Before going abroad for an extended stay, there was lots of planning and organizing. In the process, all sorts of eventualities were thought about, including questions of serious injury or even death. That's when I realized that I have a lot of accounts, passwords, logins, codes, PINs and other secrets that no one knows besides me. As a security-aware person, I try to lock down everything and want it to stay like that. However, should anything drastic happen to me, all of this data becomes inaccessible. Since the login data is the key to all other sorts of data, the effect is even more drastic. For example, no one could access contacts, accounts, project data or family pictures.
You could resolve this issue legally by placing access data with a notary. But I'm a technical person, so I want a technical solution. Naturally, I don't want to surrender security by removing passwords or blindly handing them out to people (e.g. by sticking them onto the monitor). And I don't trust a single person with all my passwords. But how about distributing my trust? That's the keysafe approach. With the keysafe, my data can only be accessed by a group of people, meaning that every person of the group must give consent. So even if I don't fully trust one person of the group, I figure it will be OK if I can (partially) rely on some other people. What someone might do in a dark back room, that same person wouldn't dare do in the open.
So, every person of the group gets a password. Naturally, the data is encrypted. Only when all passwords come together can they decrypt my super secret data. It's very much like a box with several padlocks attached: you need to unlock all the locks to open the box. The keysafe is a bit more flexible than that. You can allow a fraction of all users, let's say three out of five, to be sufficient for decryption. In fact, you can create arbitrary combinations of users who are able to access your data.
And living in a digital world, there are even more possibilities to tailor the security to your personal needs. Not only do you have control over who can decrypt with whom, but also over where you put your encrypted data, and how many copies there are. This leaves you with many possibilities to create a situation where you are in control as much as you like. For example, you can keep a password on you (as in written down). It's not too bad if you lose it, and your trust issues won't go overboard. Or you can distribute several copies of the data. They are still encrypted, but you don't run the risk of losing the only copy. You can of course also store the data with a trusted person (here's the notary again). Keep in mind, though, that data given away is out of your control. You can neither prevent copies nor ensure deletion.
The toolchain consists of three parts: An encryption and decryption script and a live system. The idea is that you encrypt your data and put them on a USB key, embedded in the live system. The encryption process gives you the password information which you can distribute among your users. The USB key provides a self-contained way to store and decrypt the data. In this combination, little technical knowledge is required (for access, at least) and the data can be read out anywhere.
To encrypt the data and create the live system, you'll pretty much need a running Unix system. The scripts depend on Perl and some basic tools (gpg, tar). If you have a Linux system at hand, most of the dependencies will probably be preinstalled. Get your data and the toolchain onto a safe machine.
Use the encrypt.pl script to encrypt the data and create the user information.
./encrypt.pl /pth/to/plaintext /pth/to/ciphertext "Alice Bob; Alice Charlie; Bob Charlie Dave"
Alice, Bob, Charlie and Dave are your users. In the command, you define the combinations of users which are allowed to decrypt your data. Groups are separated by semicolons (;). Users are separated by whitespace. For example, Alice and Charlie together will be able to decrypt the data.
After encryption, the script shows you the information you'll have to distribute to the users. Specifically, the user name, password, archive checksum and a list of decryption partners. You can print this information and hand it to your semi-trusted fellows.
The next step is to create the live system which includes your encrypted data. The live image is based on the Gentoo installer. In fact, only a greeter and the decryption script are added. And of course you'll add your own data. Once you've downloaded the prepared image, copy your data and remaster the image. There are two options here: ISO and USB. Choose the one which fits your needs. It's the same technology behind both, but a slightly different setup. If you want to do something custom, the remaster tutorial may help you.
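How a group specification like the one above can be enforced cryptographically, as an added example (not keysafe's own code; this page does not show how encrypt.pl works internally). The construction, function names and passwords are assumptions for illustration: one data key is wrapped once per authorised group under a key that needs every member's password, and a "three out of five" rule is expanded into its explicit groups.

```python
import hashlib, hmac, secrets
from itertools import combinations

ITERATIONS = 100_000  # PBKDF2 work factor (illustrative choice)

def parse_groups(spec):
    """'Alice Bob; Alice Charlie' -> [frozenset({'Alice', 'Bob'}), ...]"""
    return [frozenset(g.split()) for g in spec.split(";") if g.split()]

def threshold_spec(users, k):
    """Express 'any k of these users' as an explicit group list."""
    return "; ".join(" ".join(c) for c in combinations(users, k))

def partners(spec, user):
    """Per-user list of decryption partners, one entry per group."""
    return [sorted(g - {user}) for g in parse_groups(spec) if user in g]

def _group_key(passwords, group, salt):
    # One slow KDF per member, then hash all parts together: missing any
    # single password leaves the group key unknown.
    parts = [hashlib.pbkdf2_hmac("sha256", passwords[u].encode(),
                                 salt + u.encode(), ITERATIONS)
             for u in sorted(group)]
    return hashlib.sha256(b"".join(parts)).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(data_key, passwords, spec):
    """Wrap one 32-byte data key once per authorised group."""
    slots = []
    for group in parse_groups(spec):
        salt = secrets.token_bytes(16)  # fresh salt, so each group key is single-use
        gk = _group_key(passwords, group, salt)
        wrapped = _xor(data_key, hmac.new(gk, b"pad", "sha256").digest())
        tag = hmac.new(gk, b"tag" + wrapped, "sha256").digest()
        slots.append((group, salt, wrapped, tag))
    return slots

def unwrap_key(slots, presented):
    """Return the data key if the presented passwords cover a full group."""
    for group, salt, wrapped, tag in slots:
        if not group <= set(presented):
            continue  # at least one member of this group is absent
        gk = _group_key(presented, group, salt)
        if hmac.compare_digest(tag, hmac.new(gk, b"tag" + wrapped, "sha256").digest()):
            return _xor(wrapped, hmac.new(gk, b"pad", "sha256").digest())
    return None
```

The number of wrapped copies grows with the number of groups, so a threshold over many users becomes long when written out this way.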
If you need an ISO image (e.g. you use a CD or a virtual machine), run the following command. Dependencies are mksquashfs, mkisofs and isohybrid. Install these before running the script.
./live-iso/update-image-iso.sh /pth/to/cipher /pth/to/target
If you want to use a USB key, run the following command instead. The device is of the form /dev/sdX.
sudo ./live-usb/update-image-usb.sh /pth/to/cipher /pth/to/device
Alternatively, you can of course store the encrypted data somewhere else and use the decrypt.pl script directly.
Let me show you some screenshots to demonstrate how this process looks.
You start by downloading the tools, unpacking them and writing the file with all your secrets.
Then, let's encrypt the secret file. This gives you a new file, the cipher.
So, let's put this into a bootable image. Since we'll use it in a virtual machine, the ISO approach was chosen.
The remastering (= ISO creation) has finished. Now, there's a brand new and shiny master.iso file. That's the one we'll boot.
The virtual machine was fired up (for a tutorial on creating a virtual machine like this, check out the Remastering tutorial). It has booted and started the greeter.
So let's start the decryption. Verifying the checksum comes first, then you'll enter the passwords (as shown earlier, after the encryption).
The passwords worked and the super secret content is shown.
Finished, you can now stop the machine and go on with your daily business.
Behold, the BSD 3-clause License!
Copyright (c) 2014, Matthias Baumgartner
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the keysafe nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL MATTHIAS BAUMGARTNER BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
links and downloads
Extract archives with
sudo tar --same-owner -xvpf /pth/to/archive.tgz
If you want to do something different or need more details, check out the Remastering tutorial for instructions on how to create a live system from the Gentoo admin cd.
If you have any remarks, questions or want to get in touch for other reasons, drop a mail at dev-at-igsor-dot-net