Data are stored in secure wallets protected and signed by their own AES-256 key.
Wallets are protected by a master key using AES-256-CBC, and the wallet master key is protected by a user password. The wallet defines up to 7 slots, each identifying a password key that is able to unlock the master key. To open a wallet, it is necessary to unlock one of these 7 slots by providing the correct password. Wallet key slots are protected by the user's password using the PBKDF2-HMAC-256 algorithm with a random salt and a random counter, and they are encrypted using AES-256-CBC. A wallet key slot can also be protected by a GPG private key.
Data stored in the wallet are protected by their own encryption keys using AES-256-CBC. Large contents are stored in several data blocks, and each data block is encrypted with its own AES-256-CBC encryption key. Encryption keys are protected by the master key using AES-256-CBC. Data blocks are then signed using HMAC-256.
A wallet can contain another wallet, which is then protected by its own encryption keys and passwords (with 7 independent slots). Because the child wallet has its own master key, it is necessary to know the primary password and the child password to unlock the parent wallet first and then the child wallet.
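The slot mechanism described above can be modelled in a few lines. This is an added example, not AKT's code or its on-disk format: the record layout, the iteration range, the HMAC check value used to reject a wrong password, and the XOR pad that stands in for the AES-256-CBC wrap (the Python standard library has no AES) are all assumptions of the sketch.

```python
# Added illustration: a model of password slots wrapping one master key.
# Assumptions (not AKT's format): record layout, iteration range, check tag,
# and an HMAC-derived XOR pad standing in for the AES-256-CBC wrap step.
import hashlib
import hmac
import secrets

MAX_SLOTS = 7  # the wallet defines up to 7 key slots


def _slot_keys(password, salt, counter):
    # PBKDF2-HMAC-SHA256 with the slot's random salt and random counter.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, counter, dklen=64)
    return raw[:32], raw[32:]  # (wrapping key, check key)


def _wrap(wrap_key, nonce, key32):
    # Stand-in for AES-256-CBC: XOR the 32-byte key with an HMAC-derived pad.
    pad = hmac.new(wrap_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key32, pad))


def add_slot(slots, password, master_key):
    if len(slots) >= MAX_SLOTS:
        raise ValueError("all 7 key slots are in use")
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    counter = 100_000 + secrets.randbelow(50_000)  # assumed range
    wrap_key, check_key = _slot_keys(password, salt, counter)
    wrapped = _wrap(wrap_key, nonce, master_key)
    tag = hmac.new(check_key, salt + nonce + wrapped, hashlib.sha256).digest()
    slots.append((salt, counter, nonce, wrapped, tag))


def unlock(slots, password):
    # Try each slot; the tag rejects a wrong password before any key is used.
    for salt, counter, nonce, wrapped, tag in slots:
        wrap_key, check_key = _slot_keys(password, salt, counter)
        expect = hmac.new(check_key, salt + nonce + wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expect):
            return _wrap(wrap_key, nonce, wrapped)  # XOR is its own inverse
    return None


def demo():
    master = secrets.token_bytes(32)  # constructed sample master key
    slots = []
    add_slot(slots, "alice-passphrase", master)
    add_slot(slots, "backup-passphrase", master)
    return master, slots
```

Because every slot wraps the same master key, removing or replacing one slot revokes that password without re-encrypting any data keys or data blocks.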
You can install AKT by using the Debian 10 and Ubuntu 20.04 or 18.04 packages. First, set up apt to accept the signed packages:
wget -O - https://apt.vacs.fr/apt.vacs.fr.gpg.key | sudo apt-key add -
and choose one of the echo commands according to your Linux distribution:
# Ubuntu 20.04
# echo "deb https://apt.vacs.fr/ubuntu-focal focal main" | sudo tee -a /etc/apt/sources.list.d/vacs.list
# Ubuntu 18.04
# echo "deb https://apt.vacs.fr/ubuntu-bionic bionic main" | sudo tee -a /etc/apt/sources.list.d/vacs.list
# Debian 10
# echo "deb https://apt.vacs.fr/debian-buster buster main" | sudo tee -a /etc/apt/sources.list.d/vacs.list
Then, launch the apt update command:
sudo apt-get update
and install the tool using:
sudo apt-get install -y akt
You can also build from the source by using the following commands:
sudo apt-get install -y make gnat-7 gprbuild git gnupg2 libfuse-dev
git clone --recursive https://github.com/stcarrez/ada-keystore.git
cd ada-keystore
./configure --enable-fuse
To set up a keystore file and protect it with your GPG key, use the following command:
akt create secure.akt --gpg your-gpg-key-id
The keystore content can be mounted as a filesystem so that the encrypted content is directly available to existing applications as regular files. The mount command starts the FUSE daemon, which runs in the background to serve the filesystem and make the content visible through the mount point.
akt mount secure.akt /mnt
After the mount is successful, you can copy or access any file stored in the secure keystore. By default, the FUSE filesystem is configured to ask the kernel to avoid caching the decrypted content. This has an impact on performance, since every access requires decrypting the content.
To unmount the filesystem, you must use the
Sometimes, you may have to force the umount by running:
sudo umount /mnt