Encryption - "age"

Was playing with GPG a few months ago, but it’s a giant plodding unwieldy piece of crap (yeah I guess people who’ve been using it for years or decades swear by it - I’m not one of them)…

Then the other day (~week ago?) I found “age” :

and it kicks arse, and nicely follows the UNIX philosophy…

I’ve used it to build my own password management “system”… HATE using that clunky piece of crap KeepAss (and all its many forks and variants!) - it looks and feels like something written for Windows 3.1… Sure it’s kludgy, and clunky (my password system) and I’m hoping messy and complex enough to obfuscate simple basic snooping by other parties, i.e. it wouldn’t stop someone determined, but also - where I’m travelling with that info, it’s on a fully encrypted HDD using LUKS or Apple’s system - there’s a tiny risk if someone got into my house and stole my desktop computer, piecing it all together, but if I got burgled and my desktop computer stolen, compromised passwords is the least of my worries!

So - now - using AGE I can “on the fly” decrypt and read encrypted text files (they’re never written, but I’m guessing they’re probably in RAM somewhere) - in the terminal…

And I use AGE to decrypt them to plain text files again, edit them, then re-encrypt (manual steps).

I’m using Resilio Sync to synchronise that across 5 computers, one of which is readonly (so I can only decrypt for read), and one of which is a “Resilio Sync” encrypted folder (EVERYTHING in that folder is encrypted - not just my “age” encrypted files) which I can then use to sync and “decrypt” a 5th target - e.g. when/if I go back into the office, I can RSL unencrypted sync from the encrypted sync folder. I host the RSL encrypted target on my RPi Zero W “gadget”…

I’ve ordered a Pi Zero 2 W to replace the Pi Zero W (similar specs, same RAM, except instead of 1 armel/armhf core, I’ve got 4 arm64 cores - note : I’ll still run 32 bit armhf Raspbian on there). Resilio Sync’s a PITA on RPi Zero (which the developers don’t seem interested in fixing) - the only binaries that run properly on a Pi Zero are built for armel, when the Pi Zero is actually armhf, so to get RSL to work on the Pi Zero, have to --add-architecture armel, then install the armel DEB package (which then results in subsequent ugly messages when running “apt update” - but they’re only warnings, doesn’t seem to have broken anything, and default when installing new packages is to pull them from armhf repos).

And now I’m just figuring out how to get the age binaries installed on my NAS (FreeNAS i.e. FreeBSD 11.3 - but - not easy to install FreeBSD packages on there - the TrueNAS / FreeNAS have hobbled the pkg subsystem). I’m firing up a FreeBSD 11.4 VM so I can try and install age on there, then copy the binary over to my $HOME on my FreeBSD shell on my FreeNAS… Man FreeBSD can seem like a piece of crap at times : WTF is this :

root@osboxes:/usr/local # pkg install ports-mgmt/pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Not Found
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

This is exactly the sort of shit that scares away the casual, and is why NONE of the BSD’s will EVER succeed against Linux distributions, and I’m guessing the developers / maintainers aren’t even remotely interested in addressing shonky stuff like this… FFS - even Solaris is better than this!

Imagine if you’re a developer, and reading some doco and doing some stuff in Debian or CentOS and they suggest :
sudo apt update

And you find there’s NO APT binary installed on your f–king system! How the F do you install “apt” if apt’s not installed? Thankfully that’s not an issue on most Linux distros… But that doesn’t help me install PKG if PKG is not F–KING INSTALLED!

Here’s how I intend to use the completely encrypted RSL folder stored on my Pi Zero gadget - e.g. I take it to work (intending to return to the office soonish - WFH is fine and dandy, but not ALL the time!) - then setup Resilio Sync on my work computer, using RSL keys, to sync unencrypted from the Pi Zero’s encrypted copy…


– edit – update –
Note also - someone’s done a rust port of age called “rage” :smiley: … I know so little about Go (Google’s version of C / C++ ?) and Rust so not in any position to have an opinion…


– edit – update 2 –
I think part of my problem is that my FreeNAS is running 11.3, and that’s been superseded by FreeBSD 12 and 13 trains… still f–king ridiculous error that the package manager cannot install the package manager!
I’m now looking at upgrading my FreeNAS 11 to TrueNAS 12…


– edit – update 3 –

Well that was surprisingly painless… I’m now a TrueNAS user, no longer a FreeNAS user… Took maybe 15 minutes??? Booted up just fine - and there’s my config and my NFS share (and my SMB shares of the same data), and my Resilio Sync jail (which, despite no longer being installable as a plugin on later versions of FreeNAS and TrueNAS - the jail was migrated successfully!).

Edited /etc/pkg/local.conf and disabled it, edited /etc/pkg/FreeBSD.conf and enabled it.

root@baphomet[/usr/local/etc/pkg/repos]# uname -a
FreeBSD baphomet.local 12.2-RELEASE-p14 FreeBSD 12.2-RELEASE-p14 325282c09a5(HEAD) TRUENAS  amd64
root@baphomet[/usr/local/etc/pkg/repos]# uname -a
FreeBSD baphomet.local 12.2-RELEASE-p14 FreeBSD 12.2-RELEASE-p14 325282c09a5(HEAD) TRUENAS  amd64
root@baphomet[/usr/local/etc/pkg/repos]# cat FreeBSD.conf 
FreeBSD: {
    enabled: yes
}

Update and install :

root@baphomet[/usr/local/etc/pkg/repos]# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB 388.8kB/s    00:17    
Processing entries:   0%
Newer FreeBSD version for package zxfer:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1203000
- running kernel: 1202000
Ignore the mismatch and continue? [Y/n]: y
Processing entries: 100%
FreeBSD repository update completed. 31692 packages processed.
All repositories are up to date.
root@baphomet[/usr/local/etc/pkg/repos]# pkg install age
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pkg: 1.14.6 -> 1.18.3 [FreeBSD]

Number of packages to be upgraded: 1

The operation will free 28 MiB.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching pkg-1.18.3.pkg: 100%    7 MiB 702.6kB/s    00:11    
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.14.6 to 1.18.3...
[1/1] Extracting pkg-1.18.3: 100%
pkg: Failed to execute lua script: [string "-- args: etc/pkg.conf.sample..."]:12: attempt to call a nil value (field 'stat')
pkg: lua script failed
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	age: 1.0.0_4 [FreeBSD]

Number of packages to be installed: 1

The process will require 5 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching age-1.0.0_4.pkg: 100%    1 MiB 593.4kB/s    00:02    
Checking integrity... done (0 conflicting)
[1/1] Installing age-1.0.0_4...
[1/1] Extracting age-1.0.0_4: 100%

and I’ve got it! I’ve got age running on FreeBSD 12… Woo Hoo! And the “portable” binary for rslsync on FreeBSD (compiled on 10.2) still works in 12.2 !

2 Likes

Hey, I used to like FreeBSD. It actually made it into PCs before Linux.
I am currently having a retro look… using GhostBSD with Mate in Virtualbox…
GhostBSD is supposed to be an attempt to make FreeBSD palatable.
All I can say so far is it was an easy install. Some Linux distros are a beast in Vbox, but GhostBSD went smoothly.
Let’s wait and see how its package system performs.

Me too… but it’s diabolically tricky… why make things harder than they need to be??? I suspect deliberate sadism … I guess that maybe also teaches me not to take shortcuts (running a pre-rolled VM image from osboxes.org).

The irony of not being able to install your package manager, because your package manager’s not installed… sadistic irony… and I can’t be arsed following up…

Fixed my issues with the FreeBSD that TrueNAS runs, and that’s all I need, or care, to know…

Sometimes problem solving can be fun, but not shite like this…

And - I just had a look in my downloaded binaries folder for “age”, and I already had a tar archive with the x86_64 binary for FreeBSD anyway :smiley: Doh!

But thanks to my inattention, I accidentally upgraded my NAS to the latest iteration and that’s a happy accident :smiley:

1 Like

OK - so I once again took the path of least resistance, booted a VM from a FreeBSD 12.3 VDI downloaded from osboxes.org

And it works - the package manager can download and install from the default BSD repos…

root@osboxes:~ # pkg install age
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.18.3...
Extracting pkg-1.18.3: 100%
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.pkg: 100%    6 MiB   1.3MB/s    00:05    
Processing entries: 100%
FreeBSD repository update completed. 31538 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	age: 1.0.0_4

Number of packages to be installed: 1

The process will require 5 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching age-1.0.0_4.pkg: 100%    1 MiB   1.2MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing age-1.0.0_4...
[1/1] Extracting age-1.0.0_4: 100%

I suspect that somewhere at http://pkg.FreeBSD.org/FreeBSD/ - the repo for 11.x I was trying to use was defunct… Still not very helpful…

I know what to do in Debian, Ubuntu or whatever when the upstream repo no longer exists, e.g. a distro has gone EOL… What to do in FreeBSD? I have no idea… And I’m pretty sure FreeBSD 11 (10 even) isn’t considered EOL…

In other news - I came across a severe limitation with BASH in MacOS - it’s positively ANCIENT :

╭─x@methone.local ~  
╰─➤  bash --version
GNU bash, version 3.2.57(1)-release (arm64-apple-darwin21)
Copyright (C) 2007 Free Software Foundation, Inc.

Simply because Apple REFUSES to use the GPL (surely CUPS, from Apple itself, is GPL’d? Debian would refuse to use it if it wasn’t)…

Note - most Linux distros are using bash 5.x ! Bash 3.x dates back to the mid oughties!

Hit this limitation as I was trying to use some “escape” codes to capitalise a string, e.g.

echo ${STRING^^} will capitalise (double carets “^^”) the alpha chars in $STRING on output… But not in bash 3.x…

So I had to get around this by using trusted and tried : “tr”… (echo "$STRING" | tr '[:lower:]' '[:upper:]')… Oh well… one step forward, 0.75 steps backward is still progress :smiley:


Also - most Linux distros, e.g. Debian 8 onwards, Ubuntu 16, all the REL / OEL / CentOS EL7 distros and later - have some nice features in /etc/issue… Not necessarily very useful to the casual desktop user, but when you’re running a fleet of hundreds of VM’s if you can see the IP address on the console - it’s a huge help - I always add this (to the end) to my /etc/issue on VMs (whether hosted in VMware ESX / vSphere, or just local on VirtualBox or VMware player) :

IPV4 Address : \4{eth0}

(where “eth0” is my default first NIC, it could be something else)

No such thing as /etc/issue in FreeBSD, just read a long forum article by someone wanting /etc/issue feature or similar in FreeBSD and can’t be done without a bunch of kludges using rc.local and other bits… not worth the effort IMHO…

1 Like

Quite happy with my “homebrew” console / terminal password manager solution…

Works for me… anyway… But just found this - the author’s probably better at this stuff than my kludgy shell scripts :

Going to check it out anyway…

I think the kludgiest thing about my “homebrew” solution, is editing my “databases”… I have to decrypt all of them - even if I’m only updating one… then when I’m done editing, encrypt them again… I guess I could do something about that, but I can’t be arsed…

Anyway - I highly recommend age, GPG is such a MAJOR kludge to work with - age is nice and compact (I’m yet to try the rust port of age - one of these days).


Tried it out - has some “okay” features - but - it doesn’t offer any password protection for itself…

╭─x@beere253 ~/tmp/pa  ‹master› 
╰─➤  ./pa
pa 0.1.0 - age-based password manager
=> [a]dd  [name] - Create a new password, randomly generated
=> [d]el  [name] - Delete a password entry.
=> [e]dit [name] - Edit a password entry with .
=> [l]ist        - List all entries.
=> [s]how [name] - Show password for an entry.
Password length:   export PA_LENGTH=50
Password pattern:  export PA_PATTERN=_A-Z-a-z-0-9
Store location:    export PA_DIR=~/.local/share/pa
╭─x@beere253 ~/tmp/pa  ‹master› 
╰─➤  ./pa l
stinky
stinkfisting
╭─x@beere253 ~/tmp/pa  ‹master› 
╰─➤  ./pa s stinkfisting
shitdontstinkmuch

That “[a]dd” feature, will also let you type (or paste) in your own preferred password… I prefer to use randomly picked dictionary words, this just picks random alphanumeric chars :

╭─x@beere253 ~/tmp/pa  ‹master› 
╰─➤  ./pa a shittl                                                                                                                     1 ↵
Generate a password? [y/n]: y
Saved 'shittl' to the store.
╭─x@beere253 ~/tmp/pa  ‹master› 
╰─➤  ./pa s shittl
d9BLGVN6POhOaXYGw3v_piBc7zGF8fAwt4p7YswIpKInasIqPB

So - as you can see - it didn’t do any security check… it just let me “uncrack” that password entry in “stinkfisting”, which is hosted in an encrypted file stinkfisting.age - so anyone who happens to get my creds on this machine, can just run that, and “pa” will look in ~/.age/ for my key and unencrypt and display the password string (having said that, my shell script ain’t a whole load more secure anyway 0=- but the output of my solution is better for my needs)… One advantage it has over my homebrew / kludge, is in editing the stored secrets…

In summary - that solution is the same amount of securedness, as my kludge, but the output of my kludge is more useful for me…

As it’s just a shell script - I might be able to purloin the algorithm for editing entries… but I doubt it…

1 Like
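
The manual "decrypt, edit, re-encrypt" step described in the posts above, as an added example that is not from any poster and not taken from pa: a shell function that edits one age-encrypted file at a time. AGE_IDENTITY, AGE_RECIPIENTS and the default paths are assumptions; only age's -d, -e, -i, -R and -o options are used.

```shell
# Added example: edit ONE age-encrypted file, leaving the others untouched.
# Assumed names (not from the thread): AGE_IDENTITY, AGE_RECIPIENTS, default paths.
# Avoids bash 4 syntax, so it also runs under the macOS bash 3.2 discussed above.
# The body is a ( subshell ), so umask, traps and variables do not leak out.
age_edit() (
    enc=$1
    identity=${AGE_IDENTITY:-$HOME/.age/key.txt}            # private key file
    recipients=${AGE_RECIPIENTS:-$HOME/.age/recipients.txt} # one public key per line
    [ -f "$enc" ] || { echo "age_edit: no such file: $enc" >&2; exit 1; }

    umask 077   # plaintext and new ciphertext readable by the owner only
    # Plaintext does touch disk here: point TMPDIR at tmpfs or an encrypted volume.
    work=$(mktemp -d "${TMPDIR:-/tmp}/age_edit.XXXXXX") || exit 1
    plain=$work/plain.txt
    # Remove plaintext and any half-written ciphertext however we leave.
    trap 'rm -rf "$work" "$enc.new"' EXIT
    trap 'exit 1' HUP INT TERM

    age -d -i "$identity" -o "$plain" "$enc" || exit 1
    before=$(cksum < "$plain")
    ${EDITOR:-vi} "$plain" || exit 1      # unquoted so EDITOR may carry options
    if [ "$(cksum < "$plain")" = "$before" ]; then
        echo "age_edit: no changes, $enc left as is" >&2
        exit 0
    fi
    # Encrypt beside the target, then rename, so a failed run never
    # leaves a truncated database behind.
    age -e -R "$recipients" -o "$enc.new" "$plain" || exit 1
    mv "$enc.new" "$enc" || exit 1
    echo "age_edit: updated $enc" >&2
)
```

Deleting the temporary directory does not securely erase the plaintext, so where TMPDIR lives still matters.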