[encryption] Keep Your Data Safe
Abstract
- System’s built-in full disk encryption should be always the first choice, windows - BitLocker, macos - FileVault, linux - LUKS.
- VeraCrypt should be the first choice for drive encryption software, when no built-in full disk encryption is supported, or utilizing the system’s built-in drive encryption has several restrictions.
- 7-zip should be your first choice for file encryption software.
- Cryptomator is worth to use when the requirement is a transparent encryption about cloud storage, like GDrive/OneDrive etc.
- Encfs is a light way to satisify with the requirements about transparent encrypted data under a directory, it can use as a transparent encryption for cloud storage.
- ECryptfs should not be the first choice in all the encryption scenarios, it’s not user friendly.
- git-crypt is a transparent encryption tool that compitatible with git protocol, it use PGP to encrypte data.
- The most crucial thing is to keep your recovery key and password secure.
Encrypted Software
| Software | Platform | Mount | Type | Algorithm | Open Source | PBA |
|---|---|---|---|---|---|---|
| BitLocker | windows | Y | drive | aes | N | Y |
| FileVault | macos | Y | drive | aes | N | Y |
| LUKS | linux | Y | drive | aes(v1),argon2(v2) | Y | Y |
| VeraCrypt | all | Y | drive, volume | aes | Y | Y |
| Encfs | all | Y | filesystem | aes | Y | N |
| Cryptomator | all | Y | filesystem | aes | Y | N |
| 7-zip | all | N | directory,file | aes | Y | N |
| git-crypt | all | N | directory,file | aes-256-ctr | Y | N |
more details: archlinux - Data Encryption Comparison Table
BitLocker - Drive Encryption
1. Introduction
BitLocker uses AES-XTS (default) to encrypte drive. When BitLocker uses with TPM, it’s not possible to decrypte the encrypted disk in other computer with password, but you can use Recovery Key to solve this.
2. Usage
Follow the step show on the GUI to encrypte the disk. make sure the recovery key has been safely backup.
3. Reference
FileVault - Drive Encryption
1. Introduction
Mac computers offer FileVault, a built-in encryption capability, to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.
2. Usage
Follow the GUI.
3. Reference
LUKS - Drive Encryption
1. Introduction
LUKS can be use to encrypt full disk, inlcude boot partition, it supported resize whe used with LVM or RAID.
LUKS1 uses PBKDF2 (default), so the max avalible length of password is 64 bytes, base on rfc2898 ?
LUKS2 uses Argon2 (default).
LUKS done en- and decryption by hijacking the data path between filesystem and block device, which was done by dm-crypt.
Data Path:
- Without LUKS: data -> filesystem -> block device
- With LUKS: data -> filesystem -> device mapper (dm-crypt) -> block device
2. Usage
When install linux system, it’s easy to follow the GUI guard to configurate disk encryption.
archlinux - LUKS Encrypting_an_entire_system
3. Reference
- wiki - LUKS
- archlinux - LUKS Encrypting_an_entire_system
- archlinux - Resizing_LVM-on-LUKS
- archlinux - LUKS Encrypt_an_existing_unencrypted_file_system
- archlinux - Dm-crypt
VeraCrypt - Drive Encryption
1. Introduction
VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. Brought to you by IDRIX (https://www.idrix.fr) and based on TrueCrypt 7.1a.
2. Usage
Follow the step show on the GUI.
3. Reference
EncFS
1. Introduction
EncFS - mounts or creates an encrypted virtual filesystem, it uses the FUSE kernel driver and library as a backend.
EncFS hijacking the data path between virtual filesystem and filesystem, the en- and decryption was done between virtual filesystem and filesystem.
Both file’s content and name were encrypted.
Then encrypted data that store in system filesystem has the same directory structure with the decrypted data show in the EncFS provided virtual filesystem, but the file name was encrypted.
Data Path:
- Without EncFS: data -> filesystem -> block device
- With EncFS: data -> virtual filesystem -> filesystem -> block device
Example: read operation in EncFS
- use read file from EncFS mount point, with file’s name
- EncFS program encrypte the file’s name, and use the encrypted file path to lookup file in system filesystem
- if the file exist and everything ok (system checking), EncFS read data from that file which data was encrypted
- EncFS decrypte the data
- EncFS response user with the decrypted data
Notice:
- EncFS can be a way of transparent encryption of cloud storage, like GDrive/OneDrve etc.
- when the encryption mode is block mode, the encrypted file name will be large than original file name, which will trigger the max path length limitation of filesystem.
2. Usage
Install
apt-get install encfs
Configuration
# crate encrypted mount point
encfs ~/.encfs ~/encfs
# /etc/fstab
encfs#/path/.encfs /path/encfs fuse noauto,user,nonempty 0 0
# auto unmount filesystems after user logout
# if any user still login, auto unmout will be failed
# ${HOME}/.bash_logout
`mount | grep -q "/path/encfs"` && /usr/bin/fusermount -u /path/encfs
Manually:
# mount
mount /path/encfs
# unmount
fusermount -u /path/encfs
3. Reference
ECryptfs
1. Introduction
ECryptfs cryptographic filesystem (utilities). ECryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux.
It’s not as user friendly as EncFS
2. Usage
3. Reference
Cryptomator - cloud storage transparent encryption
1. Introduction
Cryptomator offers multi-platform transparent client-side encryption of your files in the cloud.
Works with Dropbox, Google Drive, OneDrive, MEGA, pCloud, ownCloud, Nextcloud and any other cloud storage service which synchronizes with a local directory.
The way to create virtual system:
- FUSE: linux and macos
- WebDAV: a standardized protocol, some system has built-in support, others need additional program to mount WebDAV Server as filesystem
- Dokany: windows only
2. Usage
Install and Follow the UI and cryptomator - docs to completed.
3. Reference
7-zip
1. Introduction
Credit: _mohemiv twitter post
when created encrypted zip file, the length of password should not longer than 64 bytes, or it will be decreased into 20 bytes.
The pseudorandom functions that zip used is PBKDF2 (HMAC-SHA-1)
An example pseudorandom function for PBKDF2 (Section 5.2) is HMAC- SHA-1.
In particular, when the key is longer than 512 bits, HMAC-SHA-1 will first hash it to 160 bits.
Both the long and short password can be used to decrypted the zip file that encrypted with the long password using AES.
root@localhost:~$ echo -ne "Nev1r-G0nna-G2ve-Y8u-Up-N5v1r-G1nna-Let-Y4u-D1wn-N8v4r-G5nna-D0sert-You" | shasum
706b4838613041714e62486364773847726d5370 -
root@localhost:~$ echo -ne "Nev1r-G0nna-G2ve-Y8u-Up-N5v1r-G1nna-Let-Y4u-D1wn-N8v4r-G5nna-D0sert-You" | shasum | cut -f1 -d' ' | xxd -r -p
pkH8a0AqNbHcdw8GrmSp
7z default using ZipCrypto encrypted zip file, use -mem=AES256 to use AES
Use ZipCrypto, if you want to get archive compatible with most of the ZIP archivers. AES-256 provides stronger encryption, but now AES-256 is supported only by 7-Zip, WinZip and some other ZIP archivers.
Compatibility: ZipCrypto > AES (now, most common zip tools support AES) Strength: AES > ZipCrypto
2. Usage
# create zip file with AES encryption algorithm
7z a file.zip /path/files -mem=AES256 -p
3. Reference
git-crypt
1. Introduction
git-crypt enables transparent encryption and decryption of files in a git repository. git-crypt relies on git filters, only the files that matched the rule will be encrypted. when the requirement is full repo encryption, git-remote-gcrypt is the best choice.
git-crypt hijacking the data path between local and remote repo, the en- and decryption was done after commited and checked out.
2. Usage
Install
### 1. pre-requirements
##### 1.1 install
apt-get install git-crypt
Configuration
##### 1.2 generate gpg key
gpg --full-generate-key
##### 1.2.1 backup/import gpg key
archive .gnupg directory
backup directory `${HOME}/.gnupg`
export/import gpg public/private key
$ gpg --export *your key-ID* > /path/backup/public.gpg
$ gpg --export-secret-keys *your key-ID* > /path/backup/private.gpg
$ gpg --import /path/backup/public.gpg
$ gpg --import /path/backup/private.gpg
### 2. configurate repo
##### 2.1 init repo
git-crypt init
##### 2.2 add pgp key (search pgp key from pgp-agent with uid)
git-crypt add-gpg-user --trusted user@example.com
##### 2.3 ".gitattributes" configurate the rules of encryption
encrypt/* filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
##### 2.4 git ops under this repo like the normal repo
git add/commit/push ...
##### 2.5 show encrypted files
git-crypt status -e
##### 2.6 decrypte repo
git-crypt unlock
Notice:
- encrypted data on remote repo is encrypted, which show as binary format
- encrypted data on local repo is decrypted, like normal repo
- pgp tool need to use /dev/pts/0, make sure the file’s owner match with the operation user. (change use after login will cause permission wrong).
Info:
.gitattributesand.gitignorehas same format.git/git-crypt/keys/defaultstore the gpg key
3. Reference
Conclusion
Design - Transparent Encryption
The key point of Transparent is hijacking some points in the path.
1. Introduction
All transparent encryption was done by hijacking the data syncing path between two endpoints.
The way to hijacking the data path:
- user-mode: create new virtual filesystem, and hijacking virtual filesystem and filesystem
- kernel-mode: device mapper (dm-crypt) or ebpf
- hijacking the syscall from application use LD_PRELOAD
If the hijacking change the UI, program need to create a new UI to make sure user has a way to access the decrypted data, like create a virtual filesystem using FUSE/WebDAV/Dokany.
