Release Notes 2.x
RELEASE NOTES - Personal Data Security 2
Before using PDS, please verify the authenticity of the application you have received. The steps to verify the application can be found on the PDS Wiki under "Validating a release". Use of Personal Data Security (PDS) may be illegal in countries where the encryption of personal data is illegal. Wikipedia has a list of countries and their import restrictions related to cryptography: http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography PDS is a data security product that provides affordable unlimited strength encryption in an easy to use application. PDS does not provide the actual encryption components; those are provided by the trusted open source Java Cryptographic Extensions (JCE) within your Java Runtime Environment (JRE). PDS is not sold, but instead is licensed under the End User License Agreement (EULA) contained within the application. The EULA is displayed during initialization and is also available on the PDS Wiki. Before you run the application you will first need to extract the files from within the zip or tgz file. The extracted directory may then be moved to a more suitable place (e.g. Desktop, Applications, Program Files, etc.). Running the application consists of 2x clicking the PDS application (Mac) or the pds.jar file (Linux / Windows). Additionally, start up scripts exist to run PDS with extra options. For more information on the options, please refer to the PDS 2 Users Guide on the PDS Wiki.
Should PDS not start, please confirm that:
1. A suitable Java runtime environment (JRE) is installed. Required is Java 6 or newer. Recommended is the latest JRE from Oracle.
2. For Mac release: If prompted, the Java for OS X release from Apple should be installed. Please see below for more about Java for OS X. For Linux and Windows: Ensure that a Java executable is in your path. Also, Java should be configured to launch a jar file. If this is uncertain, you may start PDS using an appropriate startup script or by manually running this command from a terminal window: $ java -jar /path/to/pds.jar
Once up and running, the Quick Start document within the application should be enough to get you started.
For more information about PDS, including the Users Guide, please consult the links below.
Sources for information:
Website: https://www.trustpds.com Wiki: https://www.trustpds.com/wiki QuickStart: Within PDS - select the blue question mark. Users Guide: https://www.trustpds.com/wiki/index.php/Users_Guide_2.0 README.txt: Within the software release. Change Log: In the Release Notes. Release Notes: This document.
Contact points include:
Question: firstname.lastname@example.org Bug: email@example.com Security: firstname.lastname@example.org Suggestion: email@example.com
- Known issues
- When decrypting a directory, the last modification time will be correctly assigned to all files and directories. However, as directories are decrypted first, when subsequent operations write decrypted contents into a directory, the time stamp on that directory will be updated to the current system time. Should you need to maintain the time stamps on directories at the time of encryption, decrypting the directory to a ZIP file, and then extracting the contents of the ZIP file will maintain the directory time stamps. - The optional ZIP compression of directories is performed after the encryption of each file. As encrypted (random) data does not compress very much, the value of enabling compression is very limited. Hence, the default compression level is 0 (none).
- Known issues with Java
- http://bugs.java.com/view_bug.do?bug_id=4681995 Zip64 was implemented in Java 7 (u55). Prior to that, ZIP archives were limited in both size (~4GB) and files (65536). - https://bugs.openjdk.java.net/browse/JDK-6550137 https://docs.oracle.com/javase/8/docs/api/java/util/zip/ZipEntry.html Directory encryption and decryption relies upon the ZipEntry class. This Java class does not provide full support for hard or soft links. During directory encryption, both types of links are dereferenced, resulting in unique directories and files being written during decryption. Also, canceling an operation while operating on a soft link to a file has been observed to result in an abrupt (no clean-up) end to the operation. - https://bugs.openjdk.java.net/browse/JDK-8064546 https://bugs.openjdk.java.net/browse/JDK-8061619 These bugs appear to be the same JRE bug. When hit, a BadPaddingException (BPE) will be thrown. If seen in PDS, it will typically be after decrypting a directory. In older JRE's, the exception was (correctly) ignored, but JRE changes caused the BPE to be thrown when calling close() on a CipherInputStream that had not been read to the end of the stream. It seems that newer JRE's are again not throwing this exception when closing a stream that has not been read to the end. PDS uses ZIP streams when encrypting directories, and it appears that the decryption of a ZIP stream may read less that written; thus the exception. PDS suppresses this exception within the GUI but logs the exception to standard error. To prevent logging of the BPE, the best solution is to upgrade to the latest JRE. Alternatively, the exception only seems to be seen when extracting files; thus, decrypting a directory to a ZIP file (instead of extracting the files) is an alternative to replacing the JRE. For effected versions of Java, please see the referenced URLs above.
- Known issues with Java - Mac only
- http://bugs.java.com/view_bug.do?bug_id=8133783 This bug results in a crash of the PDS application in a number of Java releases. It is related to issues to 8057830, 8133783, 8146278 and 8173981 in the OpenJDK, and appears to be in the backlog awaiting votes. Filing an issue with the Oracle JRE at http://bugreport.java.com may elicit activity on this issue by the OpenJDK developers. - When attempting to run PDS, you may be prompted to install Java for OS X, regardless of any other Java installations on the system. The reason for this appears to be caused by the Oracle Java VM attempting to detect if Apple Java is present, and in so doing triggering a series of events that ends up triggering OS X to require that Apple Java is installed: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8024281 Fixing this bug, and thus removing the Apple Java 6 dependency, is slated for Java 9. In the meantime, you may opt to run the PDS executable Jar file directly, instead of running PDS as a Mac application, and thus avoid needing to install the legacy JDK from Apple. But if you do decide to install the legacy JDK, the "upside" is that 1) PDS uses the most current JRE available on the system, and 2) Mac users will have a very compact JDK that provides both the "keytool" and "jarsigner" commands to verify the authenticity of the PDS executable. To install Java for OS X: 1. When prompted to install Java for OS X, select the "More Info" option within the Apple pop-up dialog. This should open a browser window to: https://support.apple.com/kb/DL1572 While not currently indicated at the URL above, the Java release does install and function on macOS "Sierra", also. 2. Select the "Download" button to download the Java for OS X release. 3. 2x-click the package and follow the instructions to install the JDK. Once installed, it will require ~50MB on disk, which is much better than the current Oracle JDKs which take ~500MB. When installed, the Java for OS X release will be installed in: /Library/Java/JavaVirtualMachines/. Similarly, Oracle/OpenJDK JDK's are installed in: /Library/Java/JavaVirtualMachines/ Seemingly to focus on Applets (why...?), Oracle JREs are installed in: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/ For a full list of Apple releases of Java, please see: https://support.apple.com/downloads/java For more about Apple and Java, please see: https://www.java.com/en/download/faq/java_mac.xml - As released, PDS is configured to run using Java 6 (or newer). To override this to force PDS to use Java 8, you will need to modify the Info.plist file within the PDS app. Valid options for the JVMVersion for PDS 2 include 6, 6+, 7, 7+, 8, 8+. - Selecting the native-looking "Quit PDS" option provides a confirmation prompt. Selecting the option to cancel the Quit operation eliminates the ability to use the "Quit PDS" option a second time. A reading of the QuitHandler documentation seems to indicate that this is the expected behavior: "Once used, the QuitResponse cannot be used again to change the decision." So, if you cancel a QuitHandler, you should then close PDS by selecting the close button in the title bar of the PDS GUI. - https://bugs.openjdk.java.net/browse/JDK-8074185 The above is a JRE bug on Mac. When it occurs, the JVM sends a 10 line error message to standard error. Note that you can prevent this error from being generated by horizontally increasing the size of the Dialog so that the title bar above the files and directories is not partially hidden by the right side of the Dialog. Also, there may be some "stickyness" in the size of the File Dialog (JFileDialog) between invocations, so the dialog will only need to be resized if the size is subsequently decreased.
- Other known issues - Specific conditions
- The XFCE 4 Desktop Environment provides a button on the frame of dialogs that will roll dialogs up and down with a single click. The use of this button is known to provide inconsistent behavior, sometimes working properly and other times not. For this reason, it is recommended that the use of this feature be avoided within the PDS application.
Change Log - 2.3 Release
- Minor changes to licensing and a few other dialogs.
Change Log - 2.2.2 Release
- Check for active encryption/decryption jobs when closing PDS. Display jobs and confirm the close request if any jobs are found. The check is performed before the existing confirmation that the contents of all Notes has been saved to persistent storage. - Prevent multiple instances of the QuickStart dialog. - Changed the default settings for password generator. - Enable all options by default. - Added the option "Always prompt to exit?" - Display Linux/Unix instead of just Linux in selected dialogs. - Add Java "os.name" to selected dialogs.
Change Log - 2.2.1 Release
- Very minor updates and bug fixes for modality, dialogs, and the default settings.
Change Log - 2.2 Release
- Improved modality for better interaction among the PDS components. - Progress Monitor Dialogs - Mac only Various issues have been observed when Progress Monitor Dialogs were enabled. These issues include instances of out of sync progress indicators as well as unexpected behavior when selecting the Cancel. button. This release applies a consistent workaround in the Cancel operation, and with that the Cancel operation now appears to function as expected. - Changes to Accelerator Keys. Keys D, F, G and H are now encryption (Directory and File) and decryption (File and Directory), respectively.
Change Log - 2.1.1 Release
- Moved the assignment of the Mac Look and Feel from an external configuration parameter to an internal component of the PDS app. By doing this, Mac users who do not wish to install Java 6 from Apple will still be able to run PDS with the Mac Look and Feel - by executing the JAR file directly. A side effect of starting PDS in this manner is that the PDS images that are specific to Mac will display as Java or Apple images.
Change Log - 2.1 Release
- New Features
- The option to add configurable time stamps to encrypted PDS Files and Directories during the encryption process. Time stamps may include the date, time, time zone, or any combination of the three. For encrypted PDS Directories there is also the option of adding a time stamp to the name of the PDS encrypted Directory without adding it to the contents of the encrypted Directory. - A configurable password generator that will use a small set of characters (A-Z, a-z and 0-9) or a much larger set of characters. The number of characters in the password is configurable. There is also an option to copy the newly generated password to the system clipboard. - The ability to clear the contents of the system clipboard. - Improved modality among the PDS Dialogs, to better facilitate interaction between different components within the application. - A free (as in beer) release.
Change Log - 2.0 Release
- Generation of Secret Keys is improved: Replaced the KeyGenerator class with the SecretKeyFactory class. PDS uses SecureRandom to generate a 64-bit salt that is fed into PBKDF2-HMAC-SHA1 to hash the Secret Keys' passphrase 65536 times. - Initialization Vector: Replaced the static Initialization Vector (IV) with a unique IV (generated by SecureRandom) for every file. Each unique IV is contained within the metadata of the PDS file. - Resolved edge cases where the Key and/or KeyStore passphrases were not being scrubbed from memory after use. Added debugging of the scrubbing passphrases into the application. To enable and observe, please see the "Improvements" section below. - Restricted the scope of classes and methods.
- New Features
- Added more decryption options (e.g. verification only). - Added support for both Plain and Styled Documents. - Added the ability to import plain text files into PDS Notes. To import a file, select the "File->Encrypt->File" option within PDS and select Base64 encoding; the result will be a PDS Note. - Added the ability to use non-rewinding tape devices to encrypt and decrypt records on magnetic tapes. - Added new warning dialogs where appropriate. Some can be disabled and re-enabled. - Added the ability to view and edit encryption Keys. There are two views: Information (Algorithm and Size) and Details. - Added the ability to display the current Default Key. - Added settings to manage the optional dialogs within the application. - Maintaining the backward compatibility with earlier Notes and Files.
- Better support for Mac - Implemented Mac look and feel. - Fine grained control over authentication. In previous releases, some dialogs unnecessarily prompted for both the KeyStore and Key credentials when only one was needed. This release prompts for the minimal amount of credentials required. - More robust error messages in dialogs. - Verification of the clearing of authentication credentials. To enable, set: showpassclear=true e.g. $ java -Dshowpassclear=true -jar /path/to/pds.jar PDS will attempt to clear the credentials as soon as possible, printing the result to the terminal window. - Verification of the cryptographic functions. To enable, set: showcrypto=true PDS prints selected cryptographic operations to the terminal window. - PDS uses the universalJavaApplicationStub to start the JVM on Mac. This open-source product provides the much needed support for newer JREs on OS X. Thank you Tobias! For more information, please see: https://github.com/tofi86/universalJavaApplicationStub