this beta will be useful, and there are ideas to improve it in the following ways:
  1. Schema files
  2. Visual representation (XSLT stylesheets)
  3. Usability (I want to use the power of Serna customization to make help authoring for Maemo easier)
  4. Publishing. Make it possible to generate PDF/HTML files directly from Serna.

Feedback about OSSO Help Plugin is welcome.

Stay tuned!