
You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug is the result of a bad interaction with the command-line interface of encfs, the encrypted filesystem Cryptkeeper drives: Cryptkeeper launches encfs and tries to select its paranoia mode by feeding it a simulated 'p' keypress, but encfs takes that letter as the password, so every folder Cryptkeeper sets up ends up protected by "p".

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch, which means it is supposed to read the password from stdin without a prompt: the first line it receives is the password. Previously encfs did not quite behave that way, which is why Cryptkeeper's leading "p" used to land where it was meant to rather than being taken as the password. A bugfix corrected encfs to match its documentation, and that made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface. Note, too, that the three write() calls above never check their return values, so a short or failed write would go unnoticed as well.
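The following is an added example, not code from Cryptkeeper or encfs, that plays the stdin handshake through a real pipe so the failure can be seen directly. The "encfs" side is a mock: ENCFS_OLD models the pre-bugfix behaviour Cryptkeeper relied on (a menu choice line is consumed first, then the password), and ENCFS_FIXED models -S as documented (the first line is the password). Both are assumptions made for this illustration, as is the sample password; the hardened feeder also checks every write(), which the original code did not.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_MAX_LEN 256

enum feeder { FEED_CRYPTKEEPER, FEED_FIXED };
enum encfs_mock { ENCFS_OLD, ENCFS_FIXED };

/* Write the whole buffer, retrying on short writes and EINTR. 0 on success, -1 on error. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Read one line (without the newline) from fd; EOF yields an empty string. */
static int read_line(int fd, char *out, size_t outlen) {
    size_t i = 0;
    char c;
    while (i + 1 < outlen) {
        ssize_t n = read(fd, &c, 1);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0 || c == '\n') break;
        out[i++] = c;
    }
    out[i] = '\0';
    return 0;
}

/* Mock of the encfs side (assumption for this example, not encfs source).
 * ENCFS_OLD: a configuration-menu choice is read first ('p' = paranoia), then the password.
 * ENCFS_FIXED: -S as documented, the first line on stdin IS the password. */
static int mock_encfs(enum encfs_mock mode, int fd, char *password, size_t len) {
    char choice[LINE_MAX_LEN];
    if (mode == ENCFS_OLD && read_line(fd, choice, sizeof choice) < 0)
        return -1;
    return read_line(fd, password, len);
}

/* Cryptkeeper's sequence from the article: a simulated 'p' keypress, then the
 * password. As in the original, the write() results are not checked. */
static void feed_cryptkeeper(int fd, const char *password) {
    ssize_t ignored;
    ignored = write(fd, "p\n", 2);
    ignored = write(fd, password, strlen(password));
    ignored = write(fd, "\n", 1);
    (void)ignored;
}

/* Hardened feeder: no menu keypress when encfs runs with -S, and every write() checked. */
static int feed_fixed(int fd, const char *password) {
    if (write_all(fd, password, strlen(password)) < 0) return -1;
    return write_all(fd, "\n", 1);
}

/* Run one handshake over a real pipe; 'got' receives the password the mock
 * encfs ends up with. Returns 0 on success, -1 on a pipe/IO error. */
int run_handshake(enum feeder f, enum encfs_mock m, const char *password,
                  char *got, size_t gotlen) {
    int fd[2];
    int rc = 0;
    if (pipe(fd) < 0) return -1;
    if (f == FEED_FIXED) rc = feed_fixed(fd[1], password);
    else feed_cryptkeeper(fd[1], password);
    close(fd[1]);                      /* EOF for the reader */
    if (rc == 0) rc = mock_encfs(m, fd[0], got, gotlen);
    close(fd[0]);
    return rc;
}

int main(void) {
    const char *pw = "correct horse battery staple"; /* constructed sample password */
    char got[LINE_MAX_LEN];
    struct { const char *name; enum feeder f; enum encfs_mock m; } cases[] = {
        { "cryptkeeper -> old encfs   ", FEED_CRYPTKEEPER, ENCFS_OLD },
        { "cryptkeeper -> fixed encfs ", FEED_CRYPTKEEPER, ENCFS_FIXED },
        { "fixed feeder -> fixed encfs", FEED_FIXED, ENCFS_FIXED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (run_handshake(cases[i].f, cases[i].m, pw, got, sizeof got) < 0)
            return 1;
        printf("%s: password seen by encfs = \"%s\"\n", cases[i].name, got);
    }
    return 0;
}
```

The second case is the Debian Stretch situation: the same three writes that used to yield the real password now leave encfs holding "p". Running the hardened feeder against the old mock would break the other way (the password line is eaten as the menu choice), which is the point: a program that scripts another tool's interactive stdin has to pin the protocol it depends on, and check its writes, or it gets exactly this class of silent failure.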

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.


"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all."
