KeePassX + TrueCrypt + Dropbox: a secure and portable password management solution

Problem
I’ve arrived at the point that I’m fed up with the f* passwords. I can’t memorize them all so I usually write them in an exercise book that I keep at home. But what if I need something from it at my workplace? On the other hand, this booklet is already full (with other pieces of info too), so when I need a password from it, I need to search it for minutes… Damn. It would be so nice if I had all this information in a file on my machine but in a secure way.

Solution
The ideal solution is a password manager. But which one to choose? There are a lot. Since I also use Windows from time to time, I needed a cross-platform solution. First I thought of using a command line manager but finally I decided to use a graphical one; after all it looks nicer and easier to use (and I didn’t want to learn new command line options that I forget if I don’t use it for a few weeks…). This is how I got to KeePassX, which perfectly fulfills my needs. It’s also in the Ubuntu repos.

As I use several machines, the password database should be available everywhere. So let’s store it on Dropbox. But how safe is it? Well, it’s rather safe; your KeePassX database has a master password, which uses an AES-256 encryption but still… the devil never sleeps. Could we add an extra layer of security?

Yes, we could. With TrueCrypt you can create an encrypted file that can be mounted as a new volume (as if you had attached a USB stick for instance). I put the KeePassX database on this volume. Thus, in order to use the database, first I must mount the container file as a TrueCrypt volume, and then I can open the database file, but it also asks for the master password. Now I dare put the TrueCrypt container file on Dropbox :)

So, here is my setup (summary):

• Create a KeePassX database and provide a master password. You can change this password later under the File menu. It uses AES-256 encryption.
• Create a container file with TrueCrypt. The KeePassX database is very small so I set the container’s size to 1 MB. Encryption algorithm: AES-Twofish-Serpent cascading encryption with the XTS method. Hash algorithm: Whirlpool (tip from here). Of course, use a different password for this container file than for the KeePassX database. The TrueCrypt password should be long (20 to 30+ characters).
• Mount the container file and move the KeePassX database on the mounted volume.

OK. So far so good. But how to use the database painlessly? I made a simple script that mounts the container file and then opens the database. Just customize the constants in the header part. Launch it and simply type in the passwords. Instead of one password (for the database), you will have to provide two extra ones (for the TrueCrypt volume and your root password for being able to mount a new volume). I think this sacrifice is worth considering the additional security you gain. It may be a bit paranoid but on the Internet be paranoid. You know: Trust is a weakness :)

#!/usr/bin/env python

"""
Start KeePassX.
Mount the truecrypt container if necessary.

by Jabba Laci 2013 (jabba.laci@gmail.com)

http://ubuntuincident.wordpress.com/2013/04/14/keepassx-truecrypt-dropbox/

"""

import os

TRUECRYPT = '/usr/bin/truecrypt'
KEEPASSX = '/usr/bin/keepassx'
#
CONTAINER_FILE = "{home}/Dropbox/keepassx/container.dat".format(
    home=os.path.expanduser('~')
)
MOUNT_POINT = '/media/truecrypt9' 
KDB = '/media/truecrypt9/JabbaDB.kdb'

def mount_truecrypt_file():
    """
    Open the truecrypt container file that 
    includes the keepassx database.
    """
    if not os.path.isfile(KDB):
        cmd = 'sudo {tc} {container} {mount}'.format(
            tc=TRUECRYPT, container=CONTAINER_FILE, mount=MOUNT_POINT
        )
        print '#', cmd
        os.system(cmd)
    else:
        print '# container already mounted to', MOUNT_POINT

def open_kdb():
    """
    Open the keepassx database file on the previously mounted volume.
    """
    if not os.path.isfile(KDB):
        print "Error: the container file was not mounted."
    else:
        cmd = "{kpx} {f} &".format(kpx=KEEPASSX, f=KDB)
        print '#', cmd
        os.system(cmd)

def main():
    mount_truecrypt_file()
    open_kdb()

###################################################################

if __name__ == "__main__":
    main()

_{[ comments @reddit ]}

Update (20130501)
After two weeks of usage, I think adding truecrypt is an overkill. The problem is the following: I want to use this keepassx database on several machines, that’s why I put it on dropbox. That’s fine. But each time I need to mount the truecrypt volume that I often forget to dismount. At my workplace my machine is always on, so sometimes (often) I leave the volume mounted when I go home. If I want to add a new password to the database at home, dropbox creates a conflicted copy of the truecrypt file when I save the keepassx database. So I end up with two different databases that I will have to merge manually. It’s already happened to me 2 or 3 times…

So I removed truecrypt from the chain. Now I have a keepassx database (with a long password) stored on dropbox. I only have to pay attention to close keepassx when I leave my workplace but it’s feasible: when I copy a password from it, I close it immediately.

Symbolic links are not treated properly on Dropbox

If you try to use symbolic links in your Dropbox folder, you’ll end up with a mess :( Here is a nice summary of the problems. It turns out that it’s because of a stupid decision that was made by Dropbox a long time ago.

If you want them to implement symlinks properly, please vote here.

Remote control a script from home via dropbox

Problem
At my workplace I want to leave a script running on my desktop 24h/day. However, from home I cannot login to my machine, so if I want to stop/pause the script, I must go in to the office.

Still, how could I give commands for such a script from home?

Solution
I came up with the following idea. The script is put in my Dropbox folder and it is launched from there. At home I can create some special command files that are automatically synchronized on my office machine too. And when the script notices such a command file, it can react. My command files are called “stop” and “wait” and they can be empty.

The script checks periodically the presence of these files:

def check_commands():
    """
    Remote commands via dropbox.
    """   
    if os.path.isfile('stop'):
        os.unlink('stop')
        print '\nstop received, terminated.'
        sys.exit()
    #
    while os.path.isfile('wait'):
        sys.stdout.write('w')
        time.sleep(5)

The command “stop” terminates the script. The command “wait” pauses the program.

Dropbox: don’t sync certain directories; empty the cache

Problem
I have a laptop with a small HDD. I want to use Dropbox on it too but in this case I hardly have any free space left. Could I select certain directories that I don’t want to see on my laptop?

Solution
Yes, it’s possible. Here is a detailed description how to do that. In short: go to Dropbox -> Preferences…, select the Advanced tab and click on Selective Sync… Here untick the directories that you don’t need on your current machine. When you click on Update, these directories will be removed from your local Dropbox folder but they remain on the server, so there is no need to worry. They are simply not synced with the current machine.

However, you may notice that after Dropbox has removed these directories, you still don’t have more free space :( Well, the dropbox client put the deleted files in the cache… Here is how to empty the cache. In short: stop the client, delete the content of the cache folder (but leave the cache folder itself), restart the client.

Storing sensitive data in your Dropbox folder

Problem
You want to store some sensitive data in your Dropbox folder, e.g. passwords. How to protect these data?

Solution
In your Dropbox folder create a Truecrypt volume and store your data in this encrypted virtual file system. For more info refer to this article.

Example
I wanted to store some credentials that I wanted to access from several machines. In my Dropbox folder I created a 10 MB Truecrypt volume. I mounted it and put the sensitive data in it.

Get the public Dropbox links of several files

Problem

When you install Dropbox, you get a Public directory. It has the advantage that if you put a file in it, you can get a public http:// link on it, thus sharing files with your friends is very easy. To get the public link, just navigate to the file in Nautilus, right click on the file, then Dropbox -> Copy Public Link.

However, if you want to share several files, getting their public links via Nautilus can be a PITA. How to get the public links for all the files in the current directory?

Solution

I made a simple Python script for this task. It can show the public link of (1) one file, or (2) all files in the current directory.

Usage:

$ get_public_link share.zip

http://dl.dropbox.com/u/XXXXXX/share.zip

$ get_public_link -a

http://dl.dropbox.com/u/XXXXXX/share/movie.r01


http://dl.dropbox.com/u/XXXXXX/share/movie.r02


http://dl.dropbox.com/u/XXXXXX/share/movie.rar

If you want to copy the links to the clipboard, combine it with my tocb script:

$ get_public_link share.zip | tocb

Download

The script (together with tocb.py) is available here, in the dropbox/ folder.

Compress with RAR and split into multiple files

Problem

You have a large file that you want to send to a friend. One possible way is to upload it to your Dropbox folder and when he got it you remove it. If the file is too big, split it into multiple smaller files. If your friend uses Windows, you should compress the file with ZIP or RAR. Here I show you how to do it with RAR.

Solution

rar a -m5 -v10m myarchive movie.avi

It will compress movie.avi and split it into 10 MB chunks (-v10m), using the best compression ratio (-m5). In the case of an AVI file it won’t help much, so here you could use -m0 too, which means no compression at all. The default is -m3 by the way. Output: myarchive.part1.rar, myarchive.part2.rar, etc.

If you prefer the traditional names (myarchive.rar, myarchive.r00, myarchive.r01, …), add the -vn switch too.

Extraction:

rar x myarchive.part1.rar

Credits
This entry is based on this post: http://linux.byexamples.com/archives/226/compress-to-multiple-volume-rar/.

Setting file permissions in your Dropbox folder recursively

Problem

I use Dropbox a lot; it’s very useful to have a large folder that is automatically synchronized and made available on all my machines, be it either a Linux or a Windows box.

However, I have problems with file permissions. Unfortunately it’s not treated by Dropbox in a platform-independent way. What I mean is the following: when I log in to Windows, Dropbox “nicely” flattens all my files, i.e. it removes the executable flag from my scripts… When I log back to Linux, all my scripts (*.sh, *.py, etc.) are non-executable. Great! :(

Solution #1 (naive approach)

First I wrote a simple bash script to correct the directory and file permissions:

#!/bin/bash

HERE=$HOME/Dropbox
cd $HERE

find . -type d -print0 | xargs -0 chmod 700
find . -type f -print0 | xargs -0 chmod 600
find . | grep ".py$" | xargs chmod u+x
find . | grep ".sh$" | xargs chmod u+x
chmod u+x $HERE/xmind-portable/XMind_Linux/xmind
chmod u+x $HERE/xmind-portable/XMind_Linux/xmind-bin
chmod 755 $HOME/Dropbox
chmod u+x git.projects/others/upskirt/upskirt

I put it in crontab and called the script once in an hour.

The script gets the job done but it has a great price. In my Dropbox folder I have more than 30,000 files. This script updates all of them with “chmod”. Even if there is no change (for ex. a file had 0600 permissions and we set 0600 again), Dropbox notices the update (!) and synchronizes all the files with its server! Thus, even if the script modified the permissions of few files, all the files will be synchronized. Result: high CPU and RAM usage for several minutes when the script is launched…

Solution #2 (sophisticated approach)

To overcome the previous problem, we need to do the following: look at the permissions of a directory/file and IF its permissions are not good THEN modify the permissions. That is, if permissions are OK, we do not touch the file with “chmod” and thus Dropbox will not take any actions. Dropbox will synchronize only those files whose permissions really changed.

So here is my script, written in Python. Just put it in your Dropbox folder and launch it. By default it’s in “dry” mode, i.e. it only prints the changes without applying them. If the result is OK, set DRY to False. The script also verifies if it’s in the Dropbox folder. Since it changes permissions recursively, you don’t want to run it in your HOME folder :)

#!/usr/bin/env python

# dropbox_permissions.py
# https://ubuntuincident.wordpress.com/2011/05/08/setting-file-permissions-in-your-dropbox-folder-recursively/

import os
import sys
import stat

# dry run, make no changes just show them
DRY = True
#DRY = False

# verify if we are in the Dropbox folder
VERIFY_DROPBOX = True
#VERIFY_DROPBOX = False

ignore_dirs = ('.git', '.svn', '.eric4project', '.ropeproject')
executable_file_extensions = ('.py', '.sh', '.pl')
executable_files_with_relative_path = (
    './xmind-portable/XMind_Linux/xmind',
    './xmind-portable/XMind_Linux/xmind-bin'
)

changes = 0


def chmod_ux(file):
    set_mode_to(file, 0700)


def set_mode_to(file, permissions):
    global changes
    f = file
    mode = get_oct_mode(f)
    if mode != oct(permissions):
        try:
            if DRY:
                print "# chmod {0} {1}".format(oct(permissions), f)
            else:
                os.chmod(f, permissions)
            changes += 1
        except OSError:
            print >>sys.stderr, "# cannot chmod the file {0}".format(f)


def get_oct_mode(entry):
    entry_stat = os.stat(entry)
    mode = oct(entry_stat[stat.ST_MODE] & 0777)
    return mode


def process_dir(directory):
    set_mode_to(directory, 0700)


def process_file(file):
    f = file
    file_name = os.path.split(f)[1]
    file_ext = os.path.splitext(file_name)[1]

    if (file_ext in executable_file_extensions) or (f in executable_files_with_relative_path):
        process_exe_file(f)
    else:
        process_other_file(f)


def process_exe_file(file):
    chmod_ux(file)


def process_other_file(file):
    set_mode_to(file, 0600)


def traverse(directory):
    """Traverse directory recursively. Symlinks are skipped."""
    #content = [os.path.abspath(os.path.join(directory, x)) for x in os.listdir(directory)]
    content = [os.path.join(directory, x) for x in os.listdir(directory)]
    dirs = sorted([x for x in content if os.path.isdir(x)])
    files = sorted([x for x in content if os.path.isfile(x)])

    for d in dirs:
        if os.path.islink(d):
            continue
        dir_name = os.path.split(d)[1]
        if dir_name in ignore_dirs:
            continue
        # else
        process_dir(d)
        traverse(d)
    
    for f in files:
        if os.path.islink(f):
            continue
        # else
        process_file(f)


def verify_dir(directory):
    d = os.path.abspath(directory)
    if 'dropbox' not in d.lower():
        print >>sys.stderr, """
It seems that you are not in the Dropbox folder. If you launch this
script in a wrong folder, it may do more harm than good since it
changes file permissions recursively.
If this is a false alarm and you really want to execute the script
here, disable this verification by setting the variable VERIFY_DROPBOX
to False.
"""
        sys.exit(1)


def main():
    start_dir = "."
    if VERIFY_DROPBOX:
        verify_dir(start_dir)
    traverse(start_dir)
    #chmod_ux(sys.argv[0])
    print "# changes: {0}".format(changes)
    if DRY:
        print "# >>> it was a dry run, no changes were made <<<"

####################

if __name__ == "__main__":
    main()

The up-to-date version of the script is available here, in the dropbox/ folder.

You can safely call it from crontab at every hour, it will not eat up your system resources.

dropbox installation

To install dropbox, visit the page https://www.dropbox.com/downloading?src=index. In short, you need to do the following:

• Install the .deb file.
• Install Dropbox’s public key (sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5044912E).

Then you will find Dropbox under Applications -> Internet.

Update (20130309)
Here is how I installed Dropbox under Ubuntu 12.10.

$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5044912E
$ sudo add-apt-repository "deb http://linux.dropbox.com/ubuntu quantal main"
$ sudo apt-get update
$ sudo apt-get install dropbox