## LEAP Encryption Access Project
### Platform Workshop
#### While you wait
If you want to use `Vagrant` during this session
please start right away with downloading the
`LEAP/jessie` vagrantbox:
:thumbsup:
### vagrant box add LEAP/jessie
---
## LEAP Encryption Access Project
### Provider Installation Workshop
Varac (LEAP, Pixelated)
```notes
```
---
## LEAP Encryption Access Project
### Provider Installation Workshop
### What to expect
- Short introduction to LEAP
- Install LEAP provider that offers encrypted email (for real or for locally using vagrant)
- Test encrypted email using Bitmask client with new provider (sorry, Linux only)
```note
- Rush through the first part, then show more details during deploy phase (~20 mins)
- Focus on encrypted mail, VPN: Requires a second IP
```
---
## Prerequisites
- Have a working (!) Vagrant setup
or a remote sever/VM installed with fresh Debian stable OS
- A public/private ssh keypair to login your host
```notes
- We cannot help you / debug your vagrant issues here
- Otherwise, please pair with your neighbour
- When you are stuck, pls tell us - if it can be fixed easily, great. If not, pls just continue to watch the demo,
we can help you out later.
- Who wants to use vagrant/a remote sever ?
```
---
## Overview
- "Provider in a box"
- Make encryption as easy to use as possible
- Strict client encryption
- Bitmask client: A client that works smoothly with any LEAP provider.
- LEAP Platform: A toolkit to make it easy for you to run a federated service provider.
- New protocols: So that users don't need to trust the provider.
---
## Current Services: VPN
- Route all your internet traffic through an encrypted channel.
- Prevent eavesdropping (thiefs in the public network, police, ...).
- Circunvent censorship, surveillancec and geoblocking
- Prevent leaks (DNS, IPv6, ...).
---
## Current Services: email
- Transparent end-to-end encryption using OpenPGP.
- Automatic key discovery and validation.
- Service provider has no access to user data.
- Strong protection for metadata, whenever possible.
- Cloud synchronized for high availability on multiple devices.
---
## Bitmask client
- currently available for Android (VPN) and Linux (VPN + Email)
- Windows and Mac OS coming soon
![Image-Absolute](https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/bitmask-icon.png)
## Bitmask client
![Image-Absolute](https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/bitmask.png)
---
## Bitmask Mail
![Image-Absolute](https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/bitmask_mail.png)
---
## LEAP Platform
- Configuration Management using puppet
- Installs and configures the servers
- leap_cli is the tool to deploy to the servers
---
## LEAP Platform Example: Setup single node email provider
```
sudo gem install leap_cli
leap new example --domain example.org
cd example
leap add-user --self
leap cert ca
leap cert csr
leap node add blackbox \
services:couchdb,webapp,soledad,mx ip_address:1.1.1.3
leap init node
leap deploy
```
---
## LEAP Platform: Install and configure the server(s)
- Email: Postfix, spamassassin, clamav
- Database: couchdb, stunnel
- Webserver: apache
- Encrypting remailer: leap-mx
- Synchronisation: soledad
- Account management, issue tracking: leap-webapp
- Firewall: shorewall
- Monitoring: nagios, check_mk
- ...
---
## Server-side techstack
- PLatform: Puppet
- leap_cli: ruby
- leap_web: Ruby on Rails
- leap_mx, soledad: Python 2/Twisted
---
## Client-side techstack
- Bitmask client: Python 2, Twisted, React JS
- Bitmask Mail (a.k.a. Pixelated Useragent): Python 2, Twisted, FlightJS
---
## Soledad
- Acronym for "Synchronization Of Locally Encrypted Data Among Devices"
- Searchable client-encrypted synchronized database
---
## Key management
- Automated keylookup and validation.
---
## LEAP Webapp
- API for user registration and authentication
- User Management
- Integrated Issue Tracker
- Payment processing
- Customisable
---
## LEAP Webapp Main Page
![Image-Absolute](https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/leap-webapp1.png)
---
## LEAP Webapp Account Management
![Image-Absolute](https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/leap-webapp2.png)
---
## LEAP Encryption Access Project
### Platform Workshop
---
## Bitmask Client
- Formerly Python/Twisted
- Currently rewritten with Python/Javascript
- Only for Ubuntu/Debian Linux (VPN+Email) or Android (VPN)
- Windows and MacOS coming soon (with your help even faster!)
---
## Where to deploy to
Vagrant | Remote Server
:-------------: | :-------------:
Locally on your laptop, for testing | Out there, for testing or real
Requires Vagrant >= 1.5 and Virtualbox or other hypervisor | Physical or paravirtualized Server (KVM, Xen, OpenStack, Amazon, but not VirtualBox or OpenVZ)
---
# Tutorials
These slides: https://leap.se/slides/33c3/
## Vagrant
- https://leap.se/en/docs/platform/tutorials/vagrant
## Single node email provider
- https://leap.se/en/docs/platform/tutorials/quick-start
- https://leap.se/en/docs/platform/tutorials/single-node-email
---
# Install prerequisites
- Install leap-cli on your workstation/laptop, NOT on the server !
## Debian & Ubuntu
```
$ sudo apt install git ruby ruby-dev rsync \
openssh-client openssl rake make bzip2
```
## Mac OS
```
$ brew install ruby-install
$ ruby-install ruby
```
```notes
- `workstation$` indicates this command should be run on your laptop
```
---
## Install the LEAP command-line utility
```
$ sudo gem install leap_cli
$ leap --version
leap 1.9, ruby 2.3.3
...
```
---
# Prepare provider config
Use `example.org` for testing, or pick your own domain.
```
$ mkdir -p ~/leap/example.org
$ cd ~/leap/example.org
```
---
# Checkout stable version of platform
Leap Platform Build Status: [![Build Status](https://0xacab.org/leap/platform/badges/master/build.svg)](https://0xacab.org/leap/platform/commits/master)
If the last build failed, we need to checkout the last stable version of the leap_platform:
```
git clone https://0xacab.org/leap/platform.git \
../leap_platform
git checkout -b 0.9.0 0.9.0
```
```notes
```
---
# Create provider config
```
$ leap new .
The primary domain of the provider: |example.org|
The name of the provider: |Example|
File path of the leap_platform directory: |/home/varac/leap_platform|
Default email address contacts: |root@example.org|
The platform directory "/home/varac/leap/leap_platform" does not exist.
Do you want me to create it by cloning from the
git repository https://leap.se/git/leap_platform.git? y
...
```
```notes
Just accept the default values
```
---
# Add your ssh key
```
$ leap add-user varac --self
```
---
# SSL certificates
Create SSL certificate authority, to self-sign host certificates:
```
$ leap cert ca
$ leap cert csr
```
---
# Option A: Add your local vagrant node
```
$ leap node add --local wildebeest services:webapp,couchdb,soledad,mx
$ leap list
$ leap local start wildebeest
$ leap local status
```
---
# Option B: Add an existing remote server
```
$ leap node add wildebeest ip_address:0.1.2.3 \
services:webapp,couchdb,soledad,mx
```
```notes
```
---
# Option C: Create a new server in the cloud
- Currently works only with AWS ec2
- `cloud.json` needed for AWS config and credentials
- https://leap.se/en/docs/platform/guide/virtual-machines for details
```
$ leap vm add wildebeest services:webapp,couchdb,soledad,mx
$ leap vm status
```
```notes
- Only reocmmended for testing
`leap vm key-register` is needed if you haven't done it already
cp ~/leap/git/bitmask/cloud.json .
grep -v aws_ cloud.json
leap vm status | ts
- Takes 4 mins to finish - questions ?
- Otherwise show next slide while bootstrapping VM,
and help out with vagrant
```
---
# Time to deploy !
```
$ leap list
$ leap node init wildebeest
$ leap deploy wildebeest
```
```notes
unbuffer leap node init wildebeest | ts
unbuffer leap deploy wildebeest | ts
- Takes ~10 min to finish on AWS
- We'll setup DNS meanwhile
```
---
# Setup DNS
We are using a fake domain here, so we need to override our DNS resolution.
- Open another terminal and:
```
cd ~/leap/example.org
leap compile hosts
```
You need to edit your `hosts` file with admin privileges and add the output of above command to it.
* Linux: `sudo editor /etc/hosts`
* MacOS: `sudo nano /etc/hosts`
see [Quick start tutorial/Setup DNS](https://leap.se/en/docs/platform/tutorials/quick-start#setup-dns) for details.
---
# Questions so far ?
```notes
- Time for Q&A, explain more about platform
- We'll wait until deploy finishes
```
---
# Test if things work correctly
```
$ leap test
```
---
# Use Bitmask
- Register a user at https://example.org (accept self-signed provider cert)
```notes
Show:
- Mail to myself
- Mail to/from other workshop participants
- Mail from outside (cat swaks -t varac@example.org -s IP)
...
```
---
## Pixelated
- Encrypted Webmail on top of LEAP
- No installation hassle
- Private key will be unlocked on server
- Looking for maintainers/contributors
---
# Try more
- LEAP: https://mail.bitmask.net
- Bitmask: https://bitmask.net
- Pixelated: https://try.pixelated-project.org/ (no outbound mail)
---
# Contribute
- Please consider to contribute - any help with QA or other is appreciated !
:heart:
- UX
- Python / Twisted
- JS / React
- MacOS
- Windows
- Puppet
https://leap.se/en/docs/get-involved
https://leap.se/en/docs/get-involved/project-ideas
---
# Thanks!
- LEAP Encryption Access Project: [https://leap.se](https://leap.se)
- Bitmask Application: [https://bitmask.net](https://bitmask.net)
- Github: [https://github.com/leapcode](https://github.com/leapcode)
- Twitter: [https://twitter.com/leapcode](https://twitter.com/leapcode)
- https://pixelated-project.org/
- IRC: #leap@freenode