Many CLI applications store or need secrets in plaintext files. I'm searching preferably for a tool, or a methodology, to encrypt those files without the application knowing.
What I mean by that:
In my ideal dream world, when some process (unix) tries to access an encrypted file, I would get a prompt telling me process X wants to read file Y, similar to something like gnome-keyring for example or ssh-agent. I'd type a passphrase, which would be used to generate or unlock the encryption key, decrypt the file, and have the process read it unencrypted (i.e. the read syscall would return the decrypted data).
Why I'd like to do it that way:
- because it decouples the encryption and the app (giving easily swappable encryption algorithms, etc.)
- As mentioned before, many apps just store secrets as plain text files
What kind of threats this would protect against:
- Someone having access to my unlocked computer (because either I forgot to lock the screen, or my screen lock has a bug/is misconfigured and can be killed somehow)
- Someone dumping my RAM (am I correct that Linux would cache files in RAM and that a RAM dump could leak those?) while the machine is locked/in suspend mode
- A malicious process running as my user trying to access a file it should not (because I can't audit everything myself every time, and I could run a bad program)
I'm aware that I could use gpg to encrypt the files, but that requires the app to provide a hook into its reading process (and some do not), or to manually decrypt the file every time.
The features of the ideal system:
- invisible to the applications
- file-by-file (decrypting a file should not necessarily decrypt another)
- configurable, i.e. it is possible to define custom behavior for some paths (caching the file for some time after first use, etc.)
- Bonus points if it works both ways: the process can also write unencrypted data and we get encrypted data in the file
Some tools I thought of:
- fscrypt: if I understood correctly, its purpose is to enforce access rights with encryption, is that correct? The problem is that it is directory-based (unless I misunderstood).
Primitives that, I think, could be used (I'm not proficient with them though):
- inotify: that could be the hook mechanism to plug the encryption in. I found this question on Stack Overflow which could be relevant. Not sure though that it will work. Once the application has opened the file, isn't it too late?
- advanced unix permissions (ACLs etc.): I'm not too knowledgeable about those, so maybe they could be used for that purpose.
- SELinux: same as above.
- Hooking into the syscalls, with something like kprobes, maybe?
P.S.: Access to the disk while powered off is out of scope, and taken care of by whole-disk encryption.
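As an added example (not part of the question, and not the code of any tool it names), here is a Go model of the key-handling half of the agent the question describes: a "process X wants file Y" prompt per access, a distinct key per path so unlocking one file never unlocks another, a per-path policy for how long an unlocked key may be reused, and Decrypt/Encrypt calls standing in for what the interposition layer would do on read() and write(). The Agent, Prompt, CacheTTL and deriveMaster names, the salt and the paths are constructed for the example; the interposition layer itself (FUSE, an LD_PRELOAD shim, or a kernel hook) is assumed to exist and hand the on-disk bytes to the agent, and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// deriveMaster is PBKDF2-HMAC-SHA256 (one 32-byte block) over the typed passphrase; a real agent would prefer scrypt or Argon2.
func deriveMaster(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// fileKey gives every path its own key, so unlocking one file never unlocks another.
func fileKey(master []byte, path string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(path))
	return mac.Sum(nil)
}

type cached struct {
	key     []byte
	expires time.Time
}

// Agent stands in for the prompting key agent (constructed names). Prompt is the "process X wants
// to read file Y" dialog; CacheTTL is the per-path policy for reusing an unlocked key (zero: always ask).
type Agent struct {
	Salt     []byte
	Prompt   func(process, path string) (passphrase string, approved bool)
	CacheTTL func(path string) time.Duration
	cache    map[string]cached
}

// keyFor serves the file key from cache while policy allows, otherwise prompts the user.
func (a *Agent) keyFor(process, path string) ([]byte, error) {
	if c, ok := a.cache[path]; ok && time.Now().Before(c.expires) {
		return c.key, nil
	}
	pass, approved := a.Prompt(process, path)
	if !approved {
		return nil, fmt.Errorf("%s: access to %s denied", process, path)
	}
	key := fileKey(deriveMaster([]byte(pass), a.Salt, 100_000), path)
	if ttl := a.CacheTTL(path); ttl > 0 {
		if a.cache == nil {
			a.cache = map[string]cached{}
		}
		a.cache[path] = cached{key, time.Now().Add(ttl)}
	}
	return key, nil
}

// Decrypt is what the (not shown) read() hook would call: on-disk blob in, plaintext out.
// A wrong passphrase fails the GCM tag check instead of returning garbage.
func (a *Agent) Decrypt(process, path string, blob []byte) ([]byte, error) {
	key, err := a.keyFor(process, path)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so the only error case cannot occur
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(blob) >= n {
		if pt, err := g.Open(nil, blob[:n], blob[n:], nil); err == nil {
			return pt, nil
		}
	}
	delete(a.cache, path) // never keep a key that failed to decrypt
	return nil, fmt.Errorf("%s: missing, corrupted, or wrong passphrase", path)
}

// Encrypt is the "bonus" direction, called on write(): plaintext in, nonce || ciphertext || tag out to disk.
func (a *Agent) Encrypt(process, path string, plaintext []byte) ([]byte, error) {
	key, err := a.keyFor(process, path)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
```

Two design points worth noticing against the threat list above: the authenticated cipher means a wrong passphrase is detected rather than silently producing garbage for the application, and the cache TTL bounds how long an unlocked key sits in the agent's memory, but while cached the key is in RAM like any other secret, so the policy for a path is a trade-off between prompting fatigue and the RAM-dump exposure window.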