A modern security system for secret data in your cloud
For online active private secrets
Convenient and secure, for the IT serenity
Free, open-source and collaborative
Creates a protected directory in the user home. This protected directory is encrypted and is only in clear text in the server's RAM. The encryption is virtually transparent for performance and for the data content.
Additionally, Conserity sets up the access and configures the server for maximum security.
The encryption key is not located on the server, but is remotely and securely read from other small servers. With the Shamir sharing option, Conserity can automatically set up the remote instances that hold a share of the encryption secret.
You can easily protect any web application running in a virtual or a dedicated server.
Designed to be run on a fresh new machine, it sets up everything for security and protects a user path.
The server can be fully backed up or snapshotted, and the sensitive data are fully encrypted. The data are protected: they are only exposed inside the server, in RAM, and the access to the server is restricted and secured.
The entire project is collaborative, open and free. All the software and scripts are under GPLv3 license.
Get more info on :
https://conserity.org
Can be used to protect the following apps :
A Debian 10-11 or Ubuntu 18.04-20.04 system
with its IP on a domain
You must create an A record for your domain that points to the IP address of the server instance. If your server is behind a NAT, then you need to forward port 80 to your instance.
If you choose the Shamir secret split of the encryption key across several remote servers, you need to have and provide all the VPS providers' API keys.
Note : There's a "proxy" branch, which removes all parts related to disk encryption. It is useful to easily configure an HTTP server : it configures SSH access and the HTTP server, sets up TLS certificates and their renewal, and secures the access and the services. All that the master branch does, except the encrypted directory and its remote key.
OS : Linux based
VPS instance providers :
Web services protected :
Only internal web server for now.
wget https://codeload.github.com/bitlogik/Conserity/tar.gz/master
tar -xzf master
cd Conserity-master
chmod +x run-conserity.sh
chmod +x getpwd
chmod +x shamir/split_secret.py
chmod +x shamir/recover_secret.py
chmod +x vps-drivers/create-*.sh
or with git
apt-get install -y git
git clone https://github.com/BitLogiK/Conserity.git
cd Conserity
If you plan to use the Shamir split secret, you need to have the API keys of the VPS providers (such as DigitalOcean, Vultr, Linode, Scaleway,…).
Otherwise, you just need a single remote Apache web server (a different server from the one where you install Conserity).
Run Conserity in the main server :
./run-conserity.sh
Follow the instructions. You can choose :
Conserity performs the following :
At the end it is advised to reboot, at least to update the kernel version.
If you choose the option to use "one existing remote web server", set up that remote server's files as displayed at the end, before rebooting.
The remote instance names use a host ID computed as follows :
cat /etc/machine-id | sha256sum | cut -c1-8
After running Conserity, you now have an encrypted directory in /home/USER/protected_files. Every single directory and file inside this protected_files is fully protected by Conserity.
Also, the server is secured with infosec best practices (web server, SSH, firewall,…).
What does it protect ?
Conserity strengthens your server security and encrypts your data on the disk. It protects against :
What does it NOT protect ?
It does NOT protect against :
Why is my email address needed ?
Your email address is asked by certbot for the LetsEncrypt certificate ACME server. This is required to register an account, and useful in the event of server key loss or account compromise, also to receive notices about revocation of your certificates.
Why do I get a security alert when I connect again over SSH ? Is an intermediate system in the link spying on or analyzing the data ?
Absolutely not, you still connect directly to your server's SSHd, without anything in the middle. Conserity just generates new SSH host keys to make sure the ones in use are robust. Because the host keys change, your client may warn that the server has changed its host key.
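The right response to that warning is to compare the fingerprint your client shows with the fingerprint of the key actually installed on the server, read through a channel you trust (the provider's console, for instance). The following is an added example, not part of Conserity, that computes the SHA256 fingerprint of an OpenSSH public key file in the same format `ssh-keygen -l` prints, so the two values can be compared directly; the default key path and the helper that builds a constructed test key are assumptions of this example.

```python
"""Compute the OpenSSH SHA256 fingerprint of a host public key for out-of-band comparison.

Added example, not Conserity's own code.
"""
import base64
import hashlib
import struct
import sys

# Assumed default location of the Ed25519 host key on a Debian/Ubuntu system.
DEFAULT_PUBKEY = "/etc/ssh/ssh_host_ed25519_key.pub"


def parse_openssh_pubkey(line):
    """Parse one line of an OpenSSH public key file: '<type> <base64 blob> [comment]'.

    Returns (key_type, blob). The blob's first field is the key type again; a
    mismatch with the text prefix means the line was edited or corrupted.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != key_type:
        raise ValueError(f"type prefix {key_type!r} does not match embedded {embedded!r}")
    return key_type, blob


def sha256_fingerprint(line):
    """Fingerprint as ssh-keygen -l shows it: 'SHA256:' + unpadded base64 of sha256(blob)."""
    _, blob = parse_openssh_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def build_ed25519_pubkey_line(raw32, comment="constructed"):
    """Build a public key line from a raw 32-byte Ed25519 key (constructed test data only).

    Wire format: string "ssh-ed25519" followed by the 32 key bytes, each
    length-prefixed with a big-endian uint32.
    """
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    # Run on the server (via the console) to print the value to compare against
    # the fingerprint your SSH client shows in its host-key warning.
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PUBKEY
    with open(path, encoding="ascii") as f:
        for entry in f:
            if entry.strip():
                print(sha256_fingerprint(entry))
```

Only when the two fingerprints match should the stale entry for the host be removed from the client's known_hosts and the new key accepted; a mismatch is exactly the case the warning exists for.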
Because of the focus on high security, some configuration choices cause issues.
You can't fetch from another server using git or SSH with your local agent. Agent forwarding is blocked by the configuration. If you need to authenticate with your local agent to another SSH service through the server you just installed, change AllowAgentForwarding to "yes" in /etc/ssh/sshd_config. This is common when you fetch some software with git clone and authenticate with your agent right after a Conserity installation.
If your web application uses some JavaScript "eval", it is blocked by the NGINX proxy configuration. You can change or remove the Content-Security-Policy header in /etc/nginx/nginx.conf and restart nginx with "service nginx restart". We advise you to remove all evals instead and leave the config as it is.
On some cloud providers using LAN routing, such as Scaleway, the current configuration makes the network connection drop after the DHCP lease time (mostly 24h). You need to make the following modification in /etc/sysctl.conf and disable IPv6 in the provider's web console server configuration interface.
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 1
Then run "sysctl -p" to apply (or reboot).
If there is an issue during the Conserity run that you don't understand, look at the log file for further details : log/output.log
email : support@conserity.org
Join our mailing list by sending an email to
conserity-request@freelists.org
with ‘subscribe’ in the Subject field or
by visiting http://www.freelists.org/list/conserity
Interested in joining, testing, supporting or developing?
email : project@conserity.org