Generate private key encrypted with password using openssl

I’m using openssl to sign files, it works but I would like the private key file is encrypted with a password. These are the commands I’m using, I would like to know the equivalent commands using a password:

- Use the following command to generate your private key using the RSA algorithm:  openssl genrsa -out private.key 2048   - Use the following command to extract your public key:  openssl rsa -in private.key -pubout -out public.key   - Use the following command to sign the file:  openssl dgst -sha512 -sign private.key -out signature.bin file.txt   - To verify the signature:  openssl dgst -sha512 -verify public.key -signature signature.bin file.txt 

Storing encrypted tokens in LocalStorage

I am building a JavaScript application that will run in a web browser but also as a pseudo-native mobile application via Apache Cordova. It communicates via API to a separate backend service.

The app requires that the user be prompted for some kind of identifying information whenever it is launched, but for ease of use this need not be their full username and password. Password entry in particular (and especially on mobile devices) will be too cumbersome to make this feasible. Therefore, we are considering a once-off login procedure where the full credentials are supplied, followed by a “setup” step where the user creates a PIN for future access. This could, in future, be extended to allow a fingerprint/face scan to also “unlock” the app on supported devices.

We are also hoping to avoid the use of cookies. Doing so subsequently avoids CSRF concerns but also, support for cookies in Cordova applications appears to be either non-existent or at least unreliable.

My initial thoughts on implementation are:

  • The user submits a valid username/password combination to a login/ endpoint of the API and receives an “ID token” in response.
  • During the “setup” phase, the PIN chosen by the user is used to encrypt the ID token.
  • The encrypted ID token is stored in LocalStorage.
  • A secondary request is made to an authorise/ endpoint of the API, including the plaintext ID token. Assuming the token validates, a second token is issued to the app.
  • This second token is what is used in all subsequent requests to the API to prove the user is trusted, has a relatively short expiry, and is not stored in any persistent manner by the application.
  • Upon returning to the app at a later date, the user need only provide their chosen PIN.
  • It can be used to decrypt the stored ID token, which is then used in the authorise/ request to generate and return a new short-lived session token.

The internet abounds with articles advising against the use of LocalStorage for anything sensitive, due to its exposure in the event of XSS attacks. The threat is that a token in LocalStorage could be stolen when the same token in an httpOnly cookie could not. It is worth noting that in both cases, a malicious script running within the app could successfully issue fraudulent requests to the backend API.

I believe the XSS threat of the ID token being stolen is mitigated by it being encrypted under the user’s PIN, and neither the decrypted value nor the PIN itself being stored or used beyond the authorise/ request.

The session token is also vulnerable to being stolen by XSS. It is only stored in memory, but is obviously still accessible to JavaScript and thus to a malicious script. These tokens would be given short expiry times to mitigate this threat. Not to mention we would do our best to harden against XSS in the first place.

I think the above sounds like a secure way to implement our requirements, but I am no security expert. Am I missing any obvious weaknesses here? Does this actually sound secure?

Converting LVM root block device to an encrypted one

Is their an easy way to convert a vanila install with unencrypted root partition to an encrypted one (eg LUKS) in Ubuntu 16.04? I know that Android offers equivalent functionality, but am unaware of a “Linux” equivalent, and posit that this is OS specific and non-trivial.

I note the root filesystem is EXT4 and /boot is a seperate partition. I am aware of the possibility of backing up my data and reinstalling the OS, I’m just wondering if there is a more expedient way.

Problem with booting a newly LUKS encrypted root partition

I didn’t encrypt my root partition when I was installing my Ubuntu 18.04 when 18.04 first came out (first few months of it’s release) So for reasons I decided to encrypt it now.

I know this question has been asked before (I posted the links of some of the asked ones, actually!) but I posted this because this issue is specific to me, so please don’t remove my question, thank you very much, dear moderators and admins. I did not find anyone who had an issue same as mine, and after doing some MAJOR linux stuff, I had to ask for help since I was unable to solve this by myself. (Which hasn’t happened a lot over my past 11 years of GNU/Linux-*nix experience. I solved/fixed my problems by myself and dear Google like 99% of the times… and as you know problems happen a lot in linux! 😀 )

Anyway, Here are the steps of which I did it: (In a 18.04 live usb)

sudo cryptsetup -v -y -c aes-xts-plain64 --key-size 512 --hash sha512 luksFormat --uuid=049172c6-5376-4b9c-bd27-b503b6f25423 /dev/sda5 sudo cryptsetup -v luksOpen /dev/sda5 myroot sudo mkfs.ext4 -m 0 /dev/mapper/myroot sudo mount /dev/mapper/myroot /media/myroot #I created /media/myroot beforehands #Then for copying the contents of my root partition I used dd: sudo dd if=/dev/sda6 of=/dev/mapper/myroot bs=4M #/dev/sda6 is a duplicate of my original sda5 root... 

Then after this I did A LOT of things I thought would help for booting this new encrypted root of mine with GRUB, and also A LOT OF MORE things I found by searching. So I basically tried everything people suggested in these links:

Booting 19.04 from LUKS system drive

Can't get Ubuntu to boot from LUKS / LVM group on external drive on iMac with refind

Ubuntu full disk encryption with encrypted /boot

Mount LUKS encrypted hard drive at boot

How to get grub to boot from a newly encrypted partition

(And a lot of more links)

Here’s the output of fdisk -l:

Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: FE0857E8-E0DE-40A0-96C5-C4FEC80B8742  Device         Start       End   Sectors   Size Type /dev/sda1       2048    534527    532480   260M EFI System /dev/sda2     534528   1067007    532480   260M EFI System /dev/sda3    2582528   4630527   2048000  1000M Lenovo boot partition /dev/sda4    4892672 259438591 254545920 121.4G Microsoft basic data /dev/sda5  259438592 332343295  72904704  34.8G Linux filesystem /dev/sda6  332343296 400898047  68554752  32.7G Linux filesystem /dev/sda7  410068992 425521151  15452160   7.4G Microsoft basic data 

These are my UUIDs:

/dev/sda5: LUKS UUID: 049172c6-5376-4b9c-bd27-b503b6f25423 Partition UUID: 1db5df50-7000-48df-a281-74bad5689ce1  /dev/sda6: Former UUID which I recently changed it to a new one because it was same as sda5's due to using dd for copying root filesystem to new LUKS partition: 1db5df50-7000-48df-a281-74bad5689ce1 New UUID: 7876a195-7219-4440-892a-61b57c706443 

And finally the things I tried in GRUB:

Any help will be much appreciated I really don’t want to reinstall and encrypt from the installer, I need the things I have on my ubuntu and I really can’t do a reinstall, this ubuntu install of mine is just so perfect, I’ve had a lot of experience with GNU/Linux (Over 10 years now) and had a lot of linux installations and I’m no noob, but I just can’t loose all my data or configurations or customizations I made… I know I can back them up but I just… you know?

How are files in file container (posibly in archive file) encrypted?

I see advantage of using container in it that offer work with more files rather than with one but is there some advantage in encryption technique?I would like to know if it encrypt each single file in a container (or an archive) or is there some another technique used to encrypt it?I want create my own file container as a school project and add some features like encryption etc. therefore i would like to gain more complex overview firstly.

How to check if a connection between a server and an app is encrypted?

I have a Corona SDK sample project that contains only the following code:

-- The following sample code contacts Google's encrypted search over SSL -- and prints the response (in this case, the HTML source of the home page) -- to the Corona terminal.  local function networkListener( event )      if ( event.isError ) then         print( "Network error: ", event.response )     else         print ( "RESPONSE: " .. event.response )     end end  -- Access Google over SSL: network.request( "", "GET", networkListener ) 

The code has been copied directly from Corona SDK’s documentation.

Once the network request completes, the console will output the requested HTML source. However, my question is, how can I verify that the network request and all information that was exchanged was actually encrypted and not clearly legible as it is in the console output?

I am planning on creating an app that will communicate with a PHP file on my server over SSL and being able to verify that the traffic between the server and the Corona made app is actually encrypted is essential since I’d be sending over passwords and other confidential (but not personally identifiable) information.