gnupg – Encrypt backup files and send them to AWS S3

I know it’s not specifically your question, but S3 has an inbuilt ability to encrypt/decrypt already, and it’s probably a better solution.

Here’s how it works, when you upload the data to S3, you specify a kms key to encrypt the data. Ensure your IAM role assigned to your ubuntu machine must have the right permissions to do upload and encryt, namely kms:Encrypt.

Then for downloading and decrypting this data, ensure that the downloading machine has the right IAM role with the right permission to decrypt it, namely kms:Decrypt.

This ensures that data is viewable only to the party that has the right permission (AWS Credentials) to both download & decrypt the file — without the need for client-side encryption that can get both messy and insecure.

From Zero to Encrypted With nginx and Let’s Encrypt

Let’s Encrypt is a free https certificate you can install on your cheap VPS for free, browser-validated https.  In this tutorial, we’ll walk through setting up Let’s Encrypt https on an nginx host running on Debian 10.

We’ll be installing nginx from scratch but not will not be getting into php-fpm and other extensions in this tutorial. I’ll be starting from a spanking new VPS on Vultr.

This tutorial assumes that you’ve already got your DNS records setup. In other words, if you’re setting up for www.example.com, then www.example.com already has an A record or CNAME that points to your VPS. Note that the certbot installer we’ll be using will query DNS, so this must be working properly.

Installing nginx in straightforward:

apt-get update && apt-get upgrade
apt-get install nginx

I’ll be setting up www.lowend.party and putting its web root in /web/www.lowend.party.

Let’s configure the web root and log directory:

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

We want separate logs for each domain we host, and we want to rotate those logs. We can Debian’s log rotation system to accomplish this. We do this by placing the appropriate rules file in /etc/logrotate.d. Start with nginx’s basic log rotation rule:

cp /etc/logrotated.d/nginx /etc/logrotate.d/nginx_domain_logs

Now edit /etc/logrotate.d/nginx_domain_logs and modify as follows:

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

Before setting up https, we’ll setup http. I’ll place a place-holder index.html in /web/www.lowend.party:

<html>
<head>
<title>www.lowend.party test page</title>
</head>
<body>
<h1>www.lowend.party works!</h1>
</body>
</html>

Now take a look at /etc/nginx. /etc/nginx/sites-available should have a file for every single site we might host. Then we symlink into /etc/nginx/sites-enabled to turn on or off specific sites.

Let’s create a basic nginx config by creating /etc/nginx/sites-available/www.lowend.party:

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }
}

Now make it live by:

ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

Let’s syntax check that file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart nginx:

systemctl restart nginx

Then I visited http://www.lowend.party and successfully saw the HTML I created early.

Let’s start by installing certbot, the package that will setup https for us and keep our certificate fresh:

apt-get install certbot python-certbot-nginx

Now for the magic! Run this command:

certbot --authenticator webroot --installer nginx

And then follow along with the interactive install. My input is bolded:

# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number (1-2) then (enter) (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

Now take a look at /etc/nginx/sites-available/www.lowend.party:

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot
}

certbot has done the following:

  • provisioned an SSL certification for www.lowend.party
  • loaded the SSL configuration in /etc/letsencrypt
  • updated /etc/nginx/sites-available/www.lowend.party and put the proper nginx rules in place to serve HTTPS
  • also added an entry so that if you connect on http, it redirects to https

And going to http://www.lowend.party in my browser confirms everything is working correctly.

Here’s a cool part of the certbot system: this chore is already taken care of for you.

Take a peek in /etc/systemd/system/certbot.timer and you’ll see a job is setup to run twice a day to check renewal and renew if needed.

encryption – Should we encrypt all REST API calls from a mobile device?

I have a mobile application and the backend is hosted on a cloud provider. I would like to ask for feedback on encrypting all REST API calls that will be used to communicate with the server, if we should or we shouldn’t do it.

Adding details:

for example instead of having a proper rest object

{
   "name" : "username",
   "info" : "profile"
}

make it similar to this:

{
   "encryptedData" : "Mq6rTVdPP1YMlE9AxhnryIRX+JA9MfIXv"
}

and after decryption it becomes the model and the flow carries on, of course the response is also expected to be encrypted in a similar fashion.

encryption – How can I encrypt something with a PGP private key?

I understand the normal operation is to encrypt with someone’s public key and decrypt with the private. And I’m also aware of how signatures usually work. However I’d like to ensure that in order to access the data, the recipient has actually gotten my public key and decrypted the data with it. My understanding this is possible with RSA. Is that correct that this is possible?

If so, how do I do this? And how do I then decrypt the resulting file? Ideally this is something that GPG would be able to do (tho it doesn’t look like Kleopatra on windows is able to do that that I can see).

Is it possible to encrypt data using an AIK audience with TPM2.0?

I am using a TPM for my project, I generate an AIK and I want to encrypt the data with this key.

I tried many commands but none of them works, so I don't know how to do it.
Can anybody help me?

Compress and encrypt file systems for backups

I am currently backing up the remote OS while maintaining permissions using rsync:

rsync -aAX --numeric-ids --delete ... root@X.X.X.X:/ /backup/server/

Now I want to back up the backup to a third party. Currently I have:

tar --xattrs -czpf - "/backup/server/" | openssl enc -aes-256-cbc -a -salt -pass pass:"$KEY" -out "/backup/server.encr"

Which will compress and encrypt while retaining permissions.

Eventually I'd like to write this to Go, but preserving permissions seems a bit tricky. Is there an alternative in a library to do this?

users: should I encrypt the response that triggers an Ajax action? Is not sufficient?

I am trying to write a custom user registry plugin. The plugin has 5 basic functionalities.

  1. Take form data and create a user using wp_insert_iser
  2. Once a user is created update the user meta for additional fields
  3. Send an e-mail
  4. Send SMS
  5. Send to Whatsapp

To speed up the whole process, I have created 5 ajax actions for the above 5 steps. Once the first step is complete, I send a success message for each action, such as:


if ($user_id) // Successfully user is created

$data = (
'user_id' => $user_id,
'next_actions' = (
    'update_meta_field' => wp_create_nonce($userid . 'update_meta_field')),
    'send_sms' => wp_create_nonce($userid . 'send_sms')),
    'send_mail' => wp_create_nonce($userid . 'send_email'),
    'send_whatsapp' => wp_create_nonce($userid . 'send_whatsapp')
));

wp_send_json_success($data);

Once the response has been received on the client side, 4 ajax actions are activated in ajaxSuccess event and executed asynchronously. E.g

$document.ajaxSuccess(function( event, request, settings, response ) {

        let next_actions = response.data.next_actions;
        let user_id = response.data.user_id;

        $.each(next_actions, function (action, nonce) {
            $.ajax({
                url: ajaxurl,
                type: 'post',
                dataType: 'json',
                data:{
                    action: action,
                    nonce : nonce,
                    user_id: user_id,
                },
                success: function (response) {
                    console.log(response);
                }
            });
        });
    });

So my queries are

  1. Are there any security flaws in my approach?
  2. Isn't that enough for it or should I encrypt the answer because I'm exposing user_id or username to clients? Does WordPress provide any native encryption / decryption function or method?
  3. I required to share some variables among 5 actions. I choose set_transient to share form data in all actions. Is efficient? Or should I go for SESSION? I heard that some hosting servers remove session id from the header. It is? Any efficient performance alternative please?

encryption: how can I encrypt Windows if I use an SSD and HDD?

I need to encrypt my Windows disks with full disk encryption. Windows is already installed and all drives have data.

My drives / disks:
1 SSD – C: drive
1 HDD – D: drive and I have a drive where Linux is installed

I need to encrypt C: and D: drives so that no one will see my files in case they access my PC or use Live Boot CD to boot.
I reviewed Veracrypt. It is open source, but allows only my C: to be encrypted because Veracrypt system encryption encrypts a partition or drive where Windows is installed and booted from. So my D: remains unencrypted.
Then I checked Bitlocker. I can use it, because I use Windows Enterprise. They are closed sources, but I saw different articles like Crack Bitlocker, Delete Bitlocker while searching on Google about Bitlocker. I don't know if that software works. Bitlocker will allow me to encrypt all my Windows C: and D: drives. But do I want to know if Bitlocker is safe?
What encryption should I use in my case? Maybe some other encryption software?

nodejs – Error: Illegal arguments: number at Object.bcrypt.getSalt encrypt – Does not encrypt password

I do not understand what the error may be, the documentation mentions that the minimum number to generate the salt is 10 and I am using it, if someone could help me.

This is the code that I execute when registering a user.

usersController.singUp = async (req, res) => {
    const { name, email, password, confirm_password } = req.body;
    const errors = ();
    let data = { name, email };

    if (password != confirm_password) errors.push({ text: "Passwords no coinciden" });
    if (password.length < 4) errors.push({ text: "El password es menor a 4 caracteres" }); 

    // console.log(req.body);
    // console.log(errors);

    if (errors.length > 0) res.render('users/singup', { errors, data });
    else {
        const emailUser = await User.findOne({ email: email });

        if(emailUser){
            req.flash('error_msg','The email is alredy in use');
            res.redirect('/users/singup');
        } else {
            try {
                let newUser = new User({ name, email, password });

                // Cifraremos la contraseña
                newUser.password = await newUser.encryptPassword(password);
                // Guardamos al usuario
                let result = await newUser.save();
                // console.log(result);
                req.flash('success_msg', 'You are registered');
                res.redirect('/users/singin');
            } catch (error) {
                console.log(error);
            }
        }
    }
};

This is the path I use to run it.

router.post('/users/singup', singUp);

And this is the model that I use for users.

const { Schema, model } = require('mongoose');
const bcrypt = require('bcryptjs');

const userSchema = new Schema({
    name: { type: String, required: true },
    email: { type: String, required: true , unique: true},
    password: { type: String, required: true }
},{ timestamps: true });

// Cifra la comtraseña
userSchema.methods.encryptPassword = async (password) => {
    console.log('antes');

    const salt = await bcrypt.getSalt(10);
    console.log(salt);
    const hash = await bcrypt.hash(password, salt);
    console.log(hash);

    return hash;
}

// Compara la contraseña con la de la bd
userSchema.methods.matchPassword = async function(password){
    await bcrypt.compare(password, this.password);
};

const User = model('User', userSchema);

module.exports= User;

However, wanting to encrypt the password and wanting to save it together with the new user throws the following error:

enter the image description here

I already looked for the error but none of the things that I have found have helped me to fix it and understand why the error is due.

Python: how safe is it to encrypt data using keys generated with a single password?

I want to encrypt / decrypt a plain text file with a single password in Python. It will be used in a simple text editor / note application, not on a strong system, but I want it to have a decent level of security.

What I tried so far was to take a password, use this password as seed to generate a random psuedo-string to use as salt, and pass the password and salt to the PBKDF2 function to generate a 16-bit key which is then used to AES encryption:

from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.Padding import pad, unpad
import random
import base64

BLOCK_SIZE = 32

password = "takenFromUser"
random.seed(password)
salt = ''.join(random.choice(string.ascii_lowercase) for i in range(32))

key = PBKDF2(password, salt, 16, 1000, None)

cipher = AES.new(key, AES.MODE_ECB)

msg_to_encrypt = b'plain text string'
encoded_msg = cipher.encrypt(pad(msg_to_encrypt, BLOCK_SIZE))
print(encoded_msg)

decoded_msg = unpad(cipher.decrypt(encoded_msg), BLOCK_SIZE)
print(decoded_msg)

However, it works. I have very limited encryption knowledge, so I want to know if this system is reliable or not for what it is supposed to do.

1 – Does this make no sense?

2 – Does the salt generated with random.seed() it will always be the same regardless of the system, time, etc.

3 – Is this a good solution?