Encrypted partition path derivation via linear search through incrementally encoded packed data

locate is a lightning-fast command line search utility. It first hit the press in the early 80s when James A. Woods proclaimed the tradeoff of nightly updates is worth it for sub-second filesystem path matches.

The proposed architecture is simple but effective: incrementally encode all paths in a purpose-built binary database and perform matches with linear search. Since nearly all matches are partial, linear search generally outperforms binary search or other optimizations. Maintainers have followed this original architecture to the present day.

The indexer is called updatedb and it generally runs nightly, as root. If you have an encrypted home partition (and you should) nothing in your $HOME will be indexed. One workaround is to index it yourself. To maintain security I recommend storing the index inside your $HOME.

I like to use anacron since it automatically performs a catch-up run if necessary. This is handy for “daily would be nice” jobs that don’t need to run at an exact hour/minute of the day.

Here’s how to do it.

Add this to your crontab (this is one long line). This fires off your own personal anacron:

@hourly /usr/sbin/anacron -s -t $HOME/.anacrontab -S $HOME/.anacron

Add this to $HOME/.anacrontab to run your indexer daily (that’s the “1”) and after a 10 minute delay (that’s the “10”):

1 10 indexhome $HOME/bin/index-encrypted-homedir

Create the executable file $HOME/bin/index-encrypted-homedir with these contents:

#!/bin/bash
 
set -o errexit
set -o nounset
set -o pipefail
 
mkdir -p "$HOME/.var" "$HOME/.anacron"
updatedb -l 0 -n '.meteor .cache' -o "$HOME/.var/locate.db"

Finally, add this to your $HOME/.bashrc:

export LOCATE_PATH="$HOME/.var/locate.db"

3 Reasons Why You Should Never Use Enlocked

Enlocked advertises easy, secure email. Sounds good to me! My current solution (Thunderbird+Enigmail) works, barely, but it is a big pain in the tukhus. I’d go for something better. Heck, I’d pay for it. And Enlocked is free!

I gave their Chrome plugin a try. Installation was a breeze and it worked exactly as advertised. It integrates almost seamlessly into GMail (when replying, quoted text is still encrypted, but they’ll probably fix that soon). It really was friendly enough for anyone! But I’m not dusting off the old blog just to tell you that. No ma’am.

Unicorn and Cow (and sentry)

1. They encrypt and decrypt using their own key.

If you’ve ever spent the not-insignificant time to learn and use PGP yourself, you’ll know that one point of going through all the trouble is complete, end-to-end encryption. You don’t have to trust your email handlers. Any of them. And there can be many! So, uh, you just never give your private key to anyone, ok? Everyone gets their own keys (there are plenty for everyone, and they’re free!). That’s the way PGP works.

I should say that I’m not positive Enlocked uses their own key. It could just be a key they generate using some secret they securely get through you via OpenID or something fancy like that (even so, they’re free to brute force your secret day and night since they have the key). But without knowing for sure, you might as well assume it’s their key and they can decrypt your messages anytime they darn well please. Or if someone forces them to decrypt messages (like a government, or someone with lots of power or money), same result.

2. They encrypt and decrypt on their servers.

From their How it Works page:

The systems at Enlocked only have access to your messages for the short time we are encrypting or decrypting them, and then our software instantly removes any copies.

This is really more of the first reason (no end-to-end encryption), but it’s just another place where their inevitable security breach could occur.

3. Their software is closed-source.

If you know me you know I’m a Free² Software zealot, so you expect this kind of propaganda from me. But transparency is really important where the actual encryption and decryption takes place. They must at least make their client-side code available for review.

Sorry Enlocked, nobody serious about security will adopt your software until you address these issues.

Disclaimer: I’m no security expert. But Bruce Schneier is. If you really want to get schooled on security, read anything he’s written. For instance: Secrets and Lies: Digital Security in a Networked World.

Ubuntu and Encryption

Encryption is a nice security feature that makes it significantly harder for someone to mine your data if, for instance, your latptop is stolen.

If you install Ubuntu with the alternate installer disk, encryption takes only a few keystrokes. Here are two tutorials with screenshots.

If you only need to encrypt a single file, just right-click on the file in the File Browser and click “Encrypt”.