| | 1 | = Encrypted Zephyr classes = |
| | 2 | |
| | 3 | BarnOwl contains support for encrypting traffic to Zephyr classes, |
| | 4 | based on a modified version of the `zcrypt` program by Philip |
| | 5 | Lisiecki. |
| | 6 | |
| | 7 | == Using zcrypt == |
| | 8 | |
| | 9 | If the `zcrypt` variable in BarnOwl is enabled, BarnOwl will |
| | 10 | automatically attempt to decrypt zephyrs received with the opcode |
| | 11 | `crypt`. |
| | 12 | |
| | 13 | To send encrypted zephyrs, use the `zcrypt` command, which behaves |
| | 14 | identically to the `zwrite` command, except that it encrypts the |
| | 15 | bodies of outgoing zephyrs. |
| | 16 | |
| | 17 | == The zcrypt key file == |
| | 18 | |
| | 19 | In order to determine the key to use to encrypt zephyrs, BarnOwl uses |
| | 20 | the file "$HOME/.crypt-table". This table contains class-level and |
| | 21 | instance-level key file information. The file may also contain a |
| | 22 | default key file for all classes/instances that have no key file |
| | 23 | explicitly defined. Note that an entry with the instance defined |
| | 24 | takes precendence over one without the class. Here is a sample |
| | 25 | `.crypt-table`: |
| | 26 | |
| | 27 | {{{ |
| | 28 | crypt-xxx: AES: /afs/athena/user/n/e/nelhage/keys/key-xxx |
| | 29 | crypt-yyy: /afs/athena/user/n/e/nelhage/keys/key-yyy |
| | 30 | crypt-yyy-123: /tmp/yyy123.key |
| | 31 | crypt-default: /afs/athena/user/n/e/nelhage/Public/testkey |
| | 32 | }}} |
| | 33 | |
| | 34 | This `.crypt-table` will use `keys/key-xxx` for class `xxx`, using AES |
| | 35 | encryption via GPG. |
| | 36 | |
| | 37 | Class `yyy` will use the `key-yyy` key, unless the instance is "123", |
| | 38 | in which case, the key file will be "/tmp/yyy123.key". If none of |
| | 39 | these conditions are met, zcrypt will use the default key file, |
| | 40 | `Public/testkey`. |
| | 41 | |
| | 42 | == AES encryption == |
| | 43 | |
| | 44 | By default, for backwards-compatibility, BarnOwl encrypts messages |
| | 45 | using the `DES` encryption algorithm in |
| | 46 | [http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 ECB mode]. '''This is an extremely weak cipher''', and should not be considered resistant to any sort of dedicated attack. |
| | 47 | |
| | 48 | As of BarnOwl 1.6, BarnOwl supports encrypting messages using GPG and |
| | 49 | the modern AES cryptosystem. To enable this mode, prefix a keyfile |
| | 50 | with the string `AES:` in the `.crypt-table` file. This will cause |
| | 51 | BarnOwl to shell out to GPG for encryption, using the contents of the |
| | 52 | file as the passphrase. |
| | 53 | |
| | 54 | == Troubleshooting == |
| | 55 | |
| | 56 | If BarnOwl fails to send or receive encrypted messages, you can use |
| | 57 | the `:show errors` command to view the output of the `zcrypt` command, |
| | 58 | which will often contain more information about what went wrong. |
| | 59 | |
| | 60 | == The `zcrypt` binary == |
| | 61 | |
| | 62 | The BarnOwl distribution and locker contain a `zcrypt` program with is |
| | 63 | backwards-compatible with Philip Lisiecki's, but supports the AES |
| | 64 | encryption feature described above. This program can be used by other |
| | 65 | scripts or zephyr clients to encrypt and decrypt messages. |
