Encrypt DNS Traffic In Linux With DNSCrypt (Via OpenDNS)

6:31 PM

DNSCrypt, as its name suggests, encrypts DNS traffic between your computer and OpenDNS, in the same way SSL turns HTTP traffic into HTTPS encrypted traffic.

DNSCrypt was initially announced as available for Mac only, but according to an OpenDNS article posted yesterday, the source code was published on GitHub when the Mac preview was released. So even though there's no user interface yet, Linux users can already install DNSCrypt.


Why use DNSCrypt?


DNSCrypt encrypts all DNS traffic between your computer and the OpenDNS servers (so you'll be using OpenDNS). It can protect you from man-in-the-middle attacks, spying and resolver impersonation, can prevent Internet service providers from blocking various websites, and more.

This is the first tool that encrypts DNS traffic. Tor, for instance, encrypts DNS requests, but they are decrypted at the exit node.

It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.

You can read more about DNSCrypt on the OpenDNS DNSCrypt page and on GitHub.


How to use DNSCrypt in Linux


Download DNSCrypt, install it and then run the following command in a terminal:
sudo /usr/sbin/dnscrypt-proxy --daemonize


Then set your DNS server to "127.0.0.1". To do this under GNOME, go to your Network Connections, select "Edit" and enter "127.0.0.1" under "DNS servers". If you are using DHCP, just select "Automatic (DHCP) addresses only", so you can enter a DNS server. Then, restart your network connection.

You can then check if you're using OpenDNS by visiting THIS link.
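A local check to go with the steps above, as an added example that is not part of the original post: it reads resolv.conf content and reports any nameserver that is not a loopback address, since a DHCP-supplied resolver left in the list means queries can still leave the machine unencrypted. It assumes the system resolver reads /etc/resolv.conf directly; the sample content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolv.conf after adding 127.0.0.1 while a DHCP-supplied
# resolver (192.0.2.53, a documentation address) is still listed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 192.0.2.53
search example.lan
"""

def classify_nameservers(resolv_conf_text):
    """Split nameserver entries into loopback (local proxy) and all others."""
    local, remote = [], []
    for raw in resolv_conf_text.splitlines():
        # Drop comments, which resolv.conf marks with '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
        try:
            is_local = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            is_local = False  # unparsable entry: do not count it as the proxy
        (local if is_local else remote).append(fields[1])
    return local, remote

def dns_bypasses_proxy(resolv_conf_text):
    """True if any resolver is non-loopback, or no loopback resolver is set."""
    local, remote = classify_nameservers(resolv_conf_text)
    return bool(remote) or not local

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        local, remote = classify_nameservers(fh.read())
    print("loopback resolvers:", local)
    print("resolvers that bypass dnscrypt-proxy:", remote)
```

A loopback entry only shows that queries go to something on this machine; confirm that dnscrypt-proxy is the process listening on that address.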

To get DNSCrypt to start automatically, you must create an init script. For Ubuntu, see below.

Arch Linux users can install DNSCrypt-proxy via AUR (it includes an rc.d script).


DNSCrypt in Ubuntu


To make DNSCrypt start automatically in Ubuntu, I've created an Upstart script which you can use if you want - download it.

Update: Because in Ubuntu 12.04 there is a local DNS cache running on 127.0.0.1 (dnsmasq), I've updated the script to make DNSCrypt use 127.0.0.2, so you should add "127.0.0.2" as your DNS and not "127.0.0.1" if you're using this script (for any Ubuntu version). Thanks to zzecool for testing it in Ubuntu 12.04!

To install the script, use the commands below (first extract the downloaded archive):
sudo cp dnscrypt.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt

And finally, start it with:
sudo start dnscrypt

DNSCrypt should now start automatically when you boot. To stop it, you can use:
sudo stop dnscrypt


Download DNSCrypt (.deb, .rpm and source code available)


Dropbox: Get Read / Write EncFS Support On Android Using Cryptonite

6:12 PM

Dropbox is very popular, and for good reason: it's fast, you get free storage space which can easily be increased, there are many additional tools that make use of Dropbox and so on. Unfortunately, it doesn't encrypt the data on your computer. This is why, a while back, I suggested encrypting private Dropbox data using EncFS.

But what if you want to access an encrypted folder from an Android device? You can use BoxCryptor, but it has some limitations: the free version has read-only access so you can't upload / modify files, only the first two encrypted folder levels are accessible (deeper folders can't be accessed) and it has limited EncFS support (you have to use custom EncFS settings to be able to use it).

Well, a new Android application has been released recently, solving all these issues: Cryptonite EncFS.


Cryptonite EncFS is still in alpha, but it can already read / write on existing Dropbox EncFS volumes (the upload feature is experimental, but it worked just fine in my test) and has full EncFS support, so there's no need for special EncFS configuration. Oh, and it's free software.

Furthermore, on rooted phones that support FUSE, like CyanogenMod, Cryptonite can also mount EncFS volumes (root is not required for using Cryptonite EncFS with Dropbox).

The application is very easy to use: you click a button to link your Dropbox account and then you can decrypt and browse EncFS folders in your Dropbox. Cryptonite then lets you export or directly open the encrypted files you select and you can also upload files to your Dropbox EncFS folder(s):

Browsing an EncFS volume on Dropbox

You can directly open or export files in EncFS volumes


Download Cryptonite EncFS:


For source code or bug reports, see the Cryptonite EncFS Google Code page.


Dropbox: Access EncFS Folders On Android Using BoxCryptor

4:40 AM

A while back we wrote about encrypting your private Dropbox data using EncFS. And that's a really great way to keep your private Dropbox data safe, but what if you want to access some encrypted files from an Android device?

That's where BoxCryptor comes in. The first public BoxCryptor version for Android was released a few days ago so you can finally access EncFS folders in your Dropbox from any Android device (there's also a BoxCryptor version for Windows and an iPhone / iPad app is currently under development). The application is currently in alpha and for now it can only read encrypted files, but according to its Android Market page, write support will be added in a later version.


BoxCryptor is great, but there are a few quirks. Firstly, BoxCryptor doesn't have full EncFS support so you have to disable some of the default EncFS options to be able to use it (instructions available in the second part of this post). And secondly, in our Dropbox EncFS post, we wrote about excluding the encryption key from getting synced. Well, to be able to use BoxCryptor, you must sync the EncFS key too.

Also, the Windows version of BoxCryptor is free for an encrypted directory with a maximum size of 2GB and you must pay for more. There's nothing about this on the BoxCryptor Android Market page so I assume it's completely free for Android, but I'm not sure, so if you have a large ( >2GB) encrypted directory, let us know if BoxCryptor for Android works for you!

But this is the first public release so hopefully BoxCryptor will get full EncFS support by the time it reaches a stable status.  Oh, and BoxCryptor does offer an extra layer of security: you can set a PIN for unlocking the application.


Here are a few BoxCryptor screenshots:


- The first time you run it, you must select your encrypted folder (".encrypted" in my case):



- Once you select a folder and enter your EncFS password, you can easily open any files available in that folder:



BoxCryptor options:




How to set up EncFS to work with BoxCryptor


To create an EncFS folder under Linux that is supported by BoxCryptor, follow the instructions in our Encrypt Your Private Dropbox Data With EncFS post, but after running the command in step 2, enter "x" for expert configuration mode and set the following options as shown below:


The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible

--> enter "3".

Enable filename initialization vector chaining?
--> enter "no"

Enable per-file initialization vectors?
--> enter "no"

Enable block authentication code headers on every block in a file?
--> enter "no"

Add random bytes to each block header?
--> enter "0"


And finally, skip the last step in our previous post which excludes the EncFS key from being synced.
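To see what these answers leave switched off on an existing volume, here is an added example (not part of the original post or of EncFS / BoxCryptor) that reads the option fields of an .encfs6.xml file and reports, per prompt above, whether the volume matches the BoxCryptor settings and what each reduced setting means. The element names are the ones EncFS 1.7 writes as far as I know them, so compare with your own file; the sample config and the function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: option fields of an .encfs6.xml created with the answers
# above (key, salt and KDF elements omitted; values are illustrative).
SAMPLE = """
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <nameAlg><name>nameio/stream</name><major>2</major><minor>1</minor></nameAlg>
  <keySize>256</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>0</uniqueIV>
  <chainedNameIV>0</chainedNameIV>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
</cfg>
</boost_serialization>
""".strip()

# (config element, value the BoxCryptor setup needs, what that value means)
CHECKS = [
    ("nameAlg/name", "nameio/stream",
     "stream name encoding: encrypted names reveal the original name length"),
    ("chainedNameIV", "0",
     "no filename IV chaining: a name encrypts the same way in every directory"),
    ("uniqueIV", "0",
     "no per-file IV: identical files produce identical ciphertext"),
    ("blockMACBytes", "0",
     "no block MAC headers: altered ciphertext blocks are not detected"),
    ("blockMACRandBytes", "0",
     "no random bytes in block headers"),
]

def audit(xml_text):
    """Return one finding per option from the expert-mode prompts."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an EncFS 6 config file")
    findings = []
    for path, needed, meaning in CHECKS:
        value = (cfg.findtext(path) or "").strip()
        findings.append({"option": path, "value": value,
                         "boxcryptor_ok": value == needed,
                         "reduced_setting_means": meaning})
    return findings

def boxcryptor_compatible(xml_text):
    """True only if every option matches the reduced settings listed above."""
    return all(f["boxcryptor_ok"] for f in audit(xml_text))
```

Run `audit(open(path).read())` on a copy of the volume's .encfs6.xml; any option whose `boxcryptor_ok` is false is one BoxCryptor (at the version described here) will not handle.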


Download BoxCryptor for Android:



Or use this direct Android Market link.


Create / Manage EncFS Folders With Cryptkeeper

4:52 PM


Speaking of EncFS, here is a notification area applet for GNOME that lets you manage EncFS encrypted folders: Cryptkeeper.


Cryptkeeper lets you import or create new encrypted folders, automatically unmount an EncFS folder after a period of time and change the EncFS password.

Cryptkeeper is very easy to use: left click the applet and select Import / New EncFS folder, then follow the instructions. The "change password" option is not very intuitive though: you must left click the applet, then right click an encrypted folder and you'll find the option to change the password as well as to delete the folder or get some detailed info:



Unfortunately Cryptkeeper lacks any advanced features so if you want to specify the encryption type, etc., use encfs via command line.


Important: if you use Ubuntu 11.04, Cryptkeeper won't show up in the notification area (systray) by default so you must whitelist it. See this post for more info: How To Re-Enable The Notification Area (Systray) In Ubuntu 11.04, For All Applications



Install Cryptkeeper


Cryptkeeper should be available in your Linux distribution's official repositories. In Ubuntu, search for it in Ubuntu Software Center or run the following command to install it:
sudo apt-get install cryptkeeper


Cryptkeeper homepage



Encrypt Your Private Dropbox Data With EncFS

1:16 AM


Dropbox is great but the data is not encrypted on your computer (you can read more about this here). There are various ways to encrypt some private files in your Dropbox folder: you can use TrueCrypt, EncFS, SecretSync (now available for Linux too) etc.

- TrueCrypt is great, but to use it with Dropbox you must manually unmount the filesystem to get it to sync, which is kind of against the whole Dropbox idea. For those who don't mind having to manually unmount the filesystem to get it to sync, this is probably a better solution (because TrueCrypt is very easy to set up on any OS: Linux, Windows or Mac).

- SecretSync is a new tool to encrypt some files in your Dropbox folder. While it works great (the bug in the Linux version has been fixed) and is cross-platform, it's no different than Dropbox because the encryption keys are not stored on your computer but on their server. But of course, it does add an extra security layer so you can check this out too!

So the best way to encrypt your Dropbox files is probably using EncFS. EncFS is very easy to configure and doesn't require manually mounting or unmounting the filesystem.

EncFS works on Linux as well as Mac through macfuse or Windows using BoxCryptor. There might be other ways of getting it to work under Windows but I don't use Windows so you're on your own here.

To be able to access some files using your Android phone, etc., you can encrypt only your private files and leave the others unencrypted. That's what I'll be using in the instructions below, but if you want, you can of course encrypt your whole Dropbox folder.


Here's how this works:

- files under ~/Dropbox/.encrypted are encrypted
- files under ~/Private are not encrypted

You place the private files you want to sync in the ~/Private folder and they are then automatically encrypted under ~/Dropbox/.encrypted and synced with Dropbox.

Here's a screenshot too:

(The files you see on the left (under ~/Dropbox/.encrypted/) are the encrypted version of the files on the right (which are under ~/Private))


Even though there are 2 folders, only the encrypted files are stored on your disk and when you access the plaintext files in EncFS, the files are decrypted (or encrypted) on-the-fly. So you won't need extra disk space for this.

(thanks to Robert Freudenreich - the BoxCryptor developer - for this info)



Set up an EncFS folder and sync it with Dropbox (in Linux w/ GNOME)*



1. Install EncFS:
sudo apt-get install encfs


2. To create a new encrypted volume, run:
encfs ~/Dropbox/.encrypted ~/Private

And follow the instructions. Selecting "p" should be enough ("pre-configured paranoia mode") but if you know what you're doing, you can of course select the advanced mode.

If you've used different folder names, adapt the command above to your folders.


3. Now let's use GNOME-EncFS to store the password in the keyring and automatically mount the encrypted folder at startup.

Download GNOME-EncFS, extract it somewhere (let's say in your home directory), rename its folder to "gnome-encfs" (so it's easier to follow the instructions below) and use a terminal to navigate to its directory. If you've renamed the folder like I said and placed it in your home directory, use the following command:
cd ~/gnome-encfs

Now to install it, run:
sudo install gnome-encfs /usr/local/bin

And finally, run:
gnome-encfs -a ~/Dropbox/.encrypted ~/Private

Again, replacing the paths with whatever folders you've used. This command will ask for your EncFS password and if you want it to mount at login - make sure you select "yes".


And you're done. Now the files you place in the ~/Private folder will be mirrored under ~/Dropbox/.encrypted, synchronized and encrypted.


For your 2nd, 3rd, etc. computer running Ubuntu, follow these steps again. For Windows you can use BoxCryptor and macfuse for Mac. Unfortunately I don't use Windows or Mac so I can't help you configuring them.



Optional: exclude the EncFS key from being synced


You can set Dropbox not to sync your EncFS key if you want. But by doing this, you'll have to manually copy the key on the 2nd, 3rd computer, etc. in the ~/Dropbox/.encrypted folder.

1. Copy the key from ~/Dropbox/.encrypted folder somewhere safe. The key is called ".encfs6.xml" and is a hidden file so press CTRL + H to see it.

2. Run the following command to get Dropbox to ignore your EncFS key:
dropbox exclude add ~/Dropbox/.encrypted/.encfs6.xml

In my test, the ~/Dropbox/.encrypted/.encfs6.xml file was deleted after running the above command but since you've copied it somewhere else (step 1), you can now copy the ".encfs6.xml" file back to ~/Dropbox/.encrypted/

3. Open the Dropbox site and delete the .encrypted/.encfs6.xml file.


Update: also see -> how to access EncFS Dropbox folders on Android (these instructions should work for Windows too).


* Instructions tested on Ubuntu 11.04 32bit.


Post inspired by:
