« Previous 1 2 3
Encrypting files
Safe Files
Bcrypt
Another encryption option is bcrypt
[19]. Bcrypt uses the Blowfish [20] encryption algorithm with passphrases of between 8 and 56 characters. It also uses an internal 448-bit hashed key. The Blowfish algorithm itself seems to provide a good level of encryption if you don't use weak keys (use longer passwords), but the Bcrypt code itself hasn't been updated in a while. However, various versions of Bcrypt exist for many operating systems, including Linux, *nix, Windows, OS X, and others.
Encrypting a file using bcrypt
is very simple:
$ bcrypt hpc_001.html Encryption key: Again:
Notice that the encryption process did not leave the original file in place, but it reduced the size of the encrypted file relative to the original file size.
You should also note that Bcrypt does not echo the passphrase to stdout, so the shell history will not capture it. Decrypting is also very similar:
$ bcrypt hpc_001.html.bfe Encryption key:
Bcrypt is a symmetric cipher, that is, it can detect whether the file is encrypted and then decrypt it. Hence, it does not need a decrypt option.
MCrypt
Another replacement option for crypt is mcrypt
[21]. It has a very large number of cryptography algorithms. A few of these include:
- Blowfish
- DES
- Loki
- Mars
- Rijndael (up to 256 block size)
- Twofish
- Triple DES
MCrypt has several modes of encryption that provide additional capability beyond just a straight block cipher. You can read about that at an online MCrypt man page [22]. Using mcrypt
is very similar to the other Crypt replacement tools (Listing 11).
Listing 11
Using MCrypt
$ ls -s total 7288 196 hpc_001.html 7092 MFS2007.pdf $ mcrypt hpc_001.html Enter the passphrase (maximum of 512 characters) Please use a combination of upper and lower case letters and numbers. Enter passphrase: Enter passphrase: File hpc_001.html was encrypted. $ ls -s total 7484 196 hpc_001.html 196 hpc_001.html.nc 7092 MFS2007.pdf
In contrast to Ccrypt and Bcrypt, MCrypt creates an encrypted file that is different from the original file; however, the encrypted text file is basically the same size as the unencrypted file. Also note that like the other Crypt tools, MCrypt does not echo the passphrase to stdout.
Summary
I didn't want this article to be just a survey of command-line tools for encrypting files, but I think it's important to compare the tools with one another so you can see the various features (or quirks) and how they might affect your workflow and your security. It's not a complete list of all tools available. For example, I did not cover the ability of Vim to encrypt files [23] while editing them, nor did I cover commercial tools – only open source. However, I hope I have covered the tools that illustrate the various capabilities.
As I said, I'm not a security expert, but I do take security seriously. In examining command-line tools that encrypt and decrypt, I have developed a few general principles to follow, including:
- Passphrase length: The length of the passphrase is very important. Try to make it as long as you can because a long length makes it more difficult to crack. One suggestion I have is to take a long-ish sentence or quote or movie line that you can remember and use that as your passphrase. You can also take two shorter phrases and combine them into a single phrase.
- Passphrase variety: If your data is important to you, I would recommend using several different passphrases and rotating them. You don't have to have a large number of passphrases, but you shouldn't use the same passphrase all of the time. By having different passphrases, if one of them happens to be cracked, then you won't lose all of your data.
- Character combinations: As with passwords, I would also suggest you use a combination of uppercase, lowercase, numbers, and special characters in your passphrase. Some rules of thumb are floating around the web that you should not use groups of words followed by a short group of numbers such as "111" because some cracking tools look for these patterns. However, don't complicate your passphrases to the point you will easily forget them.
- Practice: Before you start encrypting files on a regular basis as part of a process, practice with your passphrases. Make sure you can remember what the passphrase is so that you won't lose any data.
- Keys: Consider using keys rather than passphrases to make life a bit easier. You can also put the keys on a simple USB stick, encrypt them, and put them in a safe location (or lock them up). In the case of GPG, you should also use 64-bit key IDs.
- Echo passphrase: If possible, do not put the passphrase on the command line because the shell history will pick it up. If someone can gain access to the history file, they will have your passphrase. Also, make sure the encryption tool does not echo the passphrase to stdout.
- Large hash key: Use a cipher with the longest possible hash key for the best encryption. In general, the longer the hash key, the more difficult it will be to decrypt a file. I tend to like 256 bits, but I would like to go larger. However, just be aware that the larger the key, the more CPU resources, and possibly memory, it will take to encrypt the file.
- What to encrypt: What files you encrypt or not is completely up to you. Personally, I like to use command-line encryption rather than encrypted filesystems because I don't want, nor do I need, to encrypt everything. For example, I'm not going to encrypt my desktop background pictures because I don't view them as sensitive in any way. However, I will encrypt special tax information or email I consider sensitive and personal. Just please don't encrypt your cat pictures.
Notice in this list that I didn't mention anything about data compression. It's really your choice if you want to encrypt a file as well as compress it using tools such as Zip or p7zip – or to use compression tools before and separate from encrypting the file. I like to compress my files before encrypting them so I can save as much space as possible. I will also use tar
as often as possible to collect the files into a single archive.
In my opinion, encryption can be a very important tool to protect your privacy. Think about making encryption a part of your everyday processes.
Infos
- NSA and GHCQ SIM card access: http://www.theregister.co.uk/2015/02/19/nsa_and_gchq_hacked_worlds_largest_sim_card_company_to_steal_keys_to_kingdom/
- Lenovo malware: http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
- Hardware-based full-disk encryption: http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
- GPG: https://www.gnupg.org/
- OpenPGP specification: http://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
- IETF standards: http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force
- GPG hybrid encryption: http://en.wikipedia.org/wiki/GNU_Privacy_Guard
- CAST5 cypher: http://en.wikipedia.org/wiki/CAST-128
- Evil 32: https://evil32.com
- Web of Trust: https://www.mywot.com/
- Unattended key generation: https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- ZIP: http://en.wikipedia.org/wiki/Zip_(file_format)
- 7-Zip: http://www.7-zip.org/
- OpenSSL: https://www.openssl.org/docs/apps/enc.html
- Heartbleed: http://en.wikipedia.org/wiki/OpenSSL#Heartbleed
- Salt: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
- Rainbow table attacks: http://en.wikipedia.org/wiki/Rainbow_table4504
- Ccrypt: http://ccrypt.sourceforge.net/
- Bcrypt: http://bcrypt.sourceforge.net/
- Blowfish: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
- MCrypt: http://mcrypt.sourceforge.net/
- MCrypt man page: http://linux.die.net/man/1/mcrypt
- Vim encryption: http://www.mkyong.com/linux/how-to-encrypt-text-file-in-linux-vim/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)