<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Designoplasty Web Design and Development Blog &#187; Security</title>
	<atom:link href="http://designoplasty.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://designoplasty.com</link>
	<description>HTML, Javascript, PHP, and Me</description>
	<lastBuildDate>Fri, 14 May 2010 01:22:38 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Simple File Encryption on Mac OS X (and Unix)</title>
		<link>http://designoplasty.com/2009/05/17/simple-file-encryption-on-mac-os-x-and-unix/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=simple-file-encryption-on-mac-os-x-and-unix</link>
		<comments>http://designoplasty.com/2009/05/17/simple-file-encryption-on-mac-os-x-and-unix/#comments</comments>
		<pubDate>Mon, 18 May 2009 05:02:13 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://designoplasty.com/?p=666</guid>
		<description><![CDATA[

For a while now I had been using encrypted disk images, as recommended by Apple to store encrypted files. But the minimum disk image size is 10 megabytes, which is awfully large to store a 4K text file. Also, if I want to look at the file I have to mount the disk image, go [...]]]></description>
			<content:encoded><![CDATA[<img src="http://photos.smugmug.com/photos/539309430_6i2jw-L.jpg" class="floatright" style="width: 500px; height: 333px;" alt="openssl and encrypting files on Mac OS X" />

<p>For a while now I had been using encrypted disk images, as recommended by Apple to store encrypted files. But the minimum disk image size is 10 megabytes, which is awfully large to store a 4K text file. Also, if I want to look at the file I have to mount the disk image, go to the file in the finder, open it and then eventually close it and eject the disk image. What a pain. I knew there had to be a better way.</p>

<p>The better way is to use openssl. I believe it&#8217;s available on all platforms and comes pre-installed on all Unix-like platforms. I can sort of see why Apple doesn&#8217;t talk about this because there are a ton of options and figuring out which is the best or what they even mean is difficult. Even just getting started is hard. So without covering the myriad of functionality openssl has, here is how to encrypt and decrypt files.</p>

<p>To encrypt a file:</p>

<pre><code>openssl enc -aes256 -salt -in <i>myfile.txt</i> -out <i>myfile.crypt</i></code></pre>

<p>You will receive a prompt for a password that will later be used when you decrypt the file. This is what the parameters mean:</p>

<dl>
  <dt>enc</dt>
  <dd>openssl has all sorts of sub-commands and &#8220;enc&#8221; is the one that specifies you want to encrypt (or decrypt) data.</dd>
  <dt>-aes256</dt>
  <dd>openssl supports tons of different encryption schemes and even allows you to write your own. For our purposes 256-bit AES is a good choice although you&#8217;re free to investigate the others.</dd>
  <dt>-salt</dt>
  <dd>
    <p>The documentation says to always use this, but is worded in such a way that you don&#8217;t know if it&#8217;s the default. Just to amuse you, here is what the docs say for the opposite option, -nosalt:</p>
    <blockquote>This is the default for compatibility with previous versions of OpenSSL and SSLeay.</blockquote>
    <p>That is just phrased weird, kind of making it sound like it&#8217;s only the default in some cases? Instead of &#8220;for&#8221; do they mean &#8220;to provide&#8221;? Very odd. The output would indicate that -nosalt is not the default. Just put -salt in to be safe.</p>
  </dd>
</dl>

<p>To decrypt the file:</p>

<pre><code>openssl enc -d -aes256 -in <i>myfile.crypt</i></code></pre>

<p>Here the addition of the -d option is what makes openssl decide to decrypt the file. -salt only needs to be used for encryption. The command as written will send the output to standard output, but you can use the -out parameter if you wish. For my purposes, that would just be one more file I&#8217;d need to delete so if I don&#8217;t need to change it I&#8217;d rather not create it.</p>

<h3>Important Notes</h3>

<p>Once you start encrypting files, things get a little overwhelmingly crazy. Especially if you have Time Machine running. You don&#8217;t want to go decrypting those files into files in backed up folders. For this reason I have a /tmp file in my home directory that I have told Time Machine specifically not to back up. For now, Time Machine does not back up the trash so you don&#8217;t have to worry as much about what happens between you deleting the file and emptying the trash.</p>

<p>This is a problem for encrypted disk images to some extent as well, but not quite as much. Time Machine is not a friend to decrypted data, no matter where it comes from.</p>

<p>Secondly, although openssl is amazingly complex it is equally amazingly unhelpful. Just so you know, the man page for the sub-command enc is retrieved at man enc. Bizarre, I know. Also, there&#8217;s no --help option, however if you just pretend there is you will often get what you want. It usually responds to options it doesn&#8217;t know with a help page.</p>

<p>And finally, like me, you will want to create small scripts to make this faster and so you will remember what encryption algorithm you used. I have named mine <i>enc</i>:</p>

<pre><code>#!/bin/bash

openssl enc -aes256 -salt -in "$1" -out "$1.crypt"</code></pre>

<p>and <i>dec</i>:</p>

<pre><code>#!/bin/bash

openssl enc -d -aes256 -in "$1"</code></pre>
]]></content:encoded>
			<wfw:commentRss>http://designoplasty.com/2009/05/17/simple-file-encryption-on-mac-os-x-and-unix/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>End of the Month Blues</title>
		<link>http://designoplasty.com/2009/04/01/end-of-the-month-blues/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=end-of-the-month-blues</link>
		<comments>http://designoplasty.com/2009/04/01/end-of-the-month-blues/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 23:50:34 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Slimbox]]></category>

		<guid isPermaLink="false">http://designoplasty.com/?p=404</guid>
		<description><![CDATA[

Last night I was trying to finish up some stuff for a small client so I&#8217;d have everything they need done by the end of the month. It was kind of a trial as I upgraded their site to use Slimbox 2 and was running into an issue that was totally messing me up. It [...]]]></description>
			<content:encoded><![CDATA[<img src="http://photos.smugmug.com/photos/503627124_Kvoht-M.png" class="floatright" style="width: 256px; height: 256px;" alt="Web Security" />

<p>Last night I was trying to finish up some stuff for a small client so I&#8217;d have everything they need done by the end of the month. It was kind of a trial as I upgraded their site to use <a href="http://www.digitalia.be/software/slimbox2">Slimbox 2</a> and was running into an issue that was totally messing me up. It turned out to be a directory permissions issue. While I love Safari, it could have been a bit more clear about the fact that it couldn&#8217;t read the files in a certain directory. That is, when you say it took &#8220;this long&#8221; to read a file, I tend to assume that you actually read that file. Never assume.</p>

<p>I was just finishing up and looking forward to some TV when I noticed some links at the bottom of the pages. Oh great, the site had been hacked. By a hacker who had a lot of time on his hands. The hacker had gone into my custom code and found the exact place to include his links. I was amazed. Luckily, he was very clean about it, and since I use Subversion to track all my code, I just deleted all the files in the directory and copied the right ones back, changed the passwords, and did some other stuff.</p>

<p>From the looks of it, I think the user had full access to the account. The passwords were on the weaker side and I left them that way because quite honestly this isn&#8217;t a site with that much traffic. There&#8217;s no customer data stored on the site or anything like that. I can&#8217;t imagine it would have been worth his while to hack it. It&#8217;s also a site that&#8217;s clearly maintained, so I just don&#8217;t see the point. But it took me a while to deal with it. Now the passwords are ridiculously strong.</p>

<p>I really don&#8217;t like the web host this customer is using. It&#8217;s Lunarpages. They don&#8217;t support sftp, or ssh, or any number of other things and they&#8217;re all around lame. So we will be moving the site to a new host soon.</p>

<p>I used to be more easy going about this, if customers had a host, I wouldn&#8217;t try to get them to change, but now that I have a host that I know is economical, secure, and easy to use, I think I&#8217;ll be more likely to suggest the switch. It&#8217;s easy enough to cost justify, and will save all of us pain in the future.</p>]]></content:encoded>
			<wfw:commentRss>http://designoplasty.com/2009/04/01/end-of-the-month-blues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firefox 3.0.8 Security Update Released</title>
		<link>http://designoplasty.com/2009/03/27/firefox-308-security-update-released/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=firefox-308-security-update-released</link>
		<comments>http://designoplasty.com/2009/03/27/firefox-308-security-update-released/#comments</comments>
		<pubDate>Sat, 28 Mar 2009 02:35:26 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[Bugs]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[Web Browsers]]></category>

		<guid isPermaLink="false">http://designoplasty.com/?p=386</guid>
		<description><![CDATA[

Firefox has released a security update. Firefox isn&#8217;t my primary browser, that&#8217;s Safari, so sometimes I feel like there&#8217;s a security update available every time I open Firefox or Opera.

Of course I test on them, though. I like that there are multiple browsers now, it&#8217;s a much healthier community. And they&#8217;re all better than Internet [...]]]></description>
			<content:encoded><![CDATA[<img src="http://photos.smugmug.com/photos/500185408_KAXwy-L.png" class="floatright" style="width: 256px; height: 256px;" alt="Firefox Icon" />

<p>Firefox has released a <a href="http://blog.mozilla.com/blog/2009/03/27/firefox-308-security-release-now-available/">security update</a>. Firefox isn&#8217;t my primary browser, that&#8217;s Safari, so sometimes I feel like there&#8217;s a security update available every time I open Firefox or Opera.</p>

<p>Of course I test on them, though. I like that there are multiple browsers now, it&#8217;s a much healthier community. And they&#8217;re all better than Internet Explorer. Open source also seems to really work for browsers. I think any time you need to conform to standards, your product should be open source. If there&#8217;s predefined work that people can do for free, by all means, allow them to do it! I wonder if Microsoft is aware of that concept?</p>

<p>One thing I would like is for Firefox to render form elements, such as text inputs, the same as other browsers. Firefox adds some space around them that&#8217;s not styleable, so Firefox inputs are always a couple of pixels bigger than they are in other browsers.</p>]]></content:encoded>
			<wfw:commentRss>http://designoplasty.com/2009/03/27/firefox-308-security-update-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
