Encrypting history?

Encrypting history?

[Lloyd Zusman]

I would like my command history to be stored in an encrypted file. I
have read a few messages in this list from 2007 which state that there
isn't a straightforward way to do this within zsh, itself, and the use
of an encrypted file system is suggested.

However, I think that there might indeed be a way to accomplish this.

Is it possible to do the following?

Make sure that SAVEHIST is set to 0.

Then, on login, prompt the user for a password. Remember this password
for the duration of the shell session. Then, use this password along
with a decryption program to read an encrypted history file called, for
example, ~/.ehistory. Put the decrypted contents of this file into the
current shell's history list via the repeated use of the "print -s"
command.

Finally, on logout, pipe the output of "fc -ln 1" through a program
which uses the same password entered at login time to encrypt the
history and write it to the ~/.ehistory file.

Can any of you see any reason for why this would not work?

Or alternatively, is there perhaps a better way to do this within zsh?

Thanks in advance.
  

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.

Re: Encrypting history?

[Guido van Steen]

Hi Lloyd, 

Interesting idea indeed! You might miss a feature like sharing a history file across sessions. 

You could overcome this by seperately saving all your sessions' increments to your history file, and then incorporating them into the history file when you login again. 

This way the entries of your history file might get out of order, but you could probably handle this by also saving the time when your commands were issued. 

I would also be interested in a zsh extension like that. 

Best wishes, 

Guido 

--- On Sun, 27/12/09, Lloyd Zusman <ljz@asfast.com> wrote:

> From: Lloyd Zusman <ljz@asfast.com>
> Subject: Encrypting history?
> To: zsh-users@zsh.org
> Date: Sunday, 27 December, 2009, 5:55 AM
> I would like my command history to be
> stored in an encrypted file. I
> have read a few messages in this list from 2007 which state
> that there
> isn't a straightforward way to do this within zsh, itself,
> and the use
> of an encrypted file system is suggested.
> 
> However, I think that there might indeed be a way to
> accomplish this.
> 
> Is it possible to do the following?
> 
> Make sure that SAVEHIST is set to 0.
> 
> Then, on login, prompt the user for a password. Remember
> this password
> for the duration of the shell session. Then, use this
> password along
> with a decryption program to read an encrypted history file
> called, for
> example, ~/.ehistory. Put the decrypted contents of this
> file into the
> current shell's history list via the repeated use of the
> "print -s"
> command.
> 
> Finally, on logout, pipe the output of "fc -ln 1" through a
> program
> which uses the same password entered at login time to
> encrypt the
> history and write it to the ~/.ehistory file.
> 
> Can any of you see any reason for why this would not work?
> 
> Or alternatively, is there perhaps a better way to do this
> within zsh?
> 
> Thanks in advance.
>   
> 
> -- 
>  Lloyd Zusman
>  ljz@asfast.com
>  God bless you.
> 
> 


      Get your new Email address!
Grab the Email name you&#39;ve always wanted before someone else does!
http://mail.promotions.yahoo.com/newdomains/aa/

Re: Encrypting history?

[Lloyd Zusman]

Guido van Steen <gvsteen@yahoo.com> writes:

> Hi Lloyd, 
>
> Interesting idea indeed! You might miss a feature like sharing a history file across sessions. 
>
> You could overcome this by seperately saving all your sessions' increments to your history file, and then incorporating them into the history file when you login again. 
>
> This way the entries of your history file might get out of order, but you could probably handle this by also saving the time when your commands were issued. 
>
> I would also be interested in a zsh extension like that. 
>
> Best wishes, 
>
> Guido 

Thank you for reminding me about sharing history across sessions.

I've never written an extension for zsh, and so the first thing I plan
to do is implement this via code in my .zlogin and .zlogout files. Then,
once I get it working, I'll take the plunge and try to turn it into an
extension.

Concerning this session-specific history issue, is there a way to get a
history list of the commands that were issued only during the current
session? If so, I think I probably could do something like this upon
logout:

* Lock the current history file
* Get the history list for the current session
* Encrypt this history list and append it to the current
  history file
* Unlock the current history file

Would that work?



> --- On Sun, 27/12/09, Lloyd Zusman <ljz@asfast.com> wrote:
>
>> From: Lloyd Zusman <ljz@asfast.com>
>> Subject: Encrypting history?
>> To: zsh-users@zsh.org
>> Date: Sunday, 27 December, 2009, 5:55 AM
>> I would like my command history to be
>> stored in an encrypted file. I
>> have read a few messages in this list from 2007 which state
>> that there
>> isn't a straightforward way to do this within zsh, itself,
>> and the use
>> of an encrypted file system is suggested.
>> 
>> However, I think that there might indeed be a way to
>> accomplish this.
>> 
>> Is it possible to do the following?
>> 
>> Make sure that SAVEHIST is set to 0.
>> 
>> Then, on login, prompt the user for a password. Remember
>> this password
>> for the duration of the shell session. Then, use this
>> password along
>> with a decryption program to read an encrypted history file
>> called, for
>> example, ~/.ehistory. Put the decrypted contents of this
>> file into the
>> current shell's history list via the repeated use of the
>> "print -s"
>> command.
>> 
>> Finally, on logout, pipe the output of "fc -ln 1" through a
>> program
>> which uses the same password entered at login time to
>> encrypt the
>> history and write it to the ~/.ehistory file.
>> 
>> Can any of you see any reason for why this would not work?
>> 
>> Or alternatively, is there perhaps a better way to do this
>> within zsh?
>> 
>> Thanks in advance.
>>   
>> 
>> -- 
>>  Lloyd Zusman
>>  ljz@asfast.com
>>  God bless you.
>> 
>> 
>
>
>       Get your new Email address!
> Grab the Email name you&#39;ve always wanted before someone else does!
> http://mail.promotions.yahoo.com/newdomains/aa/
>
>

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.

Re: Encrypting history?

[Richard Hartmann]

On Sat, Dec 26, 2009 at 23:55, Lloyd Zusman <ljz@asfast.com> wrote:

> Finally, on logout, pipe the output of "fc -ln 1" through a program
> which uses the same password entered at login time to encrypt the
> history and write it to the ~/.ehistory file.

If you are using a block cipher, and you probably are, you should
put a salt which changes with each save at the beginning of the
file.
While I don't know of an example of attacks based on this working
on current ciphers, it's good practice, nonetheless.


Richard

Re: Encrypting history?

[Guido van Steen]

Hi Lloyd, 

With respect to the list of commands issued during
the current session, could you not use "fc -l" to detect the current history line at login? 

Guido 

--- On Mon, 28/12/09, Lloyd Zusman <ljz@asfast..com> wrote:

> From: Lloyd Zusman <ljz@asfast.com>
> Subject: Re: Encrypting history?
> To: zsh-users@zsh.org
> Date: Monday, 28 December, 2009, 1:56 AM
> Guido van Steen <gvsteen@yahoo.com>
> writes:
> 
> > Hi Lloyd, 
> >
> > Interesting idea indeed! You might miss a feature like
> sharing a history file across sessions. 
> >
> > You could overcome this by seperately saving all your
> sessions' increments to your history file, and then
> incorporating them into the history file when you login
> again. 
> >
> > This way the entries of your history file might get
> out of order, but you could probably handle this by also
> saving the time when your commands were issued. 
> >
> > I would also be interested in a zsh extension like
> that. 
> >
> > Best wishes, 
> >
> > Guido 
> 
> Thank you for reminding me about sharing history across
> sessions.
> 
> I've never written an extension for zsh, and so the first
> thing I plan
> to do is implement this via code in my .zlogin and .zlogout
> files. Then,
> once I get it working, I'll take the plunge and try to turn
> it into an
> extension.
> 
> Concerning this session-specific history issue, is there a
> way to get a
> history list of the commands that were issued only during
> the current
> session? If so, I think I probably could do something like
> this upon
> logout:
> 
> * Lock the current history file
> * Get the history list for the current session
> * Encrypt this history list and append it to the current
>   history file
> * Unlock the current history file
> 
> Would that work?
> 
> 
> 
> > --- On Sun, 27/12/09, Lloyd Zusman <ljz@asfast.com>
> wrote:
> >
> >> From: Lloyd Zusman <ljz@asfast.com>
> >> Subject: Encrypting history?
> >> To: zsh-users@zsh.org
> >> Date: Sunday, 27 December, 2009, 5:55 AM
> >> I would like my command history to be
> >> stored in an encrypted file. I
> >> have read a few messages in this list from 2007
> which state
> >> that there
> >> isn't a straightforward way to do this within zsh,
> itself,
> >> and the use
> >> of an encrypted file system is suggested.
> >> 
> >> However, I think that there might indeed be a way
> to
> >> accomplish this.
> >> 
> >> Is it possible to do the following?
> >> 
> >> Make sure that SAVEHIST is set to 0.
> >> 
> >> Then, on login, prompt the user for a password.
> Remember
> >> this password
> >> for the duration of the shell session. Then, use
> this
> >> password along
> >> with a decryption program to read an encrypted
> history file
> >> called, for
> >> example, ~/.ehistory. Put the decrypted contents
> of this
> >> file into the
> >> current shell's history list via the repeated use
> of the
> >> "print -s"
> >> command.
> >> 
> >> Finally, on logout, pipe the output of "fc -ln 1"
> through a
> >> program
> >> which uses the same password entered at login time
> to
> >> encrypt the
> >> history and write it to the ~/.ehistory file.
> >> 
> >> Can any of you see any reason for why this would
> not work?
> >> 
> >> Or alternatively, is there perhaps a better way to
> do this
> >> within zsh?
> >> 
> >> Thanks in advance.
> >>   
> >> 
> >> -- 
> >>  Lloyd Zusman
> >>  ljz@asfast.com
> >>  God bless you.
> >> 
> >> 
> >
> >
> >       Get your new Email
> address!
> > Grab the Email name you've always wanted before
> someone else does!
> > http://mail.promotions.yahoo.com/newdomains/aa/
> >
> >
> 
> -- 
>  Lloyd Zusman
>  ljz@asfast.com
>  God bless you.
> 
> 


      Get your preferred Email name!
Now you can @ymail.com and @rocketmail.com. 
http://mail.promotions.yahoo.com/newdomains/aa/

Re: Encrypting history?

[Lloyd Zusman]

Guido van Steen <gvsteen <at> yahoo.com> writes:

> Hi Lloyd, 
> 
> With respect to the list of commands issued during
> the current session, could you not use "fc -l" to detect the current
> history line at login? 

Thank you. I forgot about that option to "fc".

Hmm ... actually, shouldn't the command actually be "fc -l -1"?
Since this message might show up in the Courier font, I should
clarify that the first argument is the twelfth letter of the
alphabet preceded by dash, and the second argument is the number
one preceded by dash.

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.

Re: Encrypting history?

[Lloyd Zusman]

Richard Hartmann <richih.mailinglist <at> gmail.com> writes:

> [ ... ]
> 
> If you are using a block cipher, and you probably are, you should
> put a salt which changes with each save at the beginning of the
> file.
> While I don't know of an example of attacks based on this working
> on current ciphers, it's good practice, nonetheless.

Good idea. Thank you.

-- 
 Lloyd Zusman
 ljz@asfast.com
 God bless you.