Previously we discussed the role that passwords and encryption play in security. Now we will take encryption a step further, because the majority of people, even among IT staff, find encryption intimidating. We will show some examples of secret-key block cipher encryption and list some tools to encrypt with.
An Overview On How To Encrypt Data
Before going into examples, it’s important to first note that there are many encryption algorithms. For the sake of discussion we will be using AES, which is a block cipher algorithm and the current top security standard. Secondly, note that even though AES is a standard for encryption, that does not mean all encryption tools encrypt in the same way. There are different modes of operation, and a mode for a block cipher is the way the algorithm divides up the text into blocks and chains their processing together.
Let’s look at an example using the key “secret” and the text “Secret message”. Movable Type‘s online example uses the counter (CTR) mode of operation, and using it we get the cipher “/wAPngVc3k13vH7hXyJrOs77sB9G5g==”. Let’s do the same thing with Tools 4 Noobs‘ tool with the cipher-block chaining (CBC) mode, which gives the cipher “igfYs7qruAix8xidMxc+U09diB8Me/NMMHSWY3tKHUo=”. Notice the two are different. Thus, it is best to use the same tool for encrypting and decrypting your data.
- Encrypt Your Message – The Tools 4 Noobs program is easy to use: select Rijndael-256, enter the key “secret” and the text “Secret message”, and be sure to check Base64 encode output.
- Decrypt Your Message – Using the decrypt tool, select Rijndael-256, enter our key, “secret”, and our cipher, “igfYs7qruAix8xidMxc+U09diB8Me/NMMHSWY3tKHUo=”, and be sure to check Base64 decode output.
Clicking “Decrypt this!” should give you back our “Secret message”. Now, hopefully you get the basic idea of encryption. Let’s look at some tools for encrypting your data, which follow the same principles we just showed. It should first be noted that the strength of your data’s security is not determined by which program you use, but by how it is encrypted (AES, DES, etc.) and by the length and complexity of your encryption key (as well as how safe you keep your encryption key). So, choose a program that’s easiest for you to use and fits the purpose you want to use it for.
Windows has Encrypting File System (EFS) available, as of NTFS 3.0 (Windows 2000 onward), which gives a file or folder’s properties an encryption option. As of Windows Vista (and Server 2008) BitLocker is available to encrypt files, folders, and whole drives.
As of Ubuntu 7.10, the alternate or server CD can be used to encrypt a partition during the system install. Alternatively, you can use dm-crypt to set it up after install. Some other distros have this capability as well, and most Linux distros come with other encryption programs; we will mention a few later.
Mac OS X
OS X has great built-in encryption capabilities. FileVault, found in Settings => Security => FileVault, encrypts just your home directory and automatically mounts and unmounts on login and logout. Also, encrypted volumes can be made using the Disk Utility.
TrueCrypt is a very popular free cross-platform program for doing anything from encrypting and hiding entire volumes, to encrypting the whole drive, to just encrypting files and folders. For most anyone, this will do the trick.
For Linux users looking to encrypt whole drives, eCryptfs can easily encrypt your whole drive or create mountable volumes. It also has the great benefit of being able to create dynamically sized volumes, rather than needing to set static sizes.
GPG and PGP
GPG is a simple command line interface (CLI) that comes with most Linux distros, but can be installed on other platforms. Symmetric encryption of a file looks like:
gpg -c --cipher-algo AES256 tmp.txt
It can also be used to encrypt email. There is a long history between GPG and PGP, but suffice it to say that PGP was developed by Phil Zimmermann and is now proprietary software owned by Symantec, but it may be a great enterprise solution, especially for encrypting email.
Mcrypt is another great CLI, also integrated with PHP, for encrypting files. Here’s an example:
mcrypt -a rijndael-256 file.txt
mcrypt -d file.txt.nc
Again, beware of the different algorithms (see “mcrypt --list”), which can cause issues if the encrypting and decrypting sides do not agree.
Using OpenSSL may be the best option for a command line utility, because many computers already have OpenSSL installed, since it is used for numerous services. AES-256 is supported. Note that the -salt option is the default, but it is given explicitly in this example:
openssl aes-256-cbc -a -salt -in file.txt -out file.txt.enc
openssl aes-256-cbc -d -a -salt -in file.txt.enc -out file.txt
There is even a slick way to encrypt and decrypt a file or folder and compress it at the same time:
tar c file.txt | openssl enc -aes-256-cbc -e > file.txt.tar.enc
openssl enc -aes-256-cbc -d < file.txt.tar.enc | tar x
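The OpenSSL commands above, and the tar pipeline, wrapped in shell functions so their behaviour can be checked. This is an added example and not the article's own commands; it assumes the openssl CLI (1.1.1 or newer, for -pbkdf2) and tar are installed, and the passphrase and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: the article's OpenSSL
# AES-256-CBC calls as shell functions, plus a check of why two encryptions
# of one message under one key look different.
# Assumes: openssl CLI 1.1.1+ (for -pbkdf2) and tar on PATH.
set -eu

# Encrypt FILE ($2) under passphrase PASS ($1); prints base64 ciphertext (-a).
# -salt is the default anyway; -pbkdf2 replaces the weak legacy key derivation.
aes_encrypt() {
  openssl enc -aes-256-cbc -a -salt -pbkdf2 -pass "pass:$1" -in "$2"
}

# Decrypt a base64 ciphertext string ($2) under PASS ($1); prints plaintext.
aes_decrypt() {
  printf '%s\n' "$2" | openssl enc -d -aes-256-cbc -a -pbkdf2 -pass "pass:$1"
}

# Returns 0 when two encryptions of the same file under the same passphrase
# give different ciphertext: the random salt yields a fresh key and IV each
# run, which is also why the article's two web tools printed different strings.
ciphertexts_differ() {
  [ "$(aes_encrypt "$1" "$2")" != "$(aes_encrypt "$1" "$2")" ]
}

# The article's tar | openssl pipeline as a round trip: archive and encrypt
# FILE ($2), then decrypt and extract into OUTDIR ($3). Returns 0 if the
# extracted copy is byte-for-byte identical to the original.
tar_roundtrip() {
  dir=$(dirname "$2"); name=$(basename "$2")
  tar -C "$dir" -cf - "$name" | openssl enc -aes-256-cbc -pbkdf2 \
    -pass "pass:$1" > "$3/archive.tar.enc"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" \
    < "$3/archive.tar.enc" | tar -C "$3" -xf -
  cmp -s "$2" "$3/$name"
}

# Constructed demo input; 'example-passphrase' is a placeholder, not a real key.
WORK=$(mktemp -d)
printf 'Secret message\n' > "$WORK/file.txt"
CT=$(aes_encrypt 'example-passphrase' "$WORK/file.txt")
echo "ciphertext: $CT"
echo "decrypted:  $(aes_decrypt 'example-passphrase' "$CT")"
rm -rf "$WORK"
```

A file encrypted with -pbkdf2 must also be decrypted with -pbkdf2: the article's commands without it derive the key differently, so the two forms are not interchangeable.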
And, if you want to get really fancy, you can even make these into command line scripts, as VVildo's comment shows.
With any of these utilities, you can use them to encrypt passwords for safe keeping or any other personal data, like taxes and financial information. Also, be sure to use good encryption keys. As any good keeper of treasure should do, keep the treasure secret and keep it hidden.
For further reading and a bit of fun, take the encryption key "CotgabGKoc,hjpioM22!" (which was derived from the sentence "Check out this great article by Gary Kessler on cryptography, he just published it on May 22!") and decrypt this cipher (without the quotes):