
Locking and Encrypting Apps with Encfs

Rohit Goswami (@rohit)

For better syntax highlighting and the ability to copy paste the code snippets, view this post on grimoire.science.

One of the problems of a shared system is that sometimes multiple applications are used by multiple people. Normally this would be solved by the excellent multi-user support inherent to *nix systems. After all, *nix and derivatives were designed to be used by multiple users at the same time.

However, in some cases, it just makes sense for a single application to stay locked until a password is supplied. In any case, encfs is one of the better encryption methods (as long as usability overshadows security) and it’s good practice to encrypt application data anyway. The case for encryption varies, but whether it’s to make life harder for hackers, or just to stop cloud storage providers from sniffing around, it’s always a good idea. Even if multiple users will not be sharing an account, encryption prevents the root users or admins from getting too frisky with your data.

The popular gnome-keyring and other security authentication methods are not a good fit for this since most of them are unlocked all at once and without being linked to a particular program.

Here we will create a few simple bash scripts to generically and flexibly lock and encrypt applications in a way which allows for multiple users to have their own private encrypted instances of shared apps. The complete scripts are located in my Dotfiles.

Requirements

The basic requirements are commonly found across most UNIX systems and their derivatives including MacOS, Ubuntu and other Debian distros, RPM based systems etc.

I personally run Arch Linux but that’s just a biased endorsement.

The requirements are:

  1. Bash

This is needed for the shell substitutions in the shell script. Found almost everywhere.

  2. EncFS

This handles the encryption portion. Though everything covered here will require only the base program itself, new users would probably benefit from having one of the GUI interfaces to encfs as well. I prefer Gnome Encfs Manager.

  3. An ASKPASS program

These are most famously known for weird ssh errors. However, here we will focus on zenity and git as a fallback.

And that’s it. Other variations of this method might use shoes for more GUI goodness. Other askpass programs and helpers may also be used, like the popular x11-ssh-askpass program.

Program Structure

Our basic structure is simple.

  1. An encrypted folder is mounted
  2. The application is run

Additionally we would like the following features:

  1. Execution without the terminal (GUI, no terminal user queries)
  2. An automated way of generating a new stash for applications
  3. A sanitized name for the mount points

Preliminaries

Before getting to the creation of a script, I like to experiment with the native shell. In this case this simply involved checking the following:

Shell trials
  • This prompted me to create the directory if it didn’t exist, which would not be handled properly from within a shell script.

Additionally the MAN page for encfs showed me that support for external authentication managers is granted via the --extpass flag.

Implementation

With those preliminaries out of the way, it is time to start scripting. Portions which require the bash shell specifically will have the shebang included.

Always remember to start the script with it and to only put it once, right at the top of the file.

The shebang

Setting Variables

Initially we might simply set an unlock string as follows:

Using a variable for the unlock dialog

Choosing an ASKPASS program

Since scripts can quickly get clunky without intending to, we will first add a simple variable which is suitable for running the external authentication.

Zenity Prompt
Zenity implementation

As mentioned previously, zenity is the prettier choice, however, it may not be installed everywhere. So we need a fallback.

Git is more or less available everywhere, and it just so happens to have a pretty neat askpass tool as well.

Git Askpass Prompt
Git Askpass Implementation

However, it would be better to wrap them both up in a way to pick one or the other based on the availability. So, we write a simple test.

The test logic

Honestly the usage of which instead of command -v is a bit controversial. However, here I went with which simply because it seemed faster. The more portable (POSIX compliant) version of the above would use command -v. For more details check this stack exchange question.
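The selection test described above, written with the portable command -v form, as an added example that is not the author's script. The function name pick_askpass is an assumption, and so is the git-gui--askpass helper being present in git's exec path (it ships with git-gui).

```bash
#!/usr/bin/env bash
# Added example: choose the password dialog that encfs --extpass will launch.

# Print the helper command line for prompt $1.
# Returns 1 if no helper is installed, 2 if the prompt cannot be quoted safely.
pick_askpass() {
    local helper
    # The prompt is wrapped in single quotes below, so it must not contain one.
    case $1 in
        *\'*) echo "prompt must not contain a single quote" >&2; return 2 ;;
    esac

    if command -v zenity >/dev/null 2>&1; then
        printf "zenity --password --title='%s'\n" "$1"
        return 0
    fi
    if command -v git >/dev/null 2>&1; then
        # Assumed location: git-gui installs its dialog next to git's helpers.
        helper="$(git --exec-path)/git-gui--askpass"
        if [ -x "$helper" ]; then
            printf "'%s' '%s'\n" "$helper" "$1"
            return 0
        fi
    fi
    echo "no askpass helper found: install zenity or git-gui" >&2
    return 1
}

# Typical use in the wrapper script:
#   askpass=$(pick_askpass "Unlock Firefox") || exit 1
```

Failing with a distinct status when no helper exists lets the caller stop before encfs is started, instead of falling back to a terminal prompt that a GUI launcher cannot answer.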

Creating Mount-points

Gnome Encfs Manager defaults to removing the mount point when the stash is unmounted. However, this causes a terminal input demand which needed to be suppressed, hence the directories are created prior to running Encfs.

Variables and directories

Caveats

The above snippet does not deal with situations where:

  • The stash is already mounted
  • The stash does not exist

These are dealt with in the Improvements section of this document.

Mount and Run

Now we are in a position to simply mount our stash and run the program.

A basic mount and run

Caveats

At this stage the script is not equipped to deal with situations where:

  • The mount operation fails (wrong password)
  • The config files are encrypted

The script runs the program without testing the result of the mount, which will lead to much frustration and weird errors. These edge cases are handled by the code in Handling Authentication.

Improvements

Several improvements to the basic script created above are discussed in this section.

Naming directories

This is actually not a really important bit, however, I wanted the app directories to start with capital letters. Also I wanted the encrypted data to be stored in a hidden folder.

In any case, this portion of the script uses a bash specific expansion. At this point we can also make the unlockString a little neater.

Bash substitutions for prettier names

Now that we have the name, we simply modify the directories.

Renaming the directories

Handling mounted directories

To ensure that the script is able to eventually deal with situations where the command is run in succession, a check is required to figure out if the mount point is currently mounted.

If it is mounted, we will unmount it.

Testing for mounts

Additionally, for cases where the stash does not yet exist, we will need to create the other directory as well. We shall also kill the application if the stash is to be mounted (for security). This portion was aided by this stack exchange thread.

Mount handling with directory creation

Handling Authentication

Finally we shall deal with cases where the script executes and the stashes exist, but the password is incorrect. Additionally, we shall deal with managing the flow of control via the $? variable.

Quite simply, the $? variable holds the result of the previous command. Hence it can be used to control the flow. This was inspired by the answers here.

The results variable and flow of control
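The steps from Naming directories, Handling mounted directories and Handling Authentication combined into one wrapper, as an added example rather than the author's script. The function names and the ~/.encrypted/Name and ~/Name layout are assumptions; the askpass command line is passed in as the second argument.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. Directory layout and function
# names are assumptions made for illustration.

# "/usr/bin/firefox" -> "Firefox": basename, safe characters, capital first.
stash_name() {
    local n=${1##*/}
    n=${n//[^A-Za-z0-9._-]/}     # drop spaces, slashes, shell metacharacters
    n=${n#"${n%%[!.]*}"}         # strip leading dots, so never "." or ".."
    [ -n "$n" ] || return 1
    printf '%s\n' "${n^}"        # bash >= 4 case modification
}

# $1 = application, $2 = askpass command line handed to encfs --extpass.
lock_or_run() {
    local app=$1 askpass=$2 name enc mnt rc
    name=$(stash_name "$app") || { echo "unusable app name: $app" >&2; return 2; }
    enc="$HOME/.encrypted/$name"     # hidden ciphertext directory (assumed)
    mnt="$HOME/$name"                # cleartext mount point (assumed)

    # Stop any running instance before the stash is mounted or unmounted.
    pkill -x "$app" || true          # no running instance is not an error

    if mountpoint -q "$mnt"; then    # run a second time: lock the stash
        fusermount -u "$mnt"
        return $?
    fi

    # Pre-create both directories so encfs has no reason to ask on a terminal.
    # Creating a brand-new stash still needs one interactive run of encfs.
    mkdir -p "$enc" "$mnt" || return 4
    chmod 700 "$enc" "$mnt"

    encfs --extpass="$askpass" "$enc" "$mnt"
    rc=$?                            # save at once: the next command resets $?
    if [ "$rc" -ne 0 ]; then
        echo "mount failed (wrong password?); not starting $app" >&2
        return "$rc"
    fi
    "$app"
}

# Run only when called with arguments: lockrun.sh firefox "<askpass command>"
if [ $# -ge 2 ]; then lock_or_run "$@"; fi
```

The application is started only after encfs has returned 0, so a wrong password never leaves the program writing fresh, unencrypted data into an empty mount point.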

Putting it all together

For the latest revisions check my Dotfiles.

It is also reproduced here as a gist, since Medium can’t handle syntax highlighting.

Future Directions

There ought to be a non-terminal way of creating the stash for the first time. Also, it may be interesting to work on the rules and configuration schemes for a variety of applications.

Originally published at grimoire.science.
