LinuxQuestions.org
Old 04-14-2015, 05:32 PM   #16
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019

Rep: Reputation: 308

Quote:
Originally Posted by usao
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
 
Old 04-14-2015, 05:32 PM   #17
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by usao
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
They are ok with GPG, I'm just trying to figure it out. The time isn't really a big factor, it's only about 20-30gb, and the time won't be a concern.
I'm open to alternatives, as long as I can use something with serious encryption. We have to meet several ISO standards (which I don't really know anything about), but I was told GPG would be acceptable as long as it's a 4K key or 512ASE or something like that.
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256.
https://en.wikipedia.org/wiki/Advanc...ption_Standard
 
Old 04-14-2015, 05:49 PM   #18
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by joe_2000
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
Seems to be more about encrypting an entire FS. I'm just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
 
Old 04-14-2015, 05:52 PM   #19
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by metaschima
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256.
https://en.wikipedia.org/wiki/Advanc...ption_Standard
Sorry, the ASE was a typo. I was referring to AES, which is apparently available at 256 for a max.
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...

My biggest issue so far is how to be able to encrypt without having to actually send the file anywhere... At most, I would want to copy the file to external USB drive once encrypted.
 
Old 04-14-2015, 06:16 PM   #20
manu-tm
Member
 
Registered: May 2008
Location: France
Distribution: Ubuntu, Debian
Posts: 343

Rep: Reputation: 43
To encrypt FILENAME with symmetric key PASSPHRASE:
Code:
gpg -c --cipher-algo AES256 --no-use-agent --passphrase PASSPHRASE FILENAME
Then to decrypt:
Code:
gpg -d --no-use-agent --passphrase PASSPHRASE -o FILENAME FILENAME.gpg
 
1 members found this post helpful.
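
A variant of the symmetric commands above that supplies the passphrase on a file descriptor, so it never appears in the argument list that ps shows to other local users, and that checks the output really was keyed for AES256. This is an added example, not part of manu-tm's post; the function names, file names and passphrase are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: symmetric AES256 with the passphrase supplied on file
# descriptor 3 instead of as a command-line argument. File names and the
# passphrase are constructed. Assumes GnuPG 2.1 or later.

# gpg_sym PASSFILE ARGS...: run gpg with the first line of PASSFILE as passphrase
gpg_sym() {
    passfile=$1; shift
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-fd 3 "$@" 3<"$passfile"
}

encrypt_file() {    # encrypt_file PASSFILE IN OUT
    gpg_sym "$1" --symmetric --cipher-algo AES256 --output "$3" "$2"
}

decrypt_file() {    # decrypt_file PASSFILE IN; plaintext goes to stdout
    gpg_sym "$1" --decrypt "$2" 2>/dev/null
}

uses_aes256() {     # uses_aes256 PASSFILE IN; true if the file was keyed for AES256
    # OpenPGP numbers AES with a 256-bit key as symmetric algorithm 9.
    gpg_sym "$1" --list-packets "$2" 2>/dev/null |
        grep -q '^:symkey enc packet:.*cipher 9'
}

# Round trip in a throwaway directory. The body runs in a subshell, so the
# temporary GNUPGHOME does not leak into the caller's environment.
demo() (
    work=$(mktemp -d) || exit 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    ( umask 077; printf '%s\n' 'constructed demo passphrase' > "$work/pass" )
    printf 'constructed sample dump\n' > "$work/dump.sql"
    encrypt_file "$work/pass" "$work/dump.sql" "$work/dump.sql.gpg" &&
        uses_aes256 "$work/pass" "$work/dump.sql.gpg" &&
        decrypt_file "$work/pass" "$work/dump.sql.gpg"
    rc=$?
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    exit "$rc"
)
```

The passphrase file is created under umask 077 so only its owner can read it; it should live on different media from the encrypted file.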
Old 04-15-2015, 07:45 AM   #21
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019

Rep: Reputation: 308
Quote:
Originally Posted by usao
Seems to be more about encrypting an entire FS. I'm just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
No, you can also use it to set up a crypto container as said before...
 
Old 04-15-2015, 09:48 AM   #22
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,201
Blog Entries: 4

Rep: Reputation: 4123
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.

Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.

I have encountered several web-sites built by "competent little companies" which had elaborate home-grown encryption strategies built into their site. But, those strategies didn't meet the requirements of US laws such as (e.g.) Sarbanes-Oxley and/or HIPAA. As a result, the sites were scrapped, and the little-companies who had built them lost their only star client. (But: the "star client" didn't have any choice.)

Well-accepted encryption frameworks, such as GPG, OpenSSL, ipsec (VPN), and so-on, will always be preferred over "home-grown" implementations of a particular cipher. Security, especially crypto security, is a process that must protect the weakest link in the entire, complex chain.

Last edited by sundialsvcs; 04-15-2015 at 09:53 AM.
 
Old 04-15-2015, 09:50 AM   #23
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,815

Rep: Reputation: 2100
Quote:
Originally Posted by usao
To try and get back to my original question, is there a way to use gpg without actually having to send the file via internet/email? It's not practical to send the dump file of that size across the network. Since we backup weekly, I'm not concerned about the time for the gzip/gpg operation, it can take several hours overnight without being an issue.
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.

Quote:
Originally Posted by usao
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...
RSA is a public key encryption scheme, while AES is symmetric.

Quote:
The GNU Privacy Handbook: Public-key ciphers

As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system's security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 281-1 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today's factoring technology public keys with 1024 bits are recommended for most purposes.
 
Old 04-15-2015, 11:23 AM   #24
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
GnuPG can be used to encrypt using:

1) asymmetric cryptography (Public/private key) (RSA/ElGamal)

2) symmetric cryptography (AES, CAST5, CAMELLIA, TWOFISH)

3) Both of the above.

As manu-tm said, you should use option 2 above to encrypt. It would just need a password and you have to remember or note it down or use a password vault. And it's also the fastest.

To encrypt:
Code:
gpg2 -c filename
To decrypt:
Code:
gpg2 -d filename.gpg

Last edited by veerain; 04-15-2015 at 11:25 AM.
 
Old 04-15-2015, 11:45 AM   #25
usao
Member
 
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ntubski
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.

RSA is a public key encryption scheme, while AES is symmetric.
That's good news. I was under the impression that it was sending it to an email address, but if that's just the address of the KEY, then my problem may be solved.
 
Old 04-15-2015, 12:06 PM   #26
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,317

Rep: Reputation: 1331
I don't think symmetric is the way to go. Your choice of gpg is good. Create a recipient asymmetric key pair for each db that you want to back up. The encrypting system will have all the public keys on its keyring. The private key copies will be maintained by whoever is responsible for that db. That way even if your system is hacked, the encrypted data is still safe. Key management is an important part of the system.
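
The layout smallpond describes, combined with ntubski's --recipient advice, as an added example that is not part of any post in this thread: the backup host holds only the public key, so it can encrypt a dump but cannot decrypt it. Two temporary keyrings stand in for the two machines; the key name, function names, paths and sample data are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: two throwaway keyrings stand in for two machines.
#   $OWNER  - whoever is responsible for the database; holds the private key
#   $BACKUP - the host that runs the dump; holds the public key only
# Key name, paths and sample data are constructed. Assumes GnuPG 2.1 or later.
KEY='db1-backup@example.invalid'

demo_setup() {
    WORK=$(mktemp -d) || return 1
    OWNER="$WORK/owner" BACKUP="$WORK/backup"
    mkdir -m 700 "$OWNER" "$BACKUP" || return 1
    # Unattended key generation on the owner's side. %no-protection (no passphrase
    # on the private key) is here only to keep the demo non-interactive.
    gpg --homedir "$OWNER" --batch --quiet --gen-key <<EOF || return 1
%no-protection
Key-Type: RSA
Key-Length: ${KEY_BITS:-4096}
Subkey-Type: RSA
Subkey-Length: ${KEY_BITS:-4096}
Subkey-Usage: encrypt
Name-Real: db1 backup
Name-Email: $KEY
%commit
EOF
    # Only the public half ever reaches the backup host.
    gpg --homedir "$OWNER" --batch --armor --export "$KEY" > "$WORK/db1.pub" &&
    gpg --homedir "$BACKUP" --batch --quiet --import "$WORK/db1.pub" &&
    printf 'constructed sample dump\n' > "$WORK/dump.sql"
}

encrypt_on_backup_host() {
    # --trust-model always skips the ownership check for this demo key; on a
    # real host, verify the fingerprint with the owner and set trust instead.
    gpg --homedir "$BACKUP" --batch --quiet --yes --trust-model always \
        --recipient "$KEY" --output "$WORK/dump.sql.gpg" --encrypt "$WORK/dump.sql"
}

backup_host_can_decrypt() {   # expected to fail: no private key on this keyring
    gpg --homedir "$BACKUP" --batch --quiet --decrypt "$WORK/dump.sql.gpg" >/dev/null 2>&1
}

owner_decrypt() {             # plaintext on stdout
    gpg --homedir "$OWNER" --batch --quiet --decrypt "$WORK/dump.sql.gpg" 2>/dev/null
}

demo_cleanup() {
    for d in "$OWNER" "$BACKUP"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null; done
    rm -rf "$WORK"
}
```

Run demo_setup, encrypt_on_backup_host, backup_host_can_decrypt and owner_decrypt in that order, then demo_cleanup; setting KEY_BITS=2048 beforehand shortens key generation for a quick trial.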
 
Old 04-15-2015, 01:08 PM   #27
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019

Rep: Reputation: 308
Quote:
Originally Posted by usao
That's good news. I was under the impression that it was sending it to a email address, but if that's just the address of the KEY, then my problem may be solved.
Huh? You have been told precisely that in posts 4, 7, 10 and 20 (especially in post 7) of this thread.

Don't get me wrong, I mean no offense, but I do want to point out that when people here take the time to answer your questions you should actually take the time to read their answers...
 
Old 04-15-2015, 08:34 PM   #28
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by sundialsvcs
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.

Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.
That's a good idea. They may want more than just encryption (such as adding a MAC or signature), and they may have restrictions on key use and distribution. So, definitely check with them. AES256 as an algorithm should be good enough for encrypting tho, I mean the NSA uses it for top secret data, it's just they may want more than just encryption.
 
  

