Tag Archives: encryption

Plasma Vault Makes It Easy to Create Encrypted Folders on the KDE Desktop

kde plasma vaultPlasma Vault makes it quick and easy to create an encrypted folder on the KDE Plasma desktop in which to store files and other data you wish to keep private.

This post, Plasma Vault Makes It Easy to Create Encrypted Folders on the KDE Desktop, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.

Read More

Secure Text Editor EncryptPad Sees New Release

EncryptPad, a free, open source text editor for sensitive information, was updated to version 0.3.2.5 recently, bringing numerous bug fixes along with some minor new features.


EncryptPad

EncryptPad is a text editor that can be used to save private information, such as passwords, credit card info and so on, and access the files by using a password, key files, or both. It can also be used to encrypt binary files as well, like images or videos, etc. The application is available for Linux, Windows and Mac.
For a bit more about EncryptPad, see our initial article: EncryptPad: Secure Text Editor That Protects Files With Passwords, Keys, Or Both

Changes in EncryptPad 0.3.2.5 include:

  • in the File Encryption dialog, a radio button was added to select between EPD and GPG. Previously the user had to edit the extension manually to output to the GPG format;
  • there are now more properties in the preferences to control default encryption parameters: key file random sequence length, key file encryption properties, default file encryption properties (cipher, s2k, iterations, compression), the number of encryption keys to save or load without prompting the passphrase again;
  • the default number of iterations has been changed to 1015808
  • bug fix: if a decrypted passphrase-only EPD file contained less than 4 characters, the content was ignored and EncryptPad produced an empty file;
  • bug fix: when opening a plain-text file and saving it as encrypted, the encryption parameters did not reset to the default values but used the parameters of the last encrypted file;
  • bug fix: the encryptpad file command line parameter did not support non ASCII characters;
  • bug fix: when multiple EncryptPad instances were opened and preferences updated, the last instance overwrote the preferences changed in other instances on closing;
  • more.

A complete changelog can be found HERE.

Install EncryptPad in Ubuntu or Linux Mint

To make it easier to install EncryptPad in Ubuntu or Linux Mint, I’ve uploaded it to the main WebUpd8 PPA. Since security is very important for an encryption app, you may want to verify the PPA source integrity. The EncryptPad GitHub page explains exactly how to do this (but note that it’s for an older EncryptPad version, hopefully it will be updated soon).
To add the PPA and install EncryptPad in Ubuntu 16.10, 16.04 or 14.04 / Linux Mint 18 or 17, use the following commands:
sudo add-apt-repository ppa:nilarimogard/webupd8
sudo apt update
sudo apt install encryptpad encryptcli
If you don’t want to add the PPA, you can download the binaries from HERE (you’ll need both encryptpad and encryptcli).
To download the source, AppImage, Windows or Mac binaries (as well as the source), see the EncryptPad GitHub page.

Read More

EncryptPad: Secure Text Editor That Protects Files With Passwords, Keys, Or Both

EncryptPad is a free and open source text editor for sensitive information, which protects files with passwords, key files, or both, available for Linux, Windows and Mac. The app can also be used to encrypt binary files, such as images, videos, and so on.

EncryptPad

EncryptPad uses symmetric encryption algorithm, and it uses the “most widely chosen quality file format OpenPGP RFC 4880“.

Features:

  • graphical user interface as well as command line interface to encrypt and decrypt files;
  • portable (on Mac and Linux it can also be built with dynamic linking to libraries);
  • password and key file protection, which can be used separately or combined for double protection;
  • random key file and password generator;
  • encryption of binary files (images, videos, archives etc.);
  • read only mode to prevent accidental file modification;
  • can use cURL to automatically download keys from a remote storage;
  • UTF8 text encoding;
  • Windows/Unix configurable line endings;
  • supports GPG and EPD (EncryptPad specific format) file formats;
  • cipher algorithms: CAST5, TripleDES, AES128, AES256;
  • hash algorithms: SHA-1, SHA256;
  • integrity protection: SHA-1;
  • compression: ZLIB, ZIP.

The application is useful for storing passwords, credit card information, and so on, either for personal use or for sharing a private file with someone.
Since files can be protected with both a key and a password in the same time, it means EncryptPad is a good solution for cases in which you need to store sensitive information on uprotected media, such as a laptop, a memory stick, or unencrypted cloud storage.
It’s important to mention that EncryptPad stores unencrypted text in memory. For this reason, the application developer recommends to close EncryptPad when not in use.
The EncryptPad website provides pretty much any information you may need about the app, including when you should and shouldn’t use the application, how to use the command line interface, how to check the EncryptPad integrity, and much more, so check it out HERE.
You may also want to read the EncryptPad tutorials.

Download EncryptPad

Download EncryptPad (binaries available for Mac and Windows, along with source code)

For how to build EncryptPad from source or install it in Arch Linux via AUR, see THIS page.

Install EcryptPad in Ubuntu or Linux Mint via PPA

Security is important for an encryption app, so I’ll explain how to check if the source in the PPA matches the one on GitHub. Also, if you don’t want to use a PPA to install EncryptPad, and you want to build it from source to create portable binaries, I’ll provide instructions for that as well.
If you want to make sure the PPA package source matches the one on GitHub, download the source from the WebUpd8 PPA, place it in your home directory, and use the following command:
sha256sum ~/encryptpad_0.3.2.2.orig.tar.gz
Next, download the EncryptPad source from GitHub (the src.tar.gz archive), place it in your home directory, and use the command below:
sha256sum ~/encryptpad0_3_2_2_src.tar.gz

The output of these commands should be identical.

The GitHub downloads can also be verified and the developer provides exact instructions HERE.
To add the PPA and install EncryptPad in Ubuntu 16.04, 15.10 or 14.04 / Linux Mint 18 or 17.x (and derivatives), use the following commands:
sudo add-apt-repository ppa:nilarimogard/webupd8
sudo apt update
sudo apt install encryptpad encryptcli

You can also download the debs without adding the PPA.

Build EncryptPad from source in Debian, Ubuntu or Linux Mint (portable)

To build EncryptPad (portable) from source in Debian, Ubuntu, Linux Mint and derivatives, follow the steps below.
1. Download the EncryptPad source (the src.tar.gz archive) and extract it in your home folder.
2. Install the packages required to build EncryptPad without dynamic linking to libraries (portable):
sudo apt install build-essential qt5-default python

3. Build EncryptPad

cd ~/encryptpad*
./configure.sh --all

Note that the first command above assumes you’ve extracted the EncryptPad source in your home folder and that there are no other folders names that start with “encryptpad”.

That’s it. You should find the EncryptPad binaries in the EncryptPad folder (“encryptpad0_3_2_2_src” for the latest version at the time I’m writing this article), under bin/release.

Read More

Encrypt DNS Traffic In Ubuntu With DNSCrypt [Ubuntu PPA]

This article was posted a while back but I’ve decided to repost it because there’s a new PPA that you can use to install dnscrypt-proxy in Ubuntu (14.10, 14.04 and 12.04) and also, some parts of the article needed to be updated.

DNSCrypt is a protocol for securing communications between a client and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks. To use it, you’ll need a tool called dnscrypt-proxy, which “can be used directly as your local resolver or as a DNS forwarder, authenticating requests using the DNSCrypt protocol and passing them to an upstream server“.

Thanks to Pascal Mons (work based on  Sergey “Shnatsel” Davidoff’s initial PPA, which doesn’t have packages for Ubuntu 14.04 or 14.10 right now), you can easily install it Ubuntu. His packages use 127.0.0.2 as the local IP address so it doesn’t interfere with Ubuntu’s default setup. Also, for extra security, the packages use a dedicated system user, with no privileges – DNSCrypt will chroot to this user’s home directory and drop root privileges for this user’s uid as soon as possible.
The default DNSCrypt-enabled resolver used by Pascal’s package is DNSCrypt.eu Resolver #1 @ The Hague, Holland, but this, along with other settings, can be changed by editing the /etc/default/dnscrypt-proxy configuration file (use “sudo service dnscrypt-proxy restart” after making changes to the configuration file). A list of public DNS resolvers supporting DNSCrypt can be found HERE (note that to get to the actual provider name, address and public key, you need to scroll to the right – annoying, I know).

According to Pascal, he didn’t use the US based OpenDNS resolver, because it keeps logs of the websites you visit and it hijacks the homepage on all browsers, redirecting any URL bar search to its own servers in some cases, which does not happen with the DNSCrypt.eu servers.

If you want to add DNSCrypt support to your own public or private resolver, check out DNSCrypt-Wrapper, a server-side dnscrypt proxy that works with any name resolver.

Install DNSCrypt (dnscrypt-proxy) in Ubuntu / Linux Mint via PPA

1. To add Pascal’s DNSCrypt PPA and install dnscrypt-proxy in Ubuntu, Linux Mint, elementary OS or other Ubuntu-based Linux distributions, use the following commands:
sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy
Note: the PPA description provides information on how to check the authenticity of the code used for building the packages.

2. After installing DNSCrypt, you need to set your network connection DNS server to 127.0.0.2. 

To do this in Unity, from the Network Manager indicator select Edit Connections, then select the connection and click Edit, switch to the IPv4 Settings tab and:

– if you’re using Manual (static IP) as the “Method”, enter “127.0.0.2” under “DNS servers” (and remember / note your original DNS server in case you want to go back to it), then click “Save”:

– if you’re using “Automatic (DHCP)” as the “Method”, switch it to “Automatic (DHCP) addresses only” and enter “127.0.0.2” under “DNS servers”, then click “Save”:

3. And finally, restart your network connection (under Unity: select Network indicator > Enable Networking twice to disable and then re-enable it) and web browser.
You may want to check if the “127.0.0.2” DNS is actually in use (it needs to be the only DNS) – to do this in Unity, from the Network indicator select Connection Information.
Because the dnscrypt-proxy packages from Pascal’s PPA don’t use OpenDNS, you can’t check to see if the DNS are used via the “dig txt debug.opendns.com” command or by visiting OpenDNS’ test pages. However, you can check this by visiting https://dnsleaktest.com/ and running a DNS check – if you didn’t change the default dnscrypt-proxy package resolver, it should display something like this:

Another way of checking if dnscrypt-proxy is working is by using the following command:

sudo tcpdump -i NETWORK-INTERFACE dst host 176.56.237.171

… and then visiting some website in your web browser.

(where NETWORK-INTERFACE is your active network interface like eth0, p5p1, etc. – you can find it using “ifconfig” -, and “176.56.237.171” is the default resolver used by Pascal’s packages – if you’ve used a different one, change it in the command above with yours!)

The command output should look like this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p5p1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:14:53.142488 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.142514 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291372 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291450 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464624 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464641 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.751950 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.815789 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512

Tip: DNSCrypt can be used with Unbound or dnsmasq (I didn’t test it though) – for this and other tips, see THIS ArchWiki entry.
For more information on DNSCrypt / dnscrypt-proxy, check out the following links:

seen @ desdelinux.net, thanks to Pascal Mons for the PPA!

Read More

EncFS 1.8 RC1 Available For Download

EncFS is a FUSE-based cryptographic filesystem which encrypts individual files. As some of you might know, an EncFS security audit that was conducted in February 2014, revealed some potential vulnerabilities:

EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

And that’s understandable since the last stable EncFS version was released back in December 2011. But that also means that the tool needs an update badly and a first step in this direction was made recently, with the release of EncFS 1.8 RC1.

The first EncFS 1.8 release candidate fixes two of the potential vulnerabilities mentioned in the security audit and brings a few other improvements:
  • improve automatic test converage: also test reverse mode (make test)
  • add per-file IVs based on the inode number to reverse mode to improve security
  • add automatic benchmark (make benchmark)
  • compare MAC in constant time
  • add –nocache option
  • lots of fixes to make building on OSX easier

Unfortunately, EncFS 1.8 RC1 doesn’t fix all the potential vulnerabilities, but more should come with future release candidates – see the EncFS GitHub issues page for more information.

More information on EncFS:

The tool is especially useful to encrypt private files before syncing them with various cloud storage services such as Dropbox (without encrypting the whole cloud storage folder):

GNOME EncFS Manager

Note: EncFS doesn’t come with a GUI, the tool in the screenshot above is called GNOME EncFS Manager.

Build EncFS 1.8 RC1 in Ubuntu or Linux Mint

As I said above, there are still some potential vulnerabilities so you may want to wait until all are fixed. But if you want to install the latest EncFS 1.8 RC1 anyway, here’s how to build it under Ubuntu or Linux Mint.

1. Enable source code repositories:

  • in Ubuntu: enable “Source code” in Software & Updates (Ubuntu Software tab), then run “sudo apt-get update”;
  • in Linux Mint: under Software Sources, check the box next to “Enable source code repositories” (Official Repositories tab), then run “sudo apt-get update”.

2. Download the latest EncFS and extract it.

3. In the extracted EncFS directory, run the following commands to build EncFS:
sudo apt-get build-dep encfs
autoreconf -if
./configure --prefix=/usr --with-boost-libdir=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)
make

4. Install EncFS 1.8 RC1

Now you can either install it directly or create a deb (using checkinstall) and install that, so it’s easier to remove / upgrade.
To create an EncFS 1.8 deb and install it, use the following commands (in the EncFS 1.8 folder):
sudo apt-get install checkinstall
sudo checkinstall
And follow the steps. Important: when prompted, change the package name from “encfs-1.8” to just “encfs” and the version from “rc1” to “1.8~rc1”.

Or, to install it directly, simply use (in the EncFS 1.8 folder):

sudo make install

Read More

Encrypt Everything: Encrypt data using GPG and save passwords

Data security is an important concern these days and encryption is a very powerful tool to secure the data. In my previous post I talked about how to encrypt a disk. Now we are going to talk about how to encrypt files using GNU Privacy Guard (GPG).

GPG uses public key cryptography. This means that instead of having one key to encrypt and decrypt, there are two keys. One of these keys can be publicly shared and hence is known as public key. The other key is to be kept secret and is known as private key. Anything encrypted with public key can only be decrypted with private key.
How to encrypt files?
Assuming a scenario that user “test” wants to send an encrypted file to me, the user just has to find my public key, encrypt the data and send it to me where I will be able to decrypt the file using my private key and obtain the data. Note that user “test” doesn’t need to have GPG keys generated in order to encrypt and send data to me.
Step1: Let us create a text file which we’ll encypt:
test$ echo "This is a secret message." > secret.txt
Step2: User “test” needs to find my keys. There are many public servers where one can share their public key in case someone else wants to encrypt the data. One such server is run by MIT at http://pgp.mit.edu.
test$ gpg --keyserver pgp.mit.edu --search-keys aditya@adityapatawari.com
Step3: Once the user obtains my public key, then encrypting data is really easy.
test$ gpg --output secret.txt.gpg --encrypt --recipient aditya@adityapatawari.com secret.txt
The command above will create an encrypted file named secret.txt.gpg which can be shared via email or any other means. Once I get the encrypted file, I can decrypt it using my private key
aditya$ gpg --output secret.txt --decrypt secret.txt.gpg
How to create GPG keys to receive data?
Now assume a scenario where “test” user wants to create a set of GPG keys in order to share the public key and receive encrypted data.
Step1: Generate a key pair. The command will present you some options (stick to defaults if you are not sure) and ask for some data like your name and email address etc.
test$ gpg --gen-key
Step2: Check the keys.

test$ gpg --list-secret-keys
/home/test/.gnupg/secring.gpg
-----------------------------
sec   2048R/E46749BB 2014-11-23
uid                  Aditya TestKeys (This is not a valid key)
ssb   2048R/C5E57FF2 2014-11-23


Step3: Upload the key to a public server using the id from the above.
test$ gpg --keyserver pgp.mit.edu --send-key E46749BB
Now others can search for the key, use it to encrypt the data and send it to the “test” user. 
To use GPG for saving password, have a look at pass utility. It uses GPG to encrypt passwords and other data and store it in a hierarchical format. 

Read More

Encrypt Everything: How to encrypt the disk to protect the data

Recently, at BrowserStack.com, some of our services got compromised. We use Amazon Web Services extensively. The person (or group) who attacked us mounted one of our backups and managed to steal some of the data. We could have prevented this simply by ensuring that we use encrypted disks which would have made this attack useless. Learning from our mistakes, we have recently started encrypting everything and I am going to show you how to do that. One point worth noting here is that Amazon AWS does provide encryption support for the EBS volumes but that is transparent and would not help in case of the account getting compromised. I am going to use dm-crypt which is supported by Linux kernel so the steps are quite generic and would work on any kind of disk, on any kind of environment, including Amazon AWS, Google Compute Engine, physical disks in your datacenter.

Our goal is to encrypt /home. To achieve this, we’ll attach a disk, encrypt it, move the entire /home data to this disk and create a symbolic link to /home.

Step1: We are going to use Linux Unified Key Setup. For that we need to install cryptsetup package.
# yum install cryptsetup

Step2: While using AWS, never attach the volume to be encrypted while launching the instance. If we do so, the instance will fail to boot up next time because it’ll ask for decryption password while booting up which is not possible to supply in AWS. Still if it is absolutely mandatory to do this then I suggest trying to remove entries from fstab and crypttab but it is much easier to just attach the disk after the launching of the instance is done. Assuming that the attached disk is available at /dev/xvdf, we’ll setup the encryption now.
# cryptsetup -y -v luksFormat /dev/xvdf
WARNING!
========
This will overwrite data on /dev/xvdf irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:

Command successful.


We can verify the encryption parameters as well. Default is AES 256 bit.
# cryptsetup luksDump /dev/xvdf

Step3: We’ll open the device and map it to /dev/mapper/home so that we can use it.
# cryptsetup luksOpen /dev/xvdf home
Enter passphrase for /dev/xvdf:

Step4: This step is optional. To further protect our data, we can zero out the entire disk before even creating the filesystem.
# dd if=/dev/zero of=/dev/mapper/home

Step5: Now we’ll create a filesytem
# mkfs.ext4 /dev/mapper/home

Step6: Let us mount and copy the data from /home
# mkdir /myhome
# mount /dev/mapper/home /myhome
# cp -a /home/* /myhome/
# rm -rf /home
# ln -s /myhome /home

Great! Our /home directory is encrypted. But wait a minute.. this approach has a short coming. We have deliberately designed it so that the disk won’t auto-mount during the boot because there is no way to give it a password in cloud environment during the boot. Since the disk won’t mount, we won’t be able to ssh into the machine because the authorized_keys file is kept inside the home directory of the user. To address this problem, either change the “AuthorizedKeysFile” in sshd_config or create a user with home directory in /var/lib or /opt and grant sudo for cryptsetup and mount commands. So after reboot, if we take the first approach, we would be able to ssh without any problem or we’ll ssh via other user, mount the encrypted drive and then use it normally.

$ ssh mountuser@
$ sudo /sbin/cryptsetup luksOpen /dev/xvdf home
$ sudo /bin/mount /dev/mapper/home /myhome/

Couple of points to remember:

  • Do not forget the LUKS password. It cannot be retrieved, if lost.
  • Try it a couple of times on staging machines before doing it on the machines that matter.

Read More