Crypt Drive is designed to manage encrypted uploads to cloud storage (Google Drive), store keys in a password protected database. Allows the user to share the unlock key & nonce via a temporary password protected encryption through emails & a password provided via sms text message. After unlock components are received the user downloads the shared encrypted data from drive and uses the program to import the key then decrypt it. Crypt Drive also is able to store and rebuild recursive file systems via database column encryption.
- Password protected access verified by encrypted hashed password stored in system keyring
- Automated Google Drive recursive uploads featuring strong AES Galios Counter Mode encryption
- Secure cryptographic key sharing via multiple email accounts and sms one-time password
- Self-encrypting logging system tied to authentication
- Store/extract recursive encrypted file systems to and from local databases
- Designed to manage program components, recover missing components, and recreate if not recoverable
- Database unlock & key sharing - Authenticated AES 256 bit Galios Counter Mode with 96 bit nonce
- Local database - Fernet AES 128 CBC mode with PKCS7 padding & HMAC integrity check
- Upload data encrypt / decrypt - AES 256 bit Galios Counter Mode with 96 bit nonce
The program is licensed under GNU Public License v3.0
Made for Windows and Linux, written in Python 3.9 and updated to 3.10.6
- Run the setup.py script to build a virtual environment and install all external packages in the created venv.
Example:
python3 setup.py venv
-
Once virtual env is built traverse to the (Scripts-Windows or bin-Linux) directory in the environment folder just created.
-
For Windows in the Scripts directory, for execute the
./activate
script to activate the virtual environment. -
For Linux in the bin directory, run the command
source activate
to activate the virtual environment. -
Create a gmail account or login to existing account.
-
Follow these steps but for step 5 create OAuth 2.0 Client ID and secret in Google Cloud instead of api keys https://support.google.com/googleapi/answer/6158862/setting-up-api-keys?hl=en
-
Click on the created OAuth 2.0 Client ID then copy the Client ID & Client secret to the settingsTemplate.yaml file where specified, which saves credentials after the first use of api. Then rename the file to settings.yaml.
-
Once the API credentials are saved, turn on two-factor authentication in security settings in google account. After that is set, an Application Password can be generated in Google account settings and need to be saved in the base directory in CryptDrive as a file named AppSecret.txt.
-
The API credentials are for Drive authentication and the AppSecret.txt is for Gmail authentication.
- Enter password to create key/database set, if they already exist the db encryption key is unlocked
- A startup script is run to confirm critical components exist, recreates anything missing
- Enter path to file in the instructed format
- The default web browser should pop up with a Google login page
- After completing authentication the credentials should be saved to a credentials.json file which prevents having to log in for future use
- Upload process should initiate & finish in a timely manner
- Simply enter the prompted questions and the rest will be handled
- Preferably obtain two separate email accounts (one being an encrypted provider like Protonmail or Tutanota) & a phone number of the person to share keys, nonce, & password with
- One email account can be used for both emails, but it reduces the security while requiring less effort to intercept and crack the encryption
- Download the files from both emails which should be two keys and a corresponding nonce for each key
- Move all 4 files into the Import folder
- Enter the username of the email account the keys were sent from
- Enter the password provided in the sms text message
- Download shared cloud drive data
- Move encrypted data into DecryptDock folder
- Make sure the user's decryption keys have been imported
- Enter username to decrypt data or enter to decrypt your own data
-- crypt_drive.py --
main_menu - Display command options and receives input on what command to execute.
start_check - Confirms program components are preset. If missing, component recovery is attempted. If that fails results in the creation of a fresh set of components.
password_input - Receive password input from user, verify with Argon2 hashing algorithm or create new password in none exist.
-- auth_crypt.py --
AuthCrypt - Class to manage cryptographic components.
get_plain_secret - Decrypt the encrypted hash secret.
decrypt_db_key - Decrypt the database key with aesccm authenticated.
-- db_handlers.py --
db_keys - Format MySQL query for Keys database table creation.
db_storage - Format MySQL query for Storage database table creation.
db_insert - Format MySQL query to insert keys in the keys database.
db_store - Format MySQL query to insert data into the storage database.
db_retrieve - Format MySQL query to retrieve item from database.
db_contents - Format MYySQL query to retrieve the contents of a database.
db_delete -  Format MySQL query to delete an item from a database.
-- menu_functions.py --
db_extract - Extracts data from local storage database in encrypted or plain text.
db_store - Encrypts and inserts data into storage database.
decryption - Decrypts data located on the file system.
file_upload - Recursively uploads files to Drive.
folder_upload - Recursively uploads folders to Drive.
import_key - Import user's key to the encrypted local key database.
list_drive - List the contents of Google Drive storage.
list_storage - List the contents of the local storage database.
key_share - Share decryption key protected by a password through authentication-based encryption.
upload - Manages encrypted recursive upload to Google Drive.
-- menu_utils.py --
decrypt_input - Gathers users input for database data decryption function.
extract_input - Gathers users input for database data extraction function.
extract_parse - Attempts to match regex of recursive path on stored file path in extracted database row. If match fails, document is extracted to base directory entered in non-recursive fashion. If stored filepath is formatted as opposing OS, reformat it to current OS.
import_input - Gathers users input for key import function.
meta_handler - Formats file path whether in recursive directory or not depending on
OS. Passes formatted file path into meta_strip function to strip the file metadata.
share_input - Gathers users input for key share function.
store_input - Gathers users input for database data storage function.
upload_dir_handler - Ensures the full path to the passed in directory name is created.
upload_extract - Extracts, decodes, and writes storage database contents to upload dock for cloud drive upload.
upload_input - Gathers users input for data upload to cloud drive.
upload_stage - Makes of copy of file data to be uploaded in the UploadDock folder.
-- utils.py --
component_handler - Creates various dir, db, and key components required for program operation.
data_copy - Copies data from source to destination.
db_check - Checks the upload contents within the keys database and populates authentication object.
decrypt_db_data - Decodes and decrypts database base64 cipher data.
dir_recover - Iterates through list of passed in dirs and checks to see if current folder is the same name to static assignment.
encrypt_db_data - Encrypts and encodes plain data for database.
error_query - Looks up the errno message to get description.
fetch_upload_comps - Retrieves upload components from keys database.
file_handler - Error validated file handler for read and write operations.
file_recover - Checks to see if current iteration of os walk is the file to be recovered.
get_database_comp - Unlock and retrieve database cryptography component.
hd_crawl - Recursive hard drive crawler for recovering missing components.
key_recreate - Recreates key or nonce and insert them back into param db_name database named as store_comp.
logger - Encrypted logging system.
login_timeout - Displays loging timeout per second for 60 second interval.
log_err - Logs error or exception based on passed in handler parameter.
log_read - Reads input text page by page, displaying 60 lines per page.
make_keys - Creates a fresh cryptographic key set, encrypts, and inserts in keys database.
meta_strip - Attempts striping metadata from passed in file. If attempt fails, waiting a second and tries again while adding a second of waiting time per failure. After 3 failed attempts, it returns a False boolean value.
msg_format - Format email message headers and attach passed in files.
msg_send - Facilitate the sending of formatted emails.
print_err - Displays error message via stderr for supplied time interval.
query_handler - Facilitates MySQL database query execution.
recycling_bin - Checks the recycling bin for missing program components.
secure_delete - Overwrite file data with random data number of specified passes and delete.
symm_retrieve - Retrieve symmetrical cryptographic components from Keys db, decoding and decrypting them.
sys_lock - Attempts to lockdown (Windows) or power-off system (Linux), if either fail the program exits with error code.
write_log - Parse new log message to old data and write encrypted result to log.
-- crypt_drive.py --
0 - Successful operation
1 - Error occurred during program startup
3 - Error occurred decrypting keyring in startup (password_input)
-- auth_crypt.py --
5 - Error decrypting the cipher hashed secret (get_plain_secret)
6 - Error decrypting the database Fernet key (decrypt_db_data)
-- utils.py --
2 - User has exhausted maximum password attempts (sys_lock)
4 - Error decryption local database key (db_check)
7 - Error decrypting database data (decrypt_db_data)
8 - Error encrypting database data (encrypt_db_data)
9 - Maximum (3) consecutive IO errors occurred (file_handler)
10 - Error occurred writing to encrypted log file (write_log)