AKT a tool to store and protect your sensitive information

By Stephane Carrez

Data security is a major concern in the age of "everything on the Cloud". Using the Cloud can be a good thing, but it is sometimes critical to encrypt documents before exposing them to third parties. AKT is a tool for signing and encrypting a user's data.

AKT stores information in secure wallets and protects the stored information by encrypting the content with different keys. AKT can be used to safely store passwords, credentials, bank accounts, documents and even directories.

Wallets are protected by a master key using AES-256, and the wallet master key is protected by a user password or a user GPG encrypted key. The wallet defines up to 7 slots, each identifying a password key that is able to unlock the master key. To open a wallet, it is necessary to unlock one of these 7 slots by providing the correct password. Wallet key slots are protected by the user's password using the PBKDF2-HMAC-256 algorithm with a random salt and a random counter, and they are encrypted using AES-256.
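The slot mechanism described above, modelled as an added Python example (it is not AKT's code and does not reproduce its on-disk format). Assumptions: the Python standard library has no AES, so the AES-256 wrapping of the master key is replaced by an XOR with PBKDF2 output; the counter range, the field names and the second password are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

MAX_SLOTS = 7  # the page: a wallet defines up to 7 key slots

def _derive(password, salt, counter):
    # PBKDF2-HMAC-SHA256 -> 64 bytes: 32 to wrap the master key, 32 to tag the slot
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, counter, dklen=64)

def _xor(a, b):
    # Stand-in for AES-256 (assumption: the stdlib has no AES); not AKT's cipher
    return bytes(x ^ y for x, y in zip(a, b))

def add_slot(slots, password, master_key):
    """Wrap the same master key under one more password; returns the slot index."""
    if len(slots) >= MAX_SLOTS:
        raise ValueError("all 7 key slots are in use")
    salt = secrets.token_bytes(32)                # random salt, per slot
    counter = 20_000 + secrets.randbelow(10_000)  # random counter (constructed range)
    dk = _derive(password, salt, counter)
    wrapped = _xor(master_key, dk[:32])
    tag = hmac.new(dk[32:], wrapped, hashlib.sha256).digest()
    slots.append({"salt": salt, "counter": counter, "wrapped": wrapped, "tag": tag})
    return len(slots) - 1

def unlock(slots, password):
    """Try the password against every slot; return the master key or None."""
    for slot in slots:
        dk = _derive(password, slot["salt"], slot["counter"])
        expected = hmac.new(dk[32:], slot["wrapped"], hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot["tag"]):  # constant-time comparison
            return _xor(slot["wrapped"], dk[:32])
    return None

if __name__ == "__main__":
    master = secrets.token_bytes(32)  # AES-256-sized wallet master key
    slots = []
    add_slot(slots, "There was no choice but to be pioneers", master)
    add_slot(slots, "constructed second password", master)
    print(unlock(slots, "constructed second password") == master)
    print(unlock(slots, "wrong password"))
```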

Values stored in the wallet are protected by their own encryption keys using AES-256. A wallet can contain another wallet which is then protected by its own encryption keys and passwords (with 7 independent slots). Because the child wallet has its own master key, it is necessary to know the primary password and the child password to unlock the parent wallet first and then the child wallet.

The data is organized in 4K blocks whose primary content is encrypted either by the wallet master key or by the entry keys. The data block is signed by using HMAC-256. A data block can contain several values but each of them is protected by its own encryption key. Each value is also signed using HMAC-256.

The keystore uses several encryption keys at different levels to protect the content. A document stored in the keystore is split into data fragments and each data fragment is encrypted by using its own key. The data fragments are stored in specific data blocks so that they are physically separated from the encryption keys.

The data fragment encryption keys are stored in the directory blocks and they are encrypted by using a specific directory key.

[Figure: akt-keys.png]

For example, a 10K document will be split in 3 data fragments, each of them encrypted by its own AES-256 key. A 5K document will be encrypted with two AES-256 keys, one for each of the two data fragments. All these keys are protected by the wallet data key. The directory part of the wallet, which describes entries in the wallet, is also encrypted by another wallet key: the directory key.

The tool allows separating the data blocks which contain data fragments from other blocks. This keeps the wallet keys separate from the data. It is then possible to export the data blocks, which are encrypted in AES-256-CBC, to the Cloud without exposing the keys used for encryption.

If you want to know more about the implementation, have a look at the Ada Keystore Implementation chapter.

Using AKT

akt is the command line tool that you can use to protect and store your documents. It contains several commands:

  • create: create the keystore
  • edit: edit the value with an external editor
  • get: get a value from the keystore
  • help: print some help
  • list: list values of the keystore
  • remove: remove values from the keystore
  • set: insert or update a value in the keystore

To create the secure file, use the following command and enter your secure password (it is recommended to use a long and complex password):

  akt create secure.akt

You may also protect the keystore by using your GPG key. In that case, you can use the --gpg option and specify one or several GPG key ids. Using GPG is probably the best method to protect your akt files.

  akt create secure.akt --gpg 0xFC15CA870BE470F9

At this step, the secure file is created and it can only be opened by providing the password you entered. To add something, use:

  akt set secure.akt bank.password 012345

To store a file, use the following command:

  akt store secure.akt contract.doc

If you want to retrieve a value, you can use one of:

  akt get secure.akt bank.password
  akt extract secure.akt contract.doc

You can also use the akt command together with the tar command to create secure backups. You can create the compressed tar file and pipe the result to the akt command to store the content in the wallet.

  tar czf - dir-to-backup | akt store secure.akt -- backup.tar.gz

To extract the backup you can use the extract command and feed the result to the tar command as follows:

  akt extract secure.akt -- backup.tar.gz | tar xzf -

Using Ada Keystore

The Ada Keystore is the Ada 2012 library that is behind AKT. It should be quite easy to integrate the library in an existing Ada application to protect, for example, some sensitive configuration file. The Keystore is the main package that provides operations to store information in secure wallets and protect the stored information by encrypting the content. To use it, add the following with clause at the beginning of your GNAT project:

   with "keystoreada";

Creation

To create a keystore you will first declare a Wallet_File instance. You will also need a password that will be used to protect the wallet master key.

with Keystore.Files;
...
  WS   : Keystore.Files.Wallet_File;
  Pass : Keystore.Secret := Keystore.Create ("There was no choice but to be pioneers");

You can then create the keystore file by using the Create operation:

  WS.Create ("secure.akt", Pass);

Storing

Values stored in the wallet are protected by their own encryption keys using AES-256. The encryption key is generated when the value is added to the wallet by using the Add operation.

  WS.Add ("Grace Hopper", "If it's a good idea, go ahead and do it.");

The Get function retrieves the value. The value is decrypted only when the Get operation is called.

  Citation : constant String := WS.Get ("Grace Hopper");

The Delete procedure can be used to remove the value. When the value is removed, the encryption key and the data are erased.

  WS.Delete ("Grace Hopper");

Getting AKT

You can get AKT by using the Ubuntu 18.04 binary packages. You can do this by running:

wget -O - http://apt.vacs.fr/apt.vacs.fr.gpg.key | sudo apt-key add -
sudo add-apt-repository "deb http://apt.vacs.fr/ubuntu-bionic bionic main"
sudo apt-get install akt

For other platforms, you have to get it from the sources. Install the GNAT Ada compiler, either the FSF version or the GNAT GPL version, and then run the following commands:

git clone --recursive https://github.com/stcarrez/ada-keystore.git
cd ada-keystore
./configure --disable-nls
make build install

You can browse the documentation online: Ada Keystore Guide.
