revlis.nl

December 11, 2019 — 15:34

Author: silver Category: encryption linux windows Comments: Off

There are basically 3 different categories to choose from, depending on location of service and db: Local, "Cloud"/SaaS or selfhosted On-Premise.

For single user/home usage KeePass is fine or perhaps even the password manager included in web browsers. Using one of the SaaS options such as LastPass adds ease of access.

For company/enterprise usage sharing passwords in groups/teams should be supported and preferably an on-prem option.

KeePass (Local), good choice and free
PGP/pass (Local), cli
LastPass (Cloud)
1Password (Cloud)
Team Password Manager (On-prem), recommended
Bitwarden (On-prem), dotnet/mssql docker stack
Thycotic Secret Server supposedly also does "PAM"(?) (On-prem)

Windows Disk Encryption

November 26, 2016 — 14:35

Author: silver Category: encryption windows Comments: Off

Before I chose to replace TrueCrypt with VeraCrypt I was looking for/comparing alternatives.
I also use Bitlocker and EFS that are included with Windows.

BestCrypt
- Paid
- http://www.jetico.com/encryption-bestcrypt
CipherShed
- Free, Open Source
- Based on TrueCrypt
- https://www.ciphershed.org
DiskCryptor
- Free, Open Source
- Windows only
- https://diskcryptor.net
LibeCrypt
- Free, Open Source
- Windows only but supports dm-crypt/LUKS
- Uses unsigned drivers
- https://github.com/t-d-k/LibreCrypt
Symantec Endpoint Encryption
- Paid
- Uses PGP
- https://www.symantec.com/endpoint-encryption
~~TrueCrypt~~
- ~~“Not secure”~~
- ~~http://www.truecrypt.org~~
- ~~https://revlis.nl/2012/03/13/windows-7-backup-and-truecrypt~~
VeraCrypt
- Free, Open Source
- Based on TrueCrypt
- https://veracrypt.codeplex.com
- https://revlis.nl/2012/03/13/windows-7-backup-and-truecrypt

Except for DiskCryptor and LibreCrypt all these programs also run on Linux.

More here: http://www.surfsafely.com/truecrypt-alternatives

Linux Disk Encryption

November 26, 2016 — 13:04

Author: silver Category: encryption linux Comments: Off

Linux Disk Encrption using Device Mapper, cryptsetup frontend and Linux Unified Key Setup LUKS (on disk format).

dm-crypt:
- https://www.kernel.org/doc/Documentation/device-mapper/dm-crypt.txt
- https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
- dmsetup
cryptsetup and LUKS:
- https://gitlab.com/cryptsetup/cryptsetup/

Setup:

cryptsetup -y -v luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 foo
cryptsetup status foo -v

Test:

cryptsetup --test-passphrase open /dev/sdb1 # (non-LUKS)

cryptsetup luksOpen --test-passphrase /dev/sdb1
cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
cryptsetup luksDump /dev/sdb1

Change:

(asks current passphase first)

cryptsetup -y luksChangeKey <target device> -S <target key slot number>
cryptsetup -y luksChangeKey /dev/sdb1 -S 1

Or use gui gnome-disks:

Disks (gnome-disks)
1.0TB Hard Disk
Volumes: “Partition 1 1.0 TB LUKS”
Cogs/wheels

Add/remove key:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION

Various:

dmsetup ls --tree
lsblk
lsblk --fs

EncFS

November 25, 2016 — 22:02

Author: silver Category: encryption linux Comments: Off

Install on CentOS6:

Required packages:

yum install -y fuse-2.8.3-5.el6.x86_64 
yum install -y fuse-libs.x86_64
yum install -y fuse-devel.x86_64

usermod -a -G fuse <your_user>

yum install -y git
yum install -y cmake

yum install -y boost-serialization.x86_64
yum install -y openssl-devel.x86_64
yum install -y rlog-devel.x86_64
yum install -y tinyxml2-devel.x86_64 
yum install -y gettext-devel.x86_64

yum install -y centos-release-scl
yum install -y devtoolset-3-gcc-c++ -y

Compile:

scl enable devtoolset-3 bash

git clone https://github.com/vgough/encfs

cd encfs
mkdir build
cd build
cmake ..
make
make test
make install
make package

mkdir ~/test
mkdir ~/Private

Test:

encfs ~/Private ~/test
echo testing > ~/test/testfile

fusermount -u ~/test

OpenVPN AS

November 25, 2016 — 21:31

Author: silver Category: encryption linux Comments: Off

OpenVPN Access Server is quite easy and fast to setup and includes a web gui.

Download:

Server:
- All OpenVPN Access Server downloads come with 2 free client connections for testing purposes.
- https://openvpn.net/index.php/access-server/download-openvpn-as-sw/
Client:
- Download “OpenVPN-Connect” from Server
- For Windows there’s also “OpenVPN-GUI” which comes included with the Installer:
  - https://openvpn.net/index.php/open-source/downloads.html
  - https://build.openvpn.net/downloads/snapshots/openvpn-install-master-xxx-x86_64.exe (supports newer functions like OTP)

Configuration:

Clickety click in the gui, plus some hardening:

Server:

auth SHA512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-version-min 1.0

Client:

auth SHA512
cipher AES-256-CBC

Connect with SSH + SOCKS Proxy + OTP:

$ ssh -D 1 to remote host

$ sudo sh -c 'trap : INT; openvpn --socks-proxy localhost 1080 --config /etc/openvpn/keys/server/client.ovpn \
   --route 10.0.0.0 255.0.0.0 net_gateway 0 --script-security 2 --up-restart --persist-key --persist-tun \
   --up /etc/openvpn/update-resolv-conf --auth-nocache --auth-user-pass --user nm-openvpn --group nm-openvpn \
   --chroot /var/lib/openvpn/chroot; \
   set -x; for i in 127.0.0.1/32 10.0.0.0/8; do ip route del $i; done; /sbin/resolvconf -d tun0.openvpn'

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts//sacli --user <USER> --key prop_deny --value true UserPropPut

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

Disable:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 127.0.0.1 10443
(tcp mode only)

OpenSSL

November 25, 2016 — 21:26

Author: silver Category: encryption linux Comments: Off

List deleted open files (after update):

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

Generate CSR, self signed cert:

openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256

View CSR

openssl req -in file.csr -noout -text

View cert fingerprint

openssl x509 -fingerprint -noout -in file.crt -sha256
openssl x509 -fingerprint -noout -in file.crt -sha1
openssl x509 -fingerprint -noout -in file.crt -md5

View ciphers:

openssl ciphers -v 'TLSv1' | sort

Test ciphers:

openssl s_client -connect google.com:443 -cipher "EDH"
openssl s_client -connect google.com:443 -cipher "RC4"
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1
openssl s_client -connect google.com:443 -tls1_2

echo -n | openssl s_client -connect google.com:443

nmap --script ssl-enum-ciphers -p 443

gnutls-cli --debug 9999 google.com --priority 'NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1
:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL'

Get fingerprint from live SSL cert (IRC):

echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256

Show fingerprint:

openssl x509 -in cert.pem -fingerprint -noout

To change the password of your private key:

openssl rsa -des3 -in ca.key -out ca_new.key
mv ca_new.key ca.key

Verifying that a Private Key Matches a Certificate

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5

Get the MD5 fingerprint of a certificate using OpenSSL

openssl dgst -md5 certificate.der

Get the MD5 fingerprint of a CSR using OpenSSL

openssl dgst -md5 csr.der

Debug SMTP/STARTTLS:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25

File Encryption

November 25, 2016 — 18:44

Author: silver Category: encryption linux Comments: Off

All of these are FUSE based except for eCryptfs.

Comparison: https://nuetzlich.net/gocryptfs/comparison

CryFS:
- Works with cloud services like Dropbox, iCloud, OneDrive and others
- https://cryfs.org
- https://github.com/cryfs/cryfs
- https://revlis.nl/2016/11/25/cryfsr

eCryptfs:
- Build into Linux kernel
- http://ecryptfs.org
- https://launchpad.net/ecryptfs/
- http://revlis.nl/2012/03/12/ecryptfs

EncFS:
- Oldest (10 years)
- https://github.com/vgough/encfs
- http://revlis.nl/2016/11/25/encfs

gocryptfs:
- Personal favorite
- https://nuetzlich.net/gocryptfs
- https://github.com/rfjakob/gocryptfs
- Windows: cppcryptfs (https://github.com/bailey27/cppcryptfs)

KnoxCrypt
- Uses containers
- https://github.com/benhj/knoxcrypt

SecureFS:
- https://github.com/netheril96/securefs

Tahoe-LAFS:
- Also a distributed file system (“decentralized cloud storage”)
- https://tahoe-lafs.org

CryFS

November 25, 2016 — 18:18

Author: silver Category: encryption linux Comments: Off

Download:

http://cryfs.org
https://github.com/cryfs/cryfs

Compile under CentOS 6:

yum install https://www.softwarecollections.org/repos/denisarnaud/boost157/epel-6-x86_64/noarch/denisarnaud-boost157-epel-6-x86_64-1-2.noarch.rpm
yum install -y boost157-devel.x86_64 boost157-static.x86_64

scl enable devtoolset-3 bash

export BOOST_ROOT=/usr/include/boost157
export BOOST_LIBRARYDIR=/usr/lib64/boost157
mkdir cmake && cd cmake
cmake ..
make
sudo make install

Windows 7 Backup and TrueCrypt

March 13, 2012 — 21:35

Author: silver Category: encryption windows Comments: Off

Can’t use TrueCrypted drive directly in Win7 Backup, but have to use windows share… this means no image backups :(

TrueCrypt doesn’t support Volume Shadow Copy

Alternative: BitLocker or http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Update 25-01-2017:

Unfortunately the same seems to be true for VeraCrypt (and Windows 10). If a volume is mounted in VeraCrypt and you try to create a system image it’s not possible to select where to save the backup (error 0x80070001). The VeraCrypt documentation lists the following limitation:

The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (e.g. a system partition encrypted by VeraCrypt, or a non- system partition located on a system drive encrypted by VeraCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.

( https://veracrypt.codeplex.com/wikipage?title=Issues%20and%20Limitations )

eCryptfs

March 12, 2012 — 16:50

Author: silver Category: encryption linux Comments: Off

Mount manually:

mount -t ecryptfs /home/username/.Private /home/username/Private

Change user password:

# ecryptfs-rewrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase

Recover without login password (needs mount passphrase):

# sudo ecryptfs-add-passphrase --fnek

[Enter mount passphrase]

Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring

# sudo mount -t ecryptfs /home/username/.Private /home/username/Private

Enter aes, 16, Enable: plaintext passthrough: no, Enable filename encryption: yes Enter fnek signature (76a9f69af69a86fa)

(auth tok signatures will match /home/.ecryptfs/username/.ecryptfs/Private.sig)

Restore from backup:

Mount backup image file under /mnt/img (or restore your homedir files some other way)

mkdir/mnt/img
mount backup.img /mnt/img

Prepare ecryptfs backup:

rm /mnt/img/home/username/.Private
sudo ln -s /mnt/img/home/.ecryptfs/username/.Private /mnt/img/home/username/.Private

Then use the following script by “Ian D. Allen” from ubuntuforums.org:
ecryptfs-mount-backup

#!/bin/bash -u
#    $0 [ecryptfsdir [mountpoint]]
# Run as root with USER set to login user of ecryptfs
# https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709
# http://ubuntuforums.org/showthread.php?p=10445371
# -Ian! D. Allen - idallen@idallen.ca - www.idallen.com

if [ $(whoami) != 'root' ] ; then
    echo 1>&2 "$0: ERROR must be root to use this"
    exit 1
fi
if [ "$USER" = 'root' ] ; then
    echo 1>&2 "$0: Warning - USER is '$USER'"
fi

# source ecryptfs dir and desired mount point
#
if [ $# -gt 0 ] ; then
    DIR=$1
    shift
else
    # change this to where your keep your default encrypted backup
    DIR=/backup/home/.ecryptfs/$USER
fi
if [ $# -gt 0 ] ; then
    MNT=$1
    shift
else
    # change this to your default backup mount point
    MNT=/mnt/some/place/you/decide
fi
if [ $# -gt 0 ] ; then
    echo 1>&2 "$0: $#: more than two arguments: $*"
    exit 1
fi

# check that things exist and we can write them
if [ ! -d "$DIR" -o ! -r "$DIR" ]  ; then
    echo 1>&2 "$0: not a directory, or not readable: $DIR"
    exit 1
fi
if [ ! -d "$MNT" -o ! -w "$MNT" ]  ; then
    echo 1>&2 "$0: is not a writable directory: $MNT"
    exit 1
fi

pvt=$DIR/.Private
ecr=$DIR/.ecryptfs

if [ ! -d "$pvt" -o ! -r "$pvt" ]  ; then
    echo 1>&2 "$0: not a readable directory: $pvt"
    exit 1
fi
if [ ! -d "$ecr" -o ! -r "$ecr" ]  ; then
    echo 1>&2 "$0: not a readable directory: $ecr"
    exit 1
fi

privsig=$ecr/Private.sig
if [ ! -s "$privsig" -o ! -r "$privsig" ]  ; then
    echo 1>&2 "$0: not a non-null, readable signature file '$privsig'"
    exit 1
fi

sig1=$(head -n1 "$privsig") || exit $?
sig2=$(tail -n1 "$privsig") || exit $?
case "$sig1/$sig2" in
????????????????/???????????????? ) ;;
*)  echo 1>&2 "$0: Unable to extract signatures from '$privsig'"
    echo 1>&2 "$0: sig1: '$sig1'"
    echo 1>&2 "$0: sig2: '$sig2'"
    exit 1
    ;;
esac

read -s -p "$USER login password: " loginpass || exit $?
echo "" # add the missing newline after reading the password

# echo "DEBUG sig1 $sig1 and sig2 $sig2"
# keyctl clear @u
printf '%s\0' "$loginpass" | ecryptfs-insert-wrapped-passphrase-into-keyring "$ecr/wrapped-passphrase" - || exit $?
# keyctl list @u # DEBUG

# The -i bypasses the mount helper - see "man mount.ecryptfs"
#  ... but the "mount" man page claims this has a different function!
#  ... but it works for me (Ubuntu 10.10).  -IAN!
mount -i -t ecryptfs -o "ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1,ecryptfs_fnek_sig=$sig2" "$pvt" "$MNT" || exit $?
echo ""
df "$MNT"

Mount the backup under /mnt/tmp

sudo su -
mkdir /mnt/tmp
USER=username; ./ecryptfs-mount-backup /mnt/img/home/username /mnt/tmp