I know next to nothing about cryptography programs. I studied the algorithms, but haven't ever used anything besides SSH that actually uses them!
Basically, I want to encrypt a few sensitive files (plain text) on my HD so that if somebody did gain access to my user or root account they wouldn't be able to read them without a password or something.
So basically, I want to run a utility that takes a password and encrypts the file, and another that takes a password and decrypts it.
On the other hand, what really is the point in this? I could just set up another user account, chmod these files to that user, and then they'd only be readable if I su'd to that user anyway... same thing. I'm just curious if there is a Unix utility to do anything like this.
Dusty
gpg -- gnu privacy guard
http://www.gnupg.org/
something else really cool that used to work, with the linux crypto patches of old, was creating an encrypted loopback device, and mounting a file through it.
the encryption was totally transparent, you just mounted, used it, and unmounted..rinse repeat..
being a loopback mount, you had to throw a filesystem onto it, but it was truly trivial to get working once you had the correct kernel modules compiled and patched...
I haven't done this in quite a while, so I don't know what the status of linux encrypted loopbacks is these days..
...so that if somebody did gain access to my user or root account they wouldn't be able to read them without a password or something....
On the other hand, what really is the point in this? I could just set up another user account, chmod these files to that user, and then they'd only be readable if I su'd to that user anyway... same thing.
no. you should know better. if, as you said earlier, someone were to get root on your box, then it wouldn't do much good simply being chmod'ed to someone else. If it was encrypted, then they would be up against the same wall..
i.e. how much $$ and time do they have to try to get at your data..
There is an issue with someone having root access to your box that makes encryption issues complicated. if they have root, and are logging all keystrokes, then they can get your password. full surveillance.
if they have root and are watching your home dir for changes, and you unencrypt the file to read it yourself, then they can just snag the unencrypted file, or just dump it from ram..
*shrug*
but if someone managed to get their hands on your hard drive, or rooted your box when you were not viewing the file, then they would have a much harder time getting the data when it was encrypted..
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
As far as I know cryptoloop is in the main kernel, so it should be easy to setup.
Though cryptoloop and dmcrypt are in a sort of battle, meaning that the cryptoloop devs and the dmcrypt devs are throwing mud at each other.
Dmcrypt seems to be meant for a whole device, and not a file, so when using it you'd need to mount it with loop, but then you can as well use cryptoloop...
no. you should know better. if, as you said earlier, someone were to get root on your box, then it wouldn't do much good simply being chmod'ed to someone else. If it was encrypted, then they would be up against the same wall..
True enough. I wasn't actually worried about root so much as my own user account, as I do get lazy and tend not to log out all the time. I lock my door, but it's an apartment, meaning the landlord has a key, and also that other people may have one as well. It's nothing really serious, but I will try gnupg, thanks.
Dusty
I wasn't actually worried about root so much as my own user account, as I do get lazy and tend not to log out all the time. I lock my door, but it's an apartment, meaning the landlord has a key, and also that other people may have one as well. It's nothing really serious, but I will try gnupg, thanks.
Use a screensaver to auto lock the screen after some time of no mouse movement or keypress.
GPG is additional security and I have a very pleasant experience with it. If you're using KDE, there's kgpg as a frontend. If not, you can use some other GUI; just search at the gpg homepage. The official GPG GUI is GPA. I already made a PKGBUILD:
pkgname=gpa
pkgver=0.7.0
pkgrel=1
pkgdesc="A graphical user interface for the GnuPG"
url="http://www.gnupg.org/(en)/related_software/gpa/"
depends=('gnupg' 'gpgme>=0.4' 'gtk2')
makedepends=('gpgme>=0.4')
source=(ftp://ftp.gnupg.org/gcrypt/alpha/$pkgname/$pkgname-$pkgver.tar.gz)
md5sums=(44cb60cba64a48837588ed27f8db08b2)
build() {
  cd $startdir/src/$pkgname-$pkgver
  ./configure --prefix=/usr
  make || return 1
  make prefix=$startdir/pkg/usr install
}
You can of course just as well forget the GUI and use the CLI.
for the password/keylogger issue, just get yourself a USB stick, and then use cryptoloop with mount -p 0, as in:
cat /mnt/usbstick/pwd | mount -p 0 ~/private
before that you have to actually create a file with dd and /dev/urandom, then create a loop device with the right cipher and create a filesystem on it - I think it has to be non-journaling, but I'm not sure about this. then add the whole thing to your fstab.
to create the pwd file use either random or grab anything from random.org. I think this way it should be fairly safe.
for details, have a look at this
you may also want to have a look at stegfs, which hides the files completely at the cost that they may get overwritten.
gpg on the command line was exactly what I was looking for, thanks.
I guess I should think about running xscreensaver to lock the screen, never thought of it.
Dusty
Locking the screen with a screensaver is not very safe if they have physical access to the machine, because they can reboot it with a boot floppy or CD and gain root access this way. However, the screen saver is good to keep away the curious passer-by (or non-technical persons).
Locking the screen with a screensaver is not very safe if they have physical access to the machine, because they can reboot it with a boot floppy or CD and gain root access this way. However, the screen saver is good to keep away the curious passer-by (or non-technical persons).
pfft, no way, I love trying to guess people's screensaver passwords....
anyway, on the topic: at work I've taken to locking windows when I step away - not with a screensaver, but with that box that says "this can only be unlocked by jojo or an admin" - is there anything comparable for linux?
logout?
how bout this:
*Software works with Windows 98/SE/ME/2000/XP
*Note: not designed for dual screen systems
it probably just activates the screensaver when you are out of range, and passes a password to it when you come back in range.
i think there is a way to specify to lock up the machine, if some device is missing (for example a USB device)
i think there is a way to specify to lock up the machine, if some device is missing (for example a USB device)
hal - ivman - some lines of code
The impossible missions are the only ones which succeed.
i think there is a way to specify to lock up the machine, if some device is missing
If you remove the CPU it certainly will lock up
To the original thread: I've been using cryptoloop for a long time but recently tried dmcrypt, as it's said to be newer and cryptoloop is marked as deprecated in the kernel config. I found that using dmcrypt is quite uncomfortable; mounting/umounting is quite "difficult". Mounting a cryptoloop device is just one line in the cli...
I second the gpg vote. Works like a charm for individual files, especially in conjunction with seahorse which provides Nautilus with a nice encrypt/decrypt context menu.
93,
-Sascha.rb
gpg --output info.txt.gpg --symmetric info.txt
rm info.txt
gpg --decrypt info.txt.gpg
PS: make a backup copy first
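An added example, not from the thread or from GnuPG: the same symmetric encrypt / delete / decrypt flow as a POSIX shell script that refuses to remove the plaintext until the ciphertext has been decrypted and byte-compared against it, which is the "make a backup copy first" advice done mechanically. It assumes GnuPG 2.1 or newer on PATH (for --pinentry-mode); the function names and the throwaway GNUPGHOME are my own choices.

```shell
#!/bin/sh
# Added example (not the forum poster's code). Symmetric gpg round trip that
# only deletes the plaintext after a successful decrypt-and-compare.
# Assumes: GnuPG 2.1+ on PATH. Uses a throwaway GNUPGHOME so the user's real
# ~/.gnupg keyring and agent are never touched.
set -eu

GNUPGHOME=$(mktemp -d)      # mktemp -d creates the directory mode 0700
export GNUPGHOME

# gpg_sym PASSPHRASE ARGS...: run gpg non-interactively, feeding the passphrase
# on stdin so it never appears in the process list or the shell history.
gpg_sym() {
    pass=$1; shift
    printf '%s' "$pass" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 "$@"
}

# encrypt_and_verify FILE PASSPHRASE: writes FILE.gpg, decrypts it to a scratch
# file, compares the two, and removes FILE only when they match. On any failure
# the plaintext is left in place and the ciphertext is discarded. Returns 0 on
# success, 1 otherwise.
encrypt_and_verify() {
    src=$1; pass=$2
    [ -f "$src" ] || return 1
    gpg_sym "$pass" --symmetric --output "$src.gpg" "$src"
    scratch=$(mktemp)
    if gpg_sym "$pass" --decrypt --output "$scratch" "$src.gpg" \
       && cmp -s "$src" "$scratch"; then
        rm -f "$scratch" "$src"
        return 0
    fi
    rm -f "$scratch" "$src.gpg"   # keep the plaintext, drop the bad ciphertext
    return 1
}

# decrypt_file FILE.gpg PASSPHRASE OUT: the --decrypt step from the post, but
# written to a named file instead of the terminal.
decrypt_file() {
    gpg_sym "$2" --decrypt --output "$3" "$1"
}
```

`rm` only unlinks the plaintext; its blocks can remain on disk until reused, which matters for the physical-access case discussed earlier in the thread.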