SElink is a software which allows to establish secure connections using the SEcube open-source security platform. There is no need to adopt specific SEcube-enabled software, as SElink can encrypt connections from any existing application transparently.
The software is made of two main components:
In order to establish a secure communication, a properly configured host running the client software must initiate a connection towards a properly configured host running the server software.
In most cases the user will only need to install and configure the client software.
Client requirements:
Server requirements:
* SElink can be used without a SEcube device, for testing purposes or custom configurations.
** Daemon mode not yet supported on Windows.
There are three components to be installed for the software to function properly:
The provided setup executable installs all the components at once. Refer to the installer source for manual installation instructions.
Since the driver is not signed, Windows needs to run in Test Mode to install the driver.
bcdedit /set TESTSIGNING ON
Finally, run selink-setup.exe
.
The SElink client software can be easily configured through the GUI application.
Access the device configuration window by left-clicking the tray icon and choosing Device
The current status of the service and the device is shown on the top.
Connect
buttonLogin
buttonPress the Disconnect
button
Access the filter rules configuration window by left-clicking the tray icon and choosing Filter rules
.
Filter rules are used to manage outgoing connections, to decide which will be encrypted and with which key. A filter rule is made of:
In order for a condition to match a connection, all the parameters must match. An empty parameter stands for any value.
Within the GUI you may define a list of filter rules, to select different actions for different connections. For example, you may assign a different encryption key to each application you are going to use.
Note that the order in which rules appear is important: the first matching rule is chosen, regardless of the following rules.
If a connection does not match any rule, it is allowed (not encrypted) by default.
Create a new rule by doing any of the following:
Insert after
or Insert before
The rules’ fields must comply with the following constraints:
first port
, last port
must be both natural numbers lesser than 65536, or both emptyfirst port
must be lesser than or equal to last port
Tip: you can override the default action by adding a rule with empty condition fields at the end of the list.
Drag and drop a row over the desired position.
Right-click on a row and select Delete
.
Install g++ and the boost development libraries for your system
e.g # pacman -S base-devel boost
on Arch Linux
cd
into the SElink source code directory and build the SElink gateway
$ make
Install
Default installation
# make install
/opt/selink/
/opt/selink/keys.json
/usr/lib/systemd/system/selinkgw.service
Custom installation
bin/selinkgw
and any needed configuration file to a directory of your choiceStart the daemon: # systemctl start selinkgw
Stop the daemon: # systemctl stop selinkgw
The configuration is made of a list of port mappings. Each entry contains:
You may configure the SElink gateway in two ways
bottle
, jsonschema
on your system# pacman -S python python-bottle python-jsonschema
on Arch Linuxcd
into the gwconfig
directory and run the Web UI as root (assumes a default installation)# python3 gwconfig.py --use-token
Press Add
and insert the rule
The mappings’ fields must comply with the following constraints:
Listen port
and Redirect port
must be natural numbers lesser than 65536Redirect host
must be a valid ipv4 or ipv6 addressPress the trash icon in the last column of the row to delete
Press the Apply
button. The configuration will be saved and applied immediately.
example/selinkgw.json
for an example.# systemctl reload selinkgw
The driver can be configured to only filter connections with destination ports within a port range, and allow anything else, regardless of whether the service is running.
The driver configuration is stored in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\selinkflt\Parameters
Name | Type | Description |
---|---|---|
PortFirst |
REG_DWORD |
First port of filtered port range |
PortLast |
REG_DWORD |
Last port of filtered port range |
ServicePort |
REG_DWORD |
Port on which the service is listening for redirected connections |
Any path starting with :
is relative to the executable’s path. For example, if the executable is in C:\SElink\selinksvc.exe
, then :selinksvc.json
points to C:\SElink\selinksvc.json
.
Any relative path is relative to the current working directory, which depends on how the process was created.
Command line options for the SElink service and SElink gateway may be specified either by passing them as parameters on the command line, or setting them in special configuration files.
For SElink service, create a file named selinksvc.ini
in the same directory as the executable.
For SElink gateway, create a file named selinkgw.ini
in the same directory as the executable.
Example ini file:
provider=soft
keys=:keys.json
Only long options are allowed in the configuration file
Option | Value | Description |
---|---|---|
--help , -h |
(None) | Show a help message |
--log , -l |
log file path | Set the location of the log file. Defaults to :selinksvc.log when running as service, or none when running in foreground. |
--config , -c |
configuration file path | Set the location of the filter rules configuration file. Defaults to :selinksvc.json . |
--provider , -p |
provider type | Set the provider type. Can be one of soft , secube . |
--keys , -k |
path to key collection file | Set the keys. Only required if the provider is of type soft . |
--port , -w |
port | Set the driver connection redirection port. See SElink driver parameters |
--foreground , -f |
(None) | Run in foreground instead of running as a service. |
Option | Value | Description |
---|---|---|
--help , -h |
(None) | Show a help message |
--log , -l |
log file path | Set the location of the log file. Defaults to /var/log/selinkgw.log when running as service, or none when running in foreground. |
--config , -c |
configuration file path | Set the location of the filter rules configuration file. Defaults to :selinkgw.json . |
--provider , -p |
provider type | Set the provider type. Can be one of soft , secube . |
--keys , -k |
path to key collection file | Set the keys. Only required if the provider is of type soft . |
--serial-number , -s |
path to key collection file | Set the keys. Only required if the provider is of type soft . |
--pin , -z |
path to pin file | The user pin to log into the SEcube device will be read from the specified file. Only required if the provider is of type secube . |
--foreground , -f |
(None) | Run in foreground instead of running as daemon. |
Option | Value | Description |
---|---|---|
--help , -h |
(None) | Show a help message |
--host |
host | Host on which the web UI server will listen |
--port |
port | Port on which the web UI server will listen |
--config , -c |
configuration file path | Path to gateway configuration file |
--pidfile |
pidfile path | Path to gateway pidfile |
--use-token |
(None) | Generate a random token to restrict access to the web UI |
--debug |
(None) | Enable debug mode |
Refer to the schema rules-schema.json.
Refer to the schema config-schema.json.
Refer to the schema keys-schema.json.
Refer to the Inno Setup installer script found in installer/selink.iss