Subject: Re: portable encrypted CD/USB
To: None <netbsd-users@NetBSD.org>
From: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
List: netbsd-users
Date: 05/23/2007 09:56:22

Thus spoke Douglas Allan Tutty (dtutty@porchlight.ca)
> On Tue, May 15, 2007 at 09:27:15PM +1000, Thilo Jeremias wrote:
> > Douglas Allan Tutty wrote:
> > >I see in the netbsd guide about using the CGD to create an encrypted CD.
> > >It does note that such a CD can't be read with any other OS.
> > >
> > >Does anyone know of a tool to do something similar that is cross-OS
> > >between especially NetBSD and Debian GNU/Linux?  Ideally, it wouldn't be
> > >limited to CD but could be used on e.g. USB sticks.
> > >
> > >
> > Things at a filesystem level are highly incompatible and specific to the OS,
> > easier (not as elegant though) would be to script something around well
> > ported tools like openssl
>
> The cross-platform nature was why I was interested in the CD aspect.
> iso9660 is OS independent.  If only there was an iso* cross-platform
> rw filesystem.  In any event, whatever filesystem can be written to any
> raw device.
>
> >
> > (you might even include scripts for win/lnx & bsd) that call
> > openssl enc -aes-256-cbc -d -pass "$1" -in "$2.cryp" -out "$2"
> >
>
> I'll look into openssl.  Unfortunately, on my Debian box, the ssl docs
> are in pod format, whatever that is; makes it hard to read as plain
> text.  I'll try to find docs in pdf, html, or plain text.

Some years ago I wrote a small shell script to protect files on a HP
Jornada 680, before CGD was available. It is available as [1], but it
has several strong security issues. If you encrypt a decrypted file to
access it, you have to reencrypt it if the content changed. And you
have to securely delete the encrypted version. A simple "rm foo" does
not work, since the content can still be reconstructed. Check out
pkgsrc/sysutils/wipe to securely delete files. But note that not all
filesystems allow secure deletion by overwriting data, and the way
data can be securely deleted also depends on the media. A Flash-EEPROM
(e.g. USB memory stick, CF card) can be securely deleted by overwriting
the data one time with 0 or 1. A magnetic device needs a more specific
treatment.

If you need a good introduction to cryptography, read [2]; if you
think you don't need to read [2], read [3] ;-)

> Debian has aespipe that takes input, encrypts it, and spits it out via
> pipes.  I don't know the details since I haven't seen it for other OSs.
>
> Perhaps there's a simple way to use openssl like that.  Then use your
> archive format of choice (is pax cross-platform?) and pipe it through to
> encrypt and decrypt.

If you want to encrypt on file level / via pipes, you could use almost
any encryption program available. I use mcrypt, which is available as
pkgsrc/security/mcrypt/, to encrypt my backups that way:

 dump -0 -a -f - /dev/fss0 2>dumplog | bzip2 | \
 mcrypt -a  rijndael-256  > `date +%y%m%d`.asc

You could substitute mcrypt with GnuPG, OpenSSL or even /usr/bin/bdes,
which only supports DES and is therefore insecure.

If you are interested in portability of the encrypted files, I'd
suggest using GnuPG. It is available on anything Unix-like and other
esoteric OSes like MS Windows or MacOS X ;-)

[1] http://net-tex.dnsalias.org/~stefan/nt/code/dir-enc.sh
[2] Applied Cryptography, Bruce Schneier,
    http://www.schneier.com/book-applied.html
[3] Why Cryptosystems Fail, Ross Anderson,
    http://www.cl.cam.ac.uk/~rja14/Papers/wcf.pdf
--
PGP FPR: CF74 D5F2 4871 3E5C FFFE  0130 11F4 C41E B3FB AE33
http://www.net-tex.de
http://www.cryptomancer.de
--
What have people prayed for since childhood, what have they dreamed of,
what have they tormented themselves with? That someone would tell them
once and for all what happiness is, and chain them to that happiness.
And is that not exactly what we are doing? The ancient dream of paradise ...
Jewgenij Iwanowitsch Samjatin, »We«
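
Added example, not part of the original message or of any script it links to: the pipe-based approach discussed in this thread, done with OpenSSL so that no plaintext archive is written to disk and nothing has to be wiped afterwards. The function names are hypothetical; it assumes an openssl that supports `-pbkdf2` (OpenSSL 1.1.1 or later) and a passphrase stored in a file.

```shell
#!/bin/sh
# Added example; encrypt_dir/decrypt_dir are hypothetical helper names.
# The passphrase is read with -pass file:..., so it never appears in the
# process list the way a passphrase given on the command line would.

# encrypt_dir SRC_DIR OUT_FILE PASS_FILE
# Streams a tar archive of SRC_DIR straight into openssl; the plaintext
# archive only ever exists inside the pipe.
encrypt_dir() {
    src=$1 out=$2 passfile=$3
    [ -d "$src" ] && [ -r "$passfile" ] || return 2
    ( umask 077   # ciphertext readable by its owner only
      tar -cf - -C "$src" . |
        openssl enc -aes-256-cbc -salt -pbkdf2 \
            -pass "file:$passfile" -out "$out" )
}

# decrypt_dir ENC_FILE DEST_DIR PASS_FILE
# Returns non-zero on a wrong passphrase or a damaged file.
decrypt_dir() {
    enc=$1 dest=$2 passfile=$3
    [ -r "$enc" ] && [ -r "$passfile" ] || return 2
    # Pass 1: decrypt to /dev/null. A wrong passphrase normally fails the
    # padding check here, before anything is written to DEST_DIR.
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" \
        -in "$enc" >/dev/null 2>&1 || return 1
    mkdir -p "$dest" || return 2
    # Pass 2: decrypt into tar. CBC is unauthenticated, so the padding check
    # above is weak; tar rejecting a garbage stream is the second safety net.
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" \
        -in "$enc" 2>/dev/null | tar -xf - -C "$dest"
}
```

The resulting file can be decrypted with the same openssl command line on NetBSD, Linux or any other system that ships a compatible openssl.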