Locking and Encrypting Apps with Encfs

Rohit Goswami
Aug 16, 2018 · 6 min read

For better syntax highlighting and the ability to copy paste the code snippets, view this post on grimoire.science.

Image for post
Image for post

One of the prob­lems of a shared sys­tem, is that some­times mul­ti­ple ap­pli­ca­tions are used by mul­ti­ple peo­ple. Normally this would be solved by the ex­cel­lent multi-user sup­port in­her­ent to *nix sys­tems. After all, *nix and de­riv­a­tives were de­signed to be used by mul­ti­ple users at the same time.

However, in some cases, it just makes sense for a sin­gle ap­pli­ca­tion to stay locked un­til a pass­word is sup­plied. In any case, encfs is one of the bet­ter en­cryp­tion meth­ods (as long as us­abil­ity over­shad­ows se­cu­rity) and it’s a good prac­tice to en­crypt ap­pli­ca­tion data any­way. The case for en­cryp­tion varies, but weather it’s to make life harder for hack­ers, or just to stop cloud stor­age providers from sniff­ing around, it’s always a good idea. Even if mul­ti­ple users will not be shar­ing an ac­count, en­cryp­tion pre­vents the root users or admins from get­ting too frisky with your data.

The pop­u­lar gnome-keyring and other se­cu­rity au­then­ti­ca­tion meth­ods are not a good fit for this since most of them are un­locked all at once and with­out be­ing linked to a par­tic­u­lar pro­gram.

Here we will cre­ate a few sim­ple bash scripts to gener­i­cally and flex­i­bly lock and en­crypt ap­pli­ca­tions in a way which al­lows for mul­ti­ple users to have their own pri­vate en­crypted in­stances of shared apps. The com­plete scripts are lo­cated in my Dotfiles.

Requirements

I per­son­ally run Arch Linux but that’s just a bi­ased en­dorse­ment.

The re­quire­ments are:

  1. Bash

This is needed for the shell sub­sti­tu­tions in the shell script. Found al­most every­where.

2. EncFS

This han­dles the en­cryp­tion por­tion. Though every­thing cov­ered here will re­quire only the base pro­gram it­self, new users would prob­a­bly ben­e­fit from hav­ing one of the GUI in­ter­faces to encfs as well. I pre­fer Gnome Encfs Manager.

3. An ASKPASS pro­gram

These are most fa­mously known for weird ssh er­rors. However, here we will fo­cus on zen­ity and git as a fall­back.

And that’s it. Other vari­a­tions of this method might use shoes for more GUI good­ness. Other askpass pro­grams and helpers may also be used, like the pop­u­lar x11-ssh-askpass pro­gram.

Program Structure

  1. An en­crypted folder is mounted
  2. The ap­pli­ca­tion is run

Additionally we would like the fol­low­ing fea­tures:

  1. Execution with­out the ter­mi­nal (GUI, no ter­mi­nal user queries)
  2. An au­to­mated way of gen­er­at­ing a new stash for ap­pli­ca­tions
  3. A san­i­tized name for the mount points

Preliminaries

Image for post
Image for post
Shell trials
  • This prompted me to cre­ate the di­rec­tory if it did­n’t ex­ist, which would not be han­dled prop­erly from within a shell script.

Additionally the MAN page for encfs showed me that sup­port for ex­ter­nal au­then­ti­ca­tion man­agers is granted via the --extpass flag.

Implementation

Always re­mem­ber to start the script with it and to only put it once, right at the top of the file.

Image for post
Image for post
The shebang

Setting Variables

Image for post
Image for post
Using a variable for the unlock dialog

Choosing an ASKPASS pro­gram

Image for post
Image for post
Zenity Prompt
Image for post
Image for post
Zenity implementation

As men­tioned pre­vi­ously, zen­ity is the pret­tier choice, how­ever, it may not be in­stalled every­where. So we need a fall­back.

Git is more or less avail­able every­where, and it just so hap­pens to have a pretty neat askpass tool as well.

Image for post
Image for post
Git Askpass Prompt
Image for post
Image for post
Git Askpass Implementaion

However, it would be bet­ter to wrap them both up in a way to pick one or the other based on the avail­abil­ity. So, we write a sim­ple test.

Image for post
Image for post
The test logic

Honestly the us­age of which in­stead of command -v is a bit con­tro­ver­sial. However, here I went with which sim­ply be­cause it seemed faster. The more portable (POSIX com­pli­ant) ver­sion of the above would use command -v. For more de­tails check this stack ex­change ques­tion.

Creating Mount-points

Image for post
Image for post
Variables and directories

Caveats

  • The stash is al­ready mounted
  • The stash does not ex­ist

These are dealt with in the Improvements sec­tion of this doc­u­ment.

Mount and Run

Image for post
Image for post
A basic mount and run

Caveats

  • The mount op­er­a­tion fails (wrong pass­word)
  • The con­fig files are en­crypted

The script runs the pro­gram with­out test­ing the re­sult of the mount, which will lead to much frus­tra­tion and weird er­rors. These edge cases are handled by the code in Handling Authentication.

Improvements

Naming di­rec­to­ries

In any case, this por­tion of the script uses a bash spe­cific ex­pan­sion. At this
point we can also make the unlockString a little neater.

Image for post
Image for post
Bash substitutions for prettier names

Now that we have the name, we simply modify the directories.

Image for post
Image for post
Renaming the directories

Handling mounted di­rec­to­ries

If it is mounted, we will un­mount it.

Image for post
Image for post
Testing for mounts

Additionally, for cases where the stash does not yet ex­ist, we will need to cre­ate the other di­rec­tory as well. We shall also kill the ap­pli­ca­tion if the stash is to be mounted (for se­cu­rity). This por­tion was aided by this stack ex­change thread.

Image for post
Image for post
Mount handling with directory creation

Handling Authentication

Quite sim­ply, the $? vari­able holds the re­sult of the pre­vi­ous com­mand. Hence it can be used to con­trol the flow. This was in­spired by the an­swers here.

Image for post
Image for post
The results variable and flow of control

Putting it all to­gether

It is also re­pro­duced here as a gist, since Medium can’t handle syntax highlighting.

The entire script.

Future Directions

Originally published at grimoire.science.

HackerNoon.com

#BlackLivesMatter

Sign up for Get Better Tech Emails via HackerNoon.com

By HackerNoon.com

how hackers start their afternoons. the real shit is on hackernoon.com. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Rohit Goswami

Written by

HackerNoon.com

Elijah McClain, George Floyd, Eric Garner, Breonna Taylor, Ahmaud Arbery, Michael Brown, Oscar Grant, Atatiana Jefferson, Tamir Rice, Bettie Jones, Botham Jean

Rohit Goswami

Written by

HackerNoon.com

Elijah McClain, George Floyd, Eric Garner, Breonna Taylor, Ahmaud Arbery, Michael Brown, Oscar Grant, Atatiana Jefferson, Tamir Rice, Bettie Jones, Botham Jean

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store