quixand

2014-10-12 23:16 UTC
  • Xyne

Metadata

Description:

A tool for creating single-use unrecoverable encrypted sandboxes.

Latest Version:

2012.12.24.1

Architecture:

  • any

Dependencies:

  • encfs

Arch Repositories:

  • [xyne-any]
  • [xyne-i686]
  • [xyne-x86_64]

AUR ID:

24495

Arch Forum ID:

67019

Tags:

QUIXAND(1)

Name

quixand - create disposable (encrypted) files and directories for use as sandboxes

Synopsis

quixand [options] [paths]

Description

Quixand (pronounced "quicksand") is a tool for easily creating disposable, single-session encrypted sandboxes. Quixand will create an encrypted directory with EncFS using "paranoid" mode and a random key. Once mounted, quixand can create temporary files and directories within the encrypted directory and symlink any file on your system to them. You can then use the symlinked files and directories as you normally would, but any data written to them will not be written to the disk in an unencrypted form. Once unmounted, the data within the encrypted directory should be unrecoverable because the key is not stored anywhere. Typical usage includes sandboxing your browser cache directory, creating secure disposable history files for various apps that you only wish to use for a single session, and creating a general-purpose sandbox for temporary files, for example the contents of a usb stick. The "EXAMPLES" section below should provide further insight into potential uses of quixand.

Technical Information And Caveats

Quixand depends on EncFS (Encrypted Filesystem) to create the encrypted directory. The encrypted directory is created using encfs's "paranoid" mode along with a one-time 256-bit random key generated from /dev/urandom. The key is not stored anywhere. Once the encrypted directory is unmounted, there should be no easy way to recover its contents and thus it is intended for use as a single-session sandbox. The strength of this setup directly depends on EncFS and the user is advised to consult the EncFS documentation in order to familiarize him-/herself with EncFS's strengths and weaknesses. The author of quixand assumes absolutely no liability for its use and the user uses quixand entire at his or her own risk.

EncFS does not require a fixed amount of space and thus bypasses the need to pre-allocate disk space and set up partitions etc. The encrypted directory will grow as needed and will only be limited by the amount of space available in /tmp.

To improve the security of the setup, it is recommended that the user either encrypt their swap partition with a one-time key at boot or disable swap completely to prevent the contents of memory from being written to the disk during operation.

Options

-c, --config /path/to/dir
Specify a configuration directory. Currently the only purpose of the configuration directory is to track the working quixand directory. Default: ~/.quixand
-d, --dir
Specify directories for symlinking. See notes below
--encfs-args
Specify additional command-line arguments to encfs. See notes below.
--file
Specify files for symlinking. See (1) below.
-f, --force
Force symlinks even if they already point to the working quixand directory.
--help
Display this message.
--plain
Place files and directories in a plain-text directory instead of one encrypted with EncFS. This may be useful if you are using an already encrypted /tmp partition
-p, --purge
Purge the working quixand directory and remove any passed symlinks. This is the recommended way of shutting down your current quixand setup. See "--renew" if you wish to reset your setup rather than shut it down.
-r, --renew
Purge the setup and create a new one. --renew implies --purge, see --purge
--wipe-with "/path/to/wiper [args]"
Use /path/to/wiper to wipe files instead of just removing them. Make sure to enclose all arguments to the wiper within the string beginning with the path.

Notes

The --dir, --encfs-args and --file arguments act as switches. By default, all non-option arguments passed to quixand will be considered files that should be symlinked. If "--dir" or "--encfs-args" is encountered then they will be interpretted as dirs that should be symlinked or additional arguments to encfs, respectively. Consider the following examples:

  • Create 3 file symlinks.

    quixand foo bar baz
  • Create 1 file symlink (foo) and 2 dir symlinks (bar,baz).

    quixand foo --dir bar baz
  • Create 2 file symlinks (foo,baz) and 1 dir symlink (bar).

    quixand foo --dir bar --file baz

Examples

  • Create a sandbox in your home dir.

    quixand -d ~/sandbox
  • Sandbox your image thumbnails in ~/.thumbnails.

    quixand -d ~/.thumbnails
  • Sandbox your bash history.

    quixand ~/.bash_history
  • Sandbox your Firefox cache.

    quixand -d ~/.mozilla/firefox/<profile>/Cache
  • Do all of the above when you first log in by adding the following line to ~/.bash_profile.

    quixand ~/.bash_history -d ~/sandbox ~/.thumbnails ~/.mozilla/firefox/<profile>/Cache
  • Purge all of the above.

    quixand -p ~/.bash_history -d ~/sandbox ~/.thumbnails ~/.mozilla/firefox/<profile>/Cache
Contact
echo xyne.archlinux.ca | sed 's/\./@/'
Feeds
Blog News
Validation
XHTML 1.0 Strict CSS level 3 Atom 1.0