Andrea Barisani edited this page Mar 28, 2022 · 10 revisions

Welcome to the INTERLOCK wiki!

The INTERLOCK application is a file encryption front-end developed for, but not limited to, use with the USB armory.

The goal of the package is to expose a web-based file manager for an encrypted partition running on the device hosting the JSON application server (i.e. USB armory).

The file manager allows uploading/downloading of files to/from the encrypted partition, as well as additional symmetric/asymmetric cryptographic operations on the individual files.

Documentation

The official documentation is included in the README file of the project repository.

Contributed tutorials

  • Andrea Covello of scip AG published two excellent tutorials on setting up INTERLOCK on the USB armory: part 1, part 2

Releases

Tips & Tricks

Linux: Trusting INTERLOCK TLS certificates in your browser

  1. Obtain the certificate file in PEM format, either directly from your INTERLOCK installation, by exporting it from your browser (converting its format if necessary), or by using the openssl 's_client' helper.

  2. Import the certificate into your browser's certificate store and mark it as trusted (the example assumes an INTERLOCK installation reachable at address "10.0.0.1"):

certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "10.0.0.1" -i cert.pem
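The two steps above combined in one script, as an added example that is not part of the INTERLOCK project: it fetches the leaf certificate with openssl s_client, prints its SHA-256 fingerprint so it can be compared with the one known from the device before anything is trusted, and only then runs the certutil import from step 2. The host/port arguments, the NSS database path taken from step 2 and the constructed sample s_client output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the INTERLOCK project. Fetches the certificate an
# INTERLOCK instance serves, prints its SHA-256 fingerprint for comparison with
# the one known from the device, then imports it with the wiki's certutil line.
set -eu
# Keep only the first (leaf) certificate from `openssl s_client -showcerts`
# output, which may also carry chain certificates; stdin -> stdout.
extract_leaf_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Connect to $1:$2 and write the leaf certificate (PEM) to the file named in $3.
fetch_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | extract_leaf_cert >"$3"
    [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Import into the user's NSS database, trusted for TLS servers, as on the wiki.
trust_cert() {
    certutil -d "sql:$HOME/.pki/nssdb" -A -t "CP,,C" -n "$1" -i "$2"
}

# Constructed s_client-like output (not a real certificate) for offline checks.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERT-LINE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CHAIN-CERT-LINE
-----END CERTIFICATE-----
---'

# Usage: trust-interlock-cert.sh 10.0.0.1 [443]
main() {
    pem=$(mktemp)
    fetch_cert "$1" "${2:-443}" "$pem"
    cert_fingerprint "$pem"
    printf 'Matches the fingerprint shown by the device? [y/N] '
    read -r answer
    [ "$answer" = "y" ] && trust_cert "$1" "$pem"
    rm -f "$pem"
}
if [ $# -gt 0 ]; then main "$@"; fi
```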

Example systemd unit configuration

Running the setcap command before the service starts allows INTERLOCK configurations that bind the privileged port 443 while the process itself runs as the unprivileged interlock user.

[Unit]
Description=INTERLOCK file encryption front-end
Documentation=https://github.com/usbarmory/interlock/blob/master/README.md
Requires=network.target
After=network.target

[Service]
PermissionsStartOnly=true
ExecStartPre=/sbin/setcap 'cap_net_bind_service=+ep' /usr/local/sbin/interlock
ExecStart=/usr/local/sbin/interlock -c /etc/interlock/interlock.conf
User=interlock
Group=interlock
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

SCCv2 driver character device permissions

INTERLOCK (assuming execution by the interlock user) can be granted access to the /dev/scc2_aes character device, exposed by the Security Controller (SCCv2) mxc-scc2 driver, with the following udev rule:

KERNEL=="scc2_aes", SUBSYSTEM=="crypto", MODE="0600", OWNER="interlock"