LinuxQuestions.org
Old 04-14-2015, 02:00 PM   #1
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Encrypting files with gpg


Downloaded gpg, but somewhat confused about how to encrypt files for safekeeping.
Examples seem to include a "recipient" address but I'm not trying to email or send anything. Just want to encrypt file in-place and find a way to keep the keys safe somewhere. I was thinking about printing the key and keeping it in a safe, is this the best approach?
I don't want to keep the keys online, for fear that someone will be able to hack in and swipe my data and keys.
 
Old 04-14-2015, 02:46 PM   #2
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

Does the manual help?

And yes, putting the passphrase into a safe will be safer compared to storing it online.
 
Old 04-14-2015, 02:51 PM   #3
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Not really, unless I'm just not reading things correctly.
I don't have a "recipient" as shown in the doc.

alice% gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc

I'm just trying to encrypt a file locally for safekeeping, I don't want it sent anywhere or exposed on the internet.
 
Old 04-14-2015, 03:04 PM   #4
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

Quote:
Originally Posted by usao
> Not really, unless I'm just not reading things correctly.
> I don't have a "recipient" as shown in the doc.
>
> alice% gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc
>
> I'm just trying to encrypt a file locally for safekeeping, I don't want it sent anywhere or exposed on the internet.

I have never used gpg for that purpose, but reading e.g. this article it looks to me that it can be done.
The way I understand it the recipient needs to be specified to tell gpg whose private key should be able to decrypt the file. In your case, this would be your own, so you need to specify yourself as the recipient. Does that make sense?

In case you are not tied to actually using gpg there are other ways I personally find more convenient.

- ecryptfs-utils is the standard Ubuntu tool that allows you to set up a private directory.
- Truecrypt allows you to use a crypto container
- You can also create a crypto container with dmcrypt or luks.

The last is my personal preference as it feels like the most "native" approach in Linux that requires minimal dependencies... but that's obviously highly subjective. Let me know if I should elaborate a bit more on these alternatives...
 
Old 04-14-2015, 03:14 PM   #5
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

you normally do not use it all by itself

pgp is "built into" things

like your desktop !!!

in kde and Gnome on the r-click menu is NORMALLY !!! an option "to encrypt" something

or built into your mail client

Last edited by John VV; 04-14-2015 at 03:16 PM.
 
Old 04-14-2015, 03:36 PM   #6
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Thanks everyone, I really don't want to send it to myself. It's a database backup/dump which I want to encrypt to make sure it's not going to be readable by anyone who doesn't have the keys. Since it's a backup, its purpose is to just hang-around and be available if it's needed.
I had read that 'gpg' offered the best security, which is the big concern here since the data contains sensitive customer personal data.
 
Old 04-14-2015, 03:58 PM   #7
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

You are not actually "sending" it to yourself, you are just specifying yourself as the recipient. That said, I think I have a compelling argument why in your use case this is not the way to go.

You create the dump that contains the critical data. While doing that, the dump is written to disk ... unencrypted. You then encrypt it. However, the original, unencrypted data still lies on your disk. (Just deleting it is insufficient) Someone with forensic tools & knowledge might still be able to recover that data. To prevent that, you'd have to "shred" it, i.e. overwriting it with random data.

A crypto container would allow you to avoid this problem. The procedure would be this:
Open crypto container
Dump the file into the container
Close the crypto container.

Does that make sense?
 
Old 04-14-2015, 04:38 PM   #8
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Quote:
Originally Posted by joe_2000
> You are not actually "sending" it to yourself, you are just specifying yourself as the recipient. That said, I think I have a compelling argument why in your use case this is not the way to go.
>
> You create the dump that contains the critical data. While doing that, the dump is written to disk ... unencrypted. You then encrypt it. However, the original, unencrypted data still lies on your disk. (Just deleting it is insufficient) Someone with forensic tools & knowledge might still be able to recover that data. To prevent that, you'd have to "shred" it, i.e. overwriting it with random data.
>
> A crypto container would allow you to avoid this problem. The procedure would be this:
> Open crypto container
> Dump the file into the container
> Close the crypto container.
>
> Does that make sense?

I'm actually going to use named-pipes for the dump, piping the data through gzip as well as gpg before landing the data. The local filesystem doesn't have enough room to hold the dump uncompressed, much less 2 copies of it which I would need if I did the steps serially.
 
Old 04-14-2015, 04:48 PM   #9
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

It sounds like you are trying to encrypt a large amount of data. I recommend NOT using gpg for this, because public key encryption is very slow. Instead, use cryptsetup, ccrypt, veracrypt, or 7zip with password.
 
Old 04-14-2015, 04:49 PM   #10
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

Quote:
Originally Posted by usao
> I'm actually going to use named-pipes for the dump, piping the data through gzip as well as gpg before landing the data. The local filesystem doesn't have enough room to hold the dump uncompressed, much less 2 copies of it which I would need if I did the steps serially.

Ok, I see. I am not sure about the implications of this approach concerning data that may or may not end up anywhere in unencrypted form, but using pipes at least sounds like it could circumvent this problem. (If the data was really critical, I personally still would feel safer with the container approach, but that's your call)

Which brings us back to your original question.
So have you tried setting yourself as the recipient? I just tested this with a simple text file and it worked without any issues.
 
Old 04-14-2015, 04:50 PM   #11
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

Quote:
Originally Posted by metaschima
> It sounds like you are trying to encrypt a large amount of data. I recommend NOT using gpg for this, because public key encryption is very slow. Instead, use cryptsetup, ccrypt, veracrypt, or 7zip with password.

There you go. Another reason. :-)
 
Old 04-14-2015, 04:54 PM   #12
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Quote:
Originally Posted by joe_2000
> There you go. Another reason. :-)

Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
They are ok with GPG, I'm just trying to figure it out. The time isn't really a big factor, it's only about 20-30gb, and the time won't be a concern.
I'm open to alternatives, as long as I can use something with serious encryption. We have to meet several ISO standards (which I don't really know anything about), but I was told GPG would be acceptable as long as it's a 4K key or 512ASE or something like that.
 
Old 04-14-2015, 04:56 PM   #13
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Quote:
Originally Posted by metaschima
> It sounds like you are trying to encrypt a large amount of data. I recommend NOT using gpg for this, because public key encryption is very slow. Instead, use cryptsetup, ccrypt, veracrypt, or 7zip with password.

gpg doesn't use public key encryption for the whole file:

Quote:
The GNU Privacy Handbook: Hybrid ciphers
> Both PGP and GnuPG use hybrid ciphers. The session key, encrypted using the public-key cipher, and the message being sent, encrypted with the symmetric cipher, are automatically combined in one package. The recipient uses his private-key to decrypt the session key and the session key is then used to decrypt the message.
 
Old 04-14-2015, 05:18 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Frankly, it seems to me that this person is trying to re-invent a wheel. The best course of action is to find an existing backup/archive utility which, as a matter of course, encrypts its backup volumes.

Basically, "the name of the game," in a situation like this, is simply to make it "less than trivially easy" "bothersomely difficult" for anyone who swiped your disk-drive at airport security to make any practical use of his purloined goodies ... while also making sure that you won't be permanently locked-out of your own files.

"Generally speaking," IMHO, "the second consideration is far more important than the first."

Lots (and lots and lots...) of times, encryption is simply a defense against "crimes of opportunity." Someone steals a laptop at Starbuck's. You can't get the laptop back, but you want to be sure that the data on the machine is inaccessible. You presume that the b*stard person who stole the machine isn't an employee or agent of "a 'three-letter acronym' government agency" ... and, let's face it, (unless you have far more serious troubles than encryption can help you with ...) he isn't.

Really, the most important consideration ought to be ... to make sure that you can actually use your backup when you need it most!
 
Old 04-14-2015, 05:30 PM   #15
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
I have kept trying to be minimal in my details, because I didn't want to get hung-up on them in the forum, but it seems like I'm failing.

We have a database application which runs at a datacenter. It's about 20-30Gb in size, and I can hold a single dump in the available on-host storage. We don't have a SAN, but do have an external storage device, to be used for offsite backups. It's attached via USB to the host.

The goal was to "as cheaply as possible" perform a database dump and take that dump offsite, which is where the encryption comes in. By exposing the drive to being shipped, we are at risk, and business doesn't want to take that risk, so they want to encrypt the data before shipping.

My goal is to use existing freeware where possible, which precludes fancy backup tools/software. The database itself already provides a dump capability, so by piping that to a gzip and a gpg we hoped to be able to keep a few copies on an external drive which we can swap-out periodically to our office for offsite backup.

The keys to the encryption need to be kept safe as it's not acceptable to have the decryption key anywhere near the drive itself when it's offsite. As for testing, we do a DBCC prior to the backup, so we have good expectation that the backup is viable. That said, we are not actually running a DBCC on the backup itself, which would be the only sure way to know it's gold.

To try and get back to my original question, is there a way to use gpg without actually having to send the file via internet/email? It's not practical to send the dump file of that size across the network. Since we backup weekly, I'm not concerned about the time for the gzip/gpg operation, it can take several hours overnight without being an issue.
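
The pipeline usao describes (dump, gzip, gpg), with the key owner named as recipient as joe_2000 suggests, as an added example that is not part of the thread. It assumes GnuPG 2.1 or later; `fake_dump`, the `backup@example.invalid` identity and the passphrase-less demo key are constructed stand-ins, and two keyrings in temporary directories play the offline machine and the backup host.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): encrypt a streamed dump with only the
# PUBLIC key on the backup host; the private key lives in a separate keyring.
set -euo pipefail

RECIPIENT='backup@example.invalid'   # constructed identity

fake_dump() {   # stand-in for the real database dump command (assumption)
    for i in $(seq 1 2000); do echo "INSERT INTO customers VALUES ($i, 'constructed row');"; done
}

demo_backup_roundtrip() {
    local work offline host out host_can_decrypt restore_matches want got
    work=$(mktemp -d)
    offline="$work/offline"; host="$work/host"; out="$work/dump.sql.gz.gpg"
    mkdir -m 700 "$offline" "$host"

    # 1. Offline machine: create the key pair. The empty passphrase and gpg's
    #    default algorithm are demo-only choices; use a passphrase and the
    #    key size your policy requires.
    gpg --homedir "$offline" --batch --quiet --passphrase '' \
        --quick-generate-key "Backup <$RECIPIENT>" default default never >/dev/null 2>&1
    gpg --homedir "$offline" --armor --export "$RECIPIENT" > "$work/backup-pub.asc"

    # 2. Backup host: import the public key only.
    gpg --homedir "$host" --batch --quiet --import "$work/backup-pub.asc" >/dev/null 2>&1

    # 3. Stream dump -> gzip -> gpg; the plaintext never lands on disk.
    #    --trust-model always: the host has no trust data for the imported key.
    fake_dump | gzip | gpg --homedir "$host" --batch --quiet --trust-model always \
        --encrypt --recipient "$RECIPIENT" --output "$out"

    # 4. The host keyring has no private key, so it cannot read its own backup.
    if gpg --homedir "$host" --batch --quiet --decrypt "$out" >/dev/null 2>&1; then
        host_can_decrypt=yes; else host_can_decrypt=no; fi

    # 5. Restore test with the offline keyring: decrypt, gunzip, compare digests.
    want=$(fake_dump | sha256sum)
    got=$(gpg --homedir "$offline" --batch --quiet --decrypt "$out" 2>/dev/null | gunzip | sha256sum)
    if [ "$want" = "$got" ]; then restore_matches=yes; else restore_matches=no; fi

    gpgconf --homedir "$offline" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$host" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "host_can_decrypt=$host_can_decrypt restore_matches=$restore_matches"
}

demo_backup_roundtrip
```

On a real system only the exported public key file is copied to the backup host; the private key never leaves the machine or medium where it was generated.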
 
  

