File encryption and decryption utility This source code is used to build the fcrypt and fdecrypt utilities that are used to encrypt existing files using the AES CBC 256 bit encryption algorithm based on the OpenSSL implementation. In the distribution example programs used for OpenSSL development and testing are under the following directory: openssl_examples Example programs for the AES encryption routines are under the following directory: aesdb_examples The fcrypt and fdecrypt programs provide a comprehensive symmetric encryption tool kit for encrypting and decrypting files. FEATURES: AES 256 bit symmetric file encryption File encryption using a password or key file Multi user access to encrypted files using RSA keys Multi user access to encrypted files using a smart card Supports DOD CAC smart cards TO BUILD THE FCRYPT AND FDECRYPT PROGRAMS FOR LINUX --------------------------------------------------- $ mkdir -pv ${HOME}/git $ cd ${HOME}/git $ git clone https://github.com/datareel/fcrypt.git $ cd fcrypt/console/linux $ make To run a simple test of the utilities: $ ./fcrypt testfile.txt The above command will encrypt the input file and create a .enc file with the same file name. To decrypt the file: $ ./fdecrypt testfile.enc This will decrypt the file creating the unencrypted file using the original file name. USING A MASTER KEY FOR AES SYMMETRIC FILE ENCRYPTION ---------------------------------------------------- Create a master file encryption key: $ dd if=/dev/urandom of=master.key bs=1 count=128 $ chmod 600 master.key Encrypt the file: > ./fcrypt --key=master.key testfile.txt Decrypt the file: > ./fdecrypt --key=master.key testfile.enc USING RSA KEYS FOR MULTI USER ACCESS TO THE ENCRYPTED FILE ---------------------------------------------------------- Use openssl to make some test keys: > mkdir ${HOME}/.keys > chmod 700 ${HOME}/.keys > openssl genrsa -aes256 -out ${HOME}/.keys/private.pem 2048 > chmod 600 ${HOME}/.keys/private.pem > openssl rsa -in ${HOME}/.keys/private.pem -outform PEM -pubout -out ${HOME}/.keys/public.pem Create a master file encryption key: > dd if=/dev/urandom of=${HOME}/.keys/master.key bs=1 count=128 > chmod 600 ${HOME}/.keys/master.key Encrypt a file: > ./fcrypt --key=${HOME}/.keys/master.key testfile.txt Add your RSA key: > ./fcrypt --key=${HOME}/.keys/master.key --add-rsa-key=${HOME}/.keys/public.pem --rsa-key-username=testuser testfile.enc Decrypt the file using your private key that is passphrase protected and ensure you private key is never shared with anyone: > ./fdecrypt --rsa-key=${HOME}/.keys/private.pem --rsa-key-username=testuser testfile.enc USING SSH-RSA FOR MULTI USER ACCESS TO THE ENCRYPTED FILE --------------------------------------------------------- Create a temp key to encrypt the file > mkdir ${HOME}/.keys > chmod 700 ${HOME}/.keys > dd if=/dev/urandom of=${HOME}/.keys/temp.key bs=1 count=128 > chmod 600 ${HOME}/.keys/temp.key Encrypt a file: > ./fcrypt --key=${HOME}/.keys/temp.key testfile.txt Add your SSH-RSA key to the encrypted file: > ssh-keygen -f ~/.ssh/id_rsa.pub -m 'PKCS8' -e | ./fcrypt --key=${HOME}/.keys/temp.key --add-rsa-key --rsa-key-username=testuser testfile.enc Decrypt the file using your SSH-RSA private key: > ./fdecrypt --rsa-key=${HOME}/.ssh/id_rsa --rsa-key-username=testuser testfile.enc Have your users that need access to the encrypted file give you a copy of their public ~/.ssh/id_rsa.pub SSH-RSA key. Once you have a copy of all the public RSA keys that need access to the encrypted file add each key. After all the user are added you can remove the file encrytion key: > rm -fv ${HOME}/.keys/temp.key All users will only be able to decrypt the file using their SSH-RSA private key. All user should ensure their private key is passphrase protected and never shared with anyone. For users that do not have passphrase protected keys a passphrase can be added with the following command: > ssh-keygen -p -f ~/.ssh/id_rsa USING A SMART CARD FOR MULTI USER ACCESS TO THE ENCRYPTED FILE -------------------------------------------------------------- Create a temp key to encrypt the file > mkdir ${HOME}/.keys > chmod 700 ${HOME}/.keys > dd if=/dev/urandom of=${HOME}/.keys/temp.key bs=1 count=128 > chmod 600 ${HOME}/.keys/temp.key Encrypt a file: > ./fcrypt --key=${HOME}/.keys/temp.key testfile.txt Make sure your smart card is in the card reader and you know the ID number for the cert you are using. You can list the smart card objects with the 'pkcs11-tool --list-objects' command. Add your smart card cert to the encrypted file: > ./fcrypt --key=${HOME}/.keys/temp.key --add-smartcard-cert --smartcard-cert-id=01 --smartcard-username=testuser testfile.enc Decrypt the file using your smart card: > ./fdecrypt --smartcard-cert --smartcard-cert-id=01 --smartcard-username=testuser testfile.enc You will be prompted to enter your smart card pin. Have your users that need access to the encrypted file add their smart card cert. Once you have all the users added that need access to the encrypt file add each key. After all the user are added you can remove the file encryption key: > rm -fv ${HOME}/.keys/temp.key All users will only be able to decrypt the file using their smart card. USING A SMART CARD EXPORTED CERT file FOR MULTI USER ACCESS TO THE ENCRYPTED FILE --------------------------------------------------------------------------------- Create a temp key to encrypt the file > mkdir ${HOME}/.keys > chmod 700 ${HOME}/.keys > dd if=/dev/urandom of=${HOME}/.keys/temp.key bs=1 count=128 > chmod 600 ${HOME}/.keys/temp.key Encrypt a file: > ./fcrypt --key=${HOME}/.keys/temp.key testfile.txt For all users that need access each user will need to use the p11tool to export a PEM formated X509 cert that contains the public key. Add your cert file to the encrypted file: > ./fcrypt --key=${HOME}/.keys/temp.key --add-smartcard-cert-file=/usr/local/sc_certs/testuser_cert.pem --smartcard-username=testuser testfile.enc Decrypt the file using your smart card: > ./fdecrypt --smartcard-cert --smartcard-cert-id=01 --smartcard-username=testuser testfile.enc You will be prompted to enter your smart card pin. Add all your users that need access to the encrypted file. Once you have all the users added that need access to the encrypt file add each key. After all the user are added you can remove the file encryption key: > rm -fv ${HOME}/.keys/temp.key All users will only be able to decrypt the file using their smart card.