Security

You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

Send us news
44 Comments

European Court of Human Rights declares backdoored encryption is illegal

Surprising third-act twist as Russian case means more freedom for all

Feds post $15 million bounty for info on ALPHV/Blackcat ransomware crew

ALSO: EncroChat crims still getting busted; ransomware takes down CO public defenders office; and crit vulns

Raspberry Pi Pico cracks BitLocker in under a minute

Windows encryption feature defeated by $10 and a YouTube tutorial

Meta starts rolling out end-to-end encryption in Facebook Messenger

Surfing the cryptographic wave

Privacy crusaders accuse X of ad-targeting that flouts EU rules

Campaign to promote 'chat control' legislation allegedly sorted users by political views, religious beliefs

Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain

Emergency comms standard had five nasty flaws but will be opened to academic research

EU lawmakers scolded for concealing identities of privacy-busting content-scanning 'experts'

Names of consultants on encryption bypass plan leaked anyway

UK may demand tech world tell it about upcoming security features

Campaigners say proposals to reform laws are 'dangerous' and an attack on safety

'Corrupt' cop jailed for tipping off pal to EncroChat dragnet

Taking selfie with 'official sensitive' doc wasn't smartest idea, either

Does Windows have a very weak password lurking in its crypto libraries?

Don't panic – it's just for testing

Europe mulls open sourcing TETRA emergency services' encryption algorithms

Turns out secrecy doesn't breed security

Signal adopts new alphabet jumble to protect chats from quantum computers

X3DH readied for retirement as PQXDH is rolled out