| 1 | = Encrypted Zephyr classes = |
| 2 | |
| 3 | BarnOwl contains support for encrypting traffic to Zephyr classes, |
| 4 | based on a modified version of the `zcrypt` program by Philip |
| 5 | Lisiecki. |
| 6 | |
| 7 | == Using zcrypt == |
| 8 | |
| 9 | If the `zcrypt` variable in BarnOwl is enabled, BarnOwl will |
| 10 | automatically attempt to decrypt zephyrs received with the opcode |
| 11 | `crypt`. |
| 12 | |
| 13 | To send encrypted zephyrs, use the `zcrypt` command, which behaves |
| 14 | identically to the `zwrite` command, except that it encrypts the |
| 15 | bodies of outgoing zephyrs. |
| 16 | |
| 17 | == The zcrypt key file == |
| 18 | |
| 19 | In order to determine the key to use to encrypt zephyrs, BarnOwl uses |
| 20 | the file "$HOME/.crypt-table". This table contains class-level and |
| 21 | instance-level key file information. The file may also contain a |
| 22 | default key file for all classes/instances that have no key file |
| 23 | explicitly defined. Note that an entry with the instance defined |
| 24 | takes precendence over one without the class. Here is a sample |
| 25 | `.crypt-table`: |
| 26 | |
| 27 | {{{ |
| 28 | crypt-xxx: AES: /afs/athena/user/n/e/nelhage/keys/key-xxx |
| 29 | crypt-yyy: /afs/athena/user/n/e/nelhage/keys/key-yyy |
| 30 | crypt-yyy-123: /tmp/yyy123.key |
| 31 | crypt-default: /afs/athena/user/n/e/nelhage/Public/testkey |
| 32 | }}} |
| 33 | |
| 34 | This `.crypt-table` will use `keys/key-xxx` for class `xxx`, using AES |
| 35 | encryption via GPG. |
| 36 | |
| 37 | Class `yyy` will use the `key-yyy` key, unless the instance is "123", |
| 38 | in which case, the key file will be "/tmp/yyy123.key". If none of |
| 39 | these conditions are met, zcrypt will use the default key file, |
| 40 | `Public/testkey`. |
| 41 | |
| 42 | == AES encryption == |
| 43 | |
| 44 | By default, for backwards-compatibility, BarnOwl encrypts messages |
| 45 | using the `DES` encryption algorithm in |
| 46 | [http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 ECB mode]. '''This is an extremely weak cipher''', and should not be considered resistant to any sort of dedicated attack. |
| 47 | |
| 48 | As of BarnOwl 1.6, BarnOwl supports encrypting messages using GPG and |
| 49 | the modern AES cryptosystem. To enable this mode, prefix a keyfile |
| 50 | with the string `AES:` in the `.crypt-table` file. This will cause |
| 51 | BarnOwl to shell out to GPG for encryption, using the contents of the |
| 52 | file as the passphrase. |
| 53 | |
| 54 | == Troubleshooting == |
| 55 | |
| 56 | If BarnOwl fails to send or receive encrypted messages, you can use |
| 57 | the `:show errors` command to view the output of the `zcrypt` command, |
| 58 | which will often contain more information about what went wrong. |
| 59 | |
| 60 | == The `zcrypt` binary == |
| 61 | |
| 62 | The BarnOwl distribution and locker contain a `zcrypt` program with is |
| 63 | backwards-compatible with Philip Lisiecki's, but supports the AES |
| 64 | encryption feature described above. This program can be used by other |
| 65 | scripts or zephyr clients to encrypt and decrypt messages. |