arver 0.0.5

data/lib/arver/open_action.rb

@@ -0,0 +1,70 @@
+module Arver
+  class OpenAction < Action
+    def initialize( target_list )
+      super( target_list )
+      self.open_keystore
+    end
+
+    def verify?( partition )
+      if( Arver::LuksWrapper.open?(partition).execute )
+        Arver::Log.error( partition.name+" already open. skipping." )
+        return false
+      end
+      return false unless load_key( partition )
+      true
+    end
+
+    def execute_partition( partition )
+      Arver::Log.info( "opening: "+partition.path )
+      caller = Arver::LuksWrapper.open( partition )
+      unless( caller.execute( key ) )
+        if( Arver::LuksWrapper.was_wrong_key?( caller ) )
+          Arver::Log.error( "Your key for "+partition.name+" is no longer valid. Maybe it was revoked. skipping." )
+        else
+          Arver::Log.error( "Aborting: Something went wrong when opening "+partition.name+":\n"+caller.output )
+          throw( :abort_action )
+        end
+      end
+    end
+
+    def pre_host( host )
+      return if host.pre_open.nil?
+      Arver::Log.info( "Running script: " + host.pre_open + " on " + host.name )
+      c = Arver::SSHCommandWrapper.create( host.pre_open, [] , host, true )
+      unless c.execute
+        Arver::Log.error( "Aborting: pre_open on #{host.name} failed:\n"+c.output )
+        throw( :abort_action )
+      end
+    end
+
+    def pre_partition( partition )
+      return if partition.pre_open.nil?
+      Arver::Log.info( "Running script: " + partition.pre_open + " on " + partition.parent.name )
+      c = Arver::SSHCommandWrapper.create( partition.pre_open, [] , partition.parent, true )
+      unless c.execute
+        Arver::Log.error( "Aborting: pre_open on #{partition.name} failed:\n"+c.output )
+        throw( :abort_action )
+      end
+    end
+
+    def post_partition( partition )
+      return if partition.post_open.nil?
+      Arver::Log.info( "Running script: " + partition.post_open + " on " + partition.parent.name )
+      c = Arver::SSHCommandWrapper.create( partition.post_open, [] , partition.parent, true )
+      unless c.execute
+        Arver::Log.error( "Aborting: post_open on #{partition.name} failed:\n"+c.output )
+        throw( :abort_action )
+      end
+    end
+
+    def post_host( host )
+      return if host.post_open.nil?
+      Arver::Log.info( "Running script: " + host.post_open + " on " + host.name )
+      c = Arver::SSHCommandWrapper.create( host.post_open, [] , host, true )
+      unless c.execute
+        Arver::Log.error( "Aborting: post_open on #{host.name} failed:\n"+c.output )
+        throw( :abort_action )
+      end
+    end
+  end
+end

data/lib/arver/partition.rb

@@ -0,0 +1,53 @@
+class Arver::Partition
+
+  include Arver::PartitionHierarchyNode
+  include Arver::NodeWithScriptHooks
+
+  attr_accessor :device
+
+  def initialize(name, host)
+    self.name = name
+    self.device = ''
+    self.parent = host
+  end
+
+  def each_partition(&blk)
+    yield self
+  end
+
+  def ==(other_partition)
+    return name == other_partition.name && device == other_partition.device if other_partition.is_a?(Arver::Partition)
+    false
+  end
+
+  def to_yaml
+    yaml = ""
+    yaml += "'device': '#{device}'\n"
+    yaml += script_hooks_to_yaml
+    yaml.chop
+  end
+
+  def from_hash( hash )
+    script_hooks_from_hash( hash )
+    hash.each do | name, data |
+      self.device= data if name == "device"
+    end
+  end
+
+  def pre_execute( action )
+    return action.pre_run_execute_partition(self)
+  end
+
+  def run_action( action )
+    if( action.verify?( self ) )
+      action.pre_partition(self)
+      action.execute_partition(self)
+      action.post_partition(self)
+    end
+  end
+
+  def device_path
+    return self.device if self.device =~ /^\/dev\//
+    "/dev/#{self.device}"
+  end
+end

data/lib/arver/partition_hierarchy_node.rb

@@ -0,0 +1,112 @@
+require 'active_support/core_ext'
+
+module Arver
+  module PartitionHierarchyNode
+        
+    attr_writer :name
+    attr_reader :parent
+    
+    def initialize(a_name, parent_node)
+      @name = a_name
+      self.parent = parent_node
+    end
+    
+    def name
+      @name
+    end
+    
+    def path
+      parent.path<<"/"<<@name
+    end
+    
+    def parent=(parent_node)
+      @parent = parent_node
+      parent_node.add_child(self)
+    end
+    
+    def children
+      @children ||= {}
+    end
+    
+    def add_child(child)
+      children[child.name] = child
+    end
+    
+    def child(name)
+      children[name]
+    end
+    
+    def each_node(&blk)
+      yield self
+      children.each_value do | child |
+        child.each_node(&blk)
+      end
+    end
+    
+    def each_partition(&blk)
+      children.each_value do | child |
+        child.each_partition(&blk)
+      end
+    end
+    
+    def target?( list )
+      list.any? do |target|
+        self.has_child?( target ) || self.has_parent?( target )
+      end
+    end
+    
+    def has_child?( child )
+      return true if self.equal?( child )
+      children.each_value do | my_child |
+        return true if my_child.has_child?( child )
+      end
+      false
+    end
+    
+    def has_parent?( node )
+      return true if self.equal?( node )
+      return false if parent.nil?
+      return self.parent.has_parent?( node )
+    end
+  
+    def find( name )
+      found = []
+      self.each_node do | node |
+        found += [ node ] if ( node.name == name || node.path.ends_with?( name ) )
+      end
+      found
+    end
+    
+    def to_ascii
+      list = ""
+      children.each do | name, child |
+        list += "+- "+name+"\n"
+        list += ( child.to_ascii.indent_once ) +"\n" unless child.to_ascii.empty?
+      end
+      list.chop
+    end
+        
+    def == other_node
+      equals = true
+      children.each do | name, child |
+        equals &= child == other_node.child( name )
+      end
+      equals
+    end
+    
+    def to_yaml
+      yaml = ""
+      children.each do | name, child |
+        yaml += "'"+name+"':\n"
+        yaml += ( child.to_yaml.indent_once ) +"\n"
+      end
+      yaml.chop
+    end
+    
+    def run_action( action )
+      self.children.each_value do | child |
+        action.run_on( child )
+      end
+    end
+  end
+end

data/lib/arver/runtime_config.rb

@@ -0,0 +1,22 @@
+module Arver
+  class RuntimeConfig 
+    
+    #this Config Object holds the runtime config (i.e. commandline switches etc..)
+    
+    include Singleton
+
+    attr_accessor :test_mode, :dry_run, :force, :violence, :ask_password, :trust_all
+    
+    instance.test_mode= false
+    instance.dry_run= false
+    instance.force= false
+    instance.violence= false
+    instance.ask_password= false
+    instance.trust_all= false
+
+    def trust_all
+      # in test mode trust all keys since running arver in cucumber creates a fresh gpg-keyring
+      @trust_all || @test_mode
+    end
+  end
+end

data/lib/arver/ssh_command_wrapper.rb

@@ -0,0 +1,21 @@
+module Arver
+  class SSHCommandWrapper < CommandWrapper
+    
+    attr_accessor :host, :user, :port, :as_root
+    
+    def self.create( cmd, args, host, as_root = false )
+      c = SSHCommandWrapper.new
+      c.host= host
+      c.as_root= as_root
+      c.command= cmd
+      c.arguments_array= args
+      c
+    end
+    
+    def escaped_command
+      return Escape.shell_command( [ "ssh", "-p #{host.port}", "#{host.username}@#{host.address}", "sudo", super ] ) if( as_root && host.username != "root" )
+      Escape.shell_command( [ "ssh", "-p #{host.port}", "#{host.username}@#{host.address}", super ] ) 
+    end
+    
+  end
+end

data/lib/arver/string.rb

@@ -0,0 +1,8 @@
+class String
+  
+  # Returns an indented string, all lines of string will be indented with count of chars
+  def indent_once
+    ("  ") + gsub(/(\n+)/) { $1 + ("  ") }
+  end
+
+end

data/lib/arver/target_list.rb

@@ -0,0 +1,33 @@
+module Arver
+  class TargetList
+    def self.get_list( names )
+      
+      return [] if names.nil?
+
+      tree = Arver::Config.instance.tree
+      
+      return [ tree ] if names.eql? "ALL"
+
+      targets = []
+
+      names.split( "," ).each do |target_name|
+        target = tree.find( target_name )
+        if( target.size == 0 )
+          Arver::Log.error( "No such target "+target_name )
+          next
+        end
+        if( target.size > 1 )
+          Arver::Log.error( "Target not unique. Found:" )
+          target.each do |t|
+            Arver::Log.error( t.path )
+          end
+          next
+        end
+        targets += [ target[0] ]
+      end
+
+      targets
+    end
+  end
+end
+  

data/lib/arver/test_config_loader.rb

@@ -0,0 +1,21 @@
+module TestConfigLoader
+
+  def load_sample_tree
+    Arver::Config.instance.tree= Arver::Tree.new
+    @hg = Arver::Hostgroup.new "testG"
+    @hg2 = Arver::Hostgroup.new "testG2"
+    @h = Arver::Host.new "testH", @hg
+    @h2 = Arver::Host.new "testH2", @hg2
+    @h3 = Arver::Host.new "testH3", @hg2
+    @d = Arver::Partition.new "testP1", @h
+    @d2 = Arver::Partition.new "testP2", @h2
+    @d3 = Arver::Partition.new "testP3", @h3
+    @d4 = Arver::Partition.new "testP4", @h3
+  end
+  
+  def load_test_config
+    Arver::LocalConfig.instance.config_dir= "spec/data"
+    config = Arver::Config.instance
+    config.load
+  end
+end

data/lib/arver/test_partition.rb

@@ -0,0 +1,9 @@
+module Arver
+  class TestPartition < Partition
+  
+    def initialize(name)
+      super(name,Arver::Host.new('foo.host',Arver::Hostgroup.new('foo')))
+    end
+    
+  end
+end

data/lib/arver/tree.rb

@@ -0,0 +1,32 @@
+module Arver
+  class Tree
+
+    include PartitionHierarchyNode
+    
+    def initialize
+    end
+    
+    def name
+      ""
+    end
+    
+    def path
+      ""
+    end
+    
+    def add_host_group(host_group)
+      add_child(host_group)
+    end
+    
+    def from_hash hash
+      hash.each do | name, data |
+        hg = Arver::Hostgroup.new( name )
+        hg.from_hash( data )
+      end
+    end
+    
+    def clear
+      @children = {}
+    end
+  end
+end

data/lib/arver/version.rb

@@ -0,0 +1,3 @@
+module Arver
+  VERSION = '0.0.5'
+end

data/man/arver.5

@@ -0,0 +1,429 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ARVER" "5" "April 2012" "" ""
+.
+.SH "NAME"
+\fBarver\fR \- LUKS on the loose
+.
+.SH "SYNOPSIS"
+.
+.nf
+
+arver [\-u user] [\-c arverdata] [OPTIONS] \-t TARGET ACTION
+arver [\-u user] [\-c arverdata] [OPTIONS] ACTION
+.
+.fi
+.
+.SH "DESCRIPTION"
+arver is a tool that helps you to manage large amount of encrypted harddisks over mutliple servers and locations\. Furthermore, it helps you to mange access policies to encrypted harddisks of a bunch of people\.
+.
+.P
+By default \fBarver\fR requires a specific action and (for most actions) a target to work\.
+.
+.SH "OPTIONS"
+There are some generic command line options:
+.
+.TP
+\fB\-u USER\fR, \fB\-\-user USER\fR
+By default \fBarver\fR will read \fB~/\.arver\fR to get your username\. Using \fB\-u USER\fR you can override or specify it aswell\.
+.
+.TP
+\fB\-c PATH\fR, \fB\-\-config\-dir PATH\fR
+By default \fBarver\fR will assume your data storage in \fB~/\.arverdata\fR\. However, if you have multiple data storage or you want to put it to a different location you can use the \fB\-c PATH\fR option\.
+.
+.SH "ACTIONS"
+The following actions are supported:
+.
+.TP
+\fB\-\-create TARGET\fR
+Creates LUKS partitions for \fBarver\fR on all targeted disks\.
+.
+.TP
+\fB\-o\fR, \fB\-\-open TARGET\fR
+Opens all targeted disks\.
+.
+.TP
+\fB\-\-close TARGET\fR
+Closes all targeted disks\.
+.
+.TP
+\fB\-a\fR, \fB\-\-add\-user USER TARGET\fR
+Adds permissions for USER on all targeted disks\.
+.
+.TP
+\fB\-d\fR, \fB\-\-del\-user USER TARGET\fR
+Removes permissions for USER on all targeted disks\.
+.
+.TP
+\fB\-i\fR, \fB\-\-info TARGET\fR
+Display the LUKS configuration of all targeted disks\.
+.
+.TP
+\fB\-l\fR, \fB\-\-list\-targets\fR
+List all possible targets\.
+.
+.TP
+\fB\-k\fR, \fB\-\-keys TARGET\fR
+List available keys for the target\.
+.
+.TP
+\fB\-g\fR, \fB\-\-garbage\-collect\fR
+Cleans old entries from your \fBarver\fR keys\.
+.
+.SH "TARGETS"
+All Targets are defined in the \fBdisks\fR config file\. See the section \fBDisks\fR for more details\. A complete target looks like this:
+.
+.IP "" 4
+.
+.nf
+
+/location_name/host_name/disk_name
+.
+.fi
+.
+.IP "" 0
+.
+.P
+But the TARGET option accepts also partial names and lists\. E\.g
+.
+.IP "" 4
+.
+.nf
+
+\-t location1,location2/host2,host4,disk3
+.
+.fi
+.
+.IP "" 0
+.
+.P
+targets all disks at location1, all disks on host2 at location2, all disks on host4 and disk3\. If any of the provided target names are not unique \fBarver\fR will quit with an error message stating all matching targets\.
+.
+.P
+To run an action on all possible disks use \fBALL\fR as target\.
+.
+.SH "Working with arver"
+Working with arver is quite simple and straight forward\. Within the next paragraphs you\'ll find a detailed overview on the concept of arver, as well as how to set it up and what the different actions are doing exactly\.
+.
+.SH "Concept"
+To setup arver we only need to define in the corresponding configuration files our (admin\-)users and our disks\.
+.
+.P
+Arver\'s configuration files are contained in a single directory which contains all the necessary (non\-private) information to manage your disks\. This directory will be referred to as \fBarverdata\fR\. We recommend you to share that directory amongs your group of admins with a distributed version control system such as git\.
+.
+.P
+Eeach admin will be assigned one global LUKS slot\. Arver will use this information to grant or revoke privileges to other users\. See the \fBManaging users\fR section for a detailed descripton of how this is done\.
+.
+.P
+The \fBarverdata\fR directory contains the following files and directories:
+.
+.IP "" 4
+.
+.nf
+
+keys/            <\- contains the users `arver` keyrings
+users            <\- yaml file containing all users configuration (see `Users`)
+disks            <\- yaml file containing all disk configuration (see `Disks`)
+keys/public/     <\- contains gpg public keys of the admins (managed by arver)
+.
+.fi
+.
+.IP "" 0
+.
+.SS "Users"
+The \fBuser\fR config file contains all your admins in the following structure:
+.
+.IP "" 4
+.
+.nf
+
+foo1:
+  slot: 0
+  gpg: BEAFAFFEBEAFAFFEBEAFAFFEBEAFAFFEBEAFAFFE
+foo2:
+  slot 1
+  gpg: AFFEBEAFAFFEBEAFAFFEBEAFAFFEBEAFAFFEBEAF
+.
+.fi
+.
+.IP "" 0
+.
+.P
+\fBfoo1\fR is the identifier of one of your admins\. \fBslot\fR referes to the LUKS slot which is used for this admin\. This has to be a unique number between 0 and 7\. If you\'d like to migrate existing LUKS devices take care to avoid the currently used slot number (usually 0)\. \fBgpg\fR is the gpg\-fingerprint of the public key for \fBfoo1\fR\. We recommend to use a dedicated gpg key just for \fBarver\fR\.
+.
+.SS "Disks"
+The \fBdisks\fR file contains the following hash tree in yaml notation:
+.
+.IP "" 4
+.
+.nf
+
+ \'hostgroup1\':
+   \'host1\':
+     \'address\' : \'host1\.example\.com\'
+     \'pre_open\': \'pre_open_host_script\.sh\'
+     \'disk1\'   :
+       \'device\'   : \'storage/disk1\'
+       \'post_open\': \'post_open_disk_script\.sh\'
+     \'disk2\'   :
+       \'device\'   :  \'sdb1\'
+   \'host2\':
+     \'address\': \'host2\.example\.com\'
+     \'port\'   : \'2222\'
+     \'mails\'  :
+       \'device\'  : \'nonraid/mails\'
+       \'pre_open\': \'pre_open_disk_script\.sh\'
+ \'hostgroup2\':
+   \'host3\':
+     \'address\' : \'host3\.example\.com\'
+     \'username\': \'foo\'
+     \'secure\'  :
+       \'device\'  : \'storage/secure\'
+.
+.fi
+.
+.IP "" 0
+.
+.P
+As you can see this allows you to organize your disks and servers in a tree structure, which will enable you to manage your disks more efficiently within the later commands\.
+.
+.P
+\fBhostgroup1\fR and \fBhostgroup2\fR is just a logical container which can contain any amount of hosts\. You can name them as you like\. This is interesting if you have for example multiple hosts in one location and you need to quickly recover from a power outage from this location\.
+.
+.P
+Invoking
+.
+.IP "" 4
+.
+.nf
+
+arver \-\-list\-targets
+.
+.fi
+.
+.IP "" 0
+.
+.P
+will present you the tree of the various targets in your \fBdisks\fR configuration file\.
+.
+.P
+\fBhost1\fR, \fBhost2\fR and \fBhost3\fR are identifiers for different hosts\. These host\- objects can contain multiple disks and can have further information such as the \fBaddress\fR of the host or the ssh\-\fBport\fR number if the ssh daemon is not running on the standart port\.
+.
+.P
+You can also add script hooks to any host or disk\. Those will be run during the \fBopen\fR and \fBclose\fR actions at the appropriate time\. The possible options are: \fBpre_open\fR, \fBpre_close\fR, \fBpost_open\fR and \fBpost_close\fR\.
+.
+.P
+Any other entry within the hosts\-object are actual disks entries of that particular host\. These disks are represented by an identifier and at least a \fBdevice\fR entry pointing to the actual disk path\. So for example the disks on \fBhost1\fR are: \fB/dev/storage/disk1\fR identified by \fBdisk1\fR and \fB/dev/sdb1\fR idetified by \fBdisk2\fR\. The prefix \fB/dev/\fR is alays added to the disk path\.
+.
+.SH "Bootstrapping a new arverdata"
+How do you start and bootstrap a new \fBarverdata\fR, so you can use arver for your storage?
+.
+.P
+First you need to create the basic structure for your \fBarverdata\fR:
+.
+.IP "" 4
+.
+.nf
+
+$ mkdir ~/\.arverdata # the location is configurable\. We use the default one\.
+$ gpg \-\-gen\-key      # create a dedicated gpg key for arver
+$ vi users           # add your user and the key\-id of your new public gpg\-key
+$ vi disks           # add your hostgroups, hosts and disks
+$ echo "\'username\': \'<your_arver_username>\' > ~/\.arver  #set your default user
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Then we can create the encrypted harddisk:
+.
+.SH "Action Create"
+To initially create an arver managed LUKS device you first need to add the device to the disks config\. See above for various examples\. You can create the LUKS device by invoking the following command:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-create TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+What\'s happening behind the scene?
+.
+.P
+Arver creates a new LUKS device with a random password in your LUKS slot on the server\. The password is then encrypted with your public key (defined in \fBusers\fR) and stored in \fBarverdata/keys/USERNAME/xxxx\fR
+.
+.SH "Action Open"
+To open a LUKS device managed by arver you can invoke the \fB\-\-open\fR action on any target:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-open TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+arver retrieves the password by decrypting the keys in data/keys/YOURUSERNAME and uses this to open the LUKS device on the server\.
+.
+.P
+See the section \fBTARGET\fR on how to open multiple disks at once\.
+.
+.P
+You can define script hooks to be executed before and after the open command\. See \fBDisks\fR for details\. The hooks are run in the following order:
+.
+.IP "\(bu" 4
+pre_open of host
+.
+.IP "\(bu" 4
+pre_open of disk1
+.
+.IP "\(bu" 4
+open disk1
+.
+.IP "\(bu" 4
+post_open of disk1
+.
+.IP "\(bu" 4
+pre_open of disk2
+.
+.IP "\(bu" 4
+open disk2
+.
+.IP "\(bu" 4
+post_open of disk1
+.
+.IP "\(bu" 4
+post_open of host
+.
+.IP "" 0
+.
+.P
+Those scripts have to be present at the actual host\.
+.
+.P
+If you don\'t have a key for any of the disks that you wish to open it will be skipped (along with its script hooks)\.
+.
+.SH "Action Close"
+Closing luks devices is simply done by invoking
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-close TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+For this action you can define hooks as well\. See \fBDisks\fR and \fBAction Open\fR for details\.
+.
+.SH "Managing users"
+To add another user to one of the disks you need to have the public key of that user\. Just import his key into your gpg keyring\.
+.
+.P
+If you manage your \fB\.arverdata\fR in a version controll system, you\'ll likely have the key already in \fB\.arverdata/keys/public/USERNAME\fR where it will be imported automatically\.
+.
+.P
+Granting the user access to any disk is done by invoking the following command:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-add\-user USERNAME TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+For this command to work, you have to trust the gpg key of USERNAME\. See \fBman gpg\fR section \-\-edit\-key\. You should always verify that you have the correct key, e\.g\. by comparing the fingerprint over a trusted channel\. Alternately you can run \fBarver\fR with \fB\-\-trust\-all\fR option\.
+.
+.P
+\fBarver\fR will create a random password for the specific user and add it to the user\-slot on the targeted disks\. Furthermore, the password is encrypted with the public key of the specific user and stored in the data storage under \fBarverdata/keys/USERNAME/\fR\.
+.
+.P
+For the other user to receive those new privileges he has to copy the new keys to his own \fBarverdata\fR\. So if you use a version controll system you should now commit the new keys\.
+.
+.P
+If you are migrating from an existing LUKS infrastructure and want to add an initial user to the LUKS device, you will need to use the \fB\-\-ask\-password\fR option, to provide an existing password\.
+.
+.P
+To remove the permissions of a certain user you can simply run
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-del\-user USERNAME TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Which will remove the password stored in the LUKS slot of that device\. Remember that you can also invoke this command on a whole hostgroup or even on all your managed devices (using \fB\-t ALL\fR)\. This will help you to quickly and savely removing any access to encrypted devices of one user immediately amongst the whole infrastructure\.
+.
+.P
+By design it is not possible to know who has access to which disks by just looking at the \fBarverdata\fR\. All arver keys including the information on which disks they fit are encrypted with the users public key\. So without the corresponding private key it is not possible to see the privileges\.
+.
+.P
+You can however display the targets \fBinformation\fR to see which slots are used\. But to do this you need access to the server and the \fBusers\fR config\.
+.
+.SH "Information about targets"
+To gather various information about the different targets you can invoke
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-i TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Which will display you the current configuration of all devices, as well as different parameters of the LUKS device and slot usage\.
+.
+.SH "Garbage collection"
+As you might add and remove users to disks or reset access to disks the amount of generated key files with random passwords might grow and not all might be needed anymore\. Furthermore it is likely that due to various actions it might be obvious or at least reconstructable to which devices a certain user might have access\.
+.
+.P
+To address this problem \fBarver\fR provides a garbage collection process, which will rearrange all your own keyfiles\. (Only your own as you are not able to read the others key files\.)
+.
+.P
+You can do that by invoking the following command:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-g
+.
+.fi
+.
+.IP "" 0
+.
+.P
+If you use a version controll system to store your \fBarverdata\fR you should do this always before commiting the \fBarverdata\fR\.
+.
+.SH "SEE ALSO"
+\fBcryptsetup\fR(8)\. \fBgnupg\fR(7)\.
+.
+.P
+Arver project site: \fIhttps://git\.codecoop\.org/projects/arver/\fR
+.
+.P
+YAML website: \fIhttp://www\.yaml\.org/\fR