Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have a need to encrypt backup files before they are sent to the tape library.
After some reading, I found that I should be using the 'gpg -c' command to encrypt the files.
When I tried to do that, I received an error, something about an agent. Not sure how to proceed. Don't know what the problem is.
Code:
[user@host ~]$ gpg -c foo
gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
can't connect to `/home/user/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[56666]: directory `/home/user/.gnupg/private-keys-v1.d' created
gpg-agent[56666]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of `foo' failed: Operation cancelled
Quote:
I found that I should be using the 'gpg -c' command to encrypt the files.
When I tried to do that, I received an error, something about an agent. Not sure how to proceed. Don't know what the problem is.
AFAIS, with newer versions of GnuPG, gpg-agent is automatically installed. If this is not the case for your Linux distribution, either verify that there is not a newer version of GnuPG available for your distribution or locate a package “gpg-agent” in the package resources. In the latter case, verify also that a pinentry program is installed. There are different versions available; choose the one that pleases you most.
If installed, gpg-agent can be executed.
Code:
user@machine:~$ gpg-agent --version
gpg-agent (GnuPG) 2.1.12-beta152
libgcrypt 1.7.1-beta1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
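The failure in the original post is gpg trying to collect the symmetric passphrase through gpg-agent and a pinentry program that is not there. For backups that run unattended, the usual fix is to hand gpg the passphrase from a root-only file in batch mode, so no agent prompt is involved. The script below is an added example, not code from the thread or from the GnuPG project; it assumes the passphrase file is created by the operator and protected with mode 0600, and that gpg 2.1+ accepts `--pinentry-mode loopback` (the default since 2.1.12; older 2.1.x releases need `allow-loopback-pinentry` in gpg-agent.conf).

```shell
#!/bin/sh
# Unattended symmetric encryption of backup files with gpg -c, avoiding the
# gpg-agent/pinentry prompt that fails on a headless host.
set -eu

# Print the options that make gpg read the passphrase from a file in batch
# mode. gpg 2.1+ additionally needs --pinentry-mode loopback; 2.0.x and 1.4
# do not know that option and would abort on it.
gpg_batch_args() {   # $1 = gpg version string, e.g. 2.0.14 or 2.1.12-beta152
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
    if [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -ge 1 ]; }; then
        echo "--batch --yes --pinentry-mode loopback"
    else
        echo "--batch --yes"
    fi
}

# Report which of the tools discussed in the thread are missing from PATH.
# Returns 0 when gpg, gpg-agent and a pinentry program are all present.
check_prereqs() {
    missing=""
    for tool in gpg gpg-agent pinentry; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing" >&2
    return 1
}

# Version string from the first line of `gpg --version` ("gpg (GnuPG) 2.0.14").
gpg_version() { gpg --version | sed -n '1s/.* //p'; }

# encrypt_backup FILE PASSFILE -> writes FILE.gpg using AES-256 (gpg -c).
encrypt_backup() {
    # shellcheck disable=SC2046  # word splitting of the option list is intended
    gpg $(gpg_batch_args "$(gpg_version)") --passphrase-file "$2" \
        --cipher-algo AES256 --symmetric -o "$1.gpg" "$1"
}

# decrypt_backup FILE.gpg PASSFILE OUT -> restores the plaintext to OUT.
decrypt_backup() {
    # shellcheck disable=SC2046
    gpg $(gpg_batch_args "$(gpg_version)") --passphrase-file "$2" \
        -o "$3" --decrypt "$1"
}
```

Run `check_prereqs` first on the backup host; if it reports `pinentry` missing, interactive `gpg -c` will keep failing exactly as in the original post, while the batch functions above still work because they never open a pinentry.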
It appears the agent is installed:
Code:
$ gpg-agent --version
gpg-agent (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Is this something which has to be started manually or is it a daemon process?
Do you really need symmetric encryption? You don't seem to be seeing the password prompt, for whatever reason. It says "cancelled by user". I use the -e option for almost everything, which does asymmetric encryption, using the public key for encryption and the private key for decryption. I can understand using symmetric encryption if you need to have someone else able to decrypt, but asymmetric is easier.
It doesn't appear that you have generated your keys, though. You need to do that before doing anything else.
You need to set the environment variables according to gpg-agent's output, so that subsequent gpg calls know how to find the agent. You can do this with
Quote:
I can understand using symmetric encryption if you need to have someone else able to decrypt, but asymmetric is easier.
Sorry to intervene once again on this topic, but usually it is the other way 'round.
Asymmetric encryption is to organize communication and exchange. Neither the security of the algorithms nor the protocols in use favor asymmetric encryption of locally stored files. “Easier” can only refer to a single aspect, that occupies you at a certain point in time. Afterwards, the complication augments with asymmetric encryption, as security begins to diminish and continues to decline continuously...
Some people confuse “Security” with the security to retrieve their data from encrypted files or encrypted media, or the security to receive and be able to open encrypted mail. But this is not the kind of security that encryption is meant for. Worse, if security is confused with facilitation and fail-proof procedures. We are not discussing this, I know. Just for completeness...
By 'easier', I was referring to the ease and convenience of the encryption. You don't need to enter a password because you're using a pre-generated key. This is arguably more secure in addition to the convenience. Passwords are a weak link in most cases. I'm not sure I follow you with your argument that asymmetric encryption diminishes security, if in fact that's what you're saying.
Asymmetric algorithms do not do the same job as the others. Apart from that, key generation and key management are not easy.
Quote:
You don't need to enter a password because you're using a pre-generated key
Tell me how you secure your keys. If you do not use a password, then we are discussing a moot point.
But I have all from the books, from Internet-sources, many discussions, trial, error, corrections from some people that I still keep in high esteem and from my experience.
I cannot try to show off with my own wisdom. So better go somewhere else for clarifications.
Last edited by Michael Uplawski; 05-08-2016 at 05:23 AM.
I don't think you completely understand how gpg works. And I don't think we can have a productive conversation on this issue. So I'm bailing out on this one.
Quote:
I don't think you completely understand how gpg works. And I don't think we can have a productive conversation on this issue. So I'm bailing out on this one.
These are not questions of belief. I know, you believe.
Last edited by Michael Uplawski; 05-09-2016 at 04:50 AM.