The idea of adding encryption support natively to ext4 originated in Google for the Android platform. However, ext4 arguably being the most popular Linux filesystem today, the patch found its right place in the Linux kernel too. Continue reading ext4 encryption support
AES Crypt is a multi-platform open source encryption solution for those who are looking for a well-maintained TrueCrypt alternative. Of course, there’s VeraCrypt which is based on TrueCrypt but AES Crypt has a wider platform support and desktop integration (for Gnome & KDE). AES Crypt is a good alternative to utilities like ccrypt or mcrypt. Continue reading AES Crypt: cross platform file encryption
Would you want to upload files with confidential information unencrypted to cloud storage services? If you care about security and privacy you wouldn’t. What can you do about it? A good approach would to encrypt your files using a local tool like ccrypt and then upload it to the cloud. However, you may not have your laptop with you all the time. InstantCryptor is a webapp to solve this problem.
InstantCryptor works with Dropbox and Google Drive at the time of writing. It is free of cost and claims to have 0 knowledge of your data as all files are encrypted (or decrypted) on the local device. InstantCryptor works directly from the browser, you do not need to install anything on your device. Continue reading InstantCryptor: encrypt, upload files to cloud
ccrypt is an encryption utility similar to mcrypt which we explored in an earlier article. ccrypt can encrypt and decrypt single files and streams. It intends to be a replacement of the crypt utility which uses weak algorithm for encryption. Continue reading ccrypt: cmdline encryption utility
dislocker is a tool to decrypt Microsoft’s BitLocker encrypted volumes from Linux or OSX. dislocker uses a fuse based mechanism to decrypt the volume and mount it so that the user can access (read or write) the files within the volume. Continue reading dislocker: decrypt BitLocker encrypted volumes
XOR is an extremely commonplace operation in cyphers. The reason is the output of encryption can be decrypted using the same XOR function. In other words:
A ⊕ B = C
C ⊕ B = A
C ⊕ A = B
fxor is a simple tool that uses the same logic to encrypt and decrypt files using a key file from the user. Te tool does a byte by byte XOR and can take care of situations where the key is larger than input and vice versa. fxor can even handle binary files or size 50GB.
To install fxor on Ubuntu, run:
$ git clone https://github.com/abderraouf-adjal/fxor.git $ cd fxor $ make $ sudo make install
Syntax: $ fxor IN_FILE KEY_FILE $ fxor IN_FILE KEY_FILE OUT_FILE [OPTION] Options: -r: Overwrite (destroy contents) OUT_FILE if it exists -s: Start output from OUT_FILE beginning and replace bytes, Perfect to encrypt/decrypt IN_FILE and output to IN_FILE!
To generate a key file, use any of the following methods:
$ openssl rand -out <FILE NAME> <FILE SIZE IN BYTES> OR $ openssl rand -engine rdrand -out <FILE NAME> <FILE SIZE IN BYTES> OR $ dd if=/dev/random of=<FILE NAME> bs=1M count=50 OR $ dd if=/dev/urandom of=<FILE NAME> bs=1M count=50
You can also use scripts/opssl_rand in the project tree to generate a key file same in size as <IN FILE>:
$ opssl_rand <IN FILE> <RANDOM KEY FILE>
On GitHub: fxor
In an earlier article we explored how to encypt text files with vim. There are several ways to encrypt binaries on Linux too; using GnuPG, external tools like VeraCrypt etc. mcrypt is a similar utility that works as a frontend to libemcrypt.
To install mcrypt on Ubuntu, run:
$ sudo apt-get install mcrypt
- List the algorithms supported
$ mcrypt --list
We will use arcfour for our example.
- List hashing algorithms supported
$ mcrypt --list-hash
The hash is a digest added to an encrypted file, in order to detect corruption. We will use sha384.
- Compression options
-z : gzip -p : bzip2
- Compress a file
$ mcrypt -a arcfour -h sha384 -p webcheck.dat
-a : algorithm to use [optional]
-h : hashing algorithm to use [optional]
-p : use bzip2 compression [optional]
mcrypt will prompt you for the key (or password).
The file is saved as webcheck.dat.bz2.nc.
- Decrypt the above file
$ mcrypt -d webcheck.dat.bz2.nc OR $ mdecrypt webcheck.dat.bz2.nc
Extract the bz2 archive to get the original file
$ bunzip2 webcheck.dat.bz2
- Encrypt multiple files
$ mcrypt file1 file2
- mcrypt can handle files only. To encrypt a directory archive and compress it first
$ tar -jcvf mydir.tar.bz2 mydir/ $ mcrypt mydir.tar.bz2
- It is possible to pass a key in the cmdline using the
-kparameter or in mcrypt configuration file (~/.mcryptrc) but these are not advisable as the key is exposed.
What if you want to hide the contents of a file from the root user? Encryption is the answer. If it is a plaintext file, you do not need any additional software to encrypt it, vim has the ability to encrypt files using several algorithms. Currently vim supports 3 encryption methods:
zip: weak [default method for backward compatibility]
blowfish2: best [supported from v7.4.399]
To use an encryption method other than zip (which is the default) set it explicitly in vim command mode:
You can encrypt a file in 2 ways:
- Open the file in vim and before quitting press
:Xin command mode. Note that after setting the password (or key) you must apply it using
:wbefore you quit.
- Add password to the file using
$ vim +X myfile
Encryption is a one time operation. You can update the file as many times as you want without changing the password. To reset a password, use any of the two methods above and just press
Enter when prompted for new password. You can also empty the key from vim command mode:
vim will ask for the password every time you open the encrypted file. You will not be able to view the original contents of the file using any other external editor either. If you enter the wrong password while opening the file in vim, you will see gibberish content. In the latest versions of vim (mine is 7.4.52) saving the file in this state does not corrupt the original content. While editing, the text in the swap file, undo file, and backup files are also encrypted; however, the text in memory is not encrypted.
Tomb is a Linux encryption API wrapper script providing a simple cmdline interface for end users who want to encrypt their files. Tomb manages encrypted directories protected by encrypted key files in addition to a password. While Ubuntu provides a very easy interface for volume encryption, using the cmdline to create and manage encrypted directories is still not easy for the average user. Tomb is a Zsh script which does all the work by encapsulating intimidating commands and procedures. It also provides an optional system tray icon.
- Uses standard filesystem tools
- Supports cryptsetup and LUKS using cryptographic API of the Linux kernel
- Can generate machine parsable output for use inside graphical applications
- Create, open, close, delete tombs (encrypted directories)
- Forge keys protected by a password (GnuPG symmetric encryption) which can be stored in separate media
- Once open, the tombs are just like normal folders and can contain different files, plus they offer advanced functionalities like bind and execution hooks and fast search, or they can be slammed close even if busy
- Use multiple tombs simultaneously, directories and files inside them can be bound to files and directories inside home directory
- Both the secure key and a password are required to open a tomb
- Takes care of several details to improve user’s behaviour and the security of tombs in everyday usage
- Open source and free
Tomb requires the following packages (available in the default repositories of most major distributions):
- pinentry-curses (and/or -gtk-2, -x11, -qt)
Download the latest stable version of Tomb. Then execute the following commands:
$ tar -xvf Tomb-$version.tar.gz $ cd Tomb-$version $ sudo make install
To install a Gtk-tray skull icon for managing tombs change to directory
- make sure libnotify and gtk+-3.0 dev packages are available
makeinside the directory to build
sudo make install(default PREFIX is
tomb-gtk-tray tombnameafter the tomb is open
- Create a 100MB tomb, generate key and lock it
$ tomb dig -s 100 secret.tomb $ tomb forge secret.tomb.key $ tomb lock secret.tomb -k secret.tomb.key
- Open a tomb
$ tomb open secret.tomb -k secret.tomb.key
- Close a tomb
$ tomb close
- Close all open tombs immediately, killing all applications using them
$ tomb slam all
- Hide a key inside an image and extract it later
$ tomb bury -k secrets.tomb.key nosferatu.jpg $ tomb open -k nosferatu.jpg secrets.tomb
Full list of tomb commands and options:
Syntax: tomb [options] command [arguments] Commands: // Creation: dig create a new empty TOMB file of size -s in MB forge create a new KEY file and set its password lock installs a lock on a TOMB to use it with KEY // Operations on tombs: open open an existing TOMB index update the search indexes of tombs search looks for filenames matching text patterns list list of open TOMBs and information on them close close a specific TOMB (or 'all') slam slam a TOMB killing all programs using it resize resize a TOMB to a new size -s (can only grow) // Operations on keys: passwd change the password of a KEY (needs old pass) setkey change the KEY locking a TOMB (needs old key and pass) // Backup on paper: engrave makes a QR code of a KEY to be saved on paper // Steganography: bury hide a KEY inside a JPEG image (for use with -k) exhume extract a KEY from a JPEG image (prints to stout) Options: -s size of the tomb file when creating/resizing one (in MB) -k path to the key to be used ('-k -' to read from stdin) -n don't process the hooks found in tomb -o mount options used to open (default: rw,noatime,nodev) -f force operation (i.e. even if swap is active) --kdf generate passwords armored against dictionary attacks -h print this help -v print version, license and list of available ciphers -q run quietly without printing informations -D print debugging information at runtime
oneway is a simple asymmetric encryption implementation in C++ and a tool to encrypt or decrypt files without having a complex setup like GPG. oneway uses the openssl library and can be used from the cmdline. The tool is compatible with the .NET utility (for Windows) AsymmetricCrypt.
oneway is to be used for data encryption on systems where storing password or key in plaintext is not desirable. It uses one of the strongest encryption techniques, AES256, to encrypt files and the key is randomly generated. AES256 key is encrypted using 4096 bit RSA and stored with the file. The structure of the encrypted file is:
4 bytes: signature "ASCR" 16 bytes: AES IV 512 bytes: RSA 4096-encrypted AES key rest: encrypted file contents
oneway has to be compiled from source. However, the procedure is simple due to minimal dependencies. Get the git source and compile it:
$ git clone https://github.com/galets/oneway-cpp.git $ cd oneway-cpp $ make
- Generate private key:
$ oneway --genkey private.key $ oneway --genkey >private.key
- Extract public key component from private key:
$ oneway --publickey private.key public.key $ oneway --publickey <private.key >public.key
- Encrypt file using public key:
$ oneway --encrypt public.key plaintext.txt encrypted.ascr $ oneway --encrypt public.key plaintext.txt >encrypted.ascr $ oneway --encrypt public.key <plaintext.txt >encrypted.ascr
- Decrypt file using private key:
$ oneway --decrypt private.key encrypted.ascr plaintext.txt $ oneway --decrypt private.key encrypted.ascr >plaintext.txt $ oneway --decrypt private.key <encrypted.ascr >plaintext.txt