A handheld gadget that encrypts your drives on the fly
Pocket sized encryption for your removable media!
Cryptopuck is a hand-held device that will encrypt whatever drive gets attached to it. Currently, the encryption is performed on a Raspberry Pi Zero, but the software should work on any Linux system that can run Python. The device enables its users to encrypt their removable media on the fly, simply by plugging them into Cryptopuck.
The concept is based on the Cryptopuck not being able to decrypt the files and the user being in a position to plausibly claim that they are incapable of decrypting them. This is because the private key that can decrypt the files cannot be memorized and is stored remotely. Therefore it cannot be compromised by a perpetrator who gets hold of the Cryptopuck device that encrypted the files. However, since this is filesystem-level encryption, the Cryptopuck user cannot deny that they have encrypted the files. Additionally, the file sizes are visible, but no other kind of metadata is, such as the filenames, which are safely encrypted.
The software is made up of the following Python 3 scripts:
cryptopuck.py
encrypt.py
decrypt.py
generate_keys.py
DISCLAIMER: Please keep in mind this is a proof-of-concept system that toys around with the idea of a portable gadget that will encrypt your removable media. It incorporates hardware and software which have neither been audited nor designed for security-critical applications. There is absolutely no guarantee that your files will be safely encrypted or remain intact after using Cryptopuck.
The Cryptopuck software is written in Python 3 and is automatically launched after each boot. It detects when a new removable medium is mounted and encrypts it. The files are encrypted symmetrically, with AES-256 using a randomly generated 32-byte key. This key is then placed among the encrypted files, but not before it is itself encrypted with an RSA asymmetric algorithm. The files are given random names and are all placed in the root directory in order for the file structure to be hidden. The original structure is saved in a JSON file that gets encrypted and is also placed among the other files.
The encrypted medium can be decrypted using the private key. Specifically, the private key decrypts the symmetric key which then in turn decrypts the rest of the files and the file structure is restored.
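The scheme described in the two paragraphs above, as an added example that is not Cryptopuck's own code. It uses the `cryptography` package rather than the pycrypto the project installs, and the AES-GCM mode, RSA-OAEP padding, the `manifest.enc` and `key.enc` file names and all function names are assumptions the page does not specify. Because anyone holding the public key can produce a validly encrypted drive, the restore step treats the manifest as untrusted and rejects paths that escape the destination.

```python
import json, os, secrets, tempfile
from pathlib import Path
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed padding and mode: the page only says "RSA" and "AES-256".
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def seal(aes, plaintext):
    nonce = os.urandom(12)  # fresh 96-bit nonce for every file
    return nonce + aes.encrypt(nonce, plaintext, None)

def unseal(aes, blob):
    return aes.decrypt(blob[:12], blob[12:], None)  # raises InvalidTag if modified

def encrypt_tree(src, dst, public_key):
    src, dst = Path(src), Path(dst)
    key = AESGCM.generate_key(bit_length=256)  # random 32-byte symmetric key
    aes, manifest = AESGCM(key), {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        name = secrets.token_hex(16)  # random name, stored flat in the root
        manifest[name] = path.relative_to(src).as_posix()
        (dst / name).write_bytes(seal(aes, path.read_bytes()))
    (dst / "manifest.enc").write_bytes(seal(aes, json.dumps(manifest).encode()))
    (dst / "key.enc").write_bytes(public_key.encrypt(key, OAEP))  # only the private key opens this

def decrypt_tree(src, dst, private_key):
    src, dst = Path(src), Path(dst).resolve()
    aes = AESGCM(private_key.decrypt((src / "key.enc").read_bytes(), OAEP))
    manifest = json.loads(unseal(aes, (src / "manifest.enc").read_bytes()))
    for name, rel in manifest.items():
        out = (dst / rel).resolve()
        if dst not in out.parents:  # manifest is untrusted: block path traversal
            raise ValueError(f"manifest path escapes destination: {rel!r}")
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(unseal(aes, (src / name).read_bytes()))

def demo():
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    with tempfile.TemporaryDirectory() as tmp:
        plain, enc, out = (Path(tmp) / d for d in ("plain", "enc", "out"))
        for d in (plain / "photos", enc, out):
            d.mkdir(parents=True)
        (plain / "photos" / "a.jpg").write_bytes(b"constructed sample bytes")
        (plain / "notes.txt").write_bytes(b"constructed sample text")
        encrypt_tree(plain, enc, private_key.public_key())
        visible = sorted(p.name for p in enc.iterdir())  # what a finder of the drive sees
        decrypt_tree(enc, out, private_key)
        return visible, {p.relative_to(out).as_posix(): p.read_bytes() for p in out.rglob("*") if p.is_file()}
```

Each ciphertext is 28 bytes longer than its plaintext (12-byte nonce plus 16-byte tag), so file sizes stay visible, as noted above.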
There are many reasons you would want to encrypt your removable media on the fly. Maybe you are a reporter who has gotten hold of important files or a photographer in a warzone and need to cross some checkpoints. Perhaps you need to deliver your proprietary corporate software to a customer or an off-site location and cannot have it transported around in clear form. Or you just want to encrypt your drive before passing the nosy TSA check at the airport. Or wait, that could get you into more trouble so don't do it! :laughing:
To set things up, you will need to get your RPi Zero connected to the Internet, and some very light soldering will be necessary to put everything together. Neither of these topics will be covered here.
sudo apt-get update --fix-missing
pip for Python 3:
sudo apt-get install python3-pip
pip3 install pycrypto
pip3 install pyinotify
pip3 install RPi.GPIO
udiskie, which will help us automount the removable drives:
sudo apt-get install python3-udiskie
udiskie will not allow you to mount disks as a non-root user. That is technically not necessary, but I did not like it, so I made some changes in the configuration files.
sudo nano /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
to:
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
rng-tools:
/dev/hwrng by editing /etc/default/rng-tools:
HRNGDEVICE=/dev/hwrng to the file (or uncomment the existing entry)
exit 0 in /etc/rc.local:
sudo nano /etc/rc.local
# Run udiskie
su pi -c '/usr/bin/udiskie --no-notify --no-file-manager &'
# Create mountpoint if it does not exist so we can monitor it with the Python script
su pi -c '/bin/mkdir -p /media/pi'
# Run Cryptopuck and save logs
su pi -c '/usr/bin/python3 /home/pi/cryptopuck/cryptopuck.py --mountpoint=/media/pi/ --public-key=/home/pi/cryptopuck/key.public >> /home/pi/cryptopuck.log 2>&1 &'
/home/pi folder. You can either use git or copy the files directly to the microSD card.
python3 generate_keys.py
(key.private) off the Cryptopuck. You should never use Cryptopuck with the private key stored on the Raspberry Pi, because if the perpetrator discovers it, they will be able to decrypt your files.
decrypt.py script:
python3 decrypt.py --source=/path/to/your/drive/ --destination=/path/to/your/drive/ --private-key=/path/to/your/key.private
[life/freedom/industrial secrets/X] on this?