
Mounting encrypted TrueCrypt partitions via an Asterisk IP telephony server
Foreword
Part of my work is to mount TrueCrypt containers on a remote server every day.
The morning routine bothered me: turn on the laptop, connect to the server, enter the multi-digit password in TrueCrypt, disconnect from the server, turn off the laptop, pack up and go to work.
The thought of using Asterisk for this came up, and it had to be implemented.
Solution
The hardware configuration is as follows:
- Asterisk server - Ubuntu Server 10.04, Asterisk v1.6.
- terminal server - Windows Server 2003 R2, TrueCrypt v6.1a, two hard drives with TrueCrypt partitions.
The chain of reasoning was this:
- TrueCrypt can be controlled from the command line.
- Asterisk can run arbitrary scripts; they just have to be registered in extensions.conf.
- The Windows utility psexec.exe starts processes on a remote Windows computer from the command line.
- Asterisk runs on Ubuntu, so a psexec analogue for Linux is needed: winexe (ready-made packages for various distributions are available here).
Here are the scripts themselves.
extensions.conf:
...
exten => 777777,1,Playback(beep)
exten => 777777,n,Read(auth,,3,5)
exten => 777777,n,GotoIf($["${auth}" = "123"]?m:u)
exten => 777777,n(m),System(/etc/asterisk/scripts/mount.sh)
exten => 777777,n,Goto(end)
exten => 777777,n(u),GotoIf($["${auth}" = "321"]?ok:end)
exten => 777777,n(ok),System(/etc/asterisk/scripts/umount.sh)
exten => 777777,n(end),Playback(vm-goodbye)
exten => 777777,n,Hangup
...
Explanation: we call the internal number 777777 and enter the password 123 to run the mount.sh script (mount the partitions), or enter the password 321 to run the umount.sh script (unmount the partitions, the so-called "RED BUTTON"). Any other code goes straight to the goodbye prompt.
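The dialplan above compares a three-digit DTMF code with a literal string: there is no limit on attempts and no record of who called, so anyone who can reach extension 777777 can simply try all thousand codes. The script below is an added example for this page, not part of the original article and not something Asterisk ships. It hashes the code with a salt, locks a caller out after a few failures, logs every attempt to syslog, and on success runs the matching mount.sh or umount.sh itself, so the dialplan no longer needs the string compares. The script name pinguard.sh, the variables STATE_DIR, PIN_SALT, PIN_TABLE, MAX_FAILS, LOCK_SECS and SCRIPT_DIR, the six-digit codes and the dialplan hook lines in the header comment are all assumptions made for the example; the code still passes through the process arguments, so this narrows the brute-force window rather than removing every weakness.

```shell
#!/bin/sh
# pinguard.sh: DTMF code check with per-caller lockout, then dispatch to mount.sh or umount.sh.
# Added example for this page (not from the original article or from Asterisk); all names here
# (pinguard.sh, STATE_DIR, PIN_SALT, PIN_TABLE, MAX_FAILS, LOCK_SECS, SCRIPT_DIR) are assumptions.
#
# Assumed dialplan hook, replacing the string compares on the extension:
#   exten => 777777,n,Read(auth,,6)
#   exten => 777777,n,System(/etc/asterisk/scripts/pinguard.sh ${CALLERID(num)} ${auth})
#   exten => 777777,n,Playback(vm-goodbye)
# System() sets SYSTEMSTATUS to APPERROR on a non-zero exit if the dialplan wants to branch on it.

SCRIPT_DIR="${SCRIPT_DIR:-/etc/asterisk/scripts}"
STATE_DIR="${STATE_DIR:-/var/lib/asterisk/pinguard}"   # must be writable by the user Asterisk runs as
MAX_FAILS="${MAX_FAILS:-3}"       # failures before a caller is locked out
LOCK_SECS="${LOCK_SECS:-900}"     # lockout window in seconds
PIN_SALT="${PIN_SALT:-change-this-salt}"
# One "action sha256(salt:code)" entry per line (placeholder hashes here).
# Generate a real one with: printf '%s:%s' "$PIN_SALT" 482913 | sha256sum
PIN_TABLE="${PIN_TABLE:-mount 0000000000000000000000000000000000000000000000000000000000000000
umount 0000000000000000000000000000000000000000000000000000000000000000}"

log() { logger -t pinguard "$*" 2>/dev/null || :; }

pin_hash() { printf '%s:%s' "$PIN_SALT" "$1" | sha256sum | cut -d' ' -f1; }

# Caller ID reduced to digits so it is safe as a file name; anything else becomes "unknown".
caller_key() {
    k=$(printf '%s' "$1" | tr -cd '0-9')
    [ -n "$k" ] && printf '%s' "$k" || printf 'unknown'
}

fail_count() {
    f="$STATE_DIR/$(caller_key "$1").fails"; n=0
    [ -f "$f" ] && read -r n _ < "$f"
    echo "$n"
}

is_locked() {
    f="$STATE_DIR/$(caller_key "$1").fails"
    [ -f "$f" ] || return 1
    read -r n last < "$f"
    if [ "$n" -ge "$MAX_FAILS" ] && [ $(( $(date +%s) - last )) -lt "$LOCK_SECS" ]; then
        return 0
    fi
    return 1
}

record_failure() {
    f="$STATE_DIR/$(caller_key "$1").fails"; n=0; last=0
    [ -f "$f" ] && read -r n last < "$f"
    now=$(date +%s)
    [ $((now - last)) -ge "$LOCK_SECS" ] && n=0   # failures outside the window no longer count
    printf '%s %s\n' "$((n + 1))" "$now" > "$f"
}

# Prints the action whose hash matches the code, or nothing. awk always exits 0 here.
lookup_action() {
    h=$(pin_hash "$1")
    printf '%s\n' "$PIN_TABLE" | awk -v h="$h" '$2 == h { print $1; exit }'
}

# check_pin CALLER CODE: prints the action name and returns 0, or returns 1 on a bad code or a lockout.
check_pin() {
    caller=$1; code=$2
    mkdir -p "$STATE_DIR"
    if is_locked "$caller"; then
        log "locked out: caller=$caller"; return 1
    fi
    action=$(lookup_action "$code")
    if [ -z "$action" ]; then
        record_failure "$caller"
        log "rejected: caller=$caller fails=$(fail_count "$caller")"; return 1
    fi
    rm -f "$STATE_DIR/$(caller_key "$caller").fails"
    log "accepted: caller=$caller action=$action"
    printf '%s' "$action"
}

if [ $# -eq 2 ]; then
    action=$(check_pin "$1" "$2") || exit 1
    exec "$SCRIPT_DIR/$action.sh"     # action comes from PIN_TABLE, never from the caller's input
fi
```

A plain salted sha256 is not a password hash (no work factor); it is acceptable here only because the lockout, not the hash, is what limits guessing, and the table must still be readable only by the Asterisk user. The lockout is keyed on caller ID, which a caller controls on many trunks, so a shared lockout across all callers is the safer choice if the extension is reachable from outside.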
mount.sh:
#!/bin/sh
# Double quotes keep the backslashes intact and let the apostrophe in the (placeholder) volume password through:
# unquoted, sh strips the backslashes from DOMAIN\LOCALROOT, and single quotes are terminated by the apostrophe.
# Credentials on the command line are visible to every local user via ps; winexe can read them from a file with -A <file> instead.
/etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS "c:\Progra~1\TrueCrypt\TrueCrypt.exe /v \Device\Harddisk1\Partition1 /lE /a /p \"CJIo}i{HbIU'napoJIb\" /q /s"
/etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS "c:\Progra~1\TrueCrypt\TrueCrypt.exe /v \Device\Harddisk2\Partition1 /lF /a /p \"CJIo}i{HbIU'napoJIb\" /q /s"
- /etc/asterisk/scripts/winexe is the path to the winexe utility, located in the scripts folder.
- DOMAIN is the name of your domain.
- LOCALROOT is the local admin account on the terminal server.
- PASS is the password of that local admin.
- IPADDRESS is the IP address of the terminal server, followed by the path to TrueCrypt.exe on the terminal server and its parameters:
- \Device\Harddisk1\Partition1 is hard disk 1 (to find the path to the partition, start TrueCrypt and click Select Device).
- /lE is the drive letter (E:\).
- /p "CJIo}i{HbIU'napoJIb" is the password for the TrueCrypt partition (a placeholder here; note that the TrueCrypt password is also visible in the process list on the terminal server while the command runs).
- \Device\Harddisk2\Partition1 is hard disk 2; the rest is the same as for the first drive.
umount.sh:
#!/bin/sh
# Dismount E: and F: (/d), quietly (/q /s), wiping cached passwords (/w) and forcing even if files are open (/f).
/etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /d E /q /s /w /f'
/etc/asterisk/scripts/winexe -U "DOMAIN\LOCALROOT%PASS" //IPADDRESS 'c:\Progra~1\TrueCrypt\TrueCrypt.exe /d F /q /s /w /f'
# Ways to delete or overwrite the contents of the script files:
# 1. Using urandom
# dd if=/dev/urandom of=/etc/asterisk/scripts/mount.sh bs=512 count=1
# dd if=/dev/urandom of=/etc/asterisk/scripts/umount.sh bs=512 count=1
# 2. Using shred, which fills the file with random data from /dev/urandom (recommended).
# Both files are listed explicitly because {mount,umount}.sh brace expansion is not POSIX sh (dash on Ubuntu ignores it).
# exec replaces the shell with shred, so the shell never reads the random bytes that overwrite this script while it is running.
exec shred -f /etc/asterisk/scripts/mount.sh /etc/asterisk/scripts/umount.sh
# or complete deletion of the scripts (not recommended)
# rm -f /etc/asterisk/scripts/*mount.sh
This forces a silent dismount of the E:\ and F:\ partitions and overwrites the contents of the scripts with random data to hide the information in them. Keep in mind the caveat from the shred manual: on filesystems that journal data or write copies elsewhere, the overwrite may not reach the original blocks.
All scripts and winexe live in the scripts folder (/etc/asterisk/scripts/).
Summary
As a result of these manipulations, you can call your work phone at any time from anywhere, dial extension 777777 and mount or unmount the TrueCrypt partitions.
Asterisk plus scripts can significantly simplify life and extend what a system administrator can do, for example making a backup or restarting services on a call.
UPD. The criticism that erupted in the comments leads to the conclusion that under real conditions the security of this scheme is rather low; only the convenience remains)).