Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
gpg is the executable for the GnuPG package. The -c option you used is for symmetric encryption, meaning you enter a separate password to encrypt/decrypt the file. If you use -e instead, your keys are used for encryption/decryption. Either will work, but IMO using keys is a more secure way of doing it. Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult. But -c does have its uses.
One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
Thanks sgosnell. I was going over that link you gave me. http://statistics.berkeley.edu/computing/encrypt So that is GnuPG, right? (Although it says: You can use PGP encryption to do this with the command-line tool gpg.) Kind of confusing: PGP, gpg, GnuPG. Anyway, my way (screenshot) of doing the gpg (with the -c option) was so simple and easy. Is the encryption that way not as good as the encryption with -e version?
And why would a peson use the same passphrase for the -e version and different passphrases for the -c version or the AES crypt versions?
And is the process in the link (the -e version) do-able for a newbie? (I got a little concerned when I saw that I would need to input 'security information.') Or would I maybe be getting in over my head?
And is it really important to do a killer passphrase for that? (Like you can do with "Diceware" passphrase method.)
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.
One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.
One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
That all depends on how you do your encryption.
I have some special code in my VIM editor. When I edit a file ending in GPG, it reads in the binary file (if it exists) and filters it in memory (GPG asks the password). when I write it filters it again in memory back to binary (ask password twice), writes it then undoes the encrypt, so you can continue to work on the file.
The decrypted file is not stored to disk (not even in swap files)..
In actual fact VIM itself has file encryption built into it (type in vim ":help encryption" for more info). But I never trusted it a I don't know exactly what it does!
I used to use this a lot before switching to EncFS (for bulk directory encryption) and slightly different encrypted file storage method (AES with PBKDF2 pass-phrase hashing)
Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench.
-- Gene Spafford
The equivalent of an armoured car should always be used to
protect any secret kept in a cardboard box.
-- Anthony Thyssen, On the use of Encryption
Last edited by A.Thyssen; 02-22-2016 at 08:41 PM.
Reason: minor
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".
A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.
I remember somewhere said just use gibberish because brut force uses .dict, &c plus I here about randomly generated passwords (could be best there?) Tho if we want to get technical and "most secure:" http://www.linuxquestions.org/questi...ve-4175572277/
Last edited by jamison20000e; 02-22-2016 at 01:50 AM.
It's certainly possible to use aliases, scripts, macros, or whatever to delete or never write decrypted files, but gpg doesn't do that itself. I have an alias that encrypts a file and then shreds the plaintext file. For decrypting, you can just have the decrypted file written to standardout. There are lots of ways to do things.
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.
One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?
And regarding Mega (which looks great really) I was in another forum and there was a fair amount controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".
A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?
And regarding Mega (which looks great really) I was in another forum and there was a fair amount controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)
Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reverable encryption like AES.
So to encrypt a file you just use the public key (no password needed... its public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.
Public Keys thus work well communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reverable encryption like AES.
So to encrypt a file you just use the public key (no password needed... its public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.
Public Keys thus work well communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).
I hope that makes it clear.
Thanks a lot, A.Thyssen. Really good explanation. I didn't realize there were two different ways of doing it. And for me (at this point anyway) the symmetric encryption is going to be enough. (But I still want to learn the other way in case I have to send somebody something.) Appreciate it.
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
Thanks sgosnell. That symmetric encryption explanation makes sense. I think it'll help if I experiment with that -e option to learn by doing. But for now the symmetric encryption is fine for me.
One more question. Say I do the symmetric encryption and I put files and folders into the cloud. It would be okay to use the same passphrase for all of them, right? I ask because I've seen that Sophos Encryptor and it has like a password vault included. So to put all kinds of stuff out there with different passwords could be a real boondoggle. But the way I'm thinking, say I use AEScrypt and have a killer good passphrase and use it on all the files I should be okay, right?
And you wrote in post #30
Quote:
Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult.
So yeah, I'm wondering why I wouldn't use the same password for AEScrypt or -c as well as when I use the -e (and keys) way.
Thanks.
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
Thanks sgosnell. Do the -c version and -e version both have the 2048-bit encryption?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.