Encrypting files

Safe Files

Bcrypt

Another encryption option is bcrypt [19]. Bcrypt uses the Blowfish [20] encryption algorithm with passphrases of between 8 and 56 characters. It also uses an internal 448-bit hashed key. The Blowfish algorithm itself seems to provide a good level of encryption if you don't use weak keys (use longer passwords), but the Bcrypt code itself hasn't been updated in a while. However, various versions of Bcrypt exist for many operating systems, including Linux, *nix, Windows, OS X, and others.

Encrypting a file using bcrypt is very simple:

$ bcrypt hpc_001.html
Encryption key:
Again:

Notice that the encryption process did not leave the original file in place, but it reduced the size of the encrypted file relative to the original file size.

You should also note that Bcrypt does not echo the passphrase to stdout, so the shell history will not capture it. Decrypting is also very similar:

$ bcrypt hpc_001.html.bfe
Encryption key:

Bcrypt is a symmetric cipher, that is, it can detect whether the file is encrypted and then decrypt it. Hence, it does not need a decrypt option.

MCrypt

Another replacement option for crypt is mcrypt [21]. It has a very large number of cryptography algorithms. A few of these include:

Blowfish
DES
Loki
Mars
Rijndael (up to 256 block size)
Twofish
Triple DES

MCrypt has several modes of encryption that provide additional capability beyond just a straight block cipher. You can read about that at an online MCrypt man page [22]. Using mcrypt is very similar to the other Crypt replacement tools (Listing 11).

Listing 11

Using MCrypt

$ ls -s
total 7288
 196 hpc_001.html  7092 MFS2007.pdf
$ mcrypt hpc_001.html
Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase:
Enter passphrase:
File hpc_001.html was encrypted.
$ ls -s
total 7484
 196 hpc_001.html   196 hpc_001.html.nc  7092 MFS2007.pdf

In contrast to Ccrypt and Bcrypt, MCrypt creates an encrypted file that is different from the original file; however, the encrypted text file is basically the same size as the unencrypted file. Also note that like the other Crypt tools, MCrypt does not echo the passphrase to stdout.

Summary

I didn't want this article to be just a survey of command-line tools for encrypting files, but I think it's important to compare the tools with one another so you can see the various features (or quirks) and how they might affect your workflow and your security. It's not a complete list of all tools available. For example, I did not cover the ability of Vim to encrypt files [23] while editing them, nor did I cover commercial tools – only open source. However, I hope I have covered the tools that illustrate the various capabilities.

As I said, I'm not a security expert, but I do take security seriously. In examining command-line tools that encrypt and decrypt, I have developed a few general principles to follow, including:

Passphrase length: The length of the passphrase is very important. Try to make it as long as you can because a long length makes it more difficult to crack. One suggestion I have is to take a long-ish sentence or quote or movie line that you can remember and use that as your passphrase. You can also take two shorter phrases and combine them into a single phrase.
Passphrase variety: If your data is important to you, I would recommend using several different passphrases and rotating them. You don't have to have a large number of passphrases, but you shouldn't use the same passphrase all of the time. By having different passphrases, if one of them happens to be cracked, then you won't lose all of your data.
Character combinations: As with passwords, I would also suggest you use a combination of uppercase, lowercase, numbers, and special characters in your passphrase. Some rules of thumb are floating around the web that you should not use groups of words followed by a short group of numbers such as "111" because some cracking tools look for these patterns. However, don't complicate your passphrases to the point you will easily forget them.
Practice: Before you start encrypting files on a regular basis as part of a process, practice with your passphrases. Make sure you can remember what the passphrase is so that you won't lose any data.
Keys: Consider using keys rather than passphrases to make life a bit easier. You can also put the keys on a simple USB stick, encrypt them, and put them in a safe location (or lock them up). In the case of GPG, you should also use 64-bit key IDs.
Echo passphrase: If possible, do not put the passphrase on the command line because the shell history will pick it up. If someone can gain access to the history file, they will have your passphrase. Also, make sure the encryption tool does not echo the passphrase to stdout.
Large hash key: Use a cipher with the longest possible hash key for the best encryption. In general, the longer the hash key, the more difficult it will be to decrypt a file. I tend to like 256 bits, but I would like to go larger. However, just be aware that the larger the key, the more CPU resources, and possibly memory, it will take to encrypt the file.
What to encrypt: What files you encrypt or not is completely up to you. Personally, I like to use command-line encryption rather than encrypted filesystems because I don't want, nor do I need, to encrypt everything. For example, I'm not going to encrypt my desktop background pictures because I don't view them as sensitive in any way. However, I will encrypt special tax information or email I consider sensitive and personal. Just please don't encrypt your cat pictures.

Notice in this list that I didn't mention anything about data compression. It's really your choice if you want to encrypt a file as well as compress it using tools such as Zip or p7zip – or to use compression tools before and separate from encrypting the file. I like to compress my files before encrypting them so I can save as much space as possible. I will also use tar as often as possible to collect the files into a single archive.

In my opinion, encryption can be a very important tool to protect your privacy. Think about making encryption a part of your everyday processes.

Infos

NSA and GHCQ SIM card access: http://www.theregister.co.uk/2015/02/19/nsa_and_gchq_hacked_worlds_largest_sim_card_company_to_steal_keys_to_kingdom/
Lenovo malware: http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
Hardware-based full-disk encryption: http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
GPG: https://www.gnupg.org/
OpenPGP specification: http://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
IETF standards: http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force
GPG hybrid encryption: http://en.wikipedia.org/wiki/GNU_Privacy_Guard
CAST5 cypher: http://en.wikipedia.org/wiki/CAST-128
Evil 32: https://evil32.com
Web of Trust: https://www.mywot.com/
Unattended key generation: https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
ZIP: http://en.wikipedia.org/wiki/Zip_(file_format)
7-Zip: http://www.7-zip.org/
OpenSSL: https://www.openssl.org/docs/apps/enc.html
Heartbleed: http://en.wikipedia.org/wiki/OpenSSL#Heartbleed
Salt: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
Rainbow table attacks: http://en.wikipedia.org/wiki/Rainbow_table4504
Ccrypt: http://ccrypt.sourceforge.net/
Bcrypt: http://bcrypt.sourceforge.net/
Blowfish: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
MCrypt: http://mcrypt.sourceforge.net/
MCrypt man page: http://linux.die.net/man/1/mcrypt
Vim encryption: http://www.mkyong.com/linux/how-to-encrypt-text-file-in-linux-vim/

The Author

Jeff Layton has been in the HPC business for almost 25 years (starting when he was 4 years old). He can be found lounging around at a nearby Frys enjoying the coffee and waiting for sales.

« Previous 1 2 3