Configuration
Startup configuration
At the first start of the application you can login with this accounts:
| User | Password | Description |
|---|---|---|
root | root | Master account, with all rights ( right of manage on |
| the object application ). You must change his password ! | ||
| This account can be deleted after giving rights to somebody else. | ||
alice | alice | A normal user. usable for testing. |
bob | bob | A normal user. usable for testing. |
charlie | charlie | A normal user. usable for testing. |
All those users can be deleted.
Application configuration
All the application can be access by the Menu (left up button), then Administration, then Configuration.
This menu and the ability to modify the configuration is attach to the right of manage on the object application. The first configured user with this right is root.
General
| Field | Description | Comment |
|---|---|---|
Instance | Instance name | This field cannot be changed. It is just for information on the name of the instance. |
The application Name | Application's name | You can change here the application name in the main menu (top bar). |
A subtitle | Subtitle | Not used. |
Tel for contact | A phone number | In the signature of all emails, this is the contact phone number |
Email contact | An email | In the signature of all emails, this is the email for contact |
Logo | An image | You can upload an image (any format) for the logo. The image will be reduced and resize to fit the logo size. |
Favicon | An image | You can upload an icon (with the icon format .ico) to customize the favicon in web browsers |
Pooling interval | Delay | This is the cron pooling delay for emails and purge of DB, it can be a number followed by s (second) m(minutes) |
Notifications
This is the notification (chat between users and information from server) configuration.
| Field | Description | Comment |
|---|---|---|
Expiration | a delay | How much time you will keep any notifications. 0 mean no expiration. |
Server
This is the server configuration.
| Field | Description | Comment |
|---|---|---|
websockets | true or false | Say if you want websockets for speedup transfer. In some installations, websocket can be filtered |
Default IP restriction | IP Address CIDR Format | Select "accept" or "Deny". This system to filter connections by IP |
Rights
In this section, you can affect rights to specific groups, elements are clear enough to not go into the details for each one. Just understand that these rights are for the entire application.
Groups for validation
You can specify here a group which will validate any invitation.
Chat
| Field | Description | Comment |
|---|---|---|
enabled | enable the chat function | This is activated by default, but you can disabled the chat if you want to. |
Authentications
By default two authentication methods are configured : local and google.
But two others can by added which are : LDAP and AD.
Obviously, if you decide to work with LDAP, AD or Google authentications, users we'll be prompt at sign-up for a key passphrase. This passphrase is different from the authentication password, if a user loose his passphrase, he'll be able to connect to the application but will not be able to access any encrypted data.
For each of the following authentication type, you'll find these parameters :
| Field | Description | Comment |
|---|---|---|
Type | Type of authentication | Is one of the available methods |
enabled | enable or disable this authentication type | |
Groups by default | fallback group of all new users | All new users will be part of this group |
Local
Configuration fields for local authentication are :
| Field | Description | Comment |
|---|---|---|
| self signing users | ||
enable | enable / disable for self signing users | by default, it is set to true, you can disable it to forbid user to signing |
expiration | set the expiration delay for self signing users | 0 by default (no expiration) |
groups by default | Destination group for self signing users | No groups by default |
| invited users | ||
expiration | set the expiration delay for invited users | 0 by default (no expiration) |
groups by default | Destination group for invited users | No groups by default |
Google
So, the application can use external authentication (oauth2). The google authentication can be set up in this place
googleauthentication
first you must set up for your server a Identity provider. Go in google development interface :
https://console.developers.google.com/apis/
and fill a new identity with the following elements
- Create an
Id client Oauth - Select
Application web - fill the following fields :
| Field | Description |
|---|---|
Name | A name for this Oauth2 provider |
javascript origin | Your Server (example https://drive.lybero.net) |
callback redirect | the callback URL , your server/oauthcallback (example https://drive.lybero.net/oauthcallback) |
And Google provides you two fields clientId and a client Secret:
Then you can enter in the configuration :
| Field | Description | Comment |
|---|---|---|
The clientID provided by Google | clientId | provided by Google |
The client secret provided by Google | client Secret | provided by Google |
WARNING Do not change the Url for connection and Callback url parameters unless you really know what you're doing.
LDAP
| Field | Description | Comment |
|---|---|---|
| Url for connection - endpoint | Endpoint in application | Do not change this setting this parameter will be removed in a future update |
| Url for connection | typically ldap:// | Url for connection to your LDAP |
| bindDN | domain name | like dc=example,dc=com |
| bindCredentials | the credentials for the app to authenticate | |
| searchBase | the search base of your LDAP users | |
| searchFilter | the search filter | to limit access |
| searchAttributes | ||
| tlsOptions |
AD
| Field | Description | Comment |
|---|---|---|
| Url for connection | ||
| baseDN | ||
| username | ||
| password |
Mail
This is the email server configuration, for sending emails (SMTP).
connexionconfigure the way to contact the email server (SMTP protocol)
| Field | Description | Comment |
|---|---|---|
Host | hostname or IP address | The SMTP server accepting connection from the app. |
Port | port number | 25, 587 or 465 in general. |
Secure | if you are using TLS | if true the connection will use TLS when connecting to server. If false (then TLS is used if server supports the STARTTLS extension. In most cases set this value to true if you are connecting to port 465. For port 587 or 25 keep it false |
ignoreTLS | refuse server TLS | if this is true and secure is false then TLS is not used even if the server supports STARTTLS extension |
auth User | the username | In case of a authenticated SMTP communication, the userName |
auth Password | the password | In case of a authenticated SMTP communication, the user password |
tls rejectUnauthorized | reject unknown certificates | If not false the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. |
| Field | Description | Comment |
|---|---|---|
Subject prefix | Prefix in any subjects | You can add this string in the subject field (can be used for filtering by user) |
from | from email field | emil from |
replyTo | replyTo email field | replyTo email field |
Digest delay | delay | delay for digest email |
Error report configuration
You have the hability to send reports on application bug directly... where you want. Actually, only a Mattermost is available.
if you enable this feature, if a javascript bug occured, on a client or on the server, a report is pushed into a slack channel.
| Field | Description | Comment |
|---|---|---|
enable | Toggle to yes for enabling it | |
slack webhookURL | the URL provided by your slack configuration | it define the channel to post on your team slack configuration |
For sending your bugs directly to lybero.net, you can use this mattermost webhookURL :
https://mattermost.lybero.net/hooks/epp6ohionjgizpuqgog67xcrph
Theme
This part grant you the possibility to change some colors of Crypt n Drive, in order to keep it readable for everyone, we have a limited amount of possibilities, but this may change in a future update, to let you customize the app a little bit more.
In this section, get on one theme name and click the arrow to unfold properties.
| Field | Comment |
|---|---|
| Primary color | main accent of the app, in the top bar, the left menu |
| Secondary color | color for errors, suppression buttons |
| Other colors | |
| encrypted vaults | main accent in the "vaults" section (root of the app) |
| decrypted vaults | not used |
| invitations | color of the invitation badge |
| quorums | main accent in the quorum section |
| groups | main accent in the groups section |
| users | main accent in the users section |
Server Logs
All logs are managed by rsyslogd on the server. You can found it at
/var/log/<instance name>.log
Error reporting
Error reporting is usefull to find bugs on exotic configurations (browsers, architectures), wich cannot be tested in lab before publishing.
You can setup error reporting to lybero.net directly and permanently, or to your own server, or just during a debbuging session. as you want.
No sensitive datas are in the report (no password, passphrases, keys, files, etc...). only informations on the browser, the architecture, and the code file / line in trouble.
The error report contain the following information and nothing more (this is an example) :
<hostname>/<instanceName>
blob is undefined{
"navigator": {
"appCodeName": "Mozilla",
"appName": "Netscape",
"appVersion": "5.0 (X11)",
"cookieEnabled": true,
"language": "fr",
"oscpu": "Linux x86_64",
"product": "Gecko",
"userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
},
"builder": "wallrich",
"commit": "e1f0fc3",
"builderhost": "kryha",
"server": {
"server": "kryha",
"instance": "developement",
"builder": "wallrich",
"commit": "e1f0fc3",
"builderhost": "kryha",
"login": "ANONYMOUS",
"userId": "0"
}
}
Mongodb backup
All datas (encrypted and clear ones) are stored in the mongodb database. The database must be backuped by any possible way.
We provide on tools for backup and one tool fore recover, based on mongodump and mongorestore
backup
backup can be done localy or via ssh on a remote server. You must provide basicaly the uri of the mongodb for reading, and the destination path for backup (and the ssh server if you want send them to a remote server).
script/backup.sh --help
for help on the backup tool
Making a full backup
A full (total) backup is a complete backup.
# local
sudo script/backup.sh --uri mongodb://localhost:27017/test /mnt/backup
# remote
sudo script/backup.sh --uri mongodb://localhost:27017/test --ssh=borg@borg /home/borg/mongoBackup
Will do a full backup at the place given in parameter. It return a timestamp needed for the next backup, the incremental one.
this is the following message :
Done
Backup done at 1586289229000 (in miliseconds). Use it for next backup (-t 1586289229000).
Making a incremental backup
An incremental backup is a diff from a previous backup. You must provide the timestamp of the previous backup to do an incremental one :
# local
$ sudo script/backup.sh -t 1586289229000 --uri mongodb://localhost:27017/test /mnt/backup
# remote
$ sudo script/backup.sh --timestamp 1586289229000 --uri mongodb://localhost:27017/test --ssh=borg@borg /home/borg/mongoBackup
Will add an incremental backup at the place given in parameter. It return a timestamp needed for the next backup, the incremental one.
this is the following message :
Done
Backup done at 1586289229000 (in miliseconds). Use it for next backup (-t 1586289229000).
and so on...
restore mongodb
Restoring from backup can be done with the restore command.
list available backup
$ sudo ./scripts/restore.sh --list /tmp/backups
doing list
totale at 1586272921000
relative(1) at 1586273013000
relative(2) at 1586273328000
totale at 1586273656000
In this example, in the /tmp/backups directory, you have 2 full backup and 2 incrementals ones, each one related to the previous.
restoring
restore must be done in the same time order than backup : the full, the relative(1), relative(2), ...
$ sudo ./scripts/restore.sh -t=1586272921000 --ssh localhost --db=test /tmp/backups
will do the first recover.
the -db=test is the name of the database (even if it is in the uri)
then apply the relative(1) (-t 1586273013000 ), and so on...