Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ko1nksm/easy-rsa-shell
Easy and secure shell for managing a PKI CA using EasyRSA
- Host: GitHub
- URL: https://github.com/ko1nksm/easy-rsa-shell
- Owner: ko1nksm
- License: mit
- Created: 2019-12-02T10:26:50.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-01-14T16:19:28.000Z (almost 5 years ago)
- Last Synced: 2024-10-12T02:11:26.404Z (2 months ago)
- Topics: easyrsa, easyrsa3
- Language: Shell
- Homepage:
- Size: 25.4 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# easy-rsa-shell
Easy and secure shell for managing a PKI CA using EasyRSA
**Project status:** Public Beta
## How it works
On first run, easy-rsa-shell builds a Docker image that contains EasyRSA3, zuluCrypt and other tools.
After the build you are logged in to the Docker container. The encrypted data file is
mounted at the home directory (/root), which is prepared for EasyRSA.
You can work freely under /root. All files under that directory are encrypted.

## Supported OS
* Windows (Available batch file and shell script for WSL)
* Linux
* macOS

Requirements: docker
## Login
```console
$ easy-rsa-shell DATAFILE
```

**Demo**
```console
$ ./easy-rsa-shell datafile
Building easy-rsa-shell docker image. Wait a minute...
Create encrypted volume
Enter passphrase:
Re enter passphrase:
Wait a few seconds...
SUCCESS: volume opened successfully
The encrypted volume was mounted at the '/var/data' directory
Make CA directory [/var/data/ca]
The CA directory was merged the '/root' directory using by unionfs

======================================================================
|| easy_rsa shell ||
======================================================================
The files under the '/root' directory are encrypted. The directories
'/root', '/var/data' and '/tmp' are writable. Others are read-only.

Commands:
help See this message.
cheat See cheat sheet.
exit Exit with commit changes.
abort Exit with discard changes.

root@ca:~# ls -al
total 29
drwx------ 1 root root 1024 Jan 11 05:48 .
drwxr-xr-x 1 root root 4096 Jan 11 08:08 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
lrwxrwxrwx 1 root root 27 Jan 11 04:40 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 root root 4652 Jan 11 04:40 openssl-easyrsa.cnf
-rw-r--r-- 1 root root 8576 Jan 11 04:40 vars
lrwxrwxrwx 1 root root 30 Jan 11 04:40 x509-types -> /usr/share/easy-rsa/x509-types
root@ca:~#
```

## How to securely transfer certificate and key files
### 1. SSH / SCP
You can use ssh and scp inside of easy-rsa-shell.
### 2. OpenSSL S/MIME
You can export an S/MIME encrypted file.
#### Create certificate
* The recipient creates the certificate.
* You can skip this step if you already have a certificate.

Create a self-signed certificate from id_rsa:
```console
$ openssl req -new -key id_rsa > id_rsa.csr
$ openssl x509 -days 3650 -req -signkey id_rsa < id_rsa.csr > id_rsa.crt
```

#### Export
```console
$ easy-rsa-shell.sh DATAFILE smime NAME < id_rsa.crt
$ easy-rsa-shell DATAFILE export NAME -f tgz -e openssl:smime > NAME.tgz.encrypted
```

#### Decode
```console
$ openssl smime -decrypt -in NAME.tgz.encrypted -inkey id_rsa -out NAME.tgz
```

### 3. OpenSSL Secret key encryption
#### Export
```console
$ easy-rsa-shell.sh DATAFILE password NAME
$ easy-rsa-shell DATAFILE export NAME -f tgz -e openssl:password -m -aes-256-cbc > NAME.tgz.encrypted
```

#### Decode
```console
$ openssl enc -d -aes-256-cbc -in NAME.tgz.encrypted -out NAME.tgz
```

### 4. Password protected ZIP
#### Export
```console
$ easy-rsa-shell.sh DATAFILE password NAME
$ easy-rsa-shell DATAFILE export NAME -f zip -e password -r > NAME.zip
```

## Customize easy-rsa-shell
Create `docker/root/.onbuild` if you want to customize easy-rsa-shell (e.g. to install other packages).
The `.onbuild` script is invoked while the Docker image is being built.

You can also place other files freely in the `docker/root/` directory.
## Environment variables
| name | description |
| ---------------------------------- | ---------------------------- |
| EASY_RSA_SHELL_PASSWORD | The password to login |
| EASY_RSA_SHELL_ALLOW_WEAK_PASSWORD | Set 1 to allow weak password |

## Rescue data without easy-rsa-shell
The data file is a VeraCrypt-encrypted volume that uses NTFS, so you can mount it
with [VeraCrypt](https://www.veracrypt.fr/).
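
For transfer method 2 (OpenSSL S/MIME) above, the following added example (not code from easy-rsa-shell) runs the whole round trip with plain `openssl`: the sender needs only the recipient's certificate, and only the matching private key recovers the archive. The encrypt command, the DER encoding, the `-subj` value, the function names and the sample payload are assumptions, since the page does not show what `export -e openssl:smime` emits.

```shell
# Added example. Keys, certificates and the payload are constructed in a temp dir.

make_recipient() {   # $1 = directory; creates a PEM key and a self-signed cert
  openssl genrsa -out "$1/id_rsa" 2048 2>/dev/null &&
  openssl req -new -key "$1/id_rsa" -subj "/CN=recipient" -out "$1/id_rsa.csr" &&
  openssl x509 -req -days 3650 -signkey "$1/id_rsa" \
    -in "$1/id_rsa.csr" -out "$1/id_rsa.crt" 2>/dev/null
}

encrypt_for() {      # $1 = recipient cert, $2 = plaintext file, $3 = output file
  # Assumed stand-in for the export step: AES-256-CBC content key wrapped to the cert.
  openssl smime -encrypt -aes-256-cbc -binary -outform DER -in "$2" -out "$3" "$1"
}

decrypt_with() {     # $1 = private key, $2 = encrypted file, $3 = output file
  openssl smime -decrypt -binary -inform DER -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

smime_roundtrip() {
  local d rc=0
  d=$(mktemp -d) || return 1
  mkdir "$d/rcpt" "$d/other" "$d/NAME"
  echo "constructed sample key material" > "$d/NAME/NAME.key"
  tar -czf "$d/NAME.tgz" -C "$d" NAME
  make_recipient "$d/rcpt" && make_recipient "$d/other" || rc=1
  # Sender side: only the recipient's certificate is used.
  encrypt_for "$d/rcpt/id_rsa.crt" "$d/NAME.tgz" "$d/NAME.tgz.encrypted" || rc=1
  # Recipient side: the matching private key recovers the archive byte for byte.
  decrypt_with "$d/rcpt/id_rsa" "$d/NAME.tgz.encrypted" "$d/out.tgz" || rc=1
  cmp -s "$d/NAME.tgz" "$d/out.tgz" || rc=1
  # A different key must not recover it. openssl may exit non-zero or write
  # garbage here, so compare the output instead of trusting the exit status.
  decrypt_with "$d/other/id_rsa" "$d/NAME.tgz.encrypted" "$d/bad.tgz" || true
  cmp -s "$d/NAME.tgz" "$d/bad.tgz" && rc=1
  rm -rf "$d"
  return "$rc"
}

smime_roundtrip && echo "round trip OK, wrong key did not recover the archive"
```

The `-inform` value on decrypt has to match the encoding the file was written in; the example uses DER on both sides.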