Nov 03, 2012
Symmetric Encryption on the Command Line
I'm a big proponent of taking personal security measures when interacting on the internet. I sign all my emails using my PGP key so you know it is from me and not a virus, spammer, or a stolen account. I encrypt my netbook's hard drive and keep a pretty tight firewall. For the most part I like to keep everything under lock and key because you just never know who might get your info and what they might do with it.
What if you don't want to go through all this work. Without a Public/Private Key you can still use Symmetric Encryption to send files and emails and store data on your computer with an increased level of security. All possible with a few utilities found on most *nix systems.
OpenSSL
Everyone has used SSL if they've gone to a site starting with https. Pretty
much ever BSD and Linux flavor out there contains a /usr/bin/openssl.
Typically used for generating keys for networking, we can encrypt files
with just a few flags.
openssl enc -aes-256-cbc -salt -in msg.txt -out msg.enc
The following line encrypts msg.txt using a salted 256 bit AES
Cipher-Block Chaining algorithm and stores the result msg.enc. Or
to put it in simpler terms...the text file is broken into pieces, each
being used as part of the key to encrypt the next block. This command will
prompt you for a password that you must enter twice. This is your key to
decoding the file so as long as both parties know to use the same key you
can decrypt the message.
The output from this line is in a binary format which makes it difficult
to deal with outside of just storing it on a drive. So adding a -a
flag the output is stored in Base64 (i.e. text you can read) which
makes it easy copy and paste into an email.
To decrypt the command its pretty much the same.
openssl enc -aes-256-cbc -d -in msg.enc -out msg.txt
The -d flags causes the decryption. And if you used Base64 then add
the -a flag here too. Again, you'll be prompted for a password and
out pops the decrypt message.
OpenSSL: Scripting and Options
If we want to make these actions a little more useful we can add to our .bashrc (or the rc file for your shell of choice) two functions.
function ssl-encrypt
{
if [ $# -eq 2 ]; then
openssl enc -aes-256-cbc -a -salt -in $1 -out $2
else
echo "usage: sym-encrypt <source> <destination>"
fi
}
function ssl-decrypt
{
if [ $# -eq 2 ]; then
openssl enc -aes-256-cbc -d -a -in $1 -out $2
else
echo "usage: sym-decrypt <source> <destination>"
fi
}
Now we can call ssl-encrypt msg.txt msg.enc which will prompt us for
our password twice and we are done. I've added a little edge testing to
make sure you enter only 2 parameters.
Other options are available for the algorithm used for encoding/decoding.
Options are available by running openssl list-cipher-algorithms. Just
make sure that the person on the decoding side knows what algorithm you
selected to encrypt. You can also add the flag -z to compress the
file using zlib.
OpenSSL: Pros and Cons
OpenSSL is found on pretty much every system out there so no need to set anything up. It comes with a huge range of cipher algorithms and a pretty good set of options if you want to tweak out your encryption scheme.
A half up side/half down side, the encrypted files generated by OpenSSL do not contain a Magic Byte allowing your OS to detect what the file is. This is good in the sense that it comes off as just a file of random garbage, but on the down side it comes off as just a file of random garbage. If someone gets the file and doesn't know what it is then your data is safe. If you are sending it to a friend to decrypt, they need to know that the file is encrypted, the algorithm used and the password.
GnuPG
Another option for Symmetric Encryption is GNU's implementation of PGP. Typically used Public/Private Keys for Asymmetric Encryption, GnuPG can be used for Symmetric Encryption too.
gpg --cipher-algo AES256 --symmetric -o msg.enc msg.txt
Implementing the same 256-bit AES Encryption algorithm we can create our
password protected file in a single line. This makes a binary file that doesn't
work well for text editors or email clients so adding the -a flag makes the
output ASCII Armored.
Decryption is a little bit easier than with OpenSSL.
gpg --decrypt -o msg.txt msg.enc
No additional flags are needed to identify the algorithm or if it was compressed. Pretty simple.
GnuPG: Scripting and Options
Though the list of algorithms possible for GnuPG are slightly smaller than that of OpenSSL, the couple major ones everyone uses are provided. Additionally, compression can be performed using either zlib or the slightly better bzip2 algorithm, both allowing for compression levels.
Here is our scripts again for GnuPG.
function sym-encrypt
{
if [ $# -eq 2 ]; then
gpg --compress-algo BZIP2 --bzip2-compress-level 9 \
--cipher-algo AES256 \
--symmetric -a -o $2 $1
else
echo "usage: sym-encrypt <source> <destination>"
fi
}
function sym-decrypt
{
if [ $# -eq 2 ]; then
gpg --decrypt -o $2 $1
else
echo "usage: sym-decrypt <source> <destination>"
fi
}
I've added support to compress with bzip2 with a high compression level and ASCII Armored it as well.
GnuPG: Pros and Cons
As with OpenSSL, GnuPG is found on pretty much every Linux System out there. Some systems may not come with it pre-installed but you can find it in every repo. Depending on the build options, GnuPG has just about the same number of Cipher Algorithms available.
Unlike OpenSSL that puts no Magic Byte in the encrypted file, GnuPG (or any OpenPGP application) generates an output file containing fingerprint information about the encryption and compression used. This is good in the situation where you send a file to your friend. They can check the Magic Byte, see that it is an OpenPGP generated file and by only knowing the password, decrypt it. No need to know the compression or cipher algorithms used as that information is stored in the file. On the down side, this makes it slightly easier to first a) detect that the file is encrypted data and b) know enough information to start the cracking process. Since you are using 256-bit AES, hopefully with a good password, there really shouldn't be a worry about giving this cipher information away.
This message will self destruct in...
Whenever working with encryption its important to remember that clear text
versions of your data exist and can compromise the purpose of your endeavour
if found. If you keep an encrypted text file of user names and passwords, you
should make sure to destroy the decrypted version after you are done using it.
Most Linux systems come with the shred utility that overwrites your data
and renames your file many times to attempt to remove all signs the file ever
existed.
You have the option of defining the number of times random data is written to your file. I tend to use a bit of overkill on this one...
shred -vuz -n 128 msg.txt
This will write over the file's entirety 128 times, writes zeros over the data at the end to attempt to hide the shredding process and removes the file when complete.
Get out there and start hiding your data
Some additional things you could do are create scripts to tar a directory, encrypt it and then shred the files inside. Or create a password wallet that decrypts, prints to the screen and then shreds all in a single command. There are tons of places you can script in encryption to make your daily computing life a little more secure.
For the most part I tend to use the GnuPG solution because I use GnuPG for Public/Private signing of my email and source code. I also like the fact that it doesn't look like complete garbage data. If I wanted to store data in the wild and make sure no one knew what it was then I might use the OpenSSL option. In the end, both have the same algorithms and most of the same features. The important part is that you use encryption.
<perm> | /security | 2012.11.03-05:59.00 | <comments> | <reddit> | <digg> | <stumbleupon> | <tweet>
