
Posts Tagged ‘truecrypt’

KeePassX + TrueCrypt + Dropbox: a secure and portable password management solution

April 14, 2013 4 comments

Read the update at the bottom.

Problem
I’ve arrived at the point that I’m fed up with the f* passwords. I can’t memorize them all so I usually write them in an exercise book that I keep at home. But what if I need something from it at my workplace? On the other hand, this booklet is already full (with other pieces of info too), so when I need a password from it, I need to search it for minutes… Damn. It would be so nice if I had all this information in a file on my machine but in a secure way.

Solution
The ideal solution is a password manager. But which one to choose? There are a lot. Since I also use Windows from time to time, I needed a cross-platform solution. First I thought of using a command line manager but finally I decided to use a graphical one; after all it looks nicer and is easier to use (and I didn’t want to learn new command line options that I forget if I don’t use it for a few weeks…). This is how I got to KeePassX, which perfectly fulfills my needs. It’s also in the Ubuntu repos.

As I use several machines, the password database should be available everywhere. So let’s store it on Dropbox. But how safe is it? Well, it’s rather safe; your KeePassX database is protected by a master password and encrypted with AES-256, but still… the devil never sleeps. Could we add an extra layer of security?

Yes, we could. With TrueCrypt you can create an encrypted file that can be mounted as a new volume (as if you had attached a USB stick for instance). I put the KeePassX database on this volume. Thus, in order to use the database, first I must mount the container file as a TrueCrypt volume, and then I can open the database file, but it also asks for the master password. Now I dare put the TrueCrypt container file on Dropbox :)

So, here is my setup (summary):

  • Create a KeePassX database and provide a master password. You can change this password later under the File menu. It uses AES-256 encryption.
  • Create a container file with TrueCrypt. The KeePassX database is very small so I set the container’s size to 1 MB. Encryption algorithm: AES-Twofish-Serpent cascading encryption with the XTS method. Hash algorithm: Whirlpool (tip from here). Of course, use a different password for this container file than for the KeePassX database. The TrueCrypt password should be long (20 to 30+ characters).
  • Mount the container file and move the KeePassX database onto the mounted volume.

OK. So far so good. But how to use the database painlessly? I made a simple script that mounts the container file and then opens the database. Just customize the constants in the header part. Launch it and simply type in the passwords. Instead of one password (for the database), you will have to provide two extra ones (for the TrueCrypt volume and your root password for being able to mount a new volume). I think this sacrifice is worth it, considering the additional security you gain. It may be a bit paranoid but on the Internet be paranoid. You know: Trust is a weakness :)

#!/usr/bin/env python3

"""
Start KeePassX.
Mount the truecrypt container if necessary.

by Jabba Laci 2013 (jabba.laci@gmail.com)

http://ubuntuincident.wordpress.com/2013/04/14/keepassx-truecrypt-dropbox/

"""

import os
import subprocess

TRUECRYPT = '/usr/bin/truecrypt'
KEEPASSX = '/usr/bin/keepassx'
#
CONTAINER_FILE = "{home}/Dropbox/keepassx/container.dat".format(
    home=os.path.expanduser('~')
)
MOUNT_POINT = '/media/truecrypt9'
KDB = '/media/truecrypt9/JabbaDB.kdb'

def mount_truecrypt_file():
    """
    Open the truecrypt container file that
    includes the keepassx database.
    """
    if not os.path.isfile(KDB):
        # Argument list, no shell: paths containing spaces or shell
        # metacharacters reach truecrypt unchanged.
        cmd = ['sudo', TRUECRYPT, CONTAINER_FILE, MOUNT_POINT]
        print('#', ' '.join(cmd))
        subprocess.call(cmd)
    else:
        print('# container already mounted to', MOUNT_POINT)

def open_kdb():
    """
    Open the keepassx database file on the previously mounted volume.
    """
    if not os.path.isfile(KDB):
        print("Error: the container file was not mounted.")
    else:
        cmd = [KEEPASSX, KDB]
        print('#', ' '.join(cmd))
        # Popen returns immediately, like a trailing "&" in the shell.
        subprocess.Popen(cmd)

def main():
    mount_truecrypt_file()
    open_kdb()

###################################################################

if __name__ == "__main__":
    main()


Update (20130501)
After two weeks of usage, I think adding truecrypt is overkill. The problem is the following: I want to use this keepassx database on several machines, that’s why I put it on dropbox. That’s fine. But each time I need to mount the truecrypt volume, which I often forget to dismount. At my workplace my machine is always on, so sometimes (often) I leave the volume mounted when I go home. If I want to add a new password to the database at home, dropbox creates a conflicted copy of the truecrypt file when I save the keepassx database. So I end up with two different databases that I will have to merge manually. It has already happened to me 2 or 3 times…

So I removed truecrypt from the chain. Now I have a keepassx database (with a long password) stored on dropbox. I only have to pay attention to close keepassx when I leave my workplace but it’s feasible: when I copy a password from it, I close it immediately.
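The two signs of the problem described in this update (a volume still mounted, and a conflicted copy of the container in the Dropbox folder) can be checked for before saving the database. This is an added example, not part of the original post; it assumes Dropbox's "(... conflicted copy ...)" file naming and the Linux /proc/mounts format, and the function names and sample data are made up for illustration.

```python
import os
import re

def is_mounted(mount_point, mounts_text):
    """True if mount_point is a mount target in /proc/mounts-style text."""
    target = os.path.normpath(mount_point)
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # /proc/mounts stores spaces and tabs in paths as octal escapes (\040).
        path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        if os.path.normpath(path) == target:
            return True
    return False

def find_conflicted_copies(container_name, filenames):
    """Names that look like Dropbox conflicted copies of container_name."""
    stem, ext = os.path.splitext(container_name)
    pattern = re.compile(
        re.escape(stem) + r" \(.*conflicted copy[^)]*\)" + re.escape(ext) + r"$"
    )
    return sorted(n for n in filenames if pattern.match(n))

def sync_risks(container_path, mount_point, mounts_text, filenames):
    """Warnings for the two failure signs described in the update."""
    warnings = []
    if is_mounted(mount_point, mounts_text):
        warnings.append("volume still mounted at " + mount_point)
    for name in find_conflicted_copies(os.path.basename(container_path), filenames):
        warnings.append("conflicted copy to merge: " + name)
    return warnings

# Constructed sample data, not taken from the original post.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/mapper/truecrypt9 /media/truecrypt9 vfat rw,relatime 0 0\n"
    "/dev/sdb1 /media/usb\\040stick vfat rw 0 0\n"
)
SAMPLE_FILES = [
    "container.dat",
    "container (workpc's conflicted copy 2013-04-29).dat",
    "notes.txt",
]

if __name__ == "__main__":
    for w in sync_risks("/home/user/Dropbox/keepassx/container.dat",
                        "/media/truecrypt9", SAMPLE_MOUNTS, SAMPLE_FILES):
        print("WARNING:", w)
```

On a live machine, pass the contents of /proc/mounts and the result of os.listdir() on the Dropbox folder in place of the sample data.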

Mount a truecrypt volume from the command line

September 9, 2012

sudo truecrypt <truecrypt-file> <mount-point>

This will open a GUI window where you can specify the password.

If you want a full CLI solution, check out this page.

Update (20130617)
To unmount a volume, do this:

sudo truecrypt -d <path-to-truecrypt-file>

Storing sensitive data in your Dropbox folder

January 7, 2012 1 comment

Problem
You want to store some sensitive data in your Dropbox folder, e.g. passwords. How to protect these data?

Solution
In your Dropbox folder create a Truecrypt volume and store your data in this encrypted virtual file system. For more info refer to this article.

Example
I wanted to store some credentials that I wanted to access from several machines. In my Dropbox folder I created a 10 MB Truecrypt volume. I mounted it and put the sensitive data in it.


Truecrypt freezes under Ubuntu

July 11, 2011

Problem
I installed Truecrypt from a .deb package. Sometimes, when I copy lots of files to an encrypted volume, Truecrypt freezes. What’s worse, it freezes the whole machine and the only way to reboot is to press the power button. WTF?

Solution
Someone on a forum (thanks mihoe) suggested compiling Truecrypt from source. Here is how to do it. I will test this method for a few days but so far it seems to work.

Update: this damn thing still freezes :( If someone has a solution for this problem, let me know.


Compile Truecrypt from source

July 11, 2011 7 comments

Problem

You want to compile Truecrypt from source but suddenly you realize that it’s not that trivial.

Solution

Let’s install some necessary packages:

sudo apt-get install build-essential libfuse-dev libgtk2.0-dev
sudo apt-get install nasm
sudo apt-get install libwxgtk2.8-dev
# This last one is for the problem "'wx/wx.h' is not found".

Download the source code of Truecrypt (link) and extract it to a folder. I put mine here: /opt/truecrypt-7.0a-source.

From the README of Truecrypt, we need this too: “RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20 header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20) located in a standard include path or in a directory defined by the environment variable ‘PKCS11_INC’.”

So, visit ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20 and download the .h files. Actually, you only need 3 of them; I collected their URLs here. I put these files in this directory: /opt/truecrypt-7.0a-source/PKCS11_INC. Then, register it in an environment variable:

export PKCS11_INC=/opt/truecrypt-7.0a-source/PKCS11_INC

Now you can try to compile it. Go to /opt/truecrypt-7.0a-source and execute the command make. The executable will be placed here: Main/truecrypt.

Optional

I’m not sure that this step is necessary. If you have problems compiling the source, follow these instructions too.

For a successful compilation, you might need the wxWidgets library too. Download the latest stable release (choose wxAll in the list). Mine is extracted here: /opt/wxWidgets-2.8.12.

Get Truecrypt to compile wxWidgets for you:

export WX_ROOT=/opt/wxWidgets-2.8.12/
make WX_ROOT=/opt/wxWidgets-2.8.12 wxbuild

It will create the directory /opt/truecrypt-7.0a-source/wxrelease.

Further help

Remove the binary package

If you installed Truecrypt with the binary .deb package, here is how to remove it:

sudo truecrypt-uninstall.sh

Backup your Gmail messages

February 28, 2011

You must have heard about the Gmail incident that occurred today. 150,000 users found their e-mail accounts reset.

Remember the motto: “Shit happens.” Gmail is not an exception, so make regular backups of your mails.

Short version

Install Thunderbird, link it with your Gmail account with IMAP, and let Thunderbird synchronize your mails regularly.

Longer version

  • install Mozilla Thunderbird
  • Thunderbird 3.x has built-in support for Gmail, so it’s very easy to set up an account that links Thunderbird with your Gmail account. Create an IMAP account, not a POP3. You can also refer to this post for more info.
  • Don’t be greedy, don’t try to download all your mails in one session. Give it some days, otherwise you risk Google shutting your account down because of the high load. Download at most about 1 GB a day.

More security

If you make a local backup of your mails, you should protect it. If someone gets to your machine, (s)he can read your mails, right? I suggest storing this backup on a TrueCrypt volume [more info here]. On my laptop, I have an encrypted partition of 20 GB, and I keep my backups there.

Another advantage

If you download your mails with Thunderbird, it has another advantage. As pointed out in this post, with Thunderbird you can sort your messages in descending order by size, thus you can remove messages with large attachments easily. If your Gmail account is 90% full, consider this method.


Encrypt your data with TrueCrypt

November 11, 2010

TrueCrypt is open-source disk encryption software for Windows, Linux, and Mac OS X.

Ask yourself the question: “If my laptop gets stolen, is there anything on it that I don’t want to be found?” If the answer is yes, use TrueCrypt. Use it to create a virtual encrypted disk or to encrypt an entire partition.

Troubleshooting (update 20110301)

Recently, I noticed that TrueCrypt cannot unmount some volumes. The error message says: “device-mapper: remove ioctl failed: Device or resource busy”.

Solution: in the TrueCrypt GUI, go to Settings -> Preferences -> System Integration -> Kernel Services and check the box “Do not use kernel cryptographic services”.

I found this help in this thread.
