Encryption tools for Sysadmins

Date June 29, 2009

Every once in a while, someone will ask me what I use for keeping passwords securely. I tell them that I use Password Safe, which was recommended to me when *I* asked the question.

Other times, people will ask for simple ways to encrypt or store files. If you're looking for something robust, cross-platform, and full-featured, you could do a lot worse than TrueCrypt. Essentially, it hooks into the operating system's kernel and allows it to mount entire encrypted volumes as if they were drives. It also has advanced security methods to hide volumes, so that if searched, no volumes would be found without knowing the proper key. It also has a feature that can be valuable if you are seized and placed under duress: in addition to the "real" password, a second can be set up to open another volume, so that your captors believe that you gave them the correct information. Unreal.

So you see that TrueCrypt is an amazing piece of software. For many things, though, it's definitely overkill. Sometimes you just want something light that will encrypt a file and that's it. In this case, GNU Privacy Guard is probably your best bet. I use it in our company to send and receive client files over non-secure transfer methods (FTP and the like). With proper key exchange, we can be absolutely sure that a file on our servers came from our clients, and vice versa. If you're running a Linux distribution, chances are good you've got GPG installed already. Windows and Mac users will have to get it, but it's absolutely worth it, and the knowledge of how public key encryption works is at the heart of everything from web certificates to SSH authentication. If you want to learn more about how to use it, Simple Help has a tutorial on it, covering the very basic usage. Once you're comfortable with that, check out the manual.

I'm sure I missed some fun ones, so make sure to suggest what you use!

  • Sam

    We use keepass - KeePass mostly because it works well on a number of platforms, Citrix included.

  • augmentedfourth

    I use Password Safe as well, but I use the Linux command-line version 'pwsafe' so I can have access to the one central installation from anywhere by bringing up a quick SSH session. As a companion product I use apg to generate passwords.

  • chewyfruitloop

    Our company's ex-sysadmins used an encrypted Excel spreadsheet which they shared between them. That was fine when they all knew the password, but one by one they left the company and failed to pass it on....

    Now after recovering and resetting them, we keep our passwords in an unencrypted spreadsheet, which is protected in a directory locked to a specific domain admin group. Hopefully this will allow anyone in future to access it should the same thing happen again.

    I know TrueCrypt is an excellent tool for encrypting things, but what happens if something happens to the person who knows the password?
    Sometimes with small teams I think locking everything down as it should be can be self-defeating if something nasty or unexpected happens.

  • Anonymous

    We use keepassX with windows, linux, and unix.

    We keep the .kdb file stored in a subversion repository so when anyone checks in a change it is reflected.
    The repository is protected by private "Administration" USB sticks with a script for svn checkout and update and a password-protected openssh certificate to access the .kdb file from repo. Also the checkout never puts the .kdb file onto the stick. So losing it will not compromise security.

    When it comes to easy encrypting, openssl with aes-256 is great.

  • Anonymous

    There are some really great tools out there. I once used one called ssss (Shamir's secret sharing scheme).

    Yeah, linux only--very technical. But there's great stuff in crypto... (Honestly, you could implement it yourself in a few hours without much background--it's pretty simple)

    Basic premise: I've got a secret--but I don't want to trust any one person with it. Instead, I give a fraction of it to M people such that any N of them can reconstruct it.

    If you trust some people more than others, you can give them more shares...

    Seems to me like a great way to prevent loss of a password in event of a car crash...

    Course, you know...you've gotta be able to get people smart enough to use it.
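
The scheme described in the comment above, as an added Python example (not part of the original post or its comments, and not the code of the ssss tool). It follows the commenter's naming, M shares with any N sufficient; `split`, `combine` and `PRIME` are names chosen here for illustration.

```python
# Added example: Shamir secret sharing over a prime field (not the ssss tool's code).
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the encoded secret must be smaller than this


def split(secret: bytes, m: int, n: int) -> list:
    """Return m shares (x, y) of `secret`; any n of them reconstruct it."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    # The 0x01 prefix preserves leading zero bytes through the int round trip.
    value = int.from_bytes(b"\x01" + secret, "big")
    if value >= PRIME:
        raise ValueError("secret too long for this field")
    # Random polynomial of degree n-1 whose constant term is the secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine(shares: list) -> bytes:
    """Lagrange-interpolate at x = 0. Fewer than n shares yields garbage, not an error."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    return value.to_bytes((value.bit_length() + 7) // 8, "big")[1:]


if __name__ == "__main__":
    password = b"constructed-sample-password"  # constructed sample input
    shares = split(password, m=5, n=3)         # 5 holders, any 3 can recover
    print(combine([shares[0], shares[3], shares[4]]))
```

Giving a more trusted person extra shares, as the comment suggests, means handing them more than one `(x, y)` pair. The scheme has no integrity check, so a wrong or missing share produces a wrong secret silently.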

  • shokk

    I use lastpass.com and its plugins for web site passwords, Password Safe for server passwords (which we pass around as exported XML files when we update), and TrueCrypt to store the Password Safe files when we're not using them.

  • Paul Stoklosa

    I used keypass for a while, but recently started using clipperz.com. Supposedly beta, but Gmail's been beta for years too.