s83/privacy-guides
1
0
Fork 0
mirror of https://github.com/sunknudsen/privacy-guides.git synced 2025-02-23 09:13:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added VeraCrypt guide

Browse Source
This commit is contained in:
Sun Knudsen 2020-08-27 11:18:39 -04:00
parent d214866127
commit 3f385d828b
No known key found for this signature in database
GPG Key ID: 1FA767862BBD1305
2 changed files with 241 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

233
how-to-backup-and-encrypt-data-privately-and-securely-using-rsync-and-veracrypt-on-macos/README.md Normal file
View File

@ -0,0 +1,233 @@
<!--
Title: How to backup and encrypt data privately and securely using rsync and VeraCrypt on macOS
Description: Learn how to backup and encrypt data privately and securely using rsync and VeraCrypt on macOS.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Publication date: 2020-08-26T14:07:36.767Z
-->
# How to backup and encrypt data privately and securely using rsync and VeraCrypt on macOS
## Requirements
- Computer running macOS Mojave or Catalina
## Caveats
- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
- When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
## Setup guide
### Step 1: download and install [FUSE](https://osxfuse.github.io/)
Go to https://osxfuse.github.io/, download and install latest release.
### Step 2: install [GnuPG](https://gnupg.org/)
Follow steps from [How to encrypt, sign and decrypt messages using PGP on macOS (adding privacy to email)](../how-to-encrypt-sign-and-decrypt-messages-using-pgp-on-macos-adding-privacy-to-email) guide.
### Step 3: import VeraCrypts public key
```console
$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x821ACD02680D16DE
gpg: key 0x821ACD02680D16DE: public key "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
### Step 4: download [VeraCrypt](https://www.veracrypt.fr/en/Home.html)
Go to https://www.veracrypt.fr/en/Downloads.html and download latest release and its associated PGP signature to `~/Downloads` folder.
### Step 5: verify VeraCrypt release signature using GnuPG
Replace `VeraCrypt_1.24-Update7` with current release.
```console
$ gpg --verify ~/Downloads/VeraCrypt_1.24-Update7.dmg.sig
gpg: assuming signed data in '/Users/sunknudsen/Downloads/VeraCrypt_1.24-Update7.dmg'
gpg: Signature made Sat 8 Aug 14:20:27 2020 EDT
gpg: using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5069 A233 D55A 0EEB 174A 5FC3 821A CD02 680D 16DE
```
Good signature
👍
### Step 6: install VeraCrypt
### Step 7: create and test VeraCrypt symlink
```console
$ ln -s /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt /usr/local/bin/veracrypt
$ veracrypt --text --version
VeraCrypt 1.24-Update7
```
VeraCrypt 1.24-Update7
👍
### Step 8: set temporary environment variable
> Heads up: using `.b` as encrypted volume path to make things inconspicuous (files that start with `.` are hidden on macOS, use <kbd>cmd+shift+.</kbd> to display them).
`BACKUP_VOLUME_PATH` path to VeraCrypt volume
```shell
BACKUP_VOLUME_PATH="/Volumes/Samsung BAR/.b"
```
### Step 9: create encrypted volume
> Heads up: volume size cannot be increased later.
> Heads up: Mac OS Extended filesystem required on macOS.
```console
$ veracrypt --text --create "$BACKUP_VOLUME_PATH"
Volume type:
1) Normal
2) Hidden
Select [1]:
Enter volume size (sizeK/size[M]/sizeG): 1G
Encryption Algorithm:
1) AES
2) Serpent
3) Twofish
4) Camellia
5) Kuznyechik
6) AES(Twofish)
7) AES(Twofish(Serpent))
8) Camellia(Kuznyechik)
9) Camellia(Serpent)
10) Kuznyechik(AES)
11) Kuznyechik(Serpent(Camellia))
12) Kuznyechik(Twofish)
13) Serpent(AES)
14) Serpent(Twofish(AES))
15) Twofish(Serpent)
Select [1]:
Hash algorithm:
1) SHA-512
2) Whirlpool
3) SHA-256
4) Streebog
Select [1]:
Filesystem:
1) None
2) FAT
3) Mac OS Extended
4) exFAT
5) APFS
Select [3]:
Enter password:
Re-enter password:
Enter PIM:
Enter keyfile path [none]:
Please type at least 320 randomly chosen characters and then press Enter:
Done: 100.000% Speed: 245 MiB/s Left: 0 s
The VeraCrypt volume has been successfully created.
```
### Step 10 (optional): mount, rename and dismount encrypted volume
By default, VeraCrypt encrypted volumes are named "untitled".
#### Mount encrypted volume
```console
$ veracrypt --text --mount --pim 0 --keyfiles "" --protect-hidden no "$BACKUP_VOLUME_PATH" /Volumes/Backup
Enter password for /Volumes/SAMSUNG BAR/.b:
```
#### Rename encrypted volume
```console
$ diskutil rename "untitled" "Backup"
Volume on disk3 renamed to Backup
```
#### Dismount encrypted volume
```shell
veracrypt --text --dismount "$BACKUP_VOLUME_PATH"
```
### Step 11: create backup script
```shell
cat << EOF > /usr/local/sbin/backup.sh
#! /bin/sh
set -e
if [ "\$(id -u)" != "0" ]; then
echo "This script must run as root"
exit 1
fi
red=$'\e[1;31m'
end=$'\e[0m'
veracrypt --text --mount --pim 0 --keyfiles "" --protect-hidden no "$BACKUP_VOLUME_PATH" /Volumes/Backup
declare -a files=(
"/Users/$(whoami)/.gnupg"
"/Users/$(whoami)/.ssh"
"/Users/$(whoami)/Library/Keychains"
)
for file in "\${files[@]}"; do
rsync -axRS --delete "\$file" /Volumes/Backup
done
printf "\${red}Inspect backup and press enter\${end}"
read -r answer
veracrypt --text --dismount "$BACKUP_VOLUME_PATH"
echo "Done"
EOF
chmod +x /usr/local/sbin/backup.sh
```
### Step 12: edit backup script
```shell
vi /usr/local/sbin/backup.sh
```
Press <kbd>i</kbd> to enter edit mode, edit backup script, press <kbd>esc</kbd> to exit edit mode and press <kbd>shift+z+z</kbd> to save and exit.
## Usage guide
```console
$ sudo backup.sh
Password:
Enter password for /Volumes/Samsung BAR/.b:
Inspect backup and press enter
Done
```
Done
👍

8
how-to-configure-self-hosted-vpn-kill-switch-using-pf-firewall-on-macos/README.md
View File

@ -287,6 +287,8 @@ Use `socketfilterfw` to block specific apps.
cat << "EOF" > /usr/local/sbin/strict.sh cat << "EOF" > /usr/local/sbin/strict.sh
#! /bin/sh #! /bin/sh
set -e
if [ "$(id -u)" != "0" ]; then if [ "$(id -u)" != "0" ]; then
echo "This script must run as root" echo "This script must run as root"
exit 1 exit 1
@ -308,6 +310,8 @@ printf "\n"
pfctl -F all -f /etc/pf.conf pfctl -F all -f /etc/pf.conf
printf "\n%s" "${green}Strict mode enabled${end}" printf "\n%s" "${green}Strict mode enabled${end}"
exit 0
EOF EOF
chmod +x /usr/local/sbin/strict.sh chmod +x /usr/local/sbin/strict.sh
``` ```
@ -320,6 +324,8 @@ Use `socketfilterfw` to unblock specific apps (useful to allow 1Passwords [lo
cat << "EOF" > /usr/local/sbin/trusted.sh cat << "EOF" > /usr/local/sbin/trusted.sh
#! /bin/sh #! /bin/sh
set -e
if [ "$(id -u)" != "0" ]; then if [ "$(id -u)" != "0" ]; then
echo "This script must run as root" echo "This script must run as root"
exit 1 exit 1
@ -364,6 +370,8 @@ chmod +x /usr/local/sbin/trusted.sh
cat << "EOF" > /usr/local/sbin/disabled.sh cat << "EOF" > /usr/local/sbin/disabled.sh
#! /bin/sh #! /bin/sh
set -e
if [ "$(id -u)" != "0" ]; then if [ "$(id -u)" != "0" ]; then
echo "This script must run as root" echo "This script must run as root"
exit 1 exit 1