CrypTag
Encrypted, taggable, searchable cloud storage.
CrypTag was announced at DEF CON 23 in August of 2015. Presentation
slides:
https://talks.stevendphillips.com/cryptag-defcon23-cryptovillage.
What is CrypTag?
CrypTag is an idea, a spec, an API, and a piece of software that makes
it easy to build a zero-knowledge system, which means that the server
holding user data doesn't know what it is (since it's encrypted).
It is meant as a primitive to be used to build more sophisticated
systems that would rather not re-implement the pieces necessary to
build a zero-knowledge system, but several useful command line
applications have been built with it so far, namely cput (for
encrypting/saving files), cget (for fetching/decrypting files), and
cpass (CryptPass, a password manager).
To use a command line password manager, CryptPass, see "Getting
Started with CryptPass", below.
How is it searchable and encrypted?
It's not fully searchable; you can query by tag. See slide 7 of the
presentation from DEF CON 23:
https://talks.stevendphillips.com/cryptag-defcon23-cryptovillage/#/7
Then the server stores the tags in plaintext?
Nope! The client stores mapping between tags ("snowden") and a random
hex string ("b6a27d9"), and the server only ever sees the random
strings.
(The client also encrypts these mappings and stores them to the
server, too.)
Use Cases (what CrypTag is good at) + Syncing via Dropbox
I personally have virtually all data I want shared between my laptops
in one Dropbox folder that CrypTag-based programs add (encrypted) data
to and grab it from.
I've been using cpass to store and fetch...
- Passwords (cpass @elimisteve)
- Credit card numbers (cpass visa digits)
- Quotes (cpass nietzsche quote)
- Bookmarks, tagged like on Pinboard or Delicious (cpass url snowden)
- Command line commands -- cross-machine shell history! (cpass install docker)
- GitHub recovery codes (cpass github recoverycode)
For more on getting started, including how to safely and securely
share passwords with others via a shared Dropbox folder, check out
this section of the README:
https://github.com/elimisteve/cryptag#getting-started-with-cryptpass
It's still early days for CrypTag and CryptPass, so don't trust your
life with cpass. Eventually I will have the code professionally
audited for security flaws.
Getting Started with CryptPass
The current focus for CrypTag is creating a password manager out of it
called CryptPass. CryptPass exists as a command line tool (cpass
)
you can use to store and retrieve passwords. Unencrypted passwords
never touch disk; they are stored encrypted, read into memory, then
printed to your terminal for you to use, with the first one found
added to your clipboard.
TL;DR version
Install + config:
go get github.com/elimisteve/cryptag/cmd/cpass
cpass
Create passwords, fetch them by tag, or delete them:
cpass create mytwitterp4ssw0rd twitter @myusername tag3 tag4
cpass @myusername
cpass delete twitter
Keep reading for more advanced options, including password sharing via
shared Dropbox folders.
Installing cpass
Install Go (instructions), then run
go get github.com/elimisteve/cryptag/cmd/cpass
That's it! Now run
cpass
cpass
will generate a new encryption key to store your passwords
with, as well as create the directories it will use to store your
data, all in ~/.cryptag
(by default).
Using cpass
Create a new password and associated tags with commands like:
cpass create mycr4zyemailp4ssw0rd gmail email elimisteve@gmail
cpass create mytwitterp4ssw0rd twitter @elimisteve
cpass create mycr4zyAWSp4ssw0rd4myj0b work aws
Fetch the password you're looking for and see them printed to the
screen with commands like:
cpass gmail
cpass @elimisteve
cpass aws work
For convenience, cpass
adds the first password found to your
clipboard so you can paste it into whichever program you're using.
To view all your passwords, run
cpass all
And finally, to delete all passwords with certain tags, run
cpass delete aws
To only delete one specific password, not all passwords with a generic
tag (e.g., "email") that you may have used to tag multiple passwords,
use the password's tag of the form id:...
, which is auto-generated
and guaranteed to be unique:
cpass delete id:a91d46c7-45bb-48e4-43d1-642196df15b2
Multiple Storage Backends
Maybe you want to store your personal data in ~/.cryptag
but have
passwords you share with colleagues at ~/Dropbox/cryptag_work
, for
example. (With cpass
this is secure because plaintext, unencrypted
passwords will never touch ~/Dropbox/cryptag_work
.)
Create a new backend with the desired name (e.g., "work") by running
CRYPTAG_BACKEND_NAME=work cpass
You can then change the value of DataPath
at the end of
~/.cryptag/backends/work.json
to wherever you want your work
passwords stored (e.g., /home/MYUSERNAME/Dropbox/cryptag_work
),
being sure to use the absolute path.
(Dropbox note: CrypTag-based programs generally, and cpass
specifically, store each piece of data (e.g., each password and each
tag) in a separate file, so it is safe for multiple people to create
passwords simultaneously and save them to a shared Dropbox folder,
unlike with KeePass, KeePassX, 1Password, and some other password
managers.)
Now you can save shared work passwords with the same commands as
before, except with the CRYPTAG_BACKEND_NAME
environment variable
set:
CRYPTAG_BACKEND_NAME=work cpass create mycr4zyAWSp4ssw0rd4myj0b work aws
Now you should share ~/.cryptag/backends/work.json
with your
colleagues -- or at least the encryption key -- so that you can
decrypt passwords saved by each other.
More Convenient Multiple Storage Backends
See this issue for
discussion on how to make storing data in multiple places much better!
I would love your input.
I currently do this:
echo 'CRYPTAG_BACKEND_NAME=work cpass "$@"' > ~/bin/work
chmod +x ~/bin/work
so I can simply do
work create mycr4zyAWSp4ssw0rd4myj0b aws
to create work passwords, or
work aws
to fetch them.
Non-use Cases (what CrypTag is not good at)
Anything that requires rapid changes being made to data by multiple
users, such as:
Any data that is "write once, read many times" is ideal for CrypTag.
Future Plans
I have big plans for CryptPass and other CrypTag-based software to
help make the world's data -- passwords, everything stored "in the
cloud", file backups, bookmarks and so on -- more secure.
I believe that you should be able access your data from any of your
devices, and just grab what you need, exactly like you can from the
Dropbox mobile app. Or if you don't mind storing all your data on
your computer, being able to use Dropbox (or anything similar) to sync
all your data between all your devices without having to trust the
company storing your data for you is also deeply important; we should
all benefit from the convenience of cloud storage without giving up
any privacy whatsoever.
So whatever feedback you may have, please please send it my way! Yes,
there will be a graphical version of CryptPass usable on Windows,
Mac OS X, and Linux desktops. Eventually I'd like to have mobile
apps, too, of course.
I am open to all questions, comments, suggestions, insults, and
whatever else you've got.
Geeky Feedback Requested
The graphical version of CryptPass (that uses Electron + React, that
then talks to a local CrypTag daemon) once the command line version,
cpass, is better, and once more complex storage
questions are
answered, which I'd appreciate feedback on from those of you who may
want to store different kinds of data in different places (e.g., all
passwords in a local directory, all work passwords in a shared Dropbox
folder, and all backups in S3).
I'd love to create mobile versions of CryptPass, probably starting
with Ubuntu Phone, because I can write it all in Go :-), and now that
both Android and iOS apps can call into Go code using some new
awesome mobile
shit, it
shouldn't be necessary to port the core CrypTag logic to another
language.
Thank you! Here's to a more privacy-friendly future for all!