0

Many CLI applications store or need secrets in plaintext files. I'm searching preferably for a tool, or a methodology, to encrypt those files without the application knowing.

What do I mean by that :

In my ideal dream world, when some process (unix) tries to access an encrypted file, I would get a prompt telling me process X wants to read file Y, similar to something like gnome-keyring for example or ssh-agent, type a passphrase, which will be used to generate or unlock the encrytion key, decrypt the file, and have the process read it unencrypted (= the syscall read would return the decrypted data)

Why I'd like to do it that way :

  1. because it decouples the encryption and the app (giving easily swappable encryption algo, etc)
  2. As mentioned before, many apps just store secrets as plain text files

Against what kind of threats that would protect :

  • Someone having access to my unlocked computer (because either I forget to screen lock, or my screen-lock has a bug/is misconfigured and can be killed somehow)
  • Someone dump my RAM (Am I correct that Linux would cache files in RAM and that a RAM dump could leak those ?) while locked/ in suspend mode
  • A malicious process running as my user trying to access a file it should not (because I can't audit myself everything everytime, and I could run a bad program)

I'm aware that I could use gpg to encrypt the files, but that require the app to provide a hook into it's reading process (and some do not), or to manually decrypt the file everytime.

The features of the ideal system :

  • invisible from the applications
  • file-by-file (decrypt a file should not necessarily decrypt another).
  • configurable, aka, it is possible to define custom behavior for some path (caching the file for some times after first use, etc).
  • Bonus point if it works both way : process can also write unencrypted data and we have encrypted data in the file

Some tools I thought of :

  • fscrypt : If I understood correctly, it's purpose is to enforce access rights with encryption, is that correct ? The problem is that it is directory based (unless I misunderstood).

Primitives that, I think, could be used (not proficient with them though) :

  • inotify : that could be the hook mechanism to plug the encryption in. I found that question on Stack Overflow which could be relevant. Not sure though that I will work. Once the application has open the file, isn'it too late ?
  • advanced unix permissions (ACL etc) : I'm not too knowledgeable about those, so maybe they could be used for that purpose.
  • SELinux : same as above.
  • Hooking into the syscalls, with somehting likes kprobes, maybe ?

P.S. : Access to disk while powered off is out of scope, and taken care of by whole disk encryption.

VannTen
  • 101
  • 2
  • 1
    It may be possible to write a custom user-space filesystem driver that does something like this, although that is likely beyond the scope of an answer here. – multithr3at3d Apr 10 '20 at 15:15
  • What is the question you are asking? It seems like you are generally asking how (or whether) you should you (or could) go about doing this? It might be too broad a question. – hft Apr 10 '20 at 22:44
  • But, it seems like you are on the right track. You want the application to be able to use the normal "open" system call to open a file and read it but you want to hook that call and insert a step where you transparently decrypt the file without the app knowing. So you could hook open, get the process information, get the file information, prompt the user, do the decrypt, etc. – hft Apr 10 '20 at 22:47
  • My question is primarily if there is such a tool already. Although I did not find one, I might have missed it. If there is no such tool (or combination of ), the question might indeed be too broad... But I'm not really knowledgeable about the tools I mention in primitives, the information of whether they could be used for that purpose, or if they are hard blockers that makes them unfit, and you really need to go lower (syscalls hooking/kernel module) to achieve it. – VannTen Apr 11 '20 at 11:38

0 Answers0