Gocrypt

Iš Žinynas.
07:53, 4 lapkričio 2024 versija, sukurta \dev\null (Aptarimas | indėlis)
(skirt) ← Ankstesnė versija | Dabartinė versija (skirt) | Vėlesnė versija → (skirt)
Jump to navigation Jump to search

User space tipo virtuali fuse pagrindu sukurta failu sistema skirta failu sifravimui. Naudojamas sifras AES256-GCM arba AES256-SIV. Panaudojimas labai paprastas, vaultai kuriami direktorijose, nereikia formatuoti ar kitaip paruosti disku ar ju particiju, galima naudoji jau esamoje failu sistemoje. Multiplatformis veikia Windows (cppcryptfs) Linux ir MacOS.

MacOS

  • Sudiegiam MacFuse brew install --cask
  • Sudiegiam go
  • Atsiunciam source
  • Sukompiliuojam

Idedam i ~/.zshrc

export PATH="${PATH}:/usr/local/go/bin:${HOME}/go/bin"

Buildinam

./build-without-openssl.bash

Mount scriptas, skirtas uzmountinti encryptinta volume is SMB. Pirma karta uzmountina, antra karta jeigu path'ai jau yra primontuoti, unmountina.

#!/bin/bash
LOCAL_PATH=$HOME/data
REMOTE_PATH="//admin:admin@server.lan/secret/data"

if ! [[ -d $LOCAL_PATH/.tmp ]]; then
  mkdir -p $LOCAL_PATH/.tmp
fi

if ! [[ -d $LOCAL_PATH/Private ]]; then
  mkdir -p $LOCAL_PATH/Private
fi

if ! [[ -e $LOCAL_PATH/.pswd ]]; then
  echo "Create file $LOCAL_PATH/.pswd with your encrypted vault password"
fi

mounted=0

if ! [[ -e $LOCAL_PATH/.tmp/gocryptfs.conf ]]; then
  mount_smbfs $REMOTE_PATH $LOCAL_PATH/.tmp
else
  echo "SMB is already mounted"
  mounted=$((mounted+1))
fi

if ! [[ -e $LOCAL_PATH/Private/.mounted ]]; then
  gocryptfs -passfile $LOCAL_PATH/.pswd $LOCAL_PATH/.tmp $LOCAL_PATH/Private
else
  echo "Cryptfs is already mounted"
  mounted=$((mounted+1))
fi

if [[ $mounted == 2 ]]; then
  echo "All filesystems are mounted, unmounting..."
  umount $LOCAL_PATH/Private
  umount $LOCAL_PATH/.tmp
fi

Analogiškas variantas PowerShell scriptas windows sistemai

<#
.SYNOPSIS
maps and unmaps network drives
.DESCRIPTION
Maps or unmaps the specified network drives in the script 

.EXAMPLE
mount
Maps or unmaps the specified network drives in the script 

.NOTES
    Author: e1z0
 Copyright: 2024 e1z0
          : Permission to use is granted but attribution is appreciated
   Initial: 09/23/2024)
   ModHist:
 :
#>
[CmdletBinding()]

$username = "devnull"

function NewPwd {
param ()
# write new password
$SecureString = Read-Host -Prompt "Enter your new Password" -AsSecureString
$EncryptedString = ConvertFrom-SecureString $SecureString 
$EncryptedString | Out-File smb.txt  # Because who would look inside, right?
}

# Does not work in PowerShell 5.1
function Unmount-Disks {
$DriveList = Get-WMIObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 4 }

# Don't bother running this if we don't have any mapped drives
 if ($DriveList) { 
    $SmbDriveList = $DriveList.DeviceID
 } else {
    Write-Host "No mapped drives found"
    Return
}

Write-host "Unmapping drive: " -NoNewLine
Write-Host $SmbDriveList
Write-Host " "

Foreach ($drive in $SmbDriveList) {
    $psDrive = $drive -replace ":" #remove unwanted colon from PSDrive name
    Remove-SmbMapping -LocalPath $Drive -Force -UpdateProfile
    If ( (Get-PSDrive -Name $psDrive -Scope Global) 2>$Null ) {
       Remove-PSDrive -Name $psDrive -Scope Global -Force
    }
}
Write-Host " "

# Report back all FileSystem drives to confirm that only local drives are present. 
Get-PSDrive -PSProvider FileSystem
}

function Unmount-Disk {
param (
    [string]$letter
)
try
{
$mappings_to_remove = Get-PSDrive $letter -ErrorAction SilentlyContinue
Remove-PSDrive $mappings_to_remove -PSProvider FileSystem -Scope Global -erroraction SilentlyContinue | Out-Null
Remove-SMBMapping $mappings_to_remove -Force -erroraction SilentlyContinue | Out-Null
}
catch
{
}
}

function Mount-Disk {
    param (
        [string]$letter,
        [string]$Path
    )
    $EncryptedString = Get-Content $env:USERPROFILE\.mnt.txt
    $SecureString = ConvertTo-SecureString $EncryptedString
    $Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$SecureString
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $Path -Persist -Credential $Creds -Scope Global
}

function MapPath {
    param (
        [string]$Path
    )
    $EncryptedString = Get-Content smb.txt
    $SecureString = ConvertTo-SecureString $EncryptedString
    $Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$SecureString
    New-PSDrive -Name MyRemoteDrive -PSProvider FileSystem -Root $Path -Credential $Creds -Scope Global
}

function MountCrypt {
    param (
        [string]$Path,
        [string]$Letter
    )
    $EncryptedString = Get-Content private_data.txt
    $SecureString = ConvertTo-SecureString $EncryptedString
    $UnsecurePassword = (New-Object PSCredential 0, $SecureString).GetNetworkCredential().Password
    C:\programs\cryptfs\cppcryptfs.exe -m $Path -d P -p $UnsecurePassword -t
}

Write-Host "Options:"
Write-Host "1 -> Mount \\server.lan\private smb share"
Write-Host "2 -> Unmount smb shares"
Write-Host "3 -> Unmount all shares"
Write-Host "4 -> Change password"
Write-Host "5 -> Exit"

$FromObj = "Please input object number"
$giveMeNumber = { (Read-Host $FromObj) -as [int] }
$FromInput = & $giveMeNumber

while($FromInput -isnot [int]) {
    Write-Output "Your input has to be a number."
    $FromInput = & $giveMeNumber
}
if ($FromInput -le 0) {
    Write-Output "Your input has to be a number greater than 0!"
    $FromInput = & $giveMeNumber
}
elseif ($FromInput -ge 6) {
    Write-Output "Your input has to be a number less than 6!"
    $FromInput = & $giveMeNumber
}

switch ($fromInput -as [int]) {
  1 {
     Write-Host "Mounting drives..."
     MapPath -Path '\\server.lan\private'
     MountCrypt -Path '\\server.lan\private\data' -Letter 'P'
     break
  }
  2 {
     Write-Host "Unmounting drives..."
     # does not work in PowerShell 5.1
     #Unmount-Disk -letter "X"
     #Get-PSDrive X, z -PSProvider FileSystem -Scope Global | Remove-PSDrive -Scope Global -Force
     #Remove-SmbMapping -LocalPath "X:" -Force
     #remove-psdrive -name Z -Scope Global
     net use P: /delete
     break
  }
  3 {
     net use * /delete /y
     break
  }
  4 {
     NewPwd
     break

  }
  default {
     Write-Host "Exiting..."
     Break Script
  }
}

Write-Host -NoNewLine 'Done!';
Start-Sleep -Seconds 3

Scriptas yra daugiau kaip PoC parodyti, kaip reikia dirbti su securestringais (t.y su užmaskuotais slaptažodžiais powershell scriptuose).