This topic contains steps for using the CryptTool:

• Encrypting a config file
• Decrypting a config file
• Launching the key server with encrypted config files

Encrypting a config file

1. Create config file the way you normally do.

       $ echo "This is a secret" > config.txt
       
   
       $ cat config.txt
       This is a secret
   

2. Generate a secure, printable password with at least 256 bits of entropy. Use one of the following methods:
   • Use openssl [recommended].

       $ openssl rand -base64 32
       mWQuj9FdGJk/3zPy0jJu3ii7+GWpDfz0E84wLuc3OJE=
   

   • Use /dev/random directly.

       $ dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64
       HlQJetaCPRgCBXCQ/51RpLnUF1wHwCW6Bb/MpX/C9EU=
   

   • Use your organization's preferred password generator, making sure to request at least 256 bits of entropy.
3. Disable shell history (prevents saving the password to disk).

       $ set +o history
       
   
      (NOT A TYPO: in bash, "+o" disables history, and "-o" enables it)
   

4. Encrypt your config file.

       $ PW=mWQuj9FdGJk/3zPy0jJu3ii7+GWpDfz0E84wLuc3OJE= ./cryptool -pwsrc=PW config.txt > config.crypt
       
   
       $ cat config.crypt
       o0TwgAoz5yKba8mokItweb+clgAi8ClEWzP1aRB/s2Fc6UY9R4VFs3tKJjos7ubAoaE=
   

5. Re-enable shell history when you are done, if desired.

       $ set -o history
       

6. Store your password securely, retrieve it, then verify you can decrypt the config file using the procedure below, with the retrieved password. As always, take care to mark similar characters distinctly, such as the number 1 vs the lower case 'L'.)
7. Securely remove the plaintext version of the config file from disk.

       $ shred -z -u config.txt || srm config.txt || wipe config.txt || rm -f config.txt
       

   The effectiveness of secure removal depends on the details of your disk subsystem. SSDs, journaling or log-structured file systems like EXT3 may limit the effectiveness of these tools. If you are not sure, consult with your system administrator, or create and encrypt your config file on an air-gapped, trusted system)

Decrypting a config file

Use the following steps to decrypt a file for editing.

1. Disable shell history.

       $ set +o history
       

2. Decrypt your config file.

       $ PW=mWQuj9FdGJk/3zPy0jJu3ii7+GWpDfz0E84wLuc3OJE= ./cryptool -pwsrc=PW config.crypt > config.txt
       

3. Re-enable shell history when you are done, if desired.

       $ set -o history
       
   

Launching the key server with encrypted config files

When using encrypted config files, the end-user is responsible for securely delivering the password to the key server at startup time. The key server can read this password from either an environment variable or from stdin. Environment variables are a more convenient delivery mechanism, but are slightly less secure, since the environment variables can be snooped by another root-level process on the system. (SeLinux and other similar mechanisms can be used to mitigate this.)

Manually launch using environment variables

  $ PWVAR=mypassword /path/to/keyserver -config /path/to/configFile -pwsrc=PWVAR

Manually launch using stdin

  $ [execute shell command that will print out the password on its own line] | /path/to/keyserver -config /path/to/configFile -pwsrc=-

  e.g.

  $ echo mypassword | /path/to/keyserver -config /path/to/configFile -pwsrc=-