After the installation described on the first part of this article series let’s dive into the secure storage configuration of the InterLock software for USB Armory.

Initial Configuration

First of all we need to connect to the InterLock web interface.

The GUI is divided in two parts: the left side is the file explorer/operations on the right one you’ll get the log and action protocols to verify the InterLock operations and messages.

On the login screen you may have noted the special flag that states dispose of the password after use ; this feature allows you to use a sort of one time password to access your encrypted volume on untrusted devices (internet café). To configure it you need to add one or more passwords to your encrypted volumes and keep track of the available password lists or just add one to burn it when necessary. Just follow the password change procedure selecting add instead of change and fill the web form inserting the volume name, a valid volume password and the new (disposal) password. You should get the following message on the application log window:

Performing LUKS key action luksAddKey

likewise once you’ll select a password for removal after usage, you’ll get the following message to confirm the password (key) removal:

Performing LUKS key action luksRemoveKey

Beware: those action may require 10-20 seconds to process, so be patient.

Files Operations

Now let’s get a look of the file operations available from the GUI.

Key Operations

Token Operations

Security Check

Let’s just make some standard security check, to assess the Armory system security settings. For this task I’ll use nmap for the network scan. Below are the results:

$ sudo nmap -p U:9,53,111,123,139,2049,T:1-65535 -A 10.0.0.1
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:56 CEST
Nmap scan report for 10.0.0.1
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             Dropbear sshd 2016.73 (protocol 2.0)
4430/tcp open  ssl/rsqlserver?
| ssl-cert: Subject: commonName=10.0.0.1/organizationName=INTERLOCK
| Not valid before: 2015-10-13T10:00:01
|_Not valid after:  2020-10-13T10:00:01
1 service unrecognized despite returning data.
MAC Address: E6:4B:CB:xx:yy:zz (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 10.0.0.1
OS and Service detection performed.
Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 202.40 seconds

Conclusion

As you’ve seen, we can deploy secure storage on a stick with a high degree of trust in the used securing technology because all used modules are open-sourced and testable by the community. Still, the USB Armory can do more, it’s versatile and can be used for several security applications like:

• Hardware Security Module (HSM)
• OpenSSH client and agent for untrusted hosts (kiosk)
• Router for end-to-end VPN tunneling
• Password manager with integrated web server
• Electronic wallet
• Authentication token
• Portable penetration testing platform
• Low-level USB security testing

I’d like to give my kudos to Andrea Barisani of Inverse Path for his passion in creating such an amazing project. This article wants to be a small contribution to the right cause in making the cyberspace a more secure place … you’re invited!

About the Author

Links

• http://nmap.org
• https://github.com/inversepath/interlock
• https://inversepath.com
• https://www.linkedin.com/in/lcars