Mounting on login about cppcryptfs HOT 8 CLOSED

The saved password feature is in release 1.4.0.2 which I uploaded today.

You should be able to manually mount your filesystems with save password on and then use a script that runs at login to mount them automatically using the saved password.

I did everything as I said above except I don't overwrite the saved passwords before deleting them when "Enable saved passwords" is unchecked. I realized that I have no idea how the registry storage is actually done, and that there was no guarantee that doing that would cause them to be overwritten on disk.

from cppcryptfs.

It looks like triple-DES hasn't actually been declared useless, and the Windows Data Protection API isn't deprecated.

So I think I'll use that.

So, what I would like to do is this.

1. add a checkbox to the settings page that enables the saving of passwords.
2. on the mount page, add a "save password" checkbox that's enabled (usable) if that setting is on.
3. if a filesystem is mounted with "save password" checked, then the password is encrypted using the Data Protection API, which will encrypt it with a key derived from the user's login password, and also using an additional (essentially hard-coded in cppcryptfs) secret for a slight boost in security. The encrypted password is saved in the registry using the hash of the path to the root of the filesystem as a (registry) key.
4. if a filesystem is mounted without the "save password" box checked, then any saved password for it in the registry is first overwrriten with random data of equal size and then deleted.
5. if there is already a saved password for the filesystem, and saved password is checked, then the password is automatically filled in (with dots) when the path is selected from the path history or typed in.
6. finally, add a -P --saved-password command line option which will cause cppcryptfs to attempt to retrieve any saved password for that filesystem and use it when mounting it.

I think that will allow for a reasonably secure mount on login method by invoking cppcryptfs from a script with the -P option after previously mounting the filesystem fro the GUI with save password.

from cppcryptfs.

cppcryptfs can mount filesystems from the command line. Could you store the password somewhere only on the local machine and then pass it on the command line?

from cppcryptfs.

Yep, that's my option 1, but then you write that this way the arguments don't get "zeroed" like the GUI arguments do, hence my question :)

from cppcryptfs.

To enable mount on login, cppcryptfs would have to save passwords.

I'm reluctant to do that.

First, I really don't believe that a save password feature belongs in this type of software.

If it did have such a feature, then I think the way to implement it would be by using either of the two things on Windows that provide similar functionality to the Keychain on Mac OSX.

The first one is the Data Protection API. It lets you give the OS a blob of data to encrypt using the logged-in user's password and optionally some other secret you specify (to make it harder for other apps to retrieve that information).

It has been around since Windows 2000 and appears to be outdated. It uses triple-DES to protect the master key. I think these days, triple-DES is way too weak.

The newer API is for Windows 8 and above. It is called the "Credential Locker".

I was not able to find any explanation of how the credentials are actually encrypted. But I assume they're using something better than triple-DES now.

The Credential Locker appears to work only with "managed" code that runs in a .net virtual machine.

cppryptfs is classical unmanaged C++ code that runs on the bare metal.

It is possible to call managed code from unmanaged code, but still the Credential Locker would work only on Windows 8 and above.

Also, no matter what Microsoft is doing with the encryption of the Credential Locker, I think there is no way that it can be any more secure than the strength of the user's password for logging into Windows.

I personally use a much weaker password for Windows login than I use for cppcryptfs.

I think most people don't use as strong of a password for their Windows login as they would for data that they would go to the trouble of protecting with something like cppcryptfs.

If I remember correctly, I think your plan was to use a separate config file that you store outside of the cloud and use a weaker, more memorable password for cppcryptfs because you care mainly about keeping your data secure in the cloud. Because your config file would never be uploaded to the cloud, then an attacker with access only to your cloud data wouldn't have much of a chance of decrypting it no matter what your password was.

If it really is the case that your primary concern is protecting your data in the cloud, then I think it is probably ok to pass the the password to cppcryptfs on the command line.

In that case, your password might end up in the paging file.

If you turned off the paging file and disabled hibernation, then your password would never be written to disk, even if you passed it in the clear on the command line.

from cppcryptfs.

Thanks for a detailed response. Re your first point I'm not sure that's the case.
First of all, users not willing to sacrifice potential security for usability can just not use this feature :)
But secondly, cloud-based file protection is one of the core use cases for CryptFSes, so it's not meant to be just a local-only encryption scheme, where storing the password also locally would kind of defeat the purpose (and for a local-only encryption I'd definitely agree with you that relying on Windows login password for protection kind of defeats the purpose)

Re. Credential Locker I don't really know much about it to comment on whether it's more secure than passing a plaintext password over the command line (which would be easily accessible by any local app). I'd hope so (after all, there are reasons macOS keychain is there instead of an unencrypted database of passwords stored locally even though it's also not more secure than the login password unless you change the default password), but not sure. "Windows 8 and above" is a bummer as Win7 is unfortunately still too popular.

from cppcryptfs.

You could use Keepass and pass it to the File://URL if cppcryptfs could be configureable as Default app for goconf File. maybe scriptable by KPScript for automount on Login?

from cppcryptfs.

Thanks a bunch for adding this functionality!

from cppcryptfs.