Saturday, April 4, 2015

Using MiniLock to encrypt files (safely email configuration files)

Minilock is a simple, easy to use file encryption extension for Chrome browsers. It's written by Nadim Kobeissi, the guy who wrote Cryptocat. The code has been audited and reviewed by the penetration testing company Cure53 with support from the Open Technology Fund. See the reference links below for more information about Minilock's design and a review by Steve Gibson of Security Now.

To get started with Minilock all you do is install the extension from the Chrome app store, start the app and enter your email address and a passphrase. Minilock runs an entropy check on your passphrase and, if it isn't strong enough, offers a generated passphrase instead. I took the offered passphrase; it was long and there was no way I would remember it, but I use Lastpass to store my passphrases so I didn't care. Minilock is a Trust No One (TNO) application: if you forget your passphrase it CANNOT be recovered.

Minilock takes the email address and the passphrase and derives a private/public key pair from them. The beauty of Minilock is that it uses Daniel Bernstein's Curve25519 crypto, so the public key is very short. You can easily tweet it to anyone who needs to send you an encrypted file. It's easy enough to use that there is no longer a reason to send a configuration file or password list unencrypted in an email.

[Screenshot: Apps Icon]

After the extension is installed you click the Google Apps icon. You can right click on the icon and create a shortcut for future use. After you enter the email and passphrase click the arrow. Minilock will create the key pair and display your public key. Minilock calls the public key your "Minilock ID". You can save the Minilock ID but Minilock displays it every time you start the App.

You can tweet the Minilock ID, put it in your email signature, business card, etc. because it's the public part of the public/private key pair. This is the beauty of Public Key Infrastructure (PKI) crypto. You can create secure communications over an untrusted medium using a public key.

To encrypt a file, simply start the app, enter your email and passphrase. Minilock will display a link you can click to browse for a file or it allows you to drag and drop a file. Your Minilock ID will be displayed so that you can copy it and send it to someone else.
[Screenshot: File Selection Dialog]

Once you drag and drop or open a file it will be encrypted (and authenticated) and saved with a .minilock extension in the downloads folder. Minilock will display a new dialog asking you to enter the Minilock ID for the people who are allowed to decrypt the file.

You can add several IDs at once. The file size doesn't grow much at all as you add more IDs. One nice feature of Minilock is that none of the users will get any information about the other users that are allowed to open the file.

From the Minilock design document: "Another feature is that analyzing a miniLock-encrypted file does not yield the miniLock IDs or identities of the sender or the recipient(s). Upon decryption, a legitimate recipient will be able to know and verify the identity of the sender, but will still be unable to determine the identity of other potential recipients."
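To make the mechanics behind the last few paragraphs concrete (key pair derived from email and passphrase, a short tweetable ID, one wrapped copy of the file key per recipient, recipients hidden from each other, sender verifiable only by a recipient), here is a toy Python model of a miniLock-style file. This is an added example, not miniLock's own code, and it does not produce real .minilock files: X25519 is implemented inline from RFC 7748, an HMAC-SHA256 construction stands in for NaCl's XSalsa20-Poly1305, the DH output is hashed with SHA-256, and the scrypt work factor is lowered so it runs quickly. The ID format (Base58 of the public key plus a one-byte BLAKE2s checksum) and the two-layer header layout are my reading of the design document, stated here as assumptions rather than taken from the post.

```python
"""Toy miniLock-style file encryption (added example, not miniLock's code).

Shape, as the post describes it: email + passphrase -> scrypt -> Curve25519
key pair; public key (Base58 + BLAKE2s checksum byte) = miniLock ID; a random
file key encrypts the body; that key is wrapped once per recipient, under an
ephemeral key outside and the sender's long-term key inside.  Assumed stand-ins:
inline RFC 7748 X25519; HMAC-SHA256 counter mode + HMAC tag instead of NaCl's
XSalsa20-Poly1305; SHA-256 over the DH output; scrypt n lowered from 2**17.
"""
import hashlib
import hmac
import os
import struct

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ENTRY_LEN = 160  # outer wrap: 16 nonce + (32 sender pk + 80 inner wrap) + 32 tag

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder, RFC 7748 section 5 (not constant-time; demo only)."""
    k = bytearray(k)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64
    s, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (s >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_keypair(email: str, passphrase: str) -> tuple:
    """Private key = scrypt(passphrase, salt=email); n lowered here (assumption)."""
    sk = hashlib.scrypt(passphrase.encode(), salt=email.encode(), n=2**14, r=8,
                        p=1, maxmem=64 * 1024 * 1024, dklen=32)
    return sk, x25519(sk, BASEPOINT)

def minilock_id(pk: bytes) -> str:
    """Base58(pk || 1-byte BLAKE2s(pk)): the short, tweetable ID (assumed format)."""
    n, out = int.from_bytes(pk + hashlib.blake2s(pk, digest_size=1).digest(), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def _stream(ek: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.digest(ek, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range(length // 32 + 1))

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for NaCl secretbox (assumption, see above)."""
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def _open(key: bytes, blob: bytes) -> bytes:
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, nonce + ct, "sha256")):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(ek, nonce, len(ct))))

def _shared(sk: bytes, pk: bytes) -> bytes:
    return hashlib.sha256(x25519(sk, pk)).digest()

def encrypt_file(sender_sk: bytes, recipient_pks: list, plaintext: bytes) -> bytes:
    file_key, eph_sk = os.urandom(32), os.urandom(32)
    sender_pk, entries = x25519(sender_sk, BASEPOINT), []
    for pk in recipient_pks:
        inner = _seal(_shared(sender_sk, pk), file_key)      # proves who the sender is
        entries.append(_seal(_shared(eph_sk, pk), sender_pk + inner))  # hides the sender
    header = struct.pack(">H", len(entries)) + x25519(eph_sk, BASEPOINT)
    return header + b"".join(entries) + _seal(file_key, plaintext)

def decrypt_file(recipient_sk: bytes, blob: bytes) -> tuple:
    n, eph_pk = struct.unpack(">H", blob[:2])[0], blob[2:34]
    body, outer_key = blob[34 + n * ENTRY_LEN:], _shared(recipient_sk, eph_pk)
    for i in range(n):  # try each entry; the others stay opaque to this recipient
        try:
            opened = _open(outer_key, blob[34 + i * ENTRY_LEN:34 + (i + 1) * ENTRY_LEN])
        except ValueError:
            continue  # wrapped for somebody else, and says nothing about whom
        sender_pk, inner = opened[:32], opened[32:]
        file_key = _open(_shared(recipient_sk, sender_pk), inner)  # fails if sender forged
        return sender_pk, _open(file_key, body)
    raise ValueError("this key is not a recipient of the file")

if __name__ == "__main__":  # constructed sample identities, not real accounts
    alice_sk, alice_pk = derive_keypair("alice@example.com", "correct horse battery staple")
    bob_sk, bob_pk = derive_keypair("bob@example.com", "a different long passphrase")
    blob = encrypt_file(alice_sk, [bob_pk], b"db_password = example-only\n")
    print(decrypt_file(bob_sk, blob)[1], "from", minilock_id(alice_pk))
```

Two things the model makes visible that the post states in prose: each extra recipient adds one fixed-size header entry (160 bytes here), which is why the file barely grows, and a key that is not on the recipient list fails on every entry without learning which entry belongs to whom. It also shows the limit of "verify the identity of the sender": what a recipient verifies is the key that sent the file, so the ID you encrypt to, and the sender ID you check on decryption, are only as trustworthy as the channel you got them from.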

[Screenshot: Add "Allowed Users" Dialog]
Once you add the Minilock IDs of the recipients click the arrow. The file will be encrypted and a new dialog will appear. Click the arrow to save the file to the downloads folder.

Now you can email the file without worrying about it being intercepted and compromised.

Chrome has become the number one browser, and Minilock is easy enough to use that you should seriously consider it any time you have to email a file with sensitive data in it.

References

Minilock Design Document
Security Now 501 Show Notes - includes a review of Minilock
My Minilock ID - 22LXKQertj4op8vCjpWNmGJyaGPryp3BEFv8d2y4rTzG4Q
