LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 02-21-2016, 04:27 PM   #31
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth&Mars (I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that work on freest-HW; has been KDE, CLI, Novena-SBC but open.. http://goo.gl/NqgqJx &c ;-)
Posts: 4,888
Blog Entries: 2

Rep: Reputation: 1567

I do use GnuPG for WiFi and browsers...
 
Old 02-21-2016, 06:19 PM   #32
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by sgosnell View Post
gpg is the executable for the GnuPG package. The -c option you used is for symmetric encryption, meaning you enter a separate password to encrypt/decrypt the file. If you use -e instead, your keys are used for encryption/decryption. Either will work, but IMO using keys is a more secure way of doing it. Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult. But -c does have its uses.

One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
Thanks sgosnell. I was going over that link you gave me. http://statistics.berkeley.edu/computing/encrypt So that is GnuPG, right? (Although it says: You can use PGP encryption to do this with the command-line tool gpg.) Kind of confusing: PGP, gpg, GnuPG. Anyway, my way (screenshot) of doing the gpg (with the -c option) was so simple and easy. Is the encryption that way not as good as the encryption with -e version?

And why would a person use the same passphrase for the -e version and different passphrases for the -c version or the AES crypt versions?

And is the process in the link (the -e version) do-able for a newbie? (I got a little concerned when I saw that I would need to input 'security information.') Or would I maybe be getting in over my head?

And is it really important to do a killer passphrase for that? (Like you can do with "Diceware" passphrase method.)

Thanks.
Attached Thumbnails: Selection_018.png
 
Old 02-21-2016, 07:28 PM   #33
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.

One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.

Last edited by sgosnell; 02-21-2016 at 07:29 PM.
 
Old 02-22-2016, 12:33 AM   #34
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 158

Rep: Reputation: 44
Quote:
Originally Posted by sgosnell View Post
One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
That all depends on how you do your encryption.

I have some special code in my VIM editor. When I edit a file ending in GPG, it reads in the binary file (if it exists) and filters it in memory (GPG asks the password). When I write, it filters it again in memory back to binary (asks password twice), writes it, then undoes the encrypt, so you can continue to work on the file.

The decrypted file is not stored to disk (not even in swap files).

In actual fact VIM itself has file encryption built into it (type in vim ":help encryption" for more info). But I never trusted it as I don't know exactly what it does!

For info on doing this (and for using other file encryption such as openssl), see
http://www.ict.griffith.edu.au/antho..._encrypt.hints

I used to use this a lot before switching to EncFS (for bulk directory encryption) and a slightly different encrypted file storage method (AES with PBKDF2 pass-phrase hashing).


Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench.
-- Gene Spafford
The equivalent of an armoured car should always be used to
protect any secret kept in a cardboard box.
-- Anthony Thyssen, On the use of Encryption

Last edited by A.Thyssen; 02-22-2016 at 08:41 PM. Reason: minor
 
Old 02-22-2016, 12:44 AM   #35
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 158

Rep: Reputation: 44
Quote:
Originally Posted by jamison20000e View Post
P.s: for the first link use:
Code:
sudo echo "TypeYourPasswordHere" | sudo cracklib-check
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".

A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.

XKCD comic explains it a lot better...
http://xkcd.com/936/
 
Old 02-22-2016, 01:45 AM   #36
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth&Mars (I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that work on freest-HW; has been KDE, CLI, Novena-SBC but open.. http://goo.gl/NqgqJx &c ;-)
Posts: 4,888
Blog Entries: 2

Rep: Reputation: 1567
Good link!

I remember somewhere said just use gibberish because brute force uses .dict, &c plus I hear about randomly generated passwords (could be best there?) Tho if we want to get technical and "most secure:" http://www.linuxquestions.org/questi...ve-4175572277/

Last edited by jamison20000e; 02-22-2016 at 01:50 AM.
 
Old 02-22-2016, 05:14 PM   #37
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
It's certainly possible to use aliases, scripts, macros, or whatever to delete or never write decrypted files, but gpg doesn't do that itself. I have an alias that encrypts a file and then shreds the plaintext file. For decrypting, you can just have the decrypted file written to standard out. There are lots of ways to do things.
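
Added example, not part of sgosnell's post and not his alias: one way to write the "encrypt, then shred the plaintext" helper and the "decrypt to standard out" helper described above. The names `encshred`, `decview` and `GPG_OPTS` are invented for this sketch, and the round-trip check before shredding is an addition of the example.

```sh
# Added example, not code from the thread. encshred, decview and GPG_OPTS
# are names invented here.
# GPG_OPTS: optional extra gpg options, split on whitespace (for scripted,
# non-interactive runs; leave unset to get the normal passphrase prompts).

# encshred FILE [RECIPIENT]
#   Without RECIPIENT: gpg -c (symmetric, asks for a passphrase).
#   With RECIPIENT:    gpg -e to that public key.
#   The plaintext is shredded only after FILE.gpg has been decrypted again
#   and compared byte-for-byte with FILE.
encshred() {
    src=$1
    rcpt=${2:-}
    out=$src.gpg

    # Refuse empty or missing input: with an empty file, a failed
    # decryption (no output) would look like a successful comparison.
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "encshred: $src: need a non-empty regular file" >&2
        return 2
    fi
    if [ -e "$out" ]; then
        echo "encshred: $out already exists, not overwriting" >&2
        return 2
    fi

    if [ -n "$rcpt" ]; then
        gpg ${GPG_OPTS:-} --output "$out" --encrypt --recipient "$rcpt" "$src" || return 1
    else
        gpg ${GPG_OPTS:-} --output "$out" --symmetric "$src" || return 1
    fi

    # Round trip: the decrypted bytes go down a pipe to cmp, never to disk.
    if gpg ${GPG_OPTS:-} --quiet --decrypt "$out" | cmp -s - "$src"; then
        shred -u "$src"
    else
        echo "encshred: could not verify $out; plaintext left in place" >&2
        return 1
    fi
}

# decview FILE.gpg: decrypt to standard output only, for example
#   decview notes.txt.gpg | less
decview() {
    gpg ${GPG_OPTS:-} --quiet --decrypt "$1"
}
```

`shred` overwrites the file in place, which journaling or copy-on-write filesystems and SSDs do not guarantee reaches the old blocks, so treat the deletion as best effort on those.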
 
Old 02-22-2016, 10:29 PM   #38
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by sgosnell View Post
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.

One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?

And regarding Mega (which looks great really) I was in another forum and there was a fair amount of controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)

http://thenextweb.com/insider/2015/0...-mega-anymore/
 
Old 02-22-2016, 10:32 PM   #39
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by A.Thyssen View Post
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".

A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.

XKCD comic explains it a lot better...
http://xkcd.com/936/
How about the diceware method?

http://world.std.com/~reinhold/diceware.html

Seems it would be much safer than a sentence that is syntactically correct and makes sense. (Like the 'I really hate this damn machine' does.)
 
Old 02-23-2016, 05:24 PM   #40
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 158

Rep: Reputation: 44
Quote:
Originally Posted by Gregg Bell View Post
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?

And regarding Mega (which looks great really) I was in another forum and there was a fair amount of controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)

http://thenextweb.com/insider/2015/0...-mega-anymore/

Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reversible encryption like AES.

So to encrypt a file you just use the public key (no password needed... it's public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.

Public Keys thus work well for communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).

I hope that makes it clear.
 
1 members found this post helpful.
Old 02-23-2016, 09:09 PM   #41
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
 
1 members found this post helpful.
Old 02-23-2016, 11:04 PM   #42
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by A.Thyssen View Post
Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reversible encryption like AES.

So to encrypt a file you just use the public key (no password needed... it's public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.

Public Keys thus work well for communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).

I hope that makes it clear.
Thanks a lot, A.Thyssen. Really good explanation. I didn't realize there were two different ways of doing it. And for me (at this point anyway) the symmetric encryption is going to be enough. (But I still want to learn the other way in case I have to send somebody something.) Appreciate it.
 
Old 02-23-2016, 11:17 PM   #43
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by sgosnell View Post
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
Thanks sgosnell. That symmetric encryption explanation makes sense. I think it'll help if I experiment with that -e option to learn by doing. But for now the symmetric encryption is fine for me.

One more question. Say I do the symmetric encryption and I put files and folders into the cloud. It would be okay to use the same passphrase for all of them, right? I ask because I've seen that Sophos Encryptor and it has like a password vault included. So to put all kinds of stuff out there with different passwords could be a real boondoggle. But the way I'm thinking, say I use AEScrypt and have a killer good passphrase and use it on all the files I should be okay, right?

And you wrote in post #30

Quote:
Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult.
So yeah, I'm wondering why I wouldn't use the same password for AEScrypt or -c as well as when I use the -e (and keys) way.
Thanks.
 
Old 02-24-2016, 10:07 AM   #44
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
 
1 members found this post helpful.
Old 02-24-2016, 10:16 PM   #45
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 2,034

Original Poster
Rep: Reputation: 176
Quote:
Originally Posted by sgosnell View Post
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
Thanks sgosnell. Do the -c version and -e version both have the 2048-bit encryption?
 
  

