Writing this hot on the toes (if that makes sense) of my post on setting up my new NetBSD machine.

I've always used Truecrypt to encrypt my usb stick (containing pretty much just ssh and gpg keys) as it is cross-platform meaning I could share it between my work's Windows machine and OSX at home (since Truecrypt still supports 10.5 PPC), but I never realised it wasn't fully cross-platform and not available for any BSD. Now that I have a NetBSD laptop at home I've had to come up with an alternative solution.

Since I'm only concerned with encrypting a handful of small files I've decided to use bcrypt combined with tar/pax and some helper scripts. I can't encrypt a whole volume this way and there's no plausible deniability especially because I've included windows versions of tools on the drive, but it is good enough for what I need which is feeling at ease when I lose or misplace the damn thing!

On the USB drive I have the following folder structure:

|
|--applications
|
|--files
|
encrypt.bat
decrypt.bat
encrypt.sh
decrypt.sh

The applications folder carries some portable apps, such as Putty and the utilities I need on Window's to perform the encryption. The files folder is where I put anything I want to encrypt. Then on Windows I have two .bat files to help with encrypting:

echo off
echo 1 of 4. Moving files
move /Y applications\gpg4usb\keydb files\
move /Y applications\portable_putty\hostkeys files\putty\
move /Y applications\portable_putty\sessions files\putty\

echo 2 of 4. Creating archive
applications\bsdtar.exe -f files.pax -c --format pax files
echo 3 of 4. Encrypting Archive
call applications\bcrypt.exe files.pax
if %ERRORLEVEL% ==1 GOTO halt (
        echo 4 of 4. Deleting unencrypted files
        applications\sdelete.exe -s -q files\*
        rmdir /S /Q files
        exit
)

:halt
echo Something went wrong!
pause

and decrypting:

echo off
echo 1 of 3. Decrypting Archive

if not exist files.pax.bfe goto halt (
        call applications\bcrypt.exe files.pax.bfe
        rem Only continue if above successful
        if %ERRORLEVEL% ==1 GOTO halt (
                echo 2 of 3. Extracting archive
                applications\bsdtar.exe -f files.pax -x
                echo 3 of 3. Moving files
                move /Y files\keydb applications\gpg4usb\
                move /Y files\putty\hostkeys applications\portable_putty\
                move /Y files\putty\sessions applications\portable_putty\
                exit
        )
)

:halt
echo Something went wrong!
pause

And similarly for NetBSD, to encrypt:

#!/bin/sh
pax -w -f files.pax files/ && \
bcrypt files.pax && \
srm -rf files

and decrypt:

#!/bin/sh
bcrypt files.pax.bfe && \
pax -r -f files.pax

I'm using srm on NetBSD and SDelete on windows. I don't need to faff about with moving additional directories on NetBSD; I'm only ever likely to use those tools on Windows.

The only minor inconvenience I have at the moment is with the NetBSD machine: I can't unplug the device without hanging the machine.

I wonder if there is anyway I could share an encrypted a volume using sshfs?


[EDIT: 2014-07-17] I've updated the above scripts to make them safer (conditionally execute subsequent tasks) after inadvertently destroying my own data. Doh! But, it did at least prove it's securely erased. I also added in the folder structure I'm using. Finally, the NetBSD hanging thing was solved long ago - I think once I built my own Kernel.


[EDIT: 2014-11-18] Of course the answer to my question at the end of the original post is encfs. There is also a Windows version; however, it looks to old and fiddly for now (although there is also this), so I've decided to do a lazier approach based on this thread and have amended my scripts along to lines of this (for encrypting):

echo off
echo 1 of 2. Moving files
move /Y applications\gpg4usb\keydb files\
move /Y applications\portable_putty\hostkeys files\putty\
move /Y applications\portable_putty\sessions files\putty\

echo 2 of 2. Encrypting files
cd files

:in_pass
set /p pass=Type password, no less than 8 characters:
if "%pass:~7,1%"=="" goto in_pass

::Confirm pass
set /p passc=Type password again:
if not "%passc%"=="%pass%" goto in_pass
:: Note: the above adds a space onto end of pass

:: Ignore .bfe otherwise gets stuck in a loop
for /R %%f in (*.*) do if not "%%~xf"==".bfe" (echo.%pass%& echo.%pass%)|..\applications\bcrypt.exe "%%f"2>Nul

The benefit of this is that it is faster than my original approach. The downside is that the filenames are still viewable, but I can live with that. I may eventually play with encfs, but for now this is good enough to protect myself from losing my usb drive and doesn't require me to install anything on my work's Windows machine (which is a definite plus).