quixand
Metadata
| Description: | A tool for creating single-use unrecoverable encrypted sandboxes. |
| Latest Version: | 2020 |
| Source Code: | src/ |
| Architecture: |
|
| Dependencies: |
|
| Arch Repositories: |
|
| AUR Page: | quixand |
| Arch Forum Thread: | 67019 |
| Tags: |
QUIXAND(1)
Name
quixand - create single-use unrecoverable encrypted sandboxes
Synopsis
quixand [options] [paths]
Description
Quixand (pronounced “quicksand”) is a tool for easily creating disposable, single-session encrypted sandboxes. Quixand will create an encrypted directory with EncFS using “paranoid” mode and a random key. Once mounted, quixand can create temporary files and directories within the encrypted directory and symlink any file on your system to them. You can then use the symlinked files and directories as you normally would, but any data written to them will not be written to the disk in an unencrypted form. Once unmounted, the data within the encrypted directory should be unrecoverable because the key is not stored anywhere. Typical usage includes sandboxing your browser cache directory, creating secure disposable history files for various apps that you only wish to use for a single session, and creating a general-purpose sandbox for temporary files, for example the contents of a usb stick. The “EXAMPLES” section below should provide further insight into potential uses of quixand.
Technical Information And Caveats
Quixand depends on EncFS (Encrypted Filesystem) to create the encrypted directory. The encrypted directory is created using encfs’s “paranoid” mode along with a one-time 256-bit random key generated from /dev/urandom. The key is not stored anywhere. Once the encrypted directory is unmounted, there should be no easy way to recover its contents and thus it is intended for use as a single-session sandbox. The strength of this setup directly depends on EncFS and the user is advised to consult the EncFS documentation in order to familiarize him-/herself with EncFS’s strengths and weaknesses. The author of quixand assumes absolutely no liability for its use and the user uses quixand entirely at his or her own risk.
EncFS does not require a fixed amount of space and thus bypasses the need to pre-allocate disk space and set up partitions etc. The encrypted directory will grow as needed and will only be limited by the amount of space available in /tmp.
To improve the security of the setup, it is recommended that the user either encrypt their swap partition with a one-time key at boot or disable swap completely to prevent the contents of memory from being written to the disk during operation.
Options
- -c, –config /path/to/dir
-
Specify a configuration directory. Currently the only purpose of the
configuration directory is to track the working quixand directory.
Default:
$XDG_CONFIG_HOME/quixandor$HOME/.config/quixand. - -d, –dir
- Specify directories for symlinking. See notes below
- –encfs-args
- Specify additional command-line arguments to encfs. See notes below.
- -f, –force
- Force symlinks even if they already point to the working quixand directory.
- –file
- Specify files for symlinking. See (1) below.
- –help
- Display this message.
- -p, –purge
- Purge the working quixand directory and remove any passed symlinks. This is the recommended way of shutting down your current quixand setup. See “–renew” if you wish to reset your setup rather than shut it down.
- –plain
- Place files and directories in a plain-text directory instead of one encrypted with EncFS. This may be useful if you are using an already encrypted /tmp partition
- -r, –renew
-
Purge the setup and create a new one.
--renewimplies--purge, see--purge - –wipe-with “/path/to/wiper” [args]
- Use “/path/to/wiper” [args] to wipe files. If one of the arguments is “%d”, it will be replaced with the quixand directory, otherwise the directory will be added as a final argument to the command.
- –wipe-with “/path/to/wiper” [args]
-
Use “/path/to/wiper” [args] to wipe files. If one of the arguments is
“%d”, it will be replaced with the quixand directory, otherwise the
directory will be added as a final argument to the command. See
--*for an example of how to pass through quixand arguments to the wiper. - –*
-
Any other argument that begins with “–” will act as a switch that toggles argument parsing. This should be used to pass through arguments that match quixand options. For example, to use the “wipe” command to recursively wipe directories, it must be passed the “-r” option, which is also a quixand option. This can be done with any of the following, which are all equivalent.
quixand --wipe-with wipe -- -r -- --dir somedir quixand --wipe-with wipe --foo -r --foo --dir somedir quixand --wipe-with wipe --bar -r --bar --dir somedir
Notes
The --dir, --file,
--encfs-args and --wipe-with arguments act as
switches. By default, all non-option arguments passed to quixand will be
considered files that should be symlinked. If “–dir” or “–encfs-args” is
encountered then they will be interpreted as dirs that should be
symlinked or additional arguments to encfs, respectively. Consider the
following examples:
Create 3 file symlinks.
quixand foo bar bazCreate 1 file symlink (foo) and 2 dir symlinks (bar,baz).
quixand foo --dir bar bazCreate 2 file symlinks (foo,baz) and 1 dir symlink (bar).
quixand foo --dir bar --file baz
Examples
Create a sandbox in your home dir.
quixand -d ~/sandboxSandbox your image thumbnails in ~/.thumbnails.
quixand -d ~/.thumbnailsSandbox your bash history.
quixand ~/.bash_historySandbox your Firefox cache.
quixand -d ~/.mozilla/firefox/<profile>/CacheDo all of the above when you first log in by adding the following line to ~/.bash_profile.
quixand ~/.bash_history -d ~/sandbox ~/.thumbnails ~/.mozilla/firefox/<profile>/CachePurge all of the above.
quixand -p ~/.bash_history -d ~/sandbox ~/.thumbnails ~/.mozilla/firefox/<profile>/Cache
- Contact
- echo xyne.archlinux.org | sed 's/\./@/'
- Validation
- XHTML 1.0 Strict CSS level 3 Atom 1.0