Encrypting Files
7-Zip
7-Zip is an open source tool for creating archives, compressing them, and encrypting them (much like zip). It has several algorithms for data compression:
- LZMA – Default; an improved and optimized version of the LZ77 algorithm.
- LZMA2 – An improved version of LZMA.
- PPMD – Dmitry Shkarin’s PPMdH with small changes.
- BCJ – A converter for 32-bit x86 executables.
- BCJ2 – A converter for 32-bit x86 executables.
- Bzip2 – The standard BWT algorithm.
- Deflate – The standard LZ77-based algorithm.
7-Zip also supports AES-256 for encryption and can encrypt file names and directory names.
Using 7-Zip is pretty easy and is very similar to using zip. Here, I encrypt the simple text file hpc_001.html:
[laytonjb@home4 TEMP]$ ls -s
total 7288
196 hpc_001.html 7092 MFS2007.pdf
[laytonjb@home4 TEMP]$ 7z a -p hpc_001.html.7z hpc_001.html
7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Scanning
Creating archive hpc_001.html.7z
Enter password (will not be echoed) :
Verify password (will not be echoed) :
Compressing hpc_001.html
Everything is Ok
[laytonjb@home4 TEMP]$ ls -s
total 7308
196 hpc_001.html 20 hpc_001.html.7z 7092 MFS2007.pdf
The options I used are: a, create archive, and -p, set password. By just specifying -p, 7-Zip (p7zip, the command-line version of 7-Zip) will prompt for the passphrase so that it won’t be copied into the shell history. However, you can input the passphrase on the command line.
A key point to note is that p7zip leaves the original file in place and creates a copy with a .7z extension. This might seem subtle, but it can be important. I like leaving the original file alone because if the encryption process goes sideways, I still have it available. I also like to decrypt the file and do a diff between the original file and the decrypted file. It might seem pointless to do this, but I like to make sure that the encryption and decryption processes worked correctly, AND I remember my passphrase.
To decrypt the file, you just use the e (extract) command:
[laytonjb@home4 TEMP]$ 7z e hpc_001.html.7z
7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: hpc_001.html.7z
Enter password (will not be echoed) :
Extracting hpc_001.html
Everything is Ok
Size: 198510
Compressed: 18945
As you can tell, p7zip gives you some detail about the decryption of the file. Also don’t forget that as part of the extraction, p7zip also uncompresses the file.
OpenSSL
SSL and its successor TLS were protocols developed to provide communication security over a network using cryptography. You are probably most familiar with the protocol in web browsers for websites beginning with https. You can take advantage of the encryption in SSL or TLS to encrypt your data.
The most common implementation of SSL is OpenSSL, an open-source community project that provides a full-featured toolkit implementing SSL and TLS, as well as general-purpose cryptography. It was the subject of the infamous Heartbleed vulnerability, which primarily affected the communication encryption aspect of OpenSSL. The cryptography library aspect of OpenSSL is still extremely useful.
OpenSSL has a number of ciphers, cryptographic hash functions, and public key encryption algorithms.
- Ciphers
  - AES
  - Blowfish
  - Camellia
  - SEED
  - CAST-128
  - DES
  - IDEA
  - RC2
  - RC4
  - RC5
  - Triple DES
  - GOST 28147-89
- Cryptographic hash functions
  - MD5
  - MD4
  - MD2
  - SHA-1
  - SHA-2
  - RIPEMD-160
  - MDC-2
  - GOST R 34.11-94
- Public-key cryptography
  - RSA
  - DSA
  - Diffie–Hellman key exchange
  - Elliptic curve
  - GOST R 34.10-2001
OpenSSL really focuses on encryption and decryption and not compression. Consequently, you shouldn’t expect the encrypted file to be smaller than the original file.
Using OpenSSL requires a few more arguments than the typical encryption tool:
[laytonjb@home4 TEMP]$ ls -s
total 7288
196 hpc_001.html 7092 MFS2007.pdf
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html -out hpc_001.html.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7484
196 hpc_001.html 196 hpc_001.html.enc 7092 MFS2007.pdf
The first option I use is aes-256-cbc, which tells OpenSSL to use the AES cipher with a 256-bit key in CBC mode. The -in option specifies the input file, and -out specifies the output (encrypted) file.
The option -salt is added to the command line because it can be very important for improving security. Classically, a salt is a random bit of data that is used as an additional input to a one-way function that hashes the passphrase. It protects against dictionary attacks and against precomputed rainbow table attacks. The reason is that without the salt, the same password always generates the same encryption key. When the salt is used with OpenSSL, the first 8 bytes of the encrypted data are reserved for the salt (i.e., the random bit of data). When the file is decrypted, the salt is read from the encrypted file and used for decryption.
Notice that OpenSSL does not echo the passphrase, so it can’t be captured in the shell history. Also, notice that OpenSSL doesn’t have a standard file extension. I chose .enc to show that the file is encrypted.
As I mentioned earlier, OpenSSL is just an encryption tool. It doesn’t do file compression. Consequently, the file size of the encrypted text file in the previous example is roughly the same as the original text file. OpenSSL can operate on a compressed file as well, but in a step that is done separately:
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -salt -in hpc_001.html.gz \
-out hpc_001.html.gz.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7336
196 hpc_001.html.enc 24 hpc_001.html.gz 24 hpc_001.html.gz.enc 7092 MFS2007.pdf
In this case, I used gzip to compress the file before using OpenSSL. Otherwise the process is the same. Notice the size difference between the encrypted compressed file, and the encrypted but uncompressed file.
Decrypting a file is also fairly easy using the -d option on the command line:
[laytonjb@home4 TEMP]$ openssl aes-256-cbc -d -in hpc_001.html.enc -out hpc_001.html.2
enter aes-256-cbc decryption password:
[laytonjb@home4 TEMP]$ ls -s
total 7680
196 hpc_001.html 196 hpc_001.html.2 196 hpc_001.html.enc 7092 MFS2007.pdf
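The salt behaviour and the decrypt-and-compare habit described above, as an added shell example that is not from the original article: in OpenSSL's salted output the 8-byte ASCII marker Salted__ precedes the 8 salt bytes, which the script reads back. The helper names, the constructed sample data, and the -pass file: and -md sha256 options are additions here and are not part of the article's commands.

```shell
#!/bin/sh
# Added example (not from the article). Sample data below is constructed.
# OpenSSL 1.1.1+ warns that this default key derivation is deprecated and
# offers -pbkdf2; the article's form is kept so -nosalt can be compared.

# enc IN OUT PWFILE [-salt|-nosalt]: the passphrase is read from a file, so it
# stays out of argv and shell history. -md is pinned (an addition here) because
# the default digest changed between OpenSSL releases.
enc() {
    openssl aes-256-cbc "${4:--salt}" -md sha256 -in "$1" -out "$2" -pass "file:$3"
}

# dec IN OUT PWFILE: the salt is read back from the file header.
dec() {
    openssl aes-256-cbc -d -md sha256 -in "$1" -out "$2" -pass "file:$3"
}

# hex8 FILE OFFSET: eight bytes starting at OFFSET, as lowercase hex.
hex8() {
    dd if="$1" bs=1 skip="$2" count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# salt_of FILE: print the salt, or fail if the "Salted__" marker is absent.
salt_of() {
    [ "$(hex8 "$1" 0)" = "53616c7465645f5f" ] || return 1   # ASCII "Salted__"
    hex8 "$1" 8
}

# roundtrip_ok PLAIN ENC PWFILE: decrypt and compare with the original.
roundtrip_ok() {
    tmp=$(mktemp) || return 1
    dec "$2" "$tmp" "$3" && cmp -s "$1" "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$d/plain"
    ( umask 077; printf 'constructed-passphrase\n' > "$d/pw" )
    enc "$d/plain" "$d/s1" "$d/pw"; enc "$d/plain" "$d/s2" "$d/pw"
    enc "$d/plain" "$d/n1" "$d/pw" -nosalt; enc "$d/plain" "$d/n2" "$d/pw" -nosalt
    echo "salts: $(salt_of "$d/s1") $(salt_of "$d/s2")"
    cmp -s "$d/s1" "$d/s2" || echo "salted: same passphrase, different ciphertext"
    cmp -s "$d/n1" "$d/n2" && echo "unsalted: same passphrase, identical ciphertext"
    roundtrip_ok "$d/plain" "$d/s1" "$d/pw" && echo "round trip matches original"
    rm -rf "$d"
}
demo
```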