I currently use two different file encryption methods, I'm wondering whether to simplify my life (slightly) by just using one. However I'm wondering if there is anything better out there, both as regards usability and effectiveness.
I use encfs for one directory tree of files which I only access occasionally, I have to re-remember the command line way to decrypt them for use but it doesn't usually take long. :-) There are some security problems with encfs but for *file* encryption what else is there?
For some files containing passwords I use vi[le]'s encryption which is known to be weak but it's very handy. I have a trivial script that wraps up the command sequence such that all I have to do is:-
nnnn <name of encrypted file>
... and I get prompted for the password, then vi[le] opens the file and I can read it (and edit it if needed).
I did try some encryption breaking software on the password files and it did a pretty bad job, it needs some 'clues' as in words that are present in the file to decrypt and, as the files don't contain many words as such, guessing these would be difficult.
Are there any alternatives? File system encryption doesn't really help as the machine in question is turned on all the time with the desktop open so it would spend its whole time with the file system decrypted. It's not a laptop so it doesn't have a big risk of being stolen or lost.
On 03/10/15 19:09, Chris Green wrote:
> I currently use two different file encryption methods, I'm wondering whether to simplify my life (slightly) by just using one. However I'm wondering if there is anything better out there, both as regards usability and effectiveness.
> I use encfs for one directory tree of files which I only access occasionally, I have to re-remember the command line way to decrypt them for use but it doesn't usually take long. :-) There are some security problems with encfs but for *file* encryption what else is there?
> For some files containing passwords I use vi[le]'s encryption which is known to be weak but it's very handy. I have a trivial script that wraps up the command sequence such that all I have to do is:-
> nnnn <name of encrypted file>
> ... and I get prompted for the password, then vi[le] opens the file and I can read it (and edit it if needed).
> I did try some encryption breaking software on the password files and it did a pretty bad job, it needs some 'clues' as in words that are present in the file to decrypt and, as the files don't contain many words as such, guessing these would be difficult.
> Are there any alternatives? File system encryption doesn't really help as the machine in question is turned on all the time with the desktop open so it would spend its whole time with the file system decrypted. It's not a laptop so it doesn't have a big risk of being stolen or lost.
Alternatives: I don't know. Simplifying: Well you say you have to remember how to decrypt the directory tree so just put it into a script that prompts for a password. That's simpler.
I think the first question is what you're trying to protect and from whom. If the machine's on, does it have a screensaver with a password on it or do you leave it logged in unprotected?
Files containing Passwords? You could put them into a password protecting app like LastPass perhaps.
On Sat, Oct 03, 2015 at 11:20:34PM +0100, steve-ALUG@hst.me.uk wrote:
> On 03/10/15 19:09, Chris Green wrote:
> > Are there any alternatives? File system encryption doesn't really help as the machine in question is turned on all the time with the desktop open so it would spend its whole time with the file system decrypted. It's not a laptop so it doesn't have a big risk of being stolen or lost.
> Alternatives: I don't know.
No, I don't think there is anything much 'mainstream' out there.
> Simplifying: Well you say you have to remember how to decrypt the directory tree so just put it into a script that prompts for a password. That's simpler.
Yes, though it would expose it *slightly* more to an attacker by making it immediately clear how it was encrypted.
> I think the first question is what you're trying to protect and from whom. If the machine's on, does it have a screensaver with a password on it or do you leave it logged in unprotected?
I'm not worried about physical access so much, we're in a fairly remote location with very little crime and the house is occupied all the time. So, no, there's no screen lock. However I do have (well protected) remote ssh access so, if anything, I'm protecting against remote break-in. A screen lock won't help at all in this case - and I do need to keep it accessible to me as that's how I read my E-Mail, Usenet, etc. The ssh is pretty secure, only allows access from two specific IPs where I have ssh access so I need two passwords to get in. An intruder would either need to know two passwords or have an account on one of the intermediate hosts and guess my home password from there.
Having broken in (ssh or some other sort of exploit, the only other port open is SMTP) the attacker would then have to break the encryption on my (vi encrypted) password etc. files or the encfs encrypted file system.
More likely is loss of laptop where I do have the encrypted password files as well. Not much use having them at home if I happen not to have internet access and/or I need the passwords to connect! :-)
> Files containing Passwords? You could put them into a password protecting app like LastPass perhaps.
How secure are these (there are quite a few password utilities) compared with encfs or even vi's crypt?
My argument for using vi's weak encryption is that you can't brute force it in any way without having some significant part of the encrypted data 'in clear'. It's not like brute forcing /etc/passwd where you *do* have the 'result'. All you have to do is guess passwords and encrypt them until you get a match for the encrypted string in /etc/shadow.
On 04/10/15 09:57, Chris Green wrote:
> On Sat, Oct 03, 2015 at 11:20:34PM +0100, steve-ALUG@hst.me.uk wrote:
> > On 03/10/15 19:09, Chris Green wrote:
> > Alternatives: I don't know.
> No, I don't think there is anything much 'mainstream' out there.
> > Simplifying: Well you say you have to remember how to decrypt the directory tree so just put it into a script that prompts for a password. That's simpler.
> Yes, though it would expose it *slightly* more to an attacker by making it immediately clear how it was encrypted.
If and only if they found the script to unencrypt. You could make the same argument against the unencrypting your password files script.
> > I think the first question is what you're trying to protect and from whom. If the machine's on, does it have a screensaver with a password on it or do you leave it logged in unprotected?
> I'm not worried about physical access so much, we're in a fairly remote location with very little crime and the house is occupied all the time. So, no, there's no screen lock. However I do have (well protected) remote ssh access so, if anything, I'm protecting against remote break-in. A screen lock won't help at all in this case - and I do need to keep it accessible to me as that's how I read my E-Mail, Usenet, etc. The ssh is pretty secure, only allows access from two specific IPs where I have ssh access so I need two passwords to get in. An intruder would either need to know two passwords or have an account on one of the intermediate hosts and guess my home password from there.
Have you considered adding denyhosts or fail2ban? Failed ssh login attempts result in the source IP address being blocked for a while.
> Having broken in (ssh or some other sort of exploit, the only other port open is SMTP) the attacker would then have to break the encryption on my (vi encrypted) password etc. files or the encfs encrypted file system.
> More likely is loss of laptop where I do have the encrypted password files as well. Not much use having them at home if I happen not to have internet access and/or I need the passwords to connect! :-)
> > Files containing Passwords? You could put them into a password protecting app like LastPass perhaps.
> How secure are these (there are quite a few password utilities) compared with encfs or even vi's crypt?
I think they're pretty secure, but it may be someone else's proprietary system out of your control. It is another possible source of attack. Possibly more secure than Vi though.
> My argument for using vi's weak encryption is that you can't brute force it in any way without having some significant part of the encrypted data 'in clear'. It's not like brute forcing /etc/passwd where you *do* have the 'result'. All you have to do is guess passwords and encrypt them until you get a match for the encrypted string in /etc/shadow.
Sounds like you're basically happy and you just want to simplify. Simply put a script somewhere e.g. one of the bin directories, var, usr, ~/documents or somewhere like that. Just don't call it unencrypt.sh!
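As an added example for this thread (not a script any of the posters wrote), here is the kind of wrapper Steve suggests for the encfs tree. It mounts the store, runs a command or a shell inside the mounted directory, and unmounts again when that exits, so the decrypted view is not left open on an always-on machine; used as `cryptdir open vi passwords.txt` it also replaces the separate vi wrapper. The store and mount point paths (ENCRYPTED, PLAIN) and the script name are assumptions; encfs prompts for the passphrase itself, so the script never handles it.

```shell
#!/bin/sh
# cryptdir: mount an encfs tree, work in it, unmount it again on exit.
# Added example for this thread, not any poster's own script.
# ENCRYPTED and PLAIN below are assumed defaults; override them in the environment.

ENCRYPTED="${ENCRYPTED:-$HOME/.private.encfs}"   # assumed encfs backing store
PLAIN="${PLAIN:-$HOME/private}"                   # assumed mount point
MOUNTS="${MOUNTS:-/proc/mounts}"                  # mount table; overridable for testing

# is_mounted MOUNTPOINT: succeed if MOUNTPOINT is listed as a mount point in $MOUNTS
# (field 2 of /proc/mounts). Exact match, so /home/x/private does not match /home/x.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS"
}

# check_store DIR: succeed if DIR is an initialised encfs store.
# encfs keeps the volume configuration in DIR/.encfs6.xml.
check_store() {
    [ -d "$1" ] && [ -f "$1/.encfs6.xml" ]
}

# mount_tree: mount the store on PLAIN, creating the mount point if needed.
# encfs asks for the passphrase on the terminal itself.
mount_tree() {
    check_store "$ENCRYPTED" || { echo "no encfs store at $ENCRYPTED" >&2; return 1; }
    mkdir -p "$PLAIN" || return 1
    if is_mounted "$PLAIN"; then
        echo "$PLAIN is already mounted" >&2
        return 0
    fi
    encfs "$ENCRYPTED" "$PLAIN"
}

# unmount_tree: detach the plaintext view so the files are not left decrypted
# after you have finished with them.
unmount_tree() {
    if is_mounted "$PLAIN"; then
        fusermount -u "$PLAIN"
    fi
}

# main [COMMAND...]: mount, run COMMAND (or an interactive shell) inside the
# tree, and unmount however the command ends.
main() {
    mount_tree || return 1
    trap 'unmount_tree' EXIT INT TERM
    if [ "$#" -gt 0 ]; then
        ( cd "$PLAIN" && "$@" )
    else
        ( cd "$PLAIN" && "${SHELL:-/bin/sh}" )
    fi
}

# Only act when invoked as "cryptdir open [COMMAND...]"; sourcing the file
# just defines the functions above.
if [ "${1:-}" = "open" ]; then
    shift
    main "$@"
fi
```

Running `cryptdir open` drops you into a shell inside the decrypted tree and unmounts when you log out of it; `cryptdir open vi passwords.txt` opens one file and unmounts when vi exits. Because the unmount is tied to the command's lifetime, an interrupted session (Ctrl-C, or the terminal going away) still leaves the tree encrypted rather than mounted until the next reboot.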