Technoprenerd opened this issue 1 year ago
Thanks @Technoprenerd. Is there any reason you prefer Cryptomator to Veracrypt? afaik veracrypt is the most popular cross-platform software for creating encrypted volumes.
On Mac OSX, a script can do the unmounting:
umount --force /Volumes/<CryptomatorVaultName> or sudo diskutil unmount /Volumes/<CryptomatorVaultName>
Is there any command to list all mounts too? That way the trigger could just list them all and iterate through the list, umounting all of them?
Also, is there any built-in "shred" command that wipes the area of the encrypted volume that holds the (encrypted?) master keys? I mean something that's faster than overwriting the whole volume, of course.
And does Cryptomator have any decent documentation describing the encoding of their volumes? In LUKS there's 8-32 keyslots, and the way LUKS works is very clearly documented in the whitepapers:
Is there an equivalent whitepaper describing Cryptomator so I can wrap my head around its headers/footers/keyslots/encodings/recovery/etc?
@maltfield : No preference, I've tried them all and it seems that for new users this type of application is more usable (better UI/UX) for creating and encrypting individual files (not volumes). Specifically designed to backup with cloud storage service providers. But I would recommend to look into Veracode first, since that offers more granular features for the privacy community.
Probably iterate through the /Volumes/ paths to select folders, should be scripted though. Does not work with DiskUtil list.
Depends on whether shred is installed; on OSX it is no longer installed by default.
Cryptomator does have decent documentation:
https://docs.cryptomator.org/en/latest/security/architecture/
https://docs.cryptomator.org/en/latest/security/security-target/
Cryptomator was designed to solve privacy issues when saving files to cloud storages.
source: https://docs.cryptomator.org/en/latest/security/security-target/
Because of this, it seems like a self-destruct may be less valuable for Cryptomator. Depending on the adversary, they could just force the cloud provider to hand over a backup of the masterkey.cryptomator file after shred.
But I definitely think it would be worthwhile to write a trigger for Cryptomator that simply:
@Technoprenerd Do you have any python experience? I think the first deliverable here is to write a simple python function get_cryptomator_volumes() that /Volumes/ (if possible, it would be best if get_cryptomator_volumes() was cross-platform and worked on Linux, Windows, and MacOS)
This begs the question: does doing ^ that or unmounting a Cryptomator volume require root access? If so, we have a way to escalate buskill's triggers as root on MacOS (but not Windows or Linux yet):
@maltfield Agreed, adversary would just copy the backup masterkey from cloud provider and decrypt it.
Yes, below is how far I've come, and it works on OSX. psutil is the main library used to figure out volume paths.
```python
import platform
import subprocess

import psutil

CURRENT_PLATFORM = platform.system().upper()


def unmount(mountpoint):
    # can use diskutil or umount -f; the path is passed as a list argument
    # instead of through os.system() so a mountpoint containing spaces or
    # shell metacharacters cannot break or alter the command
    if CURRENT_PLATFORM.startswith('DARWIN'):
        subprocess.run(['diskutil', 'unmount', 'force', mountpoint])
    else:
        # must be root to unmount a fuse disk
        subprocess.run(['umount', '-f', mountpoint])


def get_cryptomator_volumes():
    # Need to list Fuse/WebDAV volume mounts and iterate through them
    # example OSX macFuse: sdiskpart(device='Cryptomator@macfuse0', mountpoint='/Volumes/test', fstype='macfuse', opts='rw,sync,nosuid', maxfile=255, maxpath=1024)
    # example OSX WebDAV: sdiskpart(device='http://localhost:42427/sq5q-0UyuwBL/test3/', mountpoint='/Volumes/test3', fstype='webdav', opts='rw,noexec,nosuid', maxfile=255, maxpath=1024)
    # example Linux: sdiskpart(device='fusefs-851974781', mountpoint='/home/<USER>/.local/share/Cryptomator/mnt/testlinuxvault', fstype='fuse.fusefs-851974781', opts='rw,nosuid,nodev,relatime,user_id=1000,group_id=1000', maxfile=254, maxpath=4096)
    partitions = psutil.disk_partitions(all=True)
    # iterate over the list and find the mount in OSX if mounted with macFuse
    if CURRENT_PLATFORM.startswith('DARWIN'):
        for p in partitions:
            if p.device.startswith('Cryptomator'):
                print(p.mountpoint)
                unmount(p.mountpoint)
            # port number of WebDav used by Cryptomator, default port 42427
            elif p.device.find('42427') != -1:
                print(p.mountpoint)
                unmount(p.mountpoint)
    # iterate over the list and find the mount for Linux
    elif CURRENT_PLATFORM.startswith('LINUX'):
        for p in partitions:
            if p.mountpoint.find('Cryptomator') != -1:
                print(p.mountpoint)
                # TODO
                unmount(p.mountpoint)
    # TODO Windows
    # elif CURRENT_PLATFORM.startswith('WIN'):


if __name__ == '__main__':
    get_cryptomator_volumes()
```
TODO:
It does work with multiple vaults open at the same time
```
python3 find_volumes.py
/Volumes/test3
Unmount successful for /Volumes/test3
/Volumes/test4
Unmount successful for /Volumes/test4
/Volumes/test2
Unmount successful for /Volumes/test2
```
Cryptomator GUI shows everything locked
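As an added example (not code from the thread or from Cryptomator), the detection half of the script above pulled out into a pure function that can be exercised on constructed partition records, so the matching rules for the three sdiskpart shapes quoted in the comment can be checked without a mounted vault. It assumes the record attributes psutil's sdiskpart exposes (device, mountpoint, fstype), that Linux vaults sit under the .local/share/Cryptomator/mnt/ path shown in the comment, and it compares the parsed WebDAV port rather than searching for the substring 42427; Windows stays unhandled as in the thread.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Mirrors psutil's sdiskpart fields so the check runs on constructed records
# (no psutil, no mounted vault needed); psutil.disk_partitions(all=True)
# yields objects with the same attribute names.
Part = namedtuple("Part", "device mountpoint fstype")

CRYPTOMATOR_WEBDAV_PORT = 42427  # Cryptomator's default local WebDAV port


def classify_mount(p, system):
    """Return 'macfuse', 'webdav' or 'fuse' for a Cryptomator vault, else None."""
    system = system.upper()
    if system.startswith("DARWIN"):
        # macFUSE: device 'Cryptomator@macfuse0', fstype 'macfuse'
        if p.fstype == "macfuse" and p.device.startswith("Cryptomator"):
            return "macfuse"
        # WebDAV: device is a URL such as http://localhost:42427/<id>/<vault>/;
        # compare the parsed port so '42427' elsewhere in a string cannot match
        if p.fstype == "webdav":
            try:
                if urlsplit(p.device).port == CRYPTOMATOR_WEBDAV_PORT:
                    return "webdav"
            except ValueError:
                pass
        return None
    if system.startswith("LINUX"):
        # FUSE mount under ~/.local/share/Cryptomator/mnt/<vault> (assumed path)
        if p.fstype.startswith("fuse") and "/Cryptomator/mnt/" in p.mountpoint:
            return "fuse"
    return None  # Windows not handled, as in the thread


def find_cryptomator_mounts(partitions, system):
    """List (mountpoint, kind) for every record that looks like an open vault."""
    return [(p.mountpoint, kind) for p in partitions
            if (kind := classify_mount(p, system))]


# Constructed records taken from the examples in the comment above, plus two
# decoys: an APFS volume whose name contains 42427 and an unrelated FUSE mount.
SAMPLE_MAC = [
    Part("Cryptomator@macfuse0", "/Volumes/test", "macfuse"),
    Part("http://localhost:42427/sq5q-0UyuwBL/test3/", "/Volumes/test3", "webdav"),
    Part("/dev/disk1s1", "/Volumes/backup-42427", "apfs"),
]
SAMPLE_LINUX = [
    Part("fusefs-851974781", "/home/user/.local/share/Cryptomator/mnt/testlinuxvault",
         "fuse.fusefs-851974781"),
    Part("sshfs#host:", "/home/user/remote", "fuse.sshfs"),
]
```

On a real machine, pass psutil.disk_partitions(all=True) and platform.system() to find_cryptomator_mounts() and feed the returned mountpoints to the unmount step.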
@Technoprenerd thanks for your work on this!
Would you mind adding your code and iterating directly on this new repo?
Idea for Cryptomator trigger. Cryptomator (https://cryptomator.org/) creates encrypted volumes. It uses WebDav or Fuse to mount volumes.
On Mac OSX, a script can do the unmounting:
umount --force /Volumes/<CryptomatorVaultName>
or sudo diskutil unmount /Volumes/<CryptomatorVaultName>
The main issue with this, is that the Vault Name should be known for the path to be able to trigger it in a script.
Another idea is to buy and install the Mountain application (https://appgineers.de/mountain/) with HotKeys set for "Unmount external volumes"; it works without knowing all the volume names. The Buskill would trigger a script that presses these hotkeys for the Mountain app to do this. Remarks on this are appreciated.