Posted by gmendoza on November 4, 2009 under Tech Tips | 
If you ever want to quickly protect a file by encrypting it with a simple password, you can use GnuPG and symmetric key encryption for the job. Using this method, you can use industry strength encryption like AES256 and not have to worry about public and private keys. Just remember your password and use PGP compatible software to decrypt the files when needed.
For example, this is how you can encrypt a zip file called backup.zip and output the result to a new file called backup.zip.gpg.
gpg --symmetric --cipher-algo aes256 -o backup.zip.gpg backup.zip
Enter passphrase: *******
Repeat passphrase: *******
To decrypt the file, the following will work.
gpg -d -o backup.zip backup.zip.gpg
gpg: AES256 encrypted data
Enter passphrase: *******
gpg: encrypted with 1 passphrase
For fun, here’s how to create a Gzip Tar archive (tar.gz) and encrypt it on the fly.
tar czvpf - SomeFiles/ | gpg --symmetric --cipher-algo aes256 -o backup.tar.gz.gpg
Enter passphrase: *******
Repeat passphrase: *******
To decrypt and extract in a single command, the following also works.
gpg -d backup.tar.gz.gpg | tar xzvf -
gpg: AES256 encrypted data
Enter passphrase: *******
gpg: encrypted with 1 passphrase
If you’re curious to know what other ciphers are available to you, simple use the gpg --version command.
gpg --version | grep Cipher
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Posted by gmendoza on November 26, 2008 under Tech Tips |
When backing up data to a CD or DVD, you may find it useful to encrypt the entire disc just in case the media falls into the wrong hands. Some people may advise compressing your files within tar/gzip archive and use PGP to encrypt the data, burning the resulting data to disc. The challenge, however, is how easy it is to work with the data after the burn process. You are typically required to decrypt and extract the archive to your hard disk if you wish to access the files within.
A much more flexible method for Linux users is to encrypt the entire CD or DVD with an AES symmetric key, and work with the data by simply mounting the disc. This means you don’t have to copy the files, they are simply presented to you as you would expect with an unencrypted disc.
Prerequisites
Prerequisites include loading the Cryptoloop kernel module and the installation of the Loop-AES toolset. Installing these packages in Ubuntu/Debian and loading the cryptoloop module is a snap.
sudo apt-get install aespipe loop-aes-utils
sudo modprobe cryptoloop
Verify that cryptoloop and AES kernel modules are loaded with lsmod.
lsmod | grep cryptoloop
cryptoloop 10880 0
loop 23180 1 cryptoloop
lsmod | grep aes
aes_i586 15744 2
aes_generic 35880 1 aes_i586
If you had to load these modules by hand, make sure to add them to /etc/modules so that they are loaded on boot up.
Create, burn and mount encrypted images
To create a standard CD image, use genisofs (formally known as mkisofs), pipe the output to aespipe, and redirect the final output to an ISO file. Notice that we have specified that aespipe will use AES256 encryption, and it will has you to enter a password twice. Don’t lose it! ;)
genisoimage -quiet -r Documents/ | aespipe -T -e aes256 > documents.iso
Password: (enter password)
Retype password: (enter password)
Mount the image using the encryption option. The mounting process will ask you for the passphrase.
sudo mount -o loop,encryption=aes256 documents.iso /mnt
Password: (enter password)
Burn the disc image, replacing /dev/dvdrw with the appropriate value for your system. wodim was formerly known as cdrecord, so feel free to replace it with any command you are familiar with.
wodim dev=/dev/dvdrw documents.iso
Mount the CD/DVD using the same mount options as previously demonstrated.
sudo mount -o loop,encryption=aes256 /dev/dvdrw /mnt
Password: (enter password)
Work with your files as you would with any normal CD or DVD.
ls -l /mnt/
total 0
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile1.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile2.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile3.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile4.txt
Posted by gmendoza on September 20, 2008 under Tech Tips |
Introduced first in Ubuntu 8.04, UFW is Ubuntu’s “uncomplicated firewall”, a remarkably easy to use tool for creating simple iptables firewall rules. The goal behind UFW is to make it easy for administrators and even third party packages to work with firewall rules in a clean and consistent manner. When UFW is enabled, the default set of rules work very well for the average server or desktop platform, as it blocks all non-essential inbound network access without hobbling certain types of useful protocols and return traffic.
In the following example, we will set up a very simple firewall adequate for almost anyone.
First, let’s check the status of UFW, and the currently installed iptables rule set. The following displays that UFW is disabled and that there are no rules for iptables INPUT chain.
Check firewall status
sudo ufw status
Firewall not loaded
sudo iptables -L INPUT -n | column -t
Chain INPUT (policy DROP)
target prot opt source destination
Enable UFW
Now, let’s enable UFW and examine the change to iptables’ INPUT chain.
sudo ufw enable
Firewall started and enabled on system startup
sudo iptables -L INPUT -n | column -t
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
The default policy was changed to drop all traffic, and two new chains are referenced. For a much better understanding of what the default rules are, take a look at the files “/etc/ufw/before.rules” and “/etc/ufw/after.rules“.
Connection Tracking
For your convenience, UFW also enables some very useful connection tracking rules, which intelligently inspect outbound application traffic and dynamically allows the return traffic for you. By default, TCP, UDP, FTP and IRC connection tracking modules are loaded, but others may be added to the IPT_MODULES variable in the file “/etc/default/ufw“.
For example, I sometimes need to use TFTP for sending and receiving firmware to and from routers. So I typically add “nf_conntrack_tftp” to the variable IPT_MODULES.
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_tftp"
Remember to reload UFW so that the conntrack module is loaded.
sudo /etc/init.d/ufw restart
Allowing inbound services
If your system runs server applications such as DNS, SSH, TFTP and web, then you can add them to your firewall rules using these very simple commands. If you don’t run servers on your machine, this step can be skipped.
sudo ufw allow 53
sudo ufw allow 22/tcp
sudo ufw allow 69/udp
sudo ufw allow 80/tcp
Notice that the first command I used did not specify UDP or TCP. When omitted, UFW adds both protocols. DNS uses TCP for larger DNS exchanges like zone transfers and huge replies, so you’ll probably want both.
UFW displays the results very nicely.
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
53:tcp ALLOW Anywhere
53:udp ALLOW Anywhere
22:tcp ALLOW Anywhere
69:udp ALLOW Anywhere
80:tcp ALLOW Anywhere
SYN cookies and more
UFW can be used to load kernel options, too. These are defined in “/etc/ufw/sysctl.conf“. For example, I wanted to enable SYN cookies which was added to thwart certain TCP DoS attacks. Modify the following line to 1 in order to enable the feature.
net/ipv4/tcp_syncookies=1
Logging can suck
Okay, if you’re on a busy network and don’t want to fill up your syslog, you might want to disable UFW’s logging.
sudo ufw logging off
And really that’s all there is to it. Be sure to check out the man page for some more examples and features you may be interested in.
