
Cryptomator Trigger #59

Open
Technoprenerd opened this issue Jan 9, 2023 · 9 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@Technoprenerd

Idea for Cryptomator trigger.
Cryptomator (https://cryptomator.org/) creates encrypted volumes.
It uses WebDav or Fuse to mount volumes.

On Mac OSX, a script can do the unmounting:
umount --force /Volumes/<CryptomatorVaultName> or
sudo diskutil unmount /Volumes/<CryptomatorVaultName>

The main issue with this is that the vault name has to be known for the path, to be able to trigger it in a script.

Another idea is to buy and install the Mountain application (https://appgineers.de/mountain/) with HotKeys set for Unmount external volumes, it works without knowing all the volume names.
The Buskill would trigger a script that presses these hotkeys for the Mountain app to do this.

Remarks on this are appreciated.

@maltfield
Member

maltfield commented Jan 10, 2023

Thanks @Technoprenerd Is there any reason you prefer Cryptomator to Veracrypt? afaik veracrypt is the most popular cross-platform software for creating encrypted volumes

@maltfield
Member

> On Mac OSX, a script can do the unmounting:
>
> umount --force /Volumes/<CryptomatorVaultName> or
> sudo diskutil unmount /Volumes/<CryptomatorVaultName>

Is there any command to list all mounts too? That way the trigger could just list them all and iterate through the list, umounting all of them?

Also, is there any built-in "shred" command that wipes the area of the encrypted volume that holds the (encrypted?) master keys? I mean something that's faster than overwriting the whole volume, of course.

And does Cryptomator have any decent documentation describing the encoding of their volumes? In LUKS there are 8-32 keyslots, and the way LUKS works is very clearly documented in the whitepapers:

  1. LUKS1 https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf
  2. LUKS2 https://gitlab.com/cryptsetup/LUKS2-docs/blob/master/luks2_doc_wip.pdf

Is there an equivalent whitepaper describing Cryptomator so I can wrap my head around its headers/footers/keyslots/encodings/recovery/etc?

@Technoprenerd
Author

@maltfield: No preference, I've tried them all and it seems that for new users this type of application is more usable (better UI/UX) for creating and encrypting individual files (not volumes).
It is specifically designed to back up to cloud storage service providers.
But I would recommend looking into Veracrypt first, since that offers more granular features for the privacy community.

Probably iterate through the /Volumes/ paths to select folders; it should be scripted though.
It does not work with diskutil list.

Depends on whether shred is installed; in OSX it is no longer installed by default.

Cryptomator does have decent documentation:

https://docs.cryptomator.org/en/latest/security/architecture/

https://docs.cryptomator.org/en/latest/security/security-target/

@maltfield
Member

maltfield commented Jan 11, 2023

> Cryptomator was designed to solve privacy issues when saving files to cloud storages.

source: https://docs.cryptomator.org/en/latest/security/security-target/

Because of this, it seems like a self-destruct may be less valuable for Cryptomator. Depending on the adversary, they could just force the cloud provider to hand over a backup of the masterkey.cryptomator file after shred.

But I definitely think it would be worthwhile to write a trigger for Cryptomator that simply:

  1. Finds all the Cryptomator volumes
  2. Unmounts all the Cryptomator volumes

@Technoprenerd Do you have any python experience? I think the first deliverable here is to write a simple python function get_cryptomator_volumes() that

  1. iterates through everything in /Volumes/
  2. determines if each volume is Cryptomator volume
  3. returns a list of paths to all the Cryptomator volumes

(if possible, it would be best if get_cryptomator_volumes() was cross-platform and worked on Linux, Windows, and MacOS)

This begs the question: does doing ^ that or unmounting a Cryptomator volume require root access? If so, we have a way to escalate buskill's triggers as root on MacOS (but not Windows or Linux yet):

@maltfield maltfield added enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed labels Jan 11, 2023
@Technoprenerd
Author

Technoprenerd commented Jan 19, 2023

@maltfield Agreed, adversary would just copy the backup masterkey from cloud provider and decrypt it.

Yes, below is how far I've come and works on OSX.
psutil is the main library used to figure out the volume paths.

```python
import platform
import subprocess

import psutil

CURRENT_PLATFORM = platform.system().upper()

# Port of the local WebDAV server used by Cryptomator; default port 42427
CRYPTOMATOR_WEBDAV_PORT = '42427'


def get_cryptomator_volumes():
    """Find every mounted Cryptomator vault, unmount it, and return the list of mountpoints."""
    # Need to list the Fuse/WebDAV volume mounts and iterate through them
    # example OSX macFuse:  sdiskpart(device='Cryptomator@macfuse0', mountpoint='/Volumes/test', fstype='macfuse', opts='rw,sync,nosuid', maxfile=255, maxpath=1024)
    # example OSX WebDAV: sdiskpart(device='http://localhost:42427/sq5q-0UyuwBL/test3/', mountpoint='/Volumes/test3', fstype='webdav', opts='rw,noexec,nosuid', maxfile=255, maxpath=1024)
    # example Linux: sdiskpart(device='fusefs-851974781', mountpoint='/home/<USER>/.local/share/Cryptomator/mnt/testlinuxvault', fstype='fuse.fusefs-851974781', opts='rw,nosuid,nodev,relatime,user_id=1000,group_id=1000', maxfile=254, maxpath=4096)
    partitions = psutil.disk_partitions(all=True)
    found = []

    # iterate over the list and find the mounts in OSX
    if CURRENT_PLATFORM.startswith('DARWIN'):
        for p in partitions:
            # mounted with macFuse
            if p.device.startswith('Cryptomator'):
                found.append(p.mountpoint)
            # mounted over WebDAV: the device is the local WebDAV URL, so match the
            # port as part of that URL rather than as a bare substring anywhere
            elif p.fstype == 'webdav' and p.device.startswith('http://localhost:' + CRYPTOMATOR_WEBDAV_PORT + '/'):
                found.append(p.mountpoint)
        for mountpoint in found:
            print(mountpoint)
            # can use diskutil or umount -f; the path is passed as its own argument
            # (no shell string concatenation, so spaces or ';' in a vault name are safe)
            subprocess.run(['diskutil', 'unmount', 'force', mountpoint], check=False)

    # iterate over the list and find the mounts for Linux
    elif CURRENT_PLATFORM.startswith('LINUX'):
        for p in partitions:
            if p.mountpoint.find('Cryptomator') != -1:
                found.append(p.mountpoint)
        for mountpoint in found:
            print(mountpoint)
            # TODO
            # must be root to unmount fuse disk
            subprocess.run(['umount', '-f', mountpoint], check=False)

    # TODO Windows
    # elif CURRENT_PLATFORM.startswith('WIN'):

    return found


if __name__ == '__main__':
    get_cryptomator_volumes()
```

TODO:

  • Figure out if this works with more Vaults open at the same time
  • Root needed for Linux Umount
  • Support for Windows
  • Check if WebDAV can be easily dismounted (it does work, the mount is gone, but the Cryptomator GUI still shows/hangs on unlocked)
  • Forensically attest that there is no data left
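Added example, written for this thread rather than taken from the BusKill trigger code or from Cryptomator: a cross-platform version of the get_cryptomator_volumes() that maltfield asked for, with the detection split from the unmounting so it can be fed the three psutil records posted above and run offline. The detection rules are derived only from those three records; the sample mount table at the bottom is constructed (the <USER> placeholder is replaced with 'user', and two non-Cryptomator mounts are added as negatives). Port 42427 is treated as the default and made a parameter, since the page does not say whether it is fixed. The Linux fusermount -u path is a suggestion for the "root needed" TODO, not something tested in the thread, and the Windows branch is left unimplemented as in the posted code.

```python
"""Cryptomator mount detection plus shell-free unmount commands (illustration only)."""
import platform
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Default port of Cryptomator's local WebDAV server, as given in the thread (assumed configurable).
CRYPTOMATOR_WEBDAV_PORT = 42427


@dataclass(frozen=True)
class Mount:
    """The three fields of a psutil sdiskpart record that detection needs."""
    device: str
    mountpoint: str
    fstype: str


def from_psutil() -> List[Mount]:
    """Read live mounts via psutil (third-party; imported lazily so tests need no dependency)."""
    import psutil
    return [Mount(p.device, p.mountpoint, p.fstype) for p in psutil.disk_partitions(all=True)]


def is_cryptomator_mount(m: Mount, webdav_port: int = CRYPTOMATOR_WEBDAV_PORT) -> bool:
    """True if the record looks like an unlocked Cryptomator vault.

    One rule per record posted in the thread:
      macOS/macFUSE: device 'Cryptomator@macfuse0', fstype 'macfuse'
      macOS/WebDAV:  device 'http://localhost:42427/<id>/<vault>/', fstype 'webdav'
      Linux/FUSE:    mountpoint under '.../.local/share/Cryptomator/mnt/', fstype 'fuse.*'
    """
    if m.fstype == 'macfuse' and m.device.startswith('Cryptomator@'):
        return True
    if m.fstype == 'webdav':
        # Parse the URL and compare host and port exactly; a bare substring search
        # for "42427" would also match unrelated URLs that merely contain those digits.
        u = urlsplit(m.device)
        if u.scheme == 'http' and u.hostname in ('localhost', '127.0.0.1') and u.port == webdav_port:
            return True
    if m.fstype.startswith('fuse') and '/Cryptomator/mnt/' in m.mountpoint:
        return True
    return False


def get_cryptomator_volumes(mounts: Iterable[Mount], webdav_port: int = CRYPTOMATOR_WEBDAV_PORT) -> List[str]:
    """Mountpoints of all Cryptomator vaults in `mounts`, deduplicated, in mount-table order."""
    found: List[str] = []
    for m in mounts:
        if is_cryptomator_mount(m, webdav_port) and m.mountpoint not in found:
            found.append(m.mountpoint)
    return found


def unmount_command(mountpoint: str, system: Optional[str] = None) -> List[str]:
    """Unmount command as an argv list, never a shell string.

    With os.system('diskutil unmount force ' + mountpoint) a vault named "x; rm -rf ~"
    would run the second command; as a list the whole path is one argument.
    Linux: fusermount -u can drop a FUSE mount owned by the calling user without root
    (suggested for the "root needed" TODO, untested here); -z is a lazy unmount for open files.
    """
    system = (system or platform.system()).upper()
    if system.startswith('DARWIN'):
        return ['diskutil', 'unmount', 'force', mountpoint]
    if system.startswith('LINUX'):
        return ['fusermount', '-u', '-z', mountpoint]
    raise NotImplementedError(f'no unmount rule for {system} yet')  # Windows is still TODO


def unmount_all(mounts: Iterable[Mount], dry_run: bool = False, system: Optional[str] = None) -> List[List[str]]:
    """Build (and unless dry_run, execute) the unmount command for every detected vault."""
    cmds = [unmount_command(mp, system) for mp in get_cryptomator_volumes(mounts)]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


# Constructed sample mount table: the three records from the thread (<USER> replaced by 'user')
# plus two mounts that must NOT match; the last one has the digits 42427 in its path only.
SAMPLE_MOUNTS = [
    Mount('Cryptomator@macfuse0', '/Volumes/test', 'macfuse'),
    Mount('http://localhost:42427/sq5q-0UyuwBL/test3/', '/Volumes/test3', 'webdav'),
    Mount('fusefs-851974781', '/home/user/.local/share/Cryptomator/mnt/testlinuxvault', 'fuse.fusefs-851974781'),
    Mount('/dev/disk1s1', '/', 'apfs'),
    Mount('http://localhost:8080/42427/', '/Volumes/other', 'webdav'),
]

if __name__ == '__main__':
    for cmd in unmount_all(SAMPLE_MOUNTS, dry_run=True, system='Darwin'):
        print(' '.join(cmd))
```

Swapping SAMPLE_MOUNTS for from_psutil() and dropping dry_run turns this into the trigger itself; keeping detection pure over a list of records is what makes the "more vaults open at the same time" and "Linux vs macOS" cases testable without mounting anything.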

@Technoprenerd
Author

It does work with multiple vaults open at the same time

python3 find_volumes.py
/Volumes/test3
Unmount successful for /Volumes/test3
/Volumes/test4
Unmount successful for /Volumes/test4
/Volumes/test2
Unmount successful for /Volumes/test2

Cryptomator GUI shows everything locked

@maltfield
Member

@Technoprenerd thanks for your work on this!

Would you mind adding your code and iterating directly on this new repo?

@maltfield
Member

See also #62


Technoprenerd added a commit to BusKill/trigger_cryptomator_umount that referenced this issue Jan 28, 2023