Open alete89 opened 8 years ago
+1 :+1:
I've tried to copy the files onto my PC and run
openssl aes-256-cbc -d -in c2lnbmFsLTIwMTctMDEtMDgtMTcxNDIy.jpg -out plain-text.jpg
but haven't had any luck yet. Not sure whether or not CBC/CTR/ECB is the default (or if that sentence even makes sense). It seems that the files are also encrypted using a vault-specific salt, so it might be hard to decrypt without knowing it.
I think we'll need some kind of officially supported export.
I'm very much interested in this goal as well.
After browsing the code, it looks like the salt and other encryption details are stored in the .vault file. I imagine the password hash is also stored there but I haven't had time to verify yet. But at a glance it seems like the details in .vault should be enough to get a person the key for decryption.
I've only looked at the source for a few minutes today so not sure if each file has its own encryption key (like Facebook's f4 object storage) or if all files use the same encryption key. I think it might be the latter but just haven't had the time.
I'm hoping to find some time to try to make a little Java utility that can unlock a Secrecy vault, and then probably port that to Python and Perl for convenience if possible.
Of course, I have a million pet projects I'd like to spend time on, but this one would be fun.
I'd love to add some unit tests to this codebase too. That would make this type of task way easier ...
At a glance, it seems like .vault might be encrypted, but according to the source it looks like it's actually just a serialized data structure using Google Protocol Buffers.
So sometime soon I'll look at examining the .vault header on a desktop and see if I can decrypt files in a vault from there...
Btw, it looks like the salt is in the .vault header so that should get us that bit closer.
Notwithstanding the bug with not being able to access the external sd card, interoperability with other operating systems is my only other wishlist item really...
Here's the protocol buffer definition to use with the protocol buffer compiler for the desired lang:
https://github.com/SecrecySupportTeam/secrecy/blob/master/app/src/main/java/SecrecyHeaders.proto
Using the Python tutorial for Protocol Buffers (https://developers.google.com/protocol-buffers/docs/pythontutorial), I've been able to access the salt, the vault initialisation vector, the pbkdf2iterations, and encrypted aes key, which are all stored in .vault. I'm working on Ubuntu on Windows (on Windows 10). So that's cool.
It looks like each file header also contains an initialisation vector for the file and the filename which will be needed for decrypting the files I reckon.
Now to convert the decryption logic from Java to Python...
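Added example (not part of the thread and not the Secrecy project's code): since .vault is described above as a plain Protocol Buffers message, a schema-less walk of the wire format lists its fields without compiling SecrecyHeaders.proto. The field numbers, lengths and values in SAMPLE are constructed for illustration and are not the real header layout.

```python
# Schema-less protobuf wire-format walker (standard library only).
import struct

def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def walk_fields(buf):
    """Return [(field_number, wire_type, value)] for one serialized message."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:                      # varint (ints, bools, enums)
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited (bytes, strings)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of data")
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type in (1, 5):               # fixed 64-bit / fixed 32-bit
            size = 8 if wire_type == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            fmt = "<Q" if size == 8 else "<I"
            value = struct.unpack(fmt, buf[pos:pos + size])[0]
            pos += size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields

# Constructed sample: hypothetical fields 1=salt, 2=IV, 3=iterations, 4=wrapped key.
SAMPLE = (bytes([0x0A, 16]) + bytes(range(16)) + bytes([0x12, 12]) + bytes(12)
          + bytes([0x18, 0xA0, 0x9C, 0x01]) + bytes([0x22, 4]) + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    for number, wire_type, value in walk_fields(SAMPLE):
        shown = value.hex() if isinstance(value, bytes) else value
        print(f"field {number} (wire type {wire_type}): {shown}")
```

Byte-string fields that print as high-entropy hex (salt, IV, wrapped key) alongside readable varints are a quick sign that the container itself is unencrypted and only some fields hold ciphertext.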
Starting to think it might not be worth doing this in Python (at least to start) and that it would be smarter just to use Java to start off with...
I'm glad that I switched to Java from Python. Trying to find equivalent crypto functions in Python was a nightmare. Most of the Java classes are part of the standard library, so it's easy enough to replicate the functionality from the Android app. The only difference is that you need to install BouncyCastle on your system, since it's already baked into Android. But it's available in the Ubuntu 14.04 repositories.
I have written a little Java tool which can decrypt files from an encrypted Secrecy backup. I have verified it by adding a file to Secrecy on an Android phone, taking a backup on the Android phone (ie zipping the files), and then copying that backup over to a desktop. On the desktop, I run the Java tool using some command line arguments, and it successfully decrypts the chosen file and saves it to a clear file on disk.
It's an extremely rough draft at the moment, but I'll look at polishing it up and sharing it on Github. (So I'll host a repo and share the link here.)
@alete89 : I reckon it'll do what you need. @siddharthist : Since it'll do the decryption, you can probably close your bug about an openssl compatible format. Although I had actually thought about going that route at one point when I found Python didn't have the key unwrapping functionality I wanted. In the long-run, it would be interesting to see if a person could do it in Python or with openssl, but... the Java tool works.
I'll try to include explanatory notes in the code. It looks like the .vault file is encrypted with aes-gcm and the individual files with aes-ctr. Well, newer versions of Secrecy would be with aes-ctr I think. I don't know about older ones. Older ones might be aes-cbc or aes-ecb. I think those have just been retained for backward compatibility.
Anyway, the tool seems to work well enough for retrieving data from a backup. I will probably extend it to do things like list files as well so you know what you want (I just happened to know the encrypted filename of what I wanted).
It would be nice to have a GUI for this though. I've only played with WPF and Qt, but I think Java has a number of GUI options. Who knows... maybe I can try to reverse engineer the Java a bit to see if I can get this working with C++ or C#. (Python wouldn't be much help for a GUI project so probably no point going that route in any case.)
Very interesting. Kudos !
Cheers, @Graveen! I notice that you pushed a commit a while ago in 2017. Are you maintaining the project?
Looks like Google Play has version 0.5.3 from 19 Nov 2014, but I only see master, 0.5.0, and 0.6.0 here for branches/tags. I'm curious why Google Play hasn't been updated. I haven't looked at fdroid yet to see its version.
I'm hoping to contribute to the project over time. Is it still active?
I can't publish to the original Secrecy account. Perhaps @Doplgangr could release from time to time? I'm not actively maintaining this project, but I'd be glad to push bugfixes / improvements - this is why I can give you a hand with this and let you know I'm still lurking around ;).
@Graveen, I notice that @Doplgangr is still active on Github, so maybe he could do Google Play releases from time to time or transfer ownership of the app (eg https://support.google.com/googleplay/android-developer/answer/6230247?hl=en) to someone else?
@Graveen, who all has push access to this repository? I'm wondering how many other lurkers there might be ;).
I have a few improvements in mind, although I haven't had time to work on them yet, but thanks for being willing to push them, @Graveen!
First, I'm thinking of splitting out some of the crypto modules into libraries, so that I could use them for the standalone Java tool I made. While my tool works, it's fragile since it doesn't depend on the same modules as Secrecy.
I'm not sure how best to split out the crypto modules though. There are a few options. Using git submodules might work although they can be a hassle. So I was thinking instead of splitting off the crypto modules and then pushing to Maven Central and specifying them as a dependency in the Gradle build. I haven't dealt with Maven Central before though, so I don't know how realistic that is.
I finally got around to installing Android Studio.
I forked this repo and checked it out from Github using Android Studio's Github integration. Worked rather nicely. I had to install some older packages (since my Android Studio was only set up for API levels 25 and 26), and Android Studio updated some of the Gradle details, which I've now committed locally... and now I can build the app!
I think Google Play has version 0.5.3 whereas this git repo is at version 0.6.0. I don't know if stability has been compromised at all between those versions, but I've taken a quick spin and decrypting vaults has worked fine. It said something about upgrading the vaults, but... I think they were already upgraded. Not too worried about that in any case since I'm still just in the testing phase as a user of the app.
Took a moment to just do some string changes, rebuilt, and redeployed to a real phone and it worked great. So that's exciting.
Alas, I don't have much time for working on Android apps, so don't expect too much from me.
That said, I'm keen to work on this app as a pet project. It ticks a number of my hobby boxes. So when I do have time, I might try to work on this.
Before I provide a desktop tool, I'm going to want to split out some core libraries. My current desktop tool is fragile since it duplicates the code in this repo. If both the mobile app and the desktop app rely on the same library, then I'd feel much better about distribution and maintenance of both apps.
I think only @Doplgangr has access to the Secrecy Google Play account and he doesn't seem to be involved here anymore, so that's unfortunate. Any changes I would provide would just be through my own Github fork of this repo. Alternatively, I suppose I could set up a Google Play account for a forked version... but considering @Graveen is still pushing code to this repo, it would be nice to keep this as the canonical repository.
Let's wait a bit to see if @Doplgangr is interested in publishing updates. In the other case, if some changes are pushed, I think we should publish it to the Play Store on our own.
Just made a little tool to decrypt Secrecy encrypted files on a computer.
If this interests some people (I suppose it's the case?) I'll probably make a GUI and improve CLI and publish it on GitHub.
Sounds good to me, @TheKinrar. I made a CLI tool as well but not happy with it yet, so if you keep working on your CLI tool and a GUI tool, that would be awesome. I'm time poor, but happy to test it out when I can : ).
Here is the one I made yesterday. That was because of a personal need to decrypt a lot of files from different vaults. So it could be way better, however it works. ;) I'll improve it but if anyone needs it right now: https://i.thekinrar.fr/secrecy-decryptor/secrecy-decryptor-20171015.jar
It takes the SECRECYFILES folder as a parameter, will ask for the passwords interactively and will output files to secrecy-decrypted-files in the current directory.
(For the source code the main class is here. https://gist.github.com/TheKinrar/5c41d02b29e603fe2674c2b49162ce54
The rest is just some of the libraries used by the Secrecy app, and the Secrecy source code with everything related to Android or not used by the app removed, and some adaptations. So the decryption is performed by the (modified) code of Secrecy, my code just calls it.)
@minusdavid did you update the version of Gradle in the build.gradle file? Which one did you use?
@alete89 it's been a while now since I looked at it so I don't know which version but I think I updated it to whatever version Android Studio thought it should be
Can anyone tell me how far along this decryptor project is right now? I would love to use secrecy+syncthing to back up encrypted files to my computer but I'm stuck with "S.S.E encryption" which does the work but is not open source* (as well as being ugly) :/
*: actually it is
Pretty much self-explanatory. Is there a way? Thanks.