|
04-14-2015, 05:32 PM
|
#16
|
Senior Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019
|
Quote:
Originally Posted by usao
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
|
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
|
|
|
04-14-2015, 05:32 PM
|
#17
|
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
|
Quote:
Originally Posted by usao
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
They are ok with GPG, I'm just trying to figure it out. The time isn't really a big factor, it's only about 20-30gb, and the time won't be a concern.
I'm open to alternatives, as long as I can use something with serious encryption. We have to meet several ISO standards (which I don't really know anything about), but I was told GPG would be acceptable as long as it's a 4K key or 512ASE or something like that.
|
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256.
https://en.wikipedia.org/wiki/Advanc...ption_Standard
|
|
|
04-14-2015, 05:49 PM
|
#18
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep: 
|
Quote:
Originally Posted by joe_2000
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
|
Seems to be more about encrypting an entire FS. I'm just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
|
|
|
04-14-2015, 05:52 PM
|
#19
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep: 
|
Quote:
Originally Posted by metaschima
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256.
https://en.wikipedia.org/wiki/Advanc...ption_Standard
|
Sorry, the ASE was a typo. I was referring to AES, which is apparently available at 256 for a max.
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...
My biggest issue so far is how to be able to encrypt without having to actually send the file anywhere... At most, I would want to copy the file to external USB drive once encrypted.
|
|
|
04-14-2015, 06:16 PM
|
#20
|
Member
Registered: May 2008
Location: France
Distribution: Ubuntu, Debian
Posts: 343
Rep:
|
To encrypt FILENAME with symmetric key PASSPHRASE:
Code:
gpg -c --cipher-algo AES256 --no-use-agent --passphrase PASSPHRASE FILENAME
Then to decrypt:
Code:
gpg -d --no-use-agent --passphrase PASSPHRASE -o FILENAME FILENAME.gpg
|
|
1 members found this post helpful.
|
04-15-2015, 07:45 AM
|
#21
|
Senior Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019
|
Quote:
Originally Posted by usao
Seems to be more about encrypting an entire FS. I'm just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
|
No, you can also use it to set up a crypto container, as said before...
|
|
|
04-15-2015, 09:48 AM
|
#22
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,201
|
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.
Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.
I have encountered several web-sites built by "competent little companies" which had elaborate home-grown encryption strategies built into their site. But, those strategies didn't meet the requirements of US laws such as (e.g.) Sarbanes-Oxley and/or HIPAA. As a result, the sites were scrapped, and the little-companies who had built them lost their only star client. (But: the "star client" didn't have any choice.)
Well-accepted encryption frameworks, such as GPG, OpenSSL, ipsec (VPN), and so-on, will always be preferred over "home-grown" implementations of a particular cipher. Security, especially crypto security, is a process that must protect the weakest link in the entire, complex chain.
Last edited by sundialsvcs; 04-15-2015 at 09:53 AM.
|
|
|
04-15-2015, 09:50 AM
|
#23
|
Senior Member
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,815
|
Quote:
Originally Posted by usao
To try and get back to my original question, is there a way to use gpg without actually having to send the file via internet/email? It's not practical to send the dump file of that size across the network. Since we backup weekly, I'm not concerned about the time for the gzip/gpg operation, it can take several hours overnight without being an issue.
|
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.
Quote:
Originally Posted by usao
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...
|
RSA is a public key encryption scheme, while AES is symmetric.
Quote:
The GNU Privacy Handbook: Public-key ciphers
As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system's security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 2^81-1 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today's factoring technology public keys with 1024 bits are recommended for most purposes.
|
|
|
|
04-15-2015, 11:23 AM
|
#24
|
Senior Member
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524
|
Gnupg can be used to encrypt using:
1) asymmetric cryptography (Public/private key) (RSA/Elgamal)
2) symmetric cryptography (AES, CAST5, CAMELLIA, TWOFISH)
3) Both of above.
As manu-tm said you should use option 2 above to encrypt. It would just need a password and you have to remember or note it down or use a password vault. And it's also the fastest.
To encrypt:
To decrypt:
Code:
gpg2 -d filename.gpg
Last edited by veerain; 04-15-2015 at 11:25 AM.
|
|
|
04-15-2015, 11:45 AM
|
#25
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep: 
|
Quote:
Originally Posted by ntubski
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.
RSA is a public key encryption scheme, while AES is symmetric.
|
That's good news. I was under the impression that it was sending it to an email address, but if that's just the address of the KEY, then my problem may be solved.
|
|
|
04-15-2015, 12:06 PM
|
#26
|
Senior Member
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,317
|
I don't think symmetric is the way to go. Your choice of gpg is good. Create a recipient asymmetric key pair for each db that you want to back up. The encrypting system will have all the public keys on its keyring. The private key copies will be maintained by whoever is responsible for that db. That way even if your system is hacked, the encrypted data is still safe. Key management is an important part of the system.
|
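The setup suggested in posts #23 and #26 (encrypt locally with --recipient to a key pair whose private half never sits on the backup host), as an added example that is not part of any post in this thread. It uses two throwaway keyrings; the key label db1-backup@example.invalid, the file names and the sample dump are constructed, and the demo key has no passphrase only so the script runs unattended (GnuPG 2.1 or later assumed).

```bash
#!/bin/sh
# Added example: throwaway keyrings, constructed key label and sample data.
KEY_ID='db1-backup@example.invalid'   # constructed; it only names the key, no mail is sent

g() { local home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

# DB owner: create an unprotected demo key pair, export only the public half.
make_owner_key() {                    # $1 = owner keyring dir, $2 = public key file
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: db1 backup
Name-Email: $KEY_ID
Expire-Date: 0
%commit
EOF
  g "$1" --armor --output "$2" --export "$KEY_ID"
}

# Backup host: import the public key and encrypt the dump to it, all local.
# gpg encrypts the data with a random symmetric session key and wraps that key with RSA.
encrypt_backup() {                    # $1 = host keyring dir, $2 = pubkey, $3 = in, $4 = out
  g "$1" --import "$2" &&
  g "$1" --trust-model always --recipient "$KEY_ID" --output "$4" --encrypt "$3"
}

# Succeeds only if the keyring in $1 can turn $2 back into the bytes of $3.
can_decrypt() {
  local out rc; out=$(mktemp)
  g "$1" --yes --output "$out" --decrypt "$2" 2>/dev/null && cmp -s "$out" "$3"; rc=$?
  rm -f "$out"; return $rc
}

demo() {                              # reports which side can read the backup
  local t h o k; t=$(mktemp -d); mkdir -m 700 "$t/owner" "$t/host"
  printf 'constructed sample dump\n' > "$t/dump.sql"
  make_owner_key "$t/owner" "$t/pub.asc" 2>/dev/null
  encrypt_backup "$t/host" "$t/pub.asc" "$t/dump.sql" "$t/dump.sql.gpg" 2>/dev/null
  can_decrypt "$t/host"  "$t/dump.sql.gpg" "$t/dump.sql" && h=yes || h=no
  can_decrypt "$t/owner" "$t/dump.sql.gpg" "$t/dump.sql" && o=yes || o=no
  for k in owner host; do GNUPGHOME="$t/$k" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$t"
  echo "host_can_decrypt=$h owner_can_decrypt=$o"
}
```

Calling `demo` runs the whole round trip; in real use the owner's key would carry a passphrase and live on a different machine from the backup host.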
|
|
04-15-2015, 01:08 PM
|
#27
|
Senior Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019
|
Quote:
Originally Posted by usao
That's good news. I was under the impression that it was sending it to a email address, but if that's just the address of the KEY, then my problem may be solved.
|
Huh? You have been told precisely that in posts 4, 7, 10 and 20 (especially in post 7) of this thread.
Don't get me wrong, I mean no offense, but I do want to point out that when people here take the time to answer your questions you should actually take the time to read their answers...
|
|
|
04-15-2015, 08:34 PM
|
#28
|
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
|
Quote:
Originally Posted by sundialsvcs
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.
Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.
|
That's a good idea. They may want more than just encryption (such as adding a MAC or signature), and they may have restrictions on key use and distribution. So, definitely check with them. AES256 as an algorithm should be good enough for encrypting tho, I mean the NSA uses it for top secret data, it's just they may want more than just encryption.
|
|
|
All times are GMT -5. The time now is 12:32 AM.