Showing posts with label linux. Show all posts
Showing posts with label linux. Show all posts

Wednesday, February 25, 2015

Generate a unique, strong password on the command line (linux, mac osx)

Find yourself generating a lot of random passwords? Here's a way to generate quick, random, and secure passwords on the command line:
echo $(head -c 64 /dev/urandom | base64) $(date +%s) | shasum | awk '{print $1}'
This command will read 64 bytes of random data from /dev/urandom, base64 encode it, add a small salt (the current data in epoch time), and then create a sha1 hash of the data.
I like this because it's cryptographically secure and the chance of a collision (provided your PNRG isn't totally borked), is infinitely small. It's also a hexadecimal string, so I don't have to worry about quoting it in weird ways or escaping special characters. I can just double-click it in iterm and it's automatically added to my clipboard!

Go ahead and double click the shas below and then click the password from 1password. You'll know what I'm talking about.

The drawback being you can't possibly remember these passwords unless you're US memory champion Nelson Dellis, but you use a password manager anyway, right? Right?!
I do this so frequently that I created an alias, so I just have to type "pw" on the command line to get a random password.
alias pw="echo \$(head -c 64 /dev/urandom | base64) \$(date +%s) | shasum | awk '{print \$1}'"
Now you can create random passwords all day long.
[stephen ~]$ pw
fc2bff4a44cc71b77638185161383592adcf5a6d
[stephen ~]$ pw
172f09a28878eab53df26801564f164209da7b6e
[stephen ~]$ while true; do pw; done
cf8f04bfa23b16dea92b69a9af72a0433e67cb79
28219dc9f626233df6361b44c673505755ac380e
ce14392eeeb408d68a4436586fc05f691c334006
d9c82dd59637ee75d9090195a4633d4b184e6e65
26e6754f480cf039d6b0e131bf079b2a0338b3e2
75376f012bc2ff36c00cb224ac245da719c832ae
b530a231f3a60030db47c077a249857ce4bb2d45
...
# Here's a password from 1password. Go ahead and double click it to add it to your clipboard
Fp9ef>btgMUm%K2AokM(JXV,vkF?CGX9Ry4d78.a

Saturday, November 22, 2014

Encrypting and decrypting files with Gnu Privacy Guard (GPG)

Asymmetrical encryption with GnuPG


You should start using asymmetrical encryption for your backups. Here's a little guide.
With asymmetrical key encryption, other hosts and people can encrypt data that only you can decrypt, meaning that you don't have to share a secret key with anyone and you can distribute the public key freely.
At Elastica this is how we do backups. Every host gets preseeded with one of our strong backup keys. This allows them to gobble up sensitive data and store it in places like S3. If our S3 account was ever compromised then the intruder would have a bunch of encrypted files that would take them 20 years of computing power to decrypt.
Since decryption speed is not an issue with cold storage backups, I recommend the maximum 4096-bit RSA key.
Here's a quick guide to creating a strong crypto key and encrypting some files.
Also remember that gpg can be installed on your mac via brew.
Generate the key:
$ gpg --gen-key
(follow the prompts)
If you'd rather do this automatically or in a script, you can feed the options in:
$ gpg --batch --gen-key <<EOF
    Key-Type: rsa
    Key-Length: 4096
    Name-Real: Stephen Wood
    Name-Comment: For Testing
    Name-Email: stephen@gmail.com
    Expire-Date: 0
    %pubring my_key.pub
    %secring my_key.sec
    %commit
    %echo done
EOF
You'll want to import the private key on any hosts that you want to be able to decrypt data.
$ gpg --allow-secret-key-import --import my_key.key
Remember to securely delete your secret key if you're not going to put the file elsewhere.
$ srm my_key.key

Encrypting and decrypting

Encrypting can be done on any host that has your public key. First, import the public key to the local hosts's gpg key ring
$ gpg --import my_key.pub
To encrypt a single file:
$ gpg --recipient stephen@gmail.com --encrypt ping.heystephenwood.com.cert
(creates ping.heystephenwood.com.cert.gpg)
Note that the key is referred to as an email address. This is how gpg typically works.
Decrypting the file is easy if you have the private key:
$ gpg --decrypt ping.heystephenwood.com.cert.gpg > ping.heystephenwood.com.cert
By default gpg will decrypt a file to stdout, so we redirect it to a file. You can tell gpg to decrypt it to the original filename by passing in the --use-embedded-filename flag:
$ gpg --use-embedded-filename --decrypt ping.heystephenwood.com.cert.gpg
(creates ping.heystephenwood.com.cert.gpg)
Notice that we didn't even have to specify which key to use. That's because gpg will use imbedded metadata in the file to decrypt the key. You can see this information by passing in the --list-packets flag:
$ gpg --list-packets ping.heystephenwood.com.cert.gpg
:pubkey enc packet: version 3, algo 1, keyid 6FC17A3C5E45F65C
    data: [4096 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: encrypted with 4096-bit RSA key, ID 5E45F65C, created 2014-06-13
      "Stephen Wood <stephen@gmail.com>"
:compressed packet: algo=2
:literal data packet:
    mode b (62), created 1416686288, name="ping.heystephenwood.com.cert",
    raw data: 2171 bytes
Pretty nifty, huh?

Multiple files

Encrypting multiple files is much easier to do via the tar command. Since gpg files are compressed automatically, it's not even necessary to gzip them!
Here's how to encrypt an entire folder:
$ tar cf - some_folder | gpg --recipient stephen@gmail.com
(creates some_folder.gpg)
Since gpg defaults to stdout, we simply need to pass that back to tar
$ gpg --decrypt some_folder.gpg | tar xf -
(creates some_folder)

Other fun things

You can also use your private key to sign a message that others can verify for authenticity.
Let's create a document:
cat > my_message.txt <<MESSAGE
Help! The NSA is after me! They've tapped my phone, TV, microwave, and
Nike Air Jordans! Also the fillings in my teeth won't stop playing episodes
of "This American Life" and Ira Glass is getting on my nerves.
MESSAGE
Now let's sign the message:
$ gpg -u stephen@gmail.com --clearsign my_message.txt 
(produces my_message.txt.asc)
You've got yourself a signed document.
$ cat my_message.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Help! The NSA is after me! They've tapped my phone, TV, microwave, and
Nike Air Jordans! Also the fillings in my teeth won't stop playing episodes
of "This American Life" and Ira Glass is getting on my nerves.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUcPACAAoJEKSJEkYj0afvor0QALvrYflk52NkNmwpq09FM+2x
06RKsmzQgXa8W+3yHpTUlAMhVPoToeETp9wrM4zod+6nmiyan/aqP1QzXq0QC+yc
SEOGIn7r69+d1ybCXHnC2ebbB2pVj8NwH30a6hLNUHlmZ9xGjX4bnqUREIo1booV
MnWqUab7PFjEJ97fVW9b47kpZ+Mi0P8MhphGA+QHzGl56UtDo5wPci8A3TKqfCsq
didoYGAJurVnVIwvjXPkwKnKwL4E0AvTRN5iiiN6Rib+be8Pmy8wUNA7LdwjERO1
H8zVCgyFvOzA16PbdmKJF5nnUAlJASO4ZStUD5z/AIYir9cXuNSlx45FFVse3lFu
yyftQkvJPJbzVdg/JaYswj7vMFPPmRBweFzFZjBqrDu+o1aPWougbOFnU3ZDuf3s
4SmbI7gJDDet7cvYHWn+8doGGI5BpPb0gXjfhW+WBuvMZ01GJbXwychi5d4xC1Qi
XYkd4RgdxxIhyLrO+whWYHFZlI3UY6cPPyyiDjTLR/UCP2IrtdL7gcPJicXGSGG3
EJLjG1mK+nk44QT4oW7Ghha6G1oI2YoqjAWrlWhaSyxlNSv4qw75x5w6WtzoL2yR
mayROMUmmHrBYfgFtgk64X+qcd3Li8/InZUw95A5SnV69r2h5p05fPiE70sgu73R
ozOu9eBEjYDTEb4PYS+5
=JiEL
-----END PGP SIGNATURE-----
Anyone can verify the message. They don't even need your public key:

gpg --verify my_message.txt.asc
gpg: Signature made Sat Nov 22 12:29:17 2014 PST using RSA key ID 23D1A7EF
gpg: Good signature from "Stephen Wood <stephen@gmail.com>"
And what happens when somebody intercepts and alters your original message?

$ cat my_message.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear friend. All is well here.
-----BEGIN PGP SIGNATURE-----
...
gpg --verify my_message.txt.asc
gpg: Signature made Sat Nov 22 12:20:18 2014 PST using RSA key ID 23D1A7EF
gpg: BAD signature from "Stephen Wood <stephen@gmail.com>"
Looks like your friend is dead. I'm so sorry.
This can be taken a step further if you've already securely exchanged your public key with your "friend". They can both verify your message hasn't been altered, and also verify that it was sent from you. They just need to verify that the Key ID is the same as the one you've imported.
That's it for now. Encrypt your backups! It's easy to do.

Wednesday, January 22, 2014

UDP only rsyslog server and client on Ubuntu

The first thing you'll need to do is install a new version of rsyslog. There's a bug in the version that comes along with Ubuntu 12.04 that prevents rsyslog from listening on a privileged port if you're using drop-privileges. You can read instructions for installing a newer version of rsyslog here. Once you've done that, open up /etc/rsyslog.conf and uncomment the following lines:

#$ModLoad imudp
#$UDPServerRun 514

Restart rsyslog and you're done on the server. Now head over to a client and open up /etc/rsyslog.d/50-default.conf and make the following addition to the top of the file:

*.* @your_server:514

Note that the single @ sign is what designates the sending to UDP only. Restart rsyslog on the server and you can test to see if logs are being sent using the logger command:

logger -t TEST testing