14 DAY TRIAL // Cryptkeeper, famous Linux encryption app, is not as safe as one would like since a bug has been discovered, allowing universal decryption with a single letter: “p.”
The flawed version can be found in Debian 9 (Stretch), which is currently in testing, but not in Debian 8 (Jessie). According to the folks who discovered the bug, it seems that this is a result of Cryptkeeper invoking encfs and attempting to enter paranoia mode. It does this with a simulated “p” keypress, but instead of doing that, it sets the folder password to this particular letter.
Considering this is a tool that’s supposed to offer people protection by encrypting their files, it’s quite ironic that it could be opened universally with a single letter.
The problem seems to stem from the fact that encfs is executed with –S switch, reading the password from stdin without a particular prompt. Following an encfs bug that prevented it from doing what it was supposed to do, a bugfix was released to correct the procedure. This, in turn, broke Cryptkeeper’s interface, preventing it from doing its job of securing people’s data.
Taking it down
Simon McVittie, Debian developer, advised the dev team to take Crytkeeper out of the Linux distro completely. “I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results. I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all,” he wrote in a bug report thread.
This seems to be the best course of action since providing people with a tool that does not do its job and, even worse, makes them feel as if they’ve somehow managed to secure their data while leaving it in the open is not such a good idea.
While this matter may have caused a few giggles given the irony of the situation, it’s still a serious issue, and we hope to see it fixed.