overview

Uses OpenSSL library to encrypt a file using a private/public key pair and a one-time secret.

A full description of the process can be found here.

configuration

This uses a YAML file to describe the configuration; by default it assumes it is in /etc/filecrypt/conf.yml but its location can be specified using the -f flag.

The structure of the conf.yml file is as follows:

keys:
    private: /home/bob/.ssh/secret.pem
    public: /home/bob/.ssh/secret.pub
    secrets: /opt/store/

store: /home/bob/encrypt/stores.csv

# Where to store the encrypted file; the folder MUST already exist and the user
# have write permissions.
out: /data/store/enc

# Whether to securely delete the original plain-text file (optional, default true).
shred: false

The private/public keys are a key-pair generated using the openssl genrsa command; the encryption key used to actually encrypt the file will be created in the secrets folder, and afterward encrypted using the public key and stored in the location provided.

The name will be pass-key-nnn.enc, where nnn will be a random value between 000 and 999, that has not been already used for a file in that folder.

The name of the secret passphrase can also be defined by the user, using the --secret option (specify the full path, it will be left unmodified):

• if it does not exist a random secure one will be created, used for encryption, then encrypted and saved with the given path, while the plain-text temporary version securely destroyed; OR
• if it is the name of an already existing file, it will be decrypted, used to encrypt the file, then left unchanged on disk.

We recommend NOT to re-use encryption passphrases, but always generate new ones.

NOTE it is currently not possible to specify a plain-text passphrase: we always assume that the given file has been encrypted using the private key.

The store file is a CSV list of:

"Original archive","Encryption key","Encrypted archive"
201511_data.tar.gz,/opt/store/pass-key-001.enc,201511_data.tar.gz.enc

a new line will be appended at the end; any comments will be left unchanged.

usage

Always use the --help option to see the most up-to-date options available; anyway, the basic usage is (assuming the example configuration shown above is saved in /opt/enc/conf.yml):

filecrypt.py -f /opt/enc/conf.yml /data/store/201511_data.tar.gz

will create an encrypted copy of the file to be stored as /data/store/201511_data.tar.gz.enc, the original file will not be securely destroyed (using shred) and the new encryption key to be stored, encrypted in /opt/store/pass-key-778.enc.

A new line will be appended to /home/bob/encrypt/stores.csv:

/data/store/201511_data.tar,pass-key-778.enc,/data/store/201511_data.tar.gz.enc

IMPORTANT

We recommend testing your configuration and command-line options on test files: shred erases files in a terminal way that is not recoverable: if you mess up, you will lose data.

You have been warned.

code

The code has been uploaded to github.

See the requirements.txt to install required Python libraries:

pip install -r requirements.txt

(the use of a virtualenv is recommended here).

To install OpenSSL in Ubuntu see this page, but it boils down essentially to:

 sudo apt-get install -y openssl

references

• a detailed HOW-TO with the steps to encrypt a file manually;
• the original Ask Ubuntu post;
• OpenSSL;
• Ubuntu guide to OpenSSL.