Securing your work with encrypted workspaces

To encrypt, or not to encrypt, that is no longer a question. The answer is always yes, and sometimes yes with a hardware token.

There is no reason in this day and age to leave data unencrypted. Full-disk encryption is easier than ever and its performance impact on modern hardware is negligible. It provides adequate protection if your laptop is stolen or lost while powered off. In this blog we will take encryption a step further and look at how you can set up encrypted workspaces for your projects that you mount on a per-project or per-customer basis. This provides an additional layer of protection with some extra benefits.

To go with the times, we will authenticate with a YubiKey and use an encryption back-end that hides the volume contents, including file sizes and directory structure. Whilst seemingly overkill, setting this up requires little effort and provides a level of security that is acceptable for working with sensitive data. The tutorial at the end is given for Ubuntu, but the software and approach used work on macOS and Windows too.

The benefits

There are good reasons to apply seemingly redundant encryption. Once your OS is booted, all data on your disk appears unencrypted to you and to your applications. This can become a problem in multiple scenarios, but the one we will highlight here is when you back up your data to the cloud.

Many of us store a (real-time) copy of our data with a cloud provider because of the convenience it provides. Yet doing so without our own encryption exposes us to additional risk: we have to trust both the provider's encryption and the provider's privacy policy. When working with sensitive customer data we do not have the freedom to make either assumption.

Using encrypted volumes as an extra level of protection gives us both security and convenience, allowing us to use any cloud provider without having to trust it with the plaintext.

What we need

We will need three things: an encryption backend for the encryption itself, a hardware token intended as a second factor, and a tool to glue the two together.

For the encryption backend we will use CryFS, a relatively young backend written for use with cloud storage providers such as Dropbox or OneDrive. The hardware token will be the popular YubiKey. The tool to glue it all together is SiriKali, which supports both CryFS and our YubiKey.

Setup tutorial

1. Dependencies

We will install the cryfs, sirikali and yubikey-personalization packages. We need to add the SiriKali repository before we can use apt to install them.

If you forget to add the SiriKali repository you will get an older version of the application without YubiKey support! Two caveats: the repository URL below targets xUbuntu_19.10, so pick the directory that matches your release, and apt-key adds the repository's signing key to the keys trusted for every apt source, so you are extending trust in this repository owner to all package installs, not just these three packages.

# Add SiriKali sources
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/obs_mhogomchungu/xUbuntu_19.10/ /' > /etc/apt/sources.list.d/home:obs_mhogomchungu.list"
wget -nv https://download.opensuse.org/repositories/home:obs_mhogomchungu/xUbuntu_19.10/Release.key -O Release.key
sudo apt-key add - < Release.key
sudo apt-get update

# Install packages
sudo apt install cryfs sirikali yubikey-personalization

2. Configure our YubiKey to use HMAC-SHA1 Challenge-Response

This sounds and looks a lot harder than it is. Let’s look at the command and break it down:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig

– Use the 2nd slot of our YubiKey (slot 1 holds the Yubico OTP credential by default)

– Set the slot to challenge-response mode

– Use HMAC-SHA1 as the challenge-response algorithm

– Accept a variable-length challenge of fewer than 64 bytes (rather than a fixed 64-byte challenge)

– Require a touch of the YubiKey before it answers

Test that your YubiKey is configured correctly by running ykchalresp -2 "challenge" and touching your YubiKey. If all went well you will receive the response as a 40-character hexadecimal string (the 20-byte HMAC-SHA1 output).

Note that running this command a second time generates a fresh random secret, overwrites the one in slot 2 and locks you out of your encrypted volumes! The same goes for losing the YubiKey itself, since the secret cannot be read back out of the token. If you want a way to recover, program the slot with a secret you chose yourself using the -a option (followed by the key as 40 hex characters) and keep that secret somewhere safe, for example to program a second YubiKey identically.

3. Create an encrypted volume using SiriKali

Start SiriKali and press "Create Volume". CryFS will be an available option; select it. As an example we will call the volume "SensitiveProject". Set the volume path to the location where you want to store the encrypted data and set the dropdown to "YubiKey Challenge/Response". Write your password in the Key field and create the volume.

This concludes the set-up! The final step is to actually mount and use the volume.

Tech deepdive: Challenge-Response & SiriKali

It is interesting to look at the challenge-response implementation used here in depth, as it deviates from what you might expect. As part of activating challenge-response mode, ykpersonalize automatically programmed a random secret into slot 2 of our YubiKey. Applications can now challenge the slot with a string (the challenge) and receive an HMAC-SHA1 value back that is unique for that challenge (the response). Given the same challenge, the response will always be the same.


Usually an application generates a fresh, unique challenge for each authentication attempt. The application then verifies the YubiKey's response using the same secret that is stored on the YubiKey. This way the secret is never sent across, and a response is of one-time use: it only answers the challenge it was issued for, so a malicious actor who captures it cannot reuse it.
But this requires sharing the secret with the application beforehand, something we have not done here: SiriKali has no copy of the slot secret. This means the response itself must be what is used to encrypt and decrypt the data. Using the response directly is not insecure in itself; it is no weaker than using a static password.


Since the source code of SiriKali is available we can confirm our assumptions. The challenge that is sent to our YubiKey is taken from the "Key" field in the GUI, and should you leave it empty the challenge will simply be a newline character ("\n"). The response is then handed to CryFS as the password for the volume we created, from which CryFS derives the actual encryption key.


Long story short, the challenge-response mode as used here is not much different from a static password: the same Key field always yields the same response, and that response is the secret that opens the volume. We are therefore not using our YubiKey as a second factor in the protocol sense, but as an extra step that transforms our password. What that step still buys us is that the password alone is useless: computing the response requires the HMAC secret that never leaves the token, so an attacker who only learns the password cannot open the volume. An attacker who captures the response itself, for instance on a compromised host while the volume is mounted, can reuse it indefinitely.
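To make the difference concrete, here is a small model of a YubiKey HMAC-SHA1 slot and its two uses: the conventional fresh-challenge protocol, and the static derivation described above in which the response becomes the CryFS volume password. It is an illustrative example added to this post, not code from SiriKali, CryFS or Yubico. The slot secret is a constructed test value (a real token never reveals its secret), the "empty Key field means a newline challenge" rule is taken from the post rather than re-checked against SiriKali's source, and the 63-byte limit for -ohmac-lt64 is an assumption. If you programmed slot 2 with a known secret via -a, slot_response gives the string that the ykchalresp -2 test from step 2 should print, which is a handy way to confirm the slot holds what you think it holds.

```python
"""Model of a YubiKey HMAC-SHA1 challenge-response slot and its two uses:
the conventional fresh-challenge protocol, and the static-key derivation
this post describes for SiriKali + CryFS.

Illustrative example added to the post; not code from SiriKali, CryFS or
Yubico. SLOT2_SECRET is a constructed test value: a real token never
reveals its secret, the host only ever sees responses.
"""
import hashlib
import hmac
import secrets

# Constructed 20-byte secret, the kind of value you would program with
# `ykpersonalize -2 -a <40 hex chars>` so that it can be backed up.
SLOT2_SECRET = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")


def slot_response(secret: bytes, challenge: bytes) -> str:
    """What the token computes for slot 2: HMAC-SHA1(secret, challenge),
    as the 40-character hex string that `ykchalresp -2` prints.

    If you programmed the slot with a known secret, comparing this value
    with the real ykchalresp output confirms the slot holds that secret.
    """
    if len(challenge) > 63:
        # -ohmac-lt64: variable-length challenge of at most 63 bytes
        # (assumption about the flag's limit, check Yubico's docs).
        raise ValueError("challenge must be shorter than 64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


class Verifier:
    """Conventional use: an application that shares the slot secret and
    issues a fresh random challenge per attempt."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, response_hex: str) -> bool:
        # Each challenge is answered at most once, so a captured response
        # cannot be replayed against a later login.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha1).hexdigest()
        return hmac.compare_digest(expected, response_hex)


def conventional_login(verifier: Verifier, token_secret: bytes) -> bool:
    """One round trip: verifier challenges, token answers, verifier checks."""
    challenge = verifier.new_challenge()
    return verifier.check(challenge, slot_response(token_secret, challenge))


def sirikali_challenge(key_field: str) -> bytes:
    """The post reports that SiriKali sends the Key field as the challenge
    and a bare newline when the field is empty (taken from the post, not
    re-verified against SiriKali's source here)."""
    return (key_field or "\n").encode()


def volume_password(token_secret: bytes, key_field: str) -> str:
    """Static use: no verifier and no fresh challenge. The response is what
    gets handed to CryFS as the volume password, so the same Key field on
    the same token always yields the same password."""
    return slot_response(token_secret, sirikali_challenge(key_field))


if __name__ == "__main__":
    verifier = Verifier(SLOT2_SECRET)
    print("conventional login:", conventional_login(verifier, SLOT2_SECRET))
    print("volume password   :", volume_password(SLOT2_SECRET, "hunter2"))
    print("same again        :", volume_password(SLOT2_SECRET, "hunter2"))
```

Run as a script it prints the same volume password twice, which is the whole point: the verifier path rejects a replayed response and a token with the wrong secret, while the SiriKali path has nothing to reject, so whoever holds the response holds the key, and whoever holds only the Key field text does not.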

4. Mount and use the volume

The encrypted volume must be mounted in another directory before it can be opened and used. This is done by pressing "Mount Volume" in SiriKali and selecting the directory that you provided in step 3. You will then be asked for the Mount Path (where do you want to mount the volume?), Key type (YubiKey Challenge/Response) and Key (your password); then insert your YubiKey and touch it when prompted.

You can now browse to the Mount Path you provided and access your data.

Conclusion

Using multiple layers of security is best practice for good reasons. Full-disk encryption is easily enabled, but it is not enough protection by itself once you expose your data to other software (in the cloud or otherwise). To protect ourselves better we have added a layer of security in the form of an encrypted volume. Using CryFS, a YubiKey and SiriKali we have created an easy-to-use system for creating and mounting encrypted volumes that are safe to store in the cloud.

Ilia Awakimjan

Ilia Awakimjan has been a Software Engineer specialising in AWS at Profit4Cloud since 2017, after obtaining his Master's degree. Ilia is certified as AWS Certified DevOps Professional, AWS Certified Security Specialty and AWS Certified Networking Specialty.