
Secure storage of secrets

I'll tell you about one of the portable, cross-platform methods of storing secrets on removable drives, one that relies only on open, free software.




I could never remember all the logins, passwords and other access codes for all my accounts. Sometimes the login name and the coveted code are needed at the most inconvenient moment, so I carry them around on a flash drive. So as not to tear my hair out if I lose the precious storage device, I wrote the scripts discussed below.





Let's formulate the problem.

There is a folder with secrets (personal diaries, account details, articles for Habr, etc.) that must not be stored in the clear under any circumstances. You want to be able to read its contents on any computer you happen to be at. To keep the description of the following steps simple, let's narrow this down to computers running Windows. Nothing stops you from widening that circle, since all the software used is cross-platform.


We will need the following tools:



I will use 7-Zip portable, GnuPG and Eraser portable.

On *nix systems this could be, for example, tar, GnuPG and wipe.



Create a working directory on the flash drive (for example, F:\bin\secure). Copy the tools we need into it:



Next we need to generate a private and a public key for the cryptographic operations. This is done very simply with the same gpg:



F:\bin\secure\gpg.exe --gen-key --home=C:\



Having answered all the questions (if you don't understand what is being asked in the first three, you can answer 1, 1024, 0), we get the public and private keys, as well as the database of trusted certificates. These are the files:



The most important are pubring (the public key, used for encryption) and secring (the private key, used for decryption). I also advise you to remember the name of the key holder and the password. We write all of this down on a registered medium and put it in a safe. Portability matters more to me than security, so I will keep both files on the same flash drive. Just put them somewhere nobody is likely to look. Even if they are found, decrypting with the private key will require the password.



Let the private key be F:\CLOSED.KEY and the public key F:\OPEN.KEY. The database of trusted certificates (needed so that gpg does not complain during encryption/decryption operations) consists of the files random_seed and trust_db; we place them next to gpg.exe, that is, in F:\bin\secure.



Comment:

If you work at home and at the office, carrying important information back and forth, the keys can be kept on your home and office computers. That way, the information "on the road" is protected against theft, loss, or an encounter in a dark alley with a gang of IT-literate gopniks.



It remains only to implement an encryption script that performs the following operations:



And a decryption script that does the following:



Here are the batch scripts:



enc.bat

@echo off
rem %1 = folder to encrypt, %2 = key holder name, %3 = public key file
rem %~dp0 is this script's directory and already ends with a backslash
rem Receiving keys
copy "%~3" "%~dp0pubring.gpg" /Y >nul
rem Packaging: archive the folder, then encrypt the archive to the recipient
rem (the trailing dot keeps the closing quote from being escaped by the backslash)
"%~dp07z.exe" a "%~1.7z" "%~1" >nul && "%~dp0gpg.exe" ^
--homedir "%~dp0." -r "%~2" --quiet -o "%~1.enc" -e "%~1.7z"
IF NOT %ERRORLEVEL%==0 goto fail
echo ENCRYPTED SUCCESSFULLY
rem Wipe the plaintext archive and the original folder
"%~dp0eraserl.exe" -file "%~1.7z" -silent && "%~dp0eraserl.exe" -folder "%~1" ^
-subfolders -silent >nul
goto end
:fail
echo ENCRYPTION FAILED
rem Do not leave the plaintext archive behind when gpg fails
"%~dp0eraserl.exe" -file "%~1.7z" -silent
:end
rem We clean the keys
"%~dp0eraserl.exe" -file "%~dp0pubring.gpg" -silent





dec.bat

@echo off
rem %1 = encrypted file, %2 = key holder name (kept for symmetry with enc.bat,
rem not needed for decryption), %3 = public key file, %4 = private key file
rem Receiving keys
copy "%~3" "%~dp0pubring.gpg" /Y >nul
copy "%~4" "%~dp0secring.gpg" /Y >nul
rem Decryption (gpg asks for the private key password here)
"%~dp0gpg.exe" --homedir "%~dp0." --quiet -o "%~1.7z" -d "%~1"
IF NOT %ERRORLEVEL%==0 goto fail
rem Unpacking next to the encrypted file, then delete it and wipe the archive
"%~dp07z.exe" x "%~1.7z" -o"%~dp1." >nul && del "%~1" /Q && "%~dp0eraserl.exe" ^
-file "%~1.7z" -resultsonerror
echo DECRYPTED SUCCESSFULLY
goto end
:fail
echo DECRYPTION FAILED
:end
rem We clean the keys
"%~dp0eraserl.exe" -file "%~dp0secring.gpg" -resultsonerror && ^
"%~dp0eraserl.exe" -file "%~dp0pubring.gpg" -resultsonerror





Place them in the same folder, F:\bin\secure. If you pack Eraserl.exe, Eraser.dll and gpg.exe with upx, the entire secure folder, keys included, easily fits on a registered 3.5" diskette.

The encryption process itself looks like this:



F:\bin\secure\enc.bat F:\<secrets folder> <key holder name> F:\OPEN.KEY



and decrypt like this:



F:\bin\secure\dec.bat F:\<secrets folder>.enc <key holder name> F:\OPEN.KEY F:\CLOSED.KEY



During decryption you will be asked for the private key's password.



Comment:

These scripts only encrypt folders, because eraserl distinguishes between folders and files; if you have the necessary skills, this annoying limitation is easy to fix.
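The same pack-encrypt-wipe workflow as enc.bat and dec.bat, written as an added cross-platform Python example (this is not the post's code). It assumes GnuPG is installed as `gpg` on PATH and that the keys are already in the directory passed as `homedir`; tar stands in for 7-Zip (so single files work as well as folders, which addresses the comment above) and an overwrite-then-unlink helper stands in for eraserl. It also wipes the plaintext archive when gpg fails, which enc.bat as posted does not, and it refuses archive members that would extract outside the target directory. The file names used in `self_check()` are constructed for the demonstration.

```python
"""Pack with tar, encrypt the archive to a gpg recipient, wipe the plaintext
archive (even on failure), and the reverse. Added example, not the post's scripts."""
import os
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def derived_names(target: str) -> tuple[Path, Path]:
    """Mirror the batch naming: <target>.tar and <target>.enc beside the target."""
    p = Path(target)
    return p.with_name(p.name + ".tar"), p.with_name(p.name + ".enc")


def is_safe_member(name: str) -> bool:
    """Reject tar members that would escape the extraction directory."""
    p = PurePosixPath(name)
    return not (p.is_absolute() or ".." in p.parts or name.startswith("\\"))


def overwrite_and_delete(path: Path, passes: int = 1) -> bool:
    """Best-effort stand-in for `eraserl -file`: overwrite in place, fsync, unlink.
    Returns False when there is nothing to wipe. On SSDs and journaling or
    copy-on-write filesystems old blocks can survive; full-disk encryption is the
    real mitigation for that."""
    if not path.is_file():
        return False
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()
    return True


def _gpg() -> str:
    exe = shutil.which("gpg")  # assumption: GnuPG is installed and on PATH
    if exe is None:
        raise RuntimeError("gpg not found on PATH")
    return exe


def encrypt(target: str, recipient: str, homedir: str) -> Path:
    """tar the file or folder, encrypt the tar to `recipient` with the keyring in
    `homedir`, and wipe the tar whether or not gpg succeeded."""
    archive, cipher = derived_names(target)
    with tarfile.open(archive, "w") as tar:
        tar.add(target, arcname=Path(target).name)
    try:
        subprocess.run(
            [_gpg(), "--homedir", homedir, "--batch", "--yes", "--quiet",
             "--trust-model", "always", "-r", recipient,
             "-o", str(cipher), "-e", str(archive)],
            check=True,
        )
    finally:
        overwrite_and_delete(archive)  # enc.bat skips this on its failure path
    return cipher


def decrypt(cipher: str, homedir: str) -> Path:
    """Decrypt <name>.enc to <name>.tar, extract beside it, wipe the tar.
    gpg (through pinentry) asks for the private key's password here."""
    c = Path(cipher)
    archive = c.with_suffix(".tar")
    subprocess.run(
        [_gpg(), "--homedir", homedir, "--yes", "--quiet",
         "-o", str(archive), "-d", str(c)],
        check=True,
    )
    try:
        with tarfile.open(archive) as tar:
            members = tar.getmembers()
            bad = [m.name for m in members if not is_safe_member(m.name)]
            if bad:
                raise ValueError(f"unsafe archive members: {bad}")
            tar.extractall(c.parent, members=members)
    finally:
        overwrite_and_delete(archive)
    return c.parent


def self_check() -> dict:
    """Exercise the parts that need no gpg: wiping a constructed temp file."""
    tmp = Path(tempfile.mkdtemp())
    victim = tmp / "secrets.tar"
    victim.write_bytes(b"plaintext archive " * 64)
    first = overwrite_and_delete(victim)
    second = overwrite_and_delete(victim)  # already gone
    shutil.rmtree(tmp)
    return {"wiped": first, "wiped_again": second, "still_exists": victim.exists()}


if __name__ == "__main__":
    print(self_check())
```

Usage is `encrypt("/media/usb/secrets", "<key holder name>", "/media/usb/bin/secure")` and `decrypt("/media/usb/secrets.enc", "/media/usb/bin/secure")`; the key holder name and paths are whatever you chose when generating the key. The key length is fixed at generation time, and the 1024 bits mentioned above is no longer adequate for RSA; pick a longer key when gpg asks.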

Source: https://habr.com/ru/post/73642/


