added note that pycrypto is required

made other small changes for grammar and clarity
Guy B. deBros 2020-06-08 07:53:35 -04:00 committed by Jonathan Wren
parent 0fa21d7532
commit ffe6e9070d
No known key found for this signature in database
GPG key ID: 43D5FF8722E7F68A

@ -1,60 +1,68 @@
# Encryption # Encryption
## Encrypting and decrypting ## `pycrypto`
If you dont choose to encrypt your file when you run Please note that _all_ of `jrnl`'s encryption functions require `pycrypto`,
`jrnl` for the first time, you can encrypt which can be installed using `pip`:
your existing journal file or change its password using this:
```sh
pip3 install pycrypto
```
## Encrypting and Decrypting
If you chose not to encrypt your file when you ran `jrnl` for the first time,
you can still encrypt your existing journal file or change its password using
the following command:
``` sh ``` sh
jrnl --encrypt jrnl --encrypt
``` ```
If it is already encrypted, you will first be asked for the current If your file is already encrypted, you will first be asked for the current
password. You can then enter a new password and your plain journal will password. You can then enter a new password, and your unencrypted file will
replaced by the encrypted file. Conversely, replaced with the new encrypted file. Conversely,
``` sh ``` sh
jrnl --decrypt jrnl --decrypt
``` ```
will replace your encrypted journal file with a journal in plain text. You replaces your encrypted journal file with a journal in plain text. You can also
can also specify a filename, i.e. `jrnl --decrypt plain_text_copy.txt`, specify a filename, e.g., `jrnl --decrypt plain_text_copy.txt`, to leave the
to leave your original file untouched. original encrypted file untouched and create a new plain text file next to it.
## Storing passwords in your keychain ## Storing Passwords in Your Keychain
Whenever you encrypt your journal, you are asked whether you want to When you encrypt your journal, you will be asked whether you want to store the
store the encryption password in your keychain. If you do this, you encryption password in your keychain. This saves you the trouble of having to
wont have to enter your password every time you want to write or read enter your password every time you want to write in or read your journal.
your journal.
If you dont initially store the password in the keychain but decide to If you don't initially store the password in the keychain but decide to do so at
do so at a later point or maybe want to store it on one computer but a later point---or if you want to store it in one computer's keychain but not
not on another you can run `jrnl --encrypt` on an encrypted in another computer's---you can run `jrnl --encrypt` on an encrypted journal
journal and use the same password again. and use the same password again. This will trigger the keychain storage prompt.
## A note on security ## A Note on Security
While `jrnl` follows best practices, total security is an illusion. While `jrnl` follows best practices, total security is never possible in the
There are a number of ways that people can at least partially real world. There are a number of ways that people can at least partially
compromise your `jrnl` data. See the [Privacy and Security](./security.md) compromise your `jrnl` data. See the [Privacy and Security](./security.md)
documentation for more information. page for more information.
## No password recovery ## Password Recovery
There is no method to recover or reset your `jrnl` password. If you lose it, There is no method to recover or reset your `jrnl` password. If you lose it,
your data is inaccessible. your data is inaccessible forever.
## Manual decryption ## Manual Decryption
Should you ever want to decrypt your journal manually, you can do so Should you ever want to decrypt your journal manually, you can do so with any
with any program that supports the AES algorithm in CBC. The key used program that supports the AES algorithm in CBC. The key used for encryption is
for encryption is the SHA-256-hash of your password, the IV the SHA-256 hash of your password. The IV (initialization vector) is stored in
(initialisation vector) is stored in the first 16 bytes of the encrypted the first 16 bytes of the encrypted file. The plain text is encoded in UTF-8 and
file. The plain text is encoded in UTF-8 and padded according to PKCS\#7 padded according to PKCS\#7 before being encrypted.
before being encrypted. Heres a Python script that you can use to
decrypt your journal: Here is a Python script that you can use to decrypt your journal:
``` python ``` python
#!/usr/bin/env python3 #!/usr/bin/env python3
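Review bot: In the paragraph after `jrnl --encrypt`, the new text still reads "your unencrypted file will replaced with the new encrypted file"; the missing "be" was carried over from the old wording and should be fixed as "will be replaced" in a commit that is about grammar. The renamed heading "Password Recovery" now suggests a recovery procedure exists, while the paragraph under it says there is no method to recover or reset the password; keeping "No Password Recovery" would match the content. In the new `pycrypto` section, consider saying that the same package is what the manual decryption script's `AES` import relies on, since the section states that all encryption functions require it but the script further down does not mention the dependency.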
@ -66,18 +74,18 @@ import hashlib
import sys import sys
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("filepath", help="journal file to decrypt") parser.add_argument(“filepath”, help=”journal file to decrypt”)
args = parser.parse_args() args = parser.parse_args()
pwd = getpass.getpass() pwd = getpass.getpass()
key = hashlib.sha256(pwd.encode('utf-8')).digest() key = hashlib.sha256(pwd.encode(utf-8)).digest()
with open(args.filepath, 'rb') as f: with open(args.filepath, rb) as f:
ciphertext = f.read() ciphertext = f.read()
crypto = AES.new(key, AES.MODE_CBC, ciphertext[:16]) crypto = AES.new(key, AES.MODE_CBC, ciphertext[:16])
plain = crypto.decrypt(ciphertext[16:]) plain = crypto.decrypt(ciphertext[16:])
plain = plain.strip(plain[-1:]) plain = plain.strip(plain[-1:])
plain = plain.decode("utf-8") plain = plain.decode(“utf-8”)
print(plain) print(plain)
``` ```
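Review bot: The new side of the script no longer parses: `parser.add_argument(“filepath”, help=”journal file to decrypt”)` and `plain.decode(“utf-8”)` use typographic quotes, and `pwd.encode(utf-8)` and `open(args.filepath, rb)` have lost their quotes entirely, so anyone copying the block gets a SyntaxError instead of a decrypted journal. Restore the straight-quoted forms from the old side (`"filepath"`, `'utf-8'`, `'rb'`, `"utf-8"`). Separately, the unchanged line `plain = plain.strip(plain[-1:])` strips every leading and trailing byte equal to the last byte instead of removing the number of bytes that the PKCS#7 pad value encodes, so it can remove real journal bytes (for example trailing newlines when the pad value is 0x0a); `plain = plain[:-plain[-1]]` removes exactly the padding.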