Encryption

Before you add encryption to an archive, it's helpful to understand a little about how QRecall's encryption works.

When you add encryption to an archive, QRecall generates a random encryption key. This is a symmetric key, used both to encrypt and decrypt the data in your archive.

This encryption key is stored in a file called the encryption key file, or just key file. To access the archive (say, to browse and recall some items), QRecall reads the key file and uses the encryption key to decrypt the archive:

The encryption key file is stored in your home folder (specifically in ~/Library/Application Support/QRecall/Keys). Because the key file and archive aren't normally stored on the same volume, an agent that has access to just the archive can't access any of its data.

An agent that has access to both the archive and a computer system containing the key file could, however, access the data. To add an additional layer of security, the encryption key file can, itself, be encrypted with a password. Accessing the archive now requires the archive, the encryption key file, and the encryption key's password:

The encryption key password can be entered every time you need to access that archive, or it can be stored on your keychain for automatic retrieval.

Setting Up Encryption

To encrypt your data, open the archive and choose Archive ➤ Encryption ➤ Install Encryption Key….

Installing encryption (quick steps) Steps

To encrypt future data added to an archive:

Open the archive
Choose Archive ➤ Encryption ➤ Install Encryption Key…
Choose a key length
Enter a password (optional)
Enter a passphrase for the recovery key (optional)
Click Install
Select key file and passphrase backup options

First, choose a key length. QRecall uses the Advanced Encryption Standard (AES). A 128-bit key is more than adequate for most purposes, but you also have the choice of 192-bit and 256-bit key lengths for situations that demand it (government or company policy compliance, for example).

Password Protection

As mentioned earlier, the encryption key file can be encrypted with a password. You may elect to do this if your computer is not physically secure, although this will complicate access to the archive.

To encrypt the key file, choose Encrypt the encryption key with a password and enter a password, twice to confirm. You may optionally choose to add the password to the keychain now. Either, or both, of these steps can be done (or undone) later.

Scheduled actions and the encryption key Note

Automated actions must have access to the encryption key in order to function.

This is easiest when the encryption key is not password protected; all QRecall actions and command will have unfettered access to the archive using the encryption key file.

If the key file is password protected, and the password is saved on the keychain, each action will first have to retrieve the password from the keychain. This requires that you be logged into your account with your keychain unlocked.

If the password is on the keychain, but the keychain is locked, the action will prompt for keychain access. If the password is not stored on the keychain, or you are not logged in, the action will fail.

Password strength More Info

The strength of any security is its weakest link.

The random encryption keys generated by QRecall are as secure as it gets. If you can prevent an agent from gaining access to the encryption key, your archive data is completely safe.

If you protect your encryption key with a password, the strength of your security becomes the strength of that password; strong encryption protected by a weak password is the same as weak encryption.

Note: the pass key used to encode the encryption key file is salted. This makes it resistant to most key cracking algorithms, but does not make it immune to well-known password dictionary attacks. In other words, don't use “123456” as your password or passphrase.

Similarly, if your strong password is stored on the keychain, and your keychain password is weak, that becomes your security's most vulnerable point.

Installing a Recovery Key

A recovery key is a copy of the encryption key, encrypted with a passphrase, and stored in the archive. A recovery key acts as an emergency backup for your encryption key and makes it easy to retrieve the key, should you need it. Installing a recovery key is highly recommended.

While technically identical to a password, a passphrase should be longer and harder to guess, often an entire sentence. Enter it twice to confirm.

Once everything is set up, click the Install button to install the encryption key.

Making backups of your encryption key

A dialog will now appear prompting you to make backup copies of your encryption key file and/or the passphrase used to protect your recovery key.

Do not lose your encryption key! Warning

The importance of keeping backups of your encryption key cannot be stressed enough.

QRecall uses completely random (maximum entropy) AES encryption keys. This level of encryption is considered unbreakable by modern standards, even by governments with massive resources. There are no known hacks, key crackers, or backdoors.

If you lose the encryption key, your archive data will be lost. Period. End of Story. No exceptions.

Do not call me in the middle of the night, crying into the phone, that you've lost your entire life's work because your hard drive crashed and you lost your encryption key file. I can't help you. No one can.

The same is true for password protected encryption key files and recovery keys, it's equally important to keep track of those passwords and passphrases.

If you didn't create a recovery key, making a backup of your encryption key is strenuously encouraged. Please, I'm begging you; make a backup! If you protected the encryption key file with a password, the backup will be protected by the same password. (Don't lose that either!)

If you elected to install a recovery key, it's equally important to keep track of your passphrase. Checking the passphrase backup option will prompt you save the passphrase as a file; you can later use that file to reload the passphrase, without having to type it in.

Encryption key backup strategies Note

The backups of your encryption key and password/passphrase file(s) should be kept on enduring media in a secure location, separate from both your computer system and the archive storage.

All digital media has a shelf life, so be aware of its limitation when crafting an encryption key backup strategy. Here are some suggestions:

Store the backup encryption key file, passphrase file, and possibly a password file, on a flash drive. For really important data, write it to two flash drives. Flash memory has a lifespan anywhere from 2 to 15 years. Every fews years, transfer the files to a new drive.
Burn the backup encryption key file, passphrase file, and possibly a password file, to a CD-R or DVD-R disc. Most optical media has a shelf life of at least 10 years. Store the discs vertically where they are not subject to extreme temperature changes. Every decade or so, copy the keys to a new disc. Keep the previous disc as a backup of the backup.
Consider saving an additional copy of your backup key files to a cloud storage service. Encrypt the files in a password-protected archive or disk image and upload that. Make sure the service is reputable, secure, and redundantly backed up. This makes a convenient off-site solution.
If you have the option, there are some digital media with extended lifespans such as linear tape (up to 30 years) and M-DISC optical discs (which claims to be stable for 1,000+ years).

Key files and the command line tool Details

The backup files you create during installation can also be used to provide the encryption key or passphrase when using the command line tool.

See the --keyfile, --password, and --passphrase options in man qrecall for the details.

Encrypting Previously Captured Data

If you just added an encryption key to an existing archive containing sensitive data, choose the Archive ➤ Encryption ➤ Encrypt… command to immediately apply the encryption to all unencrypted data.

Changing Passwords

Because the archive's encryption key is not based on a password, it's possible to change (or remove) the password that protects the encryption key file.

Choose Archive ➤ Encryption ➤ Change Encryption Key Password… to set, change, or remove the password protecting the encryption key file.

If the key file is not currently password protected, you'll be prompted to enter a password and optionally add it to the keychain.

If the key file is already protected by a password, you'll see a dialog requiring you to enter the existing password. You'll then have choices for removing or changing the password:

Passwords on multiple systems More Info

Each system can have a different (or no) password, and that password can be changed independently of any other system using the same archive. See Encrypted Archives and Multiple Systems.

The one exception is when you import a backup key file or copy an existing key file from another system. If the imported/copied key file is protected with a password, the installed copy will be protected by the original password—which you are then free to change.

Managing the Recovery Key

If you (went temporarily insane and) elected not to add a recovery key to your archive when setting up encryption, you can correct that oversight at any time by choosing the Archive ➤ Encryption ➤ Install Recovery Key… command. You'll be prompted for a passphrase, which you should save someplace safe.

If you (decide life would be more exciting knowing you could lose all of your data and) want to remove the recovery key, hold down the Option key and choose the Archive ➤ Encryption ➤ Remove Recovery Key… command.

Changing the recovery key passphrase Note

There is no direct way to change the passphrase used to protect the recovery key.

If you need to change the passphrase (possibly because you lost the old one), remove the existing recovery key and then reinstall it using a new passphrase.

If you open an archive and QRecall cannot read the encryption key file for that archive, and the archive contains a recovery key, you'll be prompted to enter the passphrase for the recovery key. The encryption key will be decoded and reinstalled.

Removing Encryption

If you want to remove encryption, open the archive, hold down the Option key, and choose the Archive ➤ Encryption ➤ Decrypt… command.

This command will use the installed encryption key to decrypt all protected data in the archive and rewrite it in its unencrypted (plaintext) form. The command then uninstalls the archive's encryption key.

You must decrypt an archive before installing a new encryption key, something you might want to do if the security of the existing encryption key has been compromised.

Duplicating an encrypted archive Warning

You can freely rename or relocate encrypted archives. QRecall will detect this and automatically update the binding between the archive and its encryption key file.

As a rule, you should not make a copy of an encrypted archive. If you do, you'll end up with multiple archives that depend on a single encryption key file. This can be the source of some confusion, possibly data loss.

If you need to duplicate an encrypted archive, and intend to use it independently of the original, you should:

Hold all actions that might try to use this archive.
If the archive does not contain a recovery key, make sure you have/make a backup of its key file now.
Make a copy of the archive.
Decrypt the copy of the archive. Note: this will delete the key file for both archives.
Open the original archive and reinstall its key file.
Resume the archive's actions.
(Optional) Install a new encryption key into the copy of the archive.

Encrypted Archives and Multiple Systems

If you access an encrypted archive from multiple computers, you must install that archive's encryption key on each system.

The easiest technique, by far, is to install a recovery key in the archive and use that recovery key to install the encryption key on each system that needs access to it.

If you don't want to install a recovery key, you can use the same basic technique using the backup of the encryption key file you made during installation. If the archive lacks a recovery key, attempting to open it without an encryption key installed will present an option to import the backup encryption key file. Select Import and navigate to the backup copy.

If you don't have either a recovery key or a backup copy of the key file, you'll have to locate the installed encryption key file on the original system and make a copy of it.

Locating the encryption key file Steps

Encryption key files are located in the ~/Library/Application Support/QRecall/Keys folder. To find the key file for a particular archive:

Open the encrypted archive
Hold down the Shift key, and choose the Archive ➤ Encryption ➤ Reveal Encryption Key File in Finder command

Alternatively, issue the qrecall keys check command in the Terminal. Search the output for the key file that belongs to the archive.