Writing this hot on the toes (if that makes sense) of my post on setting up my new NetBSD machine.
I’ve always used TrueCrypt to encrypt my USB stick (which contains pretty much just SSH and GPG keys) because it is cross-platform, meaning I could share the stick between my work’s Windows machine and OS X at home (TrueCrypt still supports 10.5 on PPC). I never realised, though, that it isn’t fully cross-platform: it isn’t available for any BSD. Now that I have a NetBSD laptop at home I’ve had to come up with an alternative.
Since I’m only concerned with encrypting a handful of small files, I’ve decided to use bcrypt combined with tar/pax and some helper scripts. I can’t encrypt a whole volume this way and there’s no plausible deniability (especially since I’ve included Windows versions of the tools on the drive), but it is good enough for what I need, which is feeling at ease when I lose or misplace the damn thing!
On the USB drive I have the following folder structure:
```
/
|-- applications/
|-- files/
|-- encrypt.bat
|-- decrypt.bat
|-- encrypt.sh
`-- decrypt.sh
```
The applications folder carries some portable apps, such as PuTTY and the utilities I need on Windows to perform the encryption. The files folder is where I put anything I want to encrypt. Then on Windows I have two .bat files, one to encrypt and one to decrypt:
```bat
@echo off
rem encrypt.bat
echo 1 of 4. Moving files
move /Y applications\gpg4usb\keydb files\
move /Y applications\portable_putty\hostkeys files\putty\
move /Y applications\portable_putty\sessions files\putty\
echo 2 of 4. Creating archive
applications\bsdtar.exe -f files.pax -c --format pax files
echo 3 of 4. Encrypting Archive
call applications\bcrypt.exe files.pax
rem Only delete the plaintext if bcrypt succeeded (any non-zero exit code is a failure)
if %ERRORLEVEL% NEQ 0 goto halt
echo 4 of 4. Deleting unencrypted files
applications\sdelete.exe -s -q files\*
rmdir /S /Q files
exit
:halt
echo Something went wrong!
pause
```
```bat
@echo off
rem decrypt.bat
echo 1 of 3. Decrypting Archive
if not exist files.pax.bfe goto halt
call applications\bcrypt.exe files.pax.bfe
rem Only continue if the above succeeded
if %ERRORLEVEL% NEQ 0 goto halt
echo 2 of 3. Extracting archive
applications\bsdtar.exe -f files.pax -x
rem Note: files.pax now sits unencrypted next to the tools until encrypt.bat recreates and encrypts it
echo 3 of 3. Moving files
move /Y files\keydb applications\gpg4usb\
move /Y files\putty\hostkeys applications\portable_putty\
move /Y files\putty\sessions applications\portable_putty\
exit
:halt
echo Something went wrong!
pause
```
And similarly for NetBSD, to encrypt:
```sh
#!/bin/sh
# encrypt.sh: archive, encrypt, then securely remove the plaintext.
# Each step only runs if the previous one succeeded.
pax -w -f files.pax files/ && \
bcrypt files.pax && \
srm -rf files
```
and to decrypt:
```sh
#!/bin/sh
# decrypt.sh: decrypt the archive, then extract it only if decryption succeeded.
bcrypt files.pax.bfe && \
pax -r -f files.pax
```
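The two NetBSD scripts chain their steps with `&&`, which is what stops a failed encryption from being followed by a wipe. The POSIX sh script below is an added example, not code from the original post, that makes the same pipeline a little more defensive: it refuses to overwrite an existing ciphertext, checks that a non-empty `.bfe` exists before anything is deleted, and cleans up the plaintext archive on failure. It assumes an encryptor that behaves like bcrypt (turns FILE into FILE.bfe and removes FILE, and the reverse on decrypt), named by the `ENCRYPT_CMD` variable, a secure-delete command in `WIPE_CMD`, and uses tar in place of pax so it runs where pax is not installed; none of those variable names come from the post.

```sh
#!/bin/sh
# Added example (not code from the original post): a hardened version of the
# NetBSD encrypt.sh/decrypt.sh pair. Assumptions, none taken from the post:
# the encryptor behaves like bcrypt (FILE -> FILE.bfe, removing FILE; and
# FILE.bfe -> FILE on decrypt) and is named by $ENCRYPT_CMD; the secure-delete
# tool is named by $WIPE_CMD; tar stands in for pax.
ENCRYPT_CMD="${ENCRYPT_CMD:-bcrypt}"
WIPE_CMD="${WIPE_CMD:-srm -rf}"
ARCHIVER="${ARCHIVER:-tar}"

# encrypt_dir DIR ARCHIVE
# Archive DIR into ARCHIVE and encrypt it to ARCHIVE.bfe. The plaintext is
# wiped only after a non-empty ciphertext exists; any failure leaves DIR intact.
encrypt_dir() {
    dir=$1; archive=$2
    [ -d "$dir" ] || { echo "encrypt_dir: no such directory: $dir" >&2; return 1; }
    # An existing ciphertext may be the only good copy of the data: never overwrite it.
    if [ -e "$archive.bfe" ]; then
        echo "encrypt_dir: $archive.bfe already exists, decrypt it first" >&2
        return 1
    fi
    "$ARCHIVER" -cf "$archive" "$dir" || return 1
    # If encryption fails, remove the plaintext archive just created and stop.
    $ENCRYPT_CMD "$archive" || { $WIPE_CMD "$archive"; return 1; }
    # Post-condition before anything destructive: ciphertext present and non-empty.
    if [ ! -s "$archive.bfe" ]; then
        echo "encrypt_dir: ciphertext missing or empty, keeping plaintext" >&2
        return 1
    fi
    # bcrypt removes its input itself; wipe it if a different tool left it behind.
    [ ! -e "$archive" ] || $WIPE_CMD "$archive" || return 1
    $WIPE_CMD "$dir"
}

# decrypt_dir ARCHIVE
# Decrypt ARCHIVE.bfe and extract it. The plaintext archive is wiped right
# after extraction so only the extracted tree remains unencrypted on the stick.
decrypt_dir() {
    archive=$1
    [ -e "$archive.bfe" ] || { echo "decrypt_dir: $archive.bfe not found" >&2; return 1; }
    $ENCRYPT_CMD "$archive.bfe" || return 1
    "$ARCHIVER" -xf "$archive" || return 1
    $WIPE_CMD "$archive"
}

# Command-line use, mirroring the post's two scripts:
#   sh crypt.sh encrypt files files.pax
#   sh crypt.sh decrypt files.pax
case "${1:-}" in
    encrypt) encrypt_dir "$2" "$3" ;;
    decrypt) decrypt_dir "$2" ;;
esac
```

The check that matters is the order: the ciphertext is inspected, and the plaintext archive is confirmed gone, before `WIPE_CMD` touches the `files` directory. Run without arguments the script only defines the functions, so it can be sourced from other helpers.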
The only minor inconvenience I have at the moment is with the NetBSD machine: I can’t unplug the device without hanging the machine.
I wonder if there is any way I could share an encrypted volume using sshfs?
[EDIT: 2014-07-17] I’ve updated the above scripts to make them safer (each step now only runs if the previous one succeeded) after inadvertently destroying my own data. Doh! But it did at least prove the data is securely erased. I also added the folder structure I’m using. Finally, the NetBSD hanging problem was solved long ago, I think once I built my own kernel.
[EDIT: 2014-11-18] Of course, the answer to my question at the end of the original post is encfs. There is also a Windows version; however, it looks too old and fiddly for now (although there is also this), so I’ve decided on a lazier approach based on this thread and have amended my scripts along the lines of this (for encrypting):
```bat
@echo off
echo 1 of 2. Moving files
move /Y applications\gpg4usb\keydb files\
move /Y applications\portable_putty\hostkeys files\putty\
move /Y applications\portable_putty\sessions files\putty\
echo 2 of 2. Encrypting files
cd files
:in_pass
set /p pass=Type password, no less than 8 characters: 
rem Reject anything shorter than 8 characters (the 8th character must exist)
if "%pass:~7,1%"=="" goto in_pass
::Confirm pass
set /p passc=Type password again: 
if not "%passc%"=="%pass%" goto in_pass
:: Note: the above adds a space onto end of pass
:: Ignore .bfe otherwise gets stuck in a loop
:: bcrypt reads the password twice from stdin, so it is echoed twice into the pipe
for /R %%f in (*.*) do if not "%%~xf"==".bfe" (echo.%pass%& echo.%pass%)|..\applications\bcrypt.exe "%%f" 2>Nul
```
The benefit of this is that it is faster than my original approach. The downside is that the filenames are still visible, but I can live with that. I may eventually play with encfs, but for now this is good enough to protect me if I lose my USB drive, and it doesn’t require me to install anything on my work’s Windows machine (a definite plus).
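For the NetBSD side of the per-file approach, here is an added example (not code from the original post) of the same loop in POSIX sh: a passphrase prompt with echo turned off that enforces the length check and the confirmation step, and a walk over the tree that skips anything already ending in `.bfe`, which is what keeps a second run from re-encrypting its own output. It assumes an encryptor that, like bcrypt, reads the passphrase twice from stdin and writes FILE.bfe, named by the `ENCRYPT_CMD` variable; the variable and function names are mine, not the post’s.

```sh
#!/bin/sh
# Added example (not code from the original post): POSIX sh counterpart of the
# per-file batch script. Assumption, not taken from the post: the encryptor
# behaves like bcrypt (reads the passphrase twice from stdin, writes FILE.bfe)
# and is named by $ENCRYPT_CMD.
ENCRYPT_CMD="${ENCRYPT_CMD:-bcrypt}"
MIN_LEN=8

# read_hidden PROMPT: read one line with terminal echo off and print it.
# Echo is restored before the read status is checked, so an EOF cannot
# leave the terminal silent.
read_hidden() {
    printf '%s' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r line; rc=$?
    stty echo 2>/dev/null; echo >&2
    [ "$rc" -eq 0 ] && printf '%s\n' "$line"
}

# read_passphrase: the batch file's loop (length check, then confirmation);
# the passphrase is printed on stdout only once both entries agree.
read_passphrase() {
    while :; do
        p1=$(read_hidden "Type password, no less than $MIN_LEN characters: ") || return 1
        if [ ${#p1} -lt "$MIN_LEN" ]; then
            echo "Too short." >&2
            continue
        fi
        p2=$(read_hidden "Type password again: ") || return 1
        [ "$p1" = "$p2" ] && break
        echo "Passwords do not match." >&2
    done
    printf '%s\n' "$p1"
}

# encrypt_tree DIR PASS: encrypt every regular file under DIR that is not
# already a .bfe, stop at the first failure, and print how many files were
# encrypted. The passphrase reaches the encryptor over a pipe, never as an
# argument, so it does not show up in the process list.
encrypt_tree() {
    dir=$1; pass=$2; n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n%s\n' "$pass" "$pass" | $ENCRYPT_CMD "$f" \
            || { echo "encrypt_tree: failed on $f" >&2; return 1; }
        n=$((n + 1))
    done <<EOF
$(find "$dir" -type f ! -name '*.bfe')
EOF
    echo "$n"
}

# Interactive use, mirroring the batch file:  sh encrypt_files.sh files
if [ -n "${1:-}" ]; then
    pass=$(read_passphrase) || exit 1
    encrypt_tree "$1" "$pass"
fi
```

As with the batch version, the file names stay visible after encryption; only the contents are protected, and the count printed at the end is a quick way to confirm that nothing was silently skipped.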