mirror of
https://github.com/jrnl-org/jrnl.git
synced 2025-05-20 21:18:32 +02:00
added note that pycrypto
is required
made other small changes for grammar and clarity
This commit is contained in:
parent
0fa21d7532
commit
ffe6e9070d
1 changed files with 45 additions and 37 deletions
|
@ -1,60 +1,68 @@
|
||||||
# Encryption
|
# Encryption
|
||||||
|
|
||||||
## Encrypting and decrypting
|
## `pycrypto`
|
||||||
|
|
||||||
If you don’t choose to encrypt your file when you run
|
Please note that _all_ of `jrnl`'s encryption functions require `pycrypto`,
|
||||||
`jrnl` for the first time, you can encrypt
|
which can be installed using `pip`:
|
||||||
your existing journal file or change its password using this:
|
|
||||||
|
```sh
|
||||||
|
pip3 install pycrypto
|
||||||
|
```
|
||||||
|
|
||||||
|
## Encrypting and Decrypting
|
||||||
|
|
||||||
|
If you chose not to encrypt your file when you ran `jrnl` for the first time,
|
||||||
|
you can still encrypt your existing journal file or change its password using
|
||||||
|
the following command:
|
||||||
|
|
||||||
``` sh
|
``` sh
|
||||||
jrnl --encrypt
|
jrnl --encrypt
|
||||||
```
|
```
|
||||||
|
|
||||||
If it is already encrypted, you will first be asked for the current
|
If your file is already encrypted, you will first be asked for the current
|
||||||
password. You can then enter a new password and your plain journal will
|
password. You can then enter a new password, and your unencrypted file will
|
||||||
replaced by the encrypted file. Conversely,
|
replaced with the new encrypted file. Conversely,
|
||||||
|
|
||||||
``` sh
|
``` sh
|
||||||
jrnl --decrypt
|
jrnl --decrypt
|
||||||
```
|
```
|
||||||
|
|
||||||
will replace your encrypted journal file with a journal in plain text. You
|
replaces your encrypted journal file with a journal in plain text. You can also
|
||||||
can also specify a filename, i.e. `jrnl --decrypt plain_text_copy.txt`,
|
specify a filename, e.g., `jrnl --decrypt plain_text_copy.txt`, to leave the
|
||||||
to leave your original file untouched.
|
original encrypted file untouched and create a new plain text file next to it.
|
||||||
|
|
||||||
## Storing passwords in your keychain
|
## Storing Passwords in Your Keychain
|
||||||
|
|
||||||
Whenever you encrypt your journal, you are asked whether you want to
|
When you encrypt your journal, you will be asked whether you want to store the
|
||||||
store the encryption password in your keychain. If you do this, you
|
encryption password in your keychain. This saves you the trouble of having to
|
||||||
won’t have to enter your password every time you want to write or read
|
enter your password every time you want to write in or read your journal.
|
||||||
your journal.
|
|
||||||
|
|
||||||
If you don’t initially store the password in the keychain but decide to
|
If you don't initially store the password in the keychain but decide to do so at
|
||||||
do so at a later point – or maybe want to store it on one computer but
|
a later point---or if you want to store it in one computer's keychain but not
|
||||||
not on another – you can run `jrnl --encrypt` on an encrypted
|
in another computer's---you can run `jrnl --encrypt` on an encrypted journal
|
||||||
journal and use the same password again.
|
and use the same password again. This will trigger the keychain storage prompt.
|
||||||
|
|
||||||
## A note on security
|
## A Note on Security
|
||||||
|
|
||||||
While `jrnl` follows best practices, total security is an illusion.
|
While `jrnl` follows best practices, total security is never possible in the
|
||||||
There are a number of ways that people can at least partially
|
real world. There are a number of ways that people can at least partially
|
||||||
compromise your `jrnl` data. See the [Privacy and Security](./security.md)
|
compromise your `jrnl` data. See the [Privacy and Security](./security.md)
|
||||||
documentation for more information.
|
page for more information.
|
||||||
|
|
||||||
## No password recovery
|
## Password Recovery
|
||||||
|
|
||||||
There is no method to recover or reset your `jrnl` password. If you lose it,
|
There is no method to recover or reset your `jrnl` password. If you lose it,
|
||||||
your data is inaccessible.
|
your data is inaccessible forever.
|
||||||
|
|
||||||
## Manual decryption
|
## Manual Decryption
|
||||||
|
|
||||||
Should you ever want to decrypt your journal manually, you can do so
|
Should you ever want to decrypt your journal manually, you can do so with any
|
||||||
with any program that supports the AES algorithm in CBC. The key used
|
program that supports the AES algorithm in CBC. The key used for encryption is
|
||||||
for encryption is the SHA-256-hash of your password, the IV
|
the SHA-256 hash of your password. The IV (initialization vector) is stored in
|
||||||
(initialisation vector) is stored in the first 16 bytes of the encrypted
|
the first 16 bytes of the encrypted file. The plain text is encoded in UTF-8 and
|
||||||
file. The plain text is encoded in UTF-8 and padded according to PKCS\#7
|
padded according to PKCS\#7 before being encrypted.
|
||||||
before being encrypted. Here’s a Python script that you can use to
|
|
||||||
decrypt your journal:
|
Here is a Python script that you can use to decrypt your journal:
|
||||||
|
|
||||||
``` python
|
``` python
|
||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
|
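Review bot: the renamed heading `## Password Recovery` now promises the opposite of what its section says (there is no method to recover or reset the password); `## No Password Recovery`, keeping the new title case, would match the content. Two smaller points in the same hunk: the Manual Decryption paragraph documents that the key is the bare SHA-256 hash of the password, with no salt or key stretching, so a sentence telling readers that the password's strength is the only thing protecting an encrypted file against offline guessing would be a useful addition; and the new `pip3 install pycrypto` block neither names a version nor notes that pycrypto has had no release since 2013, so consider stating the version jrnl requires or pointing at a maintained successor. The new fence there is also written ` ```sh ` while every other fence in the file uses ` ``` sh `.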
@ -66,18 +74,18 @@ import hashlib
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
parser = argparse.ArgumentParser()
|
parser = argparse.ArgumentParser()
|
||||||
parser.add_argument("filepath", help="journal file to decrypt")
|
parser.add_argument(“filepath”, help=”journal file to decrypt”)
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
pwd = getpass.getpass()
|
pwd = getpass.getpass()
|
||||||
key = hashlib.sha256(pwd.encode('utf-8')).digest()
|
key = hashlib.sha256(pwd.encode(‘utf-8’)).digest()
|
||||||
|
|
||||||
with open(args.filepath, 'rb') as f:
|
with open(args.filepath, ‘rb’) as f:
|
||||||
ciphertext = f.read()
|
ciphertext = f.read()
|
||||||
|
|
||||||
crypto = AES.new(key, AES.MODE_CBC, ciphertext[:16])
|
crypto = AES.new(key, AES.MODE_CBC, ciphertext[:16])
|
||||||
plain = crypto.decrypt(ciphertext[16:])
|
plain = crypto.decrypt(ciphertext[16:])
|
||||||
plain = plain.strip(plain[-1:])
|
plain = plain.strip(plain[-1:])
|
||||||
plain = plain.decode("utf-8")
|
plain = plain.decode(“utf-8”)
|
||||||
print(plain)
|
print(plain)
|
||||||
```
|
```
|
||||||
|
|
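Review bot: the new side of this hunk replaces the script's straight quotes with typographic ones, for example `parser.add_argument(“filepath”, help=”journal file to decrypt”)`, `key = hashlib.sha256(pwd.encode(‘utf-8’)).digest()` and `with open(args.filepath, ‘rb’) as f:`; Python rejects these as a syntax error, so the documented decryption script no longer runs. Restore the ASCII `"` and `'` on all four affected lines. Unchanged here but worth fixing while the script is being touched: `plain = plain.strip(plain[-1:])` is not PKCS#7 unpadding, because `bytes.strip` removes every leading and trailing byte equal to the pad value instead of exactly the last N bytes, so an entry that begins or ends with a byte equal to the pad length is silently truncated; `plain = plain[:-plain[-1]]` is the correct form.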