Windows Disk Encryption
November 26, 2016 — 14:35

Author: silver  Category: encryption windows  Comments: 0

Before I chose to replace TrueCrypt with VeraCrypt I was looking for/comparing alternatives.
I also use Bitlocker and EFS that are included with Windows.

Except for DiskCryptor and LibreCrypt, all these programs also run on Linux.

More here: http://www.surfsafely.com/truecrypt-alternatives

Linux Disk Encryption
November 26, 2016 — 13:04

Author: silver  Category: encryption linux  Comments: 0

Linux disk encryption using Device Mapper, the cryptsetup frontend and the Linux Unified Key Setup (LUKS) on-disk format.

Setup:

cryptsetup -y -v luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 foo
cryptsetup status foo -v

Test:

cryptsetup --test-passphrase open /dev/sdb1 # (non-LUKS)
cryptsetup luksOpen --test-passphrase /dev/sdb1
cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
cryptsetup luksDump /dev/sdb1

Change:

(asks for the current passphrase first)

cryptsetup -y luksChangeKey <target device> -S <target key slot number>
cryptsetup -y luksChangeKey /dev/sdb1 -S 1

Or use gui gnome-disks:

  • Disks (gnome-disks)
  • 1.0TB Hard Disk
  • Volumes: “Partition 1 1.0 TB LUKS”
  • Cogs/wheels

Add/remove key:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION

Various:

dmsetup ls --tree
lsblk
lsblk --fs

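After adding or removing keys it is worth checking that only the key slots you expect are still enabled. The helper below is an added example, not from the original post: it parses `cryptsetup luksDump` output for both LUKS1 and LUKS2 headers, and the two sample dumps are constructed, not captured from real devices.

```shell
#!/bin/sh
# luks_enabled_slots: read `cryptsetup luksDump` output on stdin and print the
# enabled key slot numbers, one per line. LUKS1 lists every slot as
# "Key Slot N: ENABLED|DISABLED"; LUKS2 lists only slots in use as "  N: luks2"
# under a "Keyslots:" section.
luks_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/        { sub(/:/, "", $3); print $3; next }
        /^Keyslots:/                       { in_slots = 1; next }
        in_slots && /^[^ \t]/              { in_slots = 0 }
        in_slots && /^[ \t]+[0-9]+: luks2/ { sub(/:/, "", $1); print $1 }
    '
}

# luks_unexpected_slots "0 1": print enabled slots missing from the
# space-separated allow-list; no output means only the expected keys remain.
luks_unexpected_slots() {
    allowed=" $1 "
    luks_enabled_slots | while read -r slot; do
        case "$allowed" in *" $slot "*) ;; *) echo "$slot" ;; esac
    done
}

# Constructed sample dumps (not captured from real devices).
LUKS1_SAMPLE='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64

Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'

LUKS2_SAMPLE='LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Real use: cryptsetup luksDump /dev/sdb1 | luks_unexpected_slots "0 1"
printf '%s\n' "$LUKS1_SAMPLE" | luks_unexpected_slots "0"   # prints 2
```
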
EncFS
November 25, 2016 — 22:02

Author: silver  Category: encryption linux  Comments: 0

Install on CentOS6:

Required packages:

yum install -y fuse-2.8.3-5.el6.x86_64 
yum install -y fuse-libs.x86_64
yum install -y fuse-devel.x86_64
usermod -a -G fuse <your_user>
yum install -y git
yum install -y cmake
yum install -y boost-serialization.x86_64
yum install -y openssl-devel.x86_64
yum install -y rlog-devel.x86_64
yum install -y tinyxml2-devel.x86_64 
yum install -y gettext-devel.x86_64
yum install -y centos-release-scl
yum install -y devtoolset-3-gcc-c++

Compile:

scl enable devtoolset-3 bash
git clone https://github.com/vgough/encfs
cd encfs
mkdir build
cd build
cmake ..
make
make test
make install
make package
mkdir ~/test
mkdir ~/Private

Test:

encfs ~/Private ~/test
echo testing > ~/test/testfile
fusermount -u ~/test

OpenVPN AS
November 25, 2016 — 21:31

Author: silver  Category: encryption linux  Comments: 0

OpenVPN Access Server is quite easy and fast to set up and includes a web gui.

Download:

Configuration:

Clickety click in the gui, plus some hardening:

Server:

Client:

auth SHA512
cipher AES-256-CBC

Connect with SSH + SOCKS Proxy + OTP:

$ ssh -D 1 to remote host

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts/sacli --user <USER> DisconnectUser

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

Disable:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 127.0.0.1 10443
(tcp mode only)

OpenSSL
November 25, 2016 — 21:26

Author: silver  Category: encryption linux  Comments: 0

List processes still using a deleted libssl (i.e. the ones that need restarting after an update):

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

Generate a self-signed CA, a CSR and a cert signed by that CA:

openssl genrsa -out rootCA.key 2048          # CA key; or, with a passphrase:
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
openssl genrsa -out server.key 2048          # server key and its CSR
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256

View CSR:

openssl req -in file.csr -noout -text

View cert fingerprint:

openssl x509 -fingerprint -noout -in file.crt -sha256
openssl x509 -fingerprint -noout -in file.crt -sha1
openssl x509 -fingerprint -noout -in file.crt -md5

View ciphers:

openssl ciphers -v 'TLSv1' | sort

Test ciphers:

openssl s_client -connect google.com:443 -cipher "EDH"
openssl s_client -connect google.com:443 -cipher "RC4"
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1
openssl s_client -connect google.com:443 -tls1_2
echo -n | openssl s_client -connect google.com:443
nmap --script ssl-enum-ciphers -p 443

Get fingerprint from live SSL cert (IRC):

echo | openssl s_client -connect efnet.port80.se:6697 |& openssl x509 -fingerprint -noout -sha256
echo | gnutls-cli -p 6697 irc.underworld.no --print-cert | sed -n '/-----BEGIN CERT/,/-----END CERT/p' |& openssl x509 -fingerprint -noout -sha256

Show fingerprint:

openssl x509 -in cert.pem -fingerprint -noout

To change the password of your private key:

openssl rsa -des3 -in ca.key -out ca_new.key
mv ca_new.key ca.key

Verifying that a private key matches a certificate:

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5
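The modulus comparison above only works for RSA keys and leans on MD5. As an added example (mine, not from the original post), the function below compares the SHA-256 of the DER-encoded public key taken from each side instead, which also covers EC keys; the keys and certificates it checks are constructed on the fly as throw-away fixtures.

```shell
#!/bin/sh
# key_matches_cert KEY CERT: succeed (exit 0) when the private key in KEY is
# the one behind the certificate in CERT. Instead of comparing RSA moduli
# hashed with MD5, compare the SHA-256 of the DER-encoded public key taken
# from each side; this also covers EC keys, which have no modulus.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_fixtures DIR: constructed throw-away material (not from the original
# post): an RSA key with its self-signed cert, an EC key with its self-signed
# cert, and a second RSA key that belongs to neither certificate.
make_fixtures() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/rsa.key" -sha256 -days 1 -subj '/CN=rsa-test' -out "$1/rsa.crt"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key"
    openssl req -x509 -new -key "$1/ec.key" -sha256 -days 1 -subj '/CN=ec-test' -out "$1/ec.crt"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Stand-alone demo over the constructed fixtures.
d=$(mktemp -d)
make_fixtures "$d"
for pair in "rsa.key rsa.crt" "ec.key ec.crt" "other.key rsa.crt"; do
    set -- $pair
    if key_matches_cert "$d/$1" "$d/$2"; then echo "MATCH    $1 $2"; else echo "MISMATCH $1 $2"; fi
done
rm -rf "$d"
```
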

Get the MD5 fingerprint of a certificate using OpenSSL

openssl dgst -md5 certificate.der

Get the MD5 fingerprint of a CSR using OpenSSL

openssl dgst -md5 csr.der

Debug SMTP/STARTTLS:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25

File Encryption
November 25, 2016 — 18:44

Author: silver  Category: encryption linux  Comments: 0

All of these are FUSE based except for eCryptfs.

Comparison: https://nuetzlich.net/gocryptfs/comparison


CryFS
November 25, 2016 — 18:18

Author: silver  Category: encryption linux  Comments: 0

Download:

http://cryfs.org
https://github.com/cryfs/cryfs

Compile under CentOS 6:

yum install https://www.softwarecollections.org/repos/denisarnaud/boost157/epel-6-x86_64/noarch/denisarnaud-boost157-epel-6-x86_64-1-2.noarch.rpm
yum install -y boost157-devel.x86_64 boost157-static.x86_64
scl enable devtoolset-3 bash
export BOOST_ROOT=/usr/include/boost157
export BOOST_LIBRARYDIR=/usr/lib64/boost157
git clone https://github.com/cryfs/cryfs && cd cryfs   # source from the repo linked above
mkdir cmake && cd cmake
cmake ..
make
sudo make install

Windows 7 Backup and TrueCrypt
March 13, 2012 — 21:35

Author: silver  Category: encryption windows  Comments: 0

Can’t use a TrueCrypt volume directly as a Win7 Backup target; you have to go through a Windows share… this means no image backups :(

TrueCrypt doesn’t support Volume Shadow Copy

Alternative: BitLocker or http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Update 25-01-2017:

Unfortunately the same seems to be true for VeraCrypt (and Windows 10). If a volume is mounted in VeraCrypt and you try to create a system image it’s not possible to select where to save the backup (error 0x80070001). The VeraCrypt documentation lists the following limitation:

The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (e.g. a system partition encrypted by VeraCrypt, or a non-system partition located on a system drive encrypted by VeraCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.

( https://veracrypt.codeplex.com/wikipage?title=Issues%20and%20Limitations )

eCryptfs
March 12, 2012 — 16:50

Author: silver  Category: encryption linux  Comments: 0

Mount manually:

mount -t ecryptfs /home/username/.Private /home/username/Private

Change user password:

# ecryptfs-rewrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase

Recover without login password (needs mount passphrase):

# sudo ecryptfs-add-passphrase --fnek

[Enter mount passphrase]

Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring

# sudo mount -t ecryptfs /home/username/.Private /home/username/Private

At the prompts enter: cipher aes, key bytes 16, enable plaintext passthrough: no, enable filename encryption: yes
Enter fnek signature (76a9f69af69a86fa)

(auth tok signatures will match /home/.ecryptfs/username/.ecryptfs/Private.sig)

Restore from backup:

Mount backup image file under /mnt/img (or restore your homedir files some other way)

mkdir /mnt/img
mount -o loop backup.img /mnt/img

Prepare ecryptfs backup:

rm /mnt/img/home/username/.Private
sudo ln -s /mnt/img/home/.ecryptfs/username/.Private /mnt/img/home/username/.Private

Then use the following script by “Ian D. Allen” from ubuntuforums.org:
ecryptfs-mount-backup
Mount the backup under /mnt/tmp

sudo su -
mkdir /mnt/tmp
USER=username; ./ecryptfs-mount-backup /mnt/img/home/username /mnt/tmp