Now that i am thinking about it, it seems unusual that i dont know.
Is there an app that allows me to encypt data with std in/out/error? perhaps something like
appname -c AES -k MyTextKey (or -kh for a key made from hex data) -o stdout -i stdin
I never bothered learning how to use one outside of .NET and it would be annoying to do it for each language. Signing would be good too
appname -s salt_text -in file.blah -o key.sig
On windows but i'd like a linux solution as well.
-edit- gpg does not look like a solution. I looked but cant see how to encrypt something with cipher using a password and not use public/private keys which seem to be the only way it can encrypt.
You can use openssl for this.
On most linux flavors you can use gpg.
GPG website
Here's an example in .net of the GnuPG calls wrapped in managed .net code. The encryption / decryption occurs by writing / reading to the console process using streamreader / streamwriter calls.
http://www.codeproject.com/KB/security/gnupgdotnet.aspx
Related
I am working on an embedded Linux project that can run on multiple
platforms. One uses e.MMC for storage and another NAND flash. I want
to encrypt all the filesystems (mainly to protect against someone
unsoldering the flash chips and putting them in a reader). I want to
try and maintain a common approach across both hardware types as far
as possible. One big difference between the two is the wear levelling
is in the hardware for the e,MMC whereas for NAND I'll be using UBI.
For the root filesystem I am thinking of using squashfs which is
protected using dm-crypt. For the NAND device I have tried this out
and I can layer dm-crypt on top of ubiblock then use the device mapper
to load the squashfs. This maps nicely to the e.MMC world with the
only difference being that the device mapper is on a gpt partition
rather than a ubiblock device.
My challenge is for other read/ write filesystems. I want to mount an
overlay filesystem on top of the read-only root and a data partition.
I want both of these to also be encrypted. I have been investigating
how fscrypt can help me. (I believe dm-crypt won't work with ubifs).
For filesystems on the e.MMC I will be using ext4 and for NAND
ubifs. The documentation says both of these support fscrypt. I've struggled
a bit to find detailed documentation about how to use this with ubifs
(there is a lot more for the ext4) but I think that there are some
differences between how this has been implemented on each and I'd like
those who know more to confirm this.
On the NAND side I have only been able to get it to work by using the
fscryptctl tool (https://github.com/google/fscryptctl
) as opposed to the fuller featured fscrypt tool
(https://github.com/google/fscrypt). This was following instructions I
found in a patch to add fscrypt support to mkfs.ubifs here:
https://patchwork.ozlabs.org/project/linux-mtd/cover/20181018143718.26298-1-richard#nod.at/
This appears to encrypt all the files on the partition using the
supplied key. When I look at fscrypt on ext4 it seems here that you
can't do this. The root directory cannot itself be encrypted, only
sub-directories. Reading here:
https://www.kernel.org/doc/html/v4.17/filesystems/fscrypt.html it
says:
"Note that the ext4 filesystem does not allow the root directory to be
encrypted, even if it is empty. Users who want to encrypt an entire
filesystem with one key should consider using dm-crypt instead."
So this is different. It also seems that with ubifs I can't apply
encryption to the subdirectories like I could in ext4. The README.md
here https://github.com/google/fscryptctl gives an example using ext4.
This encrypts a subdirectory called test. I don't see how to do the
same thing using ubifs. Could someone help me?
I've been using the NANDSIM kernel module for testing. At the end of
this post is a script for building an encrypted overlay ubifs
filesystem. As you can see the mkfs.ubifs is taking the key directly
and it appears to apply it to all the files on the partition. You
can't then apply policies to any sub-directories as they are already
encrypted.
I would like to use some of the other features that the userspace
fscrypt tool provides e.g. protectors (so I don't need to use the
master key directly). I can't however see any way to get the userspace fscrypt
tool to setup encryption on a ubifs. The userspace fscrypt command
creates a .fscrypt directory in the root of the
partition to store information about policies and protectors. This
seems to fit more with the ext4 implementation where the root itself isn't encrypted.
When I try to set-up an unencrypted ubifs with "fscrypt setup" I run
into trouble as making a standard ubifs seems to create a v4 ubifs format
version rather than the required v5. This means the "fscrypt encrypt"
command fails. (Errors like this are seen in the dmesg output
[12022.576268] UBIFS error (ubi0:7 pid 6006): ubifs_enable_encryption
[ubifs]: on-flash format version 5 is needed for encryption).
Is there some way to get mkfs.ubifs to create an unencrypted v5 formatted
filesystem? Or does v5 mean encrypted?
Here is my script to create an encrypted ubifs using the fscryptctl tool:
#!/bin/bash
MTD_UTILS_ROOT=../../mtd-utils
FSCRYPTCTL=../../fscryptctl/fscryptctl
MOUNTPOINT=./mnt
dd if=/dev/urandom of=overlay.keyfile count=64 bs=1 # XTS needs a 512bit key
descriptor=`$FSCRYPTCTL get_descriptor < overlay.keyfile`
$MTD_UTILS_ROOT/mkfs.ubifs --cipher AES-256-XTS --key overlay.keyfile
-m 2048 -e 129024 -c 32 -r ./overlay -o overlay.enc.img
$MTD_UTILS_ROOT/ubiupdatevol /dev/ubi0_6 overlay.enc.img
# Try it out
$FSCRYPTCTL insert_key < overlay.keyfile
key=`keyctl show | grep $descriptor | awk '{print $1}'`
mount -t ubifs /dev/ubi0_6 $MOUNTPOINT
ls $MOUNTPOINT
umount $MOUNTPOINT
keyctl unlink $key
NB I've been working with mtd-utils v2.1.2 on a 5.4 kernel.
I'm looking into SOPS as a possible solution for us to encrypt secrets and push them to our repo.
I've been playing around with it and it's exactly what I need, except for a small issue. I'm hoping this is me just not finding the right documentation.
For the sake of simplicity let's say we have 2 AWS accounts, A and B.
In account A we've got:
Our "human" users who will be encrypting/decrypting secrets from their local machines.
KMS key
Role that users from other accounts can assume to use that KMS key.
In account B:
User a Jenkins script will use to decrypt secrets
To encrypt a file with my local user I'm doing:
sops --kms arnofthekey -e -i filename.yaml
And to decrypt it:
sops --kms arnofthekey -d -i filename.yaml
Works like a charm.
If I do it as my Jenkins user:
sops --kms arnOfTheKey+arnOfTheRole -e -i filename.yaml
sops --kms arnOfTheKey+arnOfTheRole -d -i filename.yaml
Everything works like a charm as long as I encrypt/decrypt in the same place.
I then tried to encrypt with Jenkins and decrypt locally. I got an error informing me I'm not allowed to asssume the role Jenkins used. Which is absolutely true.
Here's what I don't understand, the KMS key is the same one in both cases. However, I can see the encrypted file keeps a record of the role. I thought since the key is the same, this should work.
Is there some sort of configuration I'm missing?
Thanks!
Digging a bit more I found an open ticket from a year ago. I guess, at the moment, this is something that can't be done directly with sops.
https://github.com/mozilla/sops/issues/555
The solution I found was allowing my human users to assume the same role Jenkins does. Should've thought about it earlier :)
I am currently working on Swfit. For safe, the op ask me to set password for rsync.
While, as we use Swift, we just set rsync work as server with "/etc/rsync.conf" , then Swift works as the client without password.
So, my question is, if i start the rsync with "secrets file" option, which set the user:password. Then, how to set Swift with the password?
Read the Swift code about the rsync in replicator, i can't find the option to set the password.
Or, Swift doesn't support the function?
Luckly, by reading the source code, i find the way to support rsync with 'secrets file' option:
By adding the '--password-file=/your_passwd_file_path' to rsync order in this two function:
swift/common/db_replicator.py/_rsync_file() and swift/obj/replicator/rsync()
Then, restart your swift, it will work right.
I downloaded the openssl-1.0.2l.tar.gz source package from https://www.openssl.org/source/ and made a fresh x64 build for Windows. I use the openssl application to encrypt a file using the following command:
openssl enc -aes-128-cbc -a -salt -in data.txt -kfile key.txt -out encrypted.txt -p
Now, I would like to consume the encrypted file in a .NET application (written in C#). I read the encrypted file (which is encoded using Base64, because of the -a switch), decode it, and extract the first 16 bytes in order to get the salt that was generated by OpenSSL... this works fine so far; the salt is prefixed with Salted__, the following 8 bytes are the actual salt value.
What I have learned so far is that OpenSSL reads the first line of the given key file and uses that string for the passphrase. The actual key and initialization vector gets derived from the passphase, the salt and some hashing, which is not officially documented.
The -p switch gave me the key and initialization vector that is used for the encryption, but I would like to know, how I can reproduce that data from the known passphrase and the salt... Everything I have tried gives me key and vector data that is different from what the openssl application gave me.
Of course, I already found similar questions (and answers) at stackoverflow and crypto.stackexchange, but none of the solutions seem to work, or are related to aes-256-cbc... not sure, if that makes a difference?
What needs to be done to properly derive the key and initialization vector?
It's documented here or here, but you have to know what to look for. The function is called EVP_BytesToKey and uses a hash function to stretch the salt and password into a key and IV.
Note that OpenSSL switched from MD5 to SHA-256 in version 1.1.0 (source). The iteration count is 1 and the output size depends on the chosen key size and block size.
I need to encrypt data while we take mysqldump from database through command prompt. My OS is windows7. Please help me.
Can't you just pipe the dump output directly though your encryption tool?
ie:
mysqldump mydb | some-encryption-tool.sh
btw, the only reason I suggested piping directly through an encryption tool is to the (unsafe) plain-text version never exists on disk, which is the only interpretation of the question that makes sense. Otherwise, just save the dump to a file and encrypt it - there is nothing to "answer".