What's the best way to encrypt gnucash data

François Huot estb at globetrotter.net
Mon Feb 7 20:38:11 EST 2011


Hi all,

I am just beginning with GnuCash and I want to know the best way to encrypt my
GnuCash data.

I am thinking of using TrueCrypt or AxCrypt to encrypt the data, and Grsync or
SBackup to back up my data to a USB hard disk.

I have searched on the net and found some scripts that seem to do the work,
but I don't know anything about scripts. Can someone test the attached scripts
and tell me which is the best and why?

Any suggestion will be appreciated.

Here are the scripts:

1) First script
http://waronpants.net/?p=176
GnuCash Encryption  December 13th, 2010 | Scripts
Tags: encryption, gnucash, truecrypt

I created an encrypted disk image using TrueCrypt. Normally, I mount the
image, use GnuCash along with any bank statements that I also put on the
image, close GnuCash, then dismount the drive. I don’t leave the image
mounted if I’m not actively using it.

Because I’m me, I scripted this.

#!/bin/sh

truecrypt $HOME/bank.tc /media/truecrypt52 && \
gnucash /media/truecrypt52/bank/GnuCash/bankstuff.gnucash && \
truecrypt -d $HOME/bank.tc

This hardly counts as a script. It’s only one line. However, this one line
automates everything I usually do. I only have to double-click the script
file, and everything is ready.

How It Works

The “&&” on each line means that the command after it will only run if the
command before it runs successfully.

The first command mounts my encrypted bank image. I find that I have to
use “/media/truecrypt??” where “??” is a one or two digit number. This
command launches a dialog box to enter the image password. If the password
is incorrectly entered, truecrypt returns 1 instead of 0 (success),
exiting the script.

Then, GnuCash is opened. The script waits until I close GnuCash to
continue. So far, I haven’t had GnuCash return anything but success.

The final line dismounts the image.

Caveats

All files relating to the encrypted image should be closed before closing
GnuCash. Once GnuCash is closed, the script will try to dismount the
drive. I don’t know if truecrypt will wait to dismount the drive if a file
is currently open.

The paths to all of the files involved are hard-coded in the script. If
you change any file names or paths, remember to update the script.
*********************************************************************************************
2) Second script
This one uses OpenSSL in place of TrueCrypt to encrypt the data; is it
better?

If not, is it better than the first script if we change OpenSSL to
TrueCrypt?

http://pluton8.wordpress.com/2011/01/31/update-of-the-gnucash-encryption-script/

By GnuCash files encryption ... on the 31st of Jan 2011

#!/bin/bash
# This is a script to work with an encrypted gnucash file. It asks for the
# password, decrypts the file, runs gnucash, and encrypts it back. Logs and
# backups are shredded at the end.
# Author: pluton <plutonpluton at mail.ru>
# Version: 1.0 (Sat Jan 29 2011)
# License: GNU GPL 3

CP=/bin/cp
KDIALOG=/usr/bin/kdialog
OPENSSL=/usr/bin/openssl
GNUCASH=/usr/bin/gnucash
SHRED=/bin/shred
BASENAME=/usr/bin/basename
CHMOD=/bin/chmod

FILE=~/main
FILETMP="${FILE}.tmp"
TIMEOUT=2   # seconds
TITLE=$( $BASENAME $0 )

notify() {
       [ -n "$1" ] && text="$1" || text="?"
       $KDIALOG --passivepopup "$text" --title "$TITLE" $TIMEOUT
}

[ -e "$FILE" ] || { notify "File '$FILE' was not found"; exit 1; }

pass=$( $KDIALOG --password "Enter the password /GC/" )
[ "$pass" == "" ] && { notify "The password is empty"; exit 2; }

if ! $OPENSSL enc -d -aes-256-cbc -in "$FILE" -out "$FILETMP" -pass stdin <<EOF
${pass}
EOF
then
       notify "The password seems to be wrong"
       exit 3
fi
$CHMOD go= "$FILETMP"
$CP -f "$FILE" "${FILE}.bkp"
$GNUCASH "$FILETMP"
$OPENSSL enc -e -aes-256-cbc -in "$FILETMP" -out "$FILE" -pass stdin <<EOF
${pass}
EOF
rc=$?   # save openssl's status; after "if ! cmd" $? would always read 0
if [ $rc -ne 0 ]
then
       notify "An error occurred while encoding (code #$rc)"
       exit 4
fi
unset pass
$SHRED -zun 2 "${FILETMP}"*
notify "Done"
******************************************************************************************
3) Third solution
http://ubuntu-utah.ubuntuforums.org/showthread.php?p=3265493
Kilarin, August 27th, 2007, 10:28 PM

I _tried_ to register at the TrueCrypt forum. They are not exactly eager
to help over there.
That seems odd, they have a pretty active forum over there.

I guess I'm looking for how to decrypt the volume after I encrypt it. I do
not find anywhere the day-to-day usage instructions for this program. What
would I do after I power up my computer? How do I put in the password? I'm
just not finding useful documentation on TrueCrypt.

I decrypt and mount a truecrypt volume on Ubuntu FF 7 like this:
   From the terminal go into the media directory and create a new folder to
mount the true crypt volume on. I named mine tc1 (for truecrypt1), but you
can name it whatever you want. The commands to do this are:
cd /media <-this takes you to the media folder
sudo mkdir tc1 <-this creates the tc1 folder, you will have to enter your
password

Now, you can mount your truecrypt volume on to tc1 using this command in
the terminal:

truecrypt -u /media/sda1/mytruecryptvol /media/tc1

Of course, change /media/sda1/mytruecryptvol to whatever the location and
name of your encrypted truecrypt volume is.

You will now be prompted twice, once to enter your user password for root
access, then again for the password of the encrypted volume.

Once you've typed both in, your truecrypt volume is mounted and available,
a shortcut to it should appear on your desktop.

If the volume is formatted as ntfs so that you can also access it from
windows, and assuming you have already installed ntfs-3g drivers for read
write access to ntfs volumes, change your mount command to:

truecrypt -u /media/sda1/mytruecryptvol /media/tc1 --filesystem ntfs-3g

When you are ready to dismount the volume, enter the terminal command:
truecrypt -d /media/tc1

truecrypt -d
will dismount all volumes that are not currently busy.

Now then, there is another pesky and annoying detail. Having to enter your
user password every time you mount a volume, as well as the volume
password, is quite... frustrating. You can eliminate this problem (at the
cost of slightly lower security) by doing the following:

export EDITOR=gedit
sudo visudo

Now you are editing the /etc/sudoers file. At the end add:
yourusername ALL= NOPASSWD: /usr/bin/truecrypt

Save and exit and now truecrypt will not require your user password.

BUT, if you are mounting the same volume all the time, you don't really
want to have to type in the terminal command every time you log on. So,
you can set up a launcher like this:

right click top bar/add to panel/custom application launcher
type=application in terminal name=truecrypt-mount
command=truecrypt -u /media/sda1/mytruecryptvol /media/tc1

Of course, change the name to whatever you want, and the command to use the
correct location of your encrypted volume and its mount point.

You can also create a "dismount all" launcher in a similar manner:

right click top bar/add to panel/custom application launcher
type=application in terminal name=truecrypt-dismount-all
command=truecrypt -d


BUT, while clicking on a launcher is certainly more convenient than
retyping the entire command into the terminal, well, you MIGHT just want
to have the truecrypt volume mount automatically every time you log on,
without you having to click ANYTHING, and this you can do! You just have
to add the mount command to your session startup program list. And that's
actually pretty easy to do:

System/Preferences/Sessions
   From the "Startup Programs" tab, click "New"
Name=truecrypt-mount
Command=/usr/bin/gnome-terminal -x /usr/bin/truecrypt -u /media/disk/DCH/evol/dch /media/tc1

/usr/bin/gnome-terminal -x /usr/bin/truecrypt -u /media/sda1/mytruecryptvol /media/tc1

Again using your own encrypted volume path and mount point. You need the
gnome-terminal because you can't actually enter the password unless you
have a terminal window to enter the password in!

One warning when using this method. If your encrypted volume is on a USB
drive, this will probably not work because the USB drive will not be
mounted when the startup programs run.

TrueCrypt is really a handy program. Good luck!
*******************************************************************************************
4) http://code.neil.williamsleesmill.me.uk/gnome2/gnc-gpg_8c-source.html
This last one uses GPG to encrypt the data.
******************************************************************************************

This is my first message on this mailing list and it is very long, sorry, but
GnuCash doesn't give information about this process.

Sorry for my English, I am French-speaking.
Thanks in advance for your help,
Thank you for your cooperation.

François Huot
Montmagny, Québec
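
Added example, not part of the original message or of the scripts it quotes: script 2 leaves the decrypted file on disk whenever it exits early (for instance "exit 4" after a failed re-encryption), and the "&&" chain in script 1 likewise skips the dismount if GnuCash returns an error. The wrapper below reuses script 2's commands but does the cleanup in an EXIT trap and replaces the encrypted file only after re-encryption succeeds; edit_encrypted, the helper names and the book.gnucash temp name are assumptions.

```shell
#!/bin/sh
# Added example, not from the quoted posts. The helper bodies reuse the commands
# of script 2; function names and the temp-file layout are assumptions.
ask_pass() { kdialog --password "Enter the password"; }
decrypt()  { openssl enc -d -aes-256-cbc -in "$1" -out "$2" -pass stdin; }
encrypt()  { openssl enc -e -aes-256-cbc -in "$1" -out "$2" -pass stdin; }
edit()     { gnucash "$1"; }
wipe()     { shred -zun 2 "$@"; }

edit_encrypted() (              # subshell body: umask and traps stay local
    file=$1
    umask 077                   # plaintext is owner-only from the moment it exists
    dir=$(mktemp -d) || exit 1  # private directory also catches GnuCash's
    plain=$dir/book.gnucash     # own log and backup files
    new=$file.new
    cleanup() {                 # runs on every exit path, including failures
        for f in "$dir"/*; do
            if [ -f "$f" ]; then wipe "$f"; fi
        done
        rm -rf "$dir" "$new"
    }
    trap cleanup EXIT
    trap 'exit 130' INT TERM    # turn signals into a normal exit so cleanup runs

    pass=$(ask_pass) || exit 2
    [ -n "$pass" ] || exit 2
    printf '%s\n' "$pass" | decrypt "$file" "$plain" || exit 3
    edit "$plain" || echo "editor exited with status $?" >&2
    # Encrypt to a side file; the original is replaced only after success.
    printf '%s\n' "$pass" | encrypt "$plain" "$new" || exit 4
    cp -f "$file" "$file.bkp" && mv -f "$new" "$file" || exit 5
)

if [ "$#" -eq 1 ]; then edit_encrypted "$1"; fi
```

Exit codes 2, 3 and 4 keep the meaning they have in script 2; 1 and 5 are additions for the temp directory and the final replace step.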

