VeraCrypt | Disk encryption with strong security based on TrueCrypt

You can use || to execute something that won't fail if a primary command fails, such as with:

That's what's literally in the code:

Download toggle5.rule from the Hashcat repo on Github and try running this:

Well, I should have figured that after several days of trying, the answer would appear just after I posted this question...and it did.

I was first directed to the default EDK\Conf\build_rule.txt file, and looking through there, I found a build rule for .obj files (as well as .o files)! This looked a lot like a plain copy (well, actually adding it to the same list as the output of .c/.cpp/.asm/etc. files), so the idea was suggested to try placing the .obj file into the [Sources] section. I had not seen that anywhere else, so I tried, and sure enough, it worked:

The approach is ok and is as secure as is pipeing the password in the shell <<<"myPassword" veracrypt.

1. There is no password in the ps output.
2. The password is stored in temporary buffers only.
3. I think an attacker could still get the password using some side channel attacks, if it knows enough about your application/source code.

Your code is not secure at all.

1. You don't check the return value of malloc
2. You don't check the return value of popen
3. You don't check the return value of getpass
4. You overflow the allocated memory for cc. You didn't allocate place for the terminating null character. You could use asnprintf and let GNU library do the job for you.
5. Because you don't pass properly the argv[i] and argv[i+1] it's plain simple to attack any PC using your program, with just ex.: ./your_program "; sudo rm -rf " "; echo I can run any shell script here".

Is this approach a good idea at all? (securitywise)

The approach is ok, how you approached it is not ok. Your program leaks memory and doesn't check any return values and has no control over the strings passed to popen, which is just unsecure. Using system(sudo echo -n) is also insecure. As for the approuch, would be best to bzero the buffer after it's last use memset(buffer, 0, strlen(buffer) + 1) (maybe multiple times, like 5), and then free(buffer).

In the light of last attacks like Meltdown and Spectre and others, newer ssh versions encrypt the password with a long key (I think with RSA, not sure) right after receiving it from user and decrypt each time upon use. The key is long enough to make attacks using such methods not probable or too long. I don't think there is need for easy small application to implement such method. source.

How is the value of buffer piped to veracrypt by popen()?

Because you use fprintf, the buffer is copied into the internal FILE* buffer and then flushed on the newline. By default FILE* streams are buffered and flushed on newline. You can specify the behavior with setvbuf, however, I don't think it's safe at all, as the password will remain in the FILE* buffer for some time. Then the fprintf call writes the content of the internal FILE* buffer upon newline to the associated pipe file descriptor with the FILE* pointer. Then kernel passes the data from the pipe's input to the command's stdin. A little tiny bit safer way (as you don't need printf utility at all, you just "%s"...), is probably to use setvbuf(fChild, NULL, _IONBF, 0) and then to use fwrite(buffer, strlen(buffer), 1, fChild).

A proper approach would be to remove the FILE* and to use the proper pipe() + fork() + exec() and stream the password directly into the pipe with write() call, so you don't use FILE* internal buffering. fork() will also allow you to send signals and handle the return value of the child.

Is buffer read directly from its location or is it copied and can therefore remain somewhere in memory?

Yes and yes and yes. It is read directly from it's location inside fprintf call. It is copied into internal FILE* buffer. It can therefore remain somewhere in memory.

You have used the tilde symbol ~ in your path names, but this is not a valid character at the beginning of a Unix path.

Rather, some shells substitute the tilde with the path of the user's home directory before passing it on to the operating system.

Because you are not using a shell, you must provide the actual directory yourself. You cannot use the tilde in the beginning of the paths.

You must be Googling for encryption/decryption far too specific towards JSON rather than towards Text File. If you want to encrypt a Text File which just so happens to contain JSON content then the internet is full of examples including SO. Never the less, here are some method that will carry out the task.

The file content encryption provided here utilizes Java 8's Base64 Class encoding and then a Caesar Cipher (which is a shift cipher) is applied to each file line. By no means is this considered a Secure Encryption but it is enough to confuse most (at least for a wee bit).

The concept here is to read in the JSON text file one line at a time. As each line is read in it is encoded, ciphered then saved to a Destination File Path until the end of file is reached. When finished you will see that in no way is the destination file legible towards what type of file the original may have been, at least not until is is Decrypted. All text is ciphered including format indentation. File Decryption is done in the very same fashion.

There are four simple methods provided here which requires Java 8+ to carry out the task of encryption/decryption:

To Encode and Cipher a string:

what you can do is to run veracrypt with elevated rights:

You should just be able to use the call operator & to run the command directly without using cmd: