Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
Because of legal ramifications, I will only be allowed to use strong encryption, nothing like zipping files with passwords will pass muster from upstairs.
They are ok with GPG, im just trying to figure it out. The time isn't really a big factor, it's only about 20-30gb, and the time won't be a concern.
Im open to alternatives, as long as I can use something with serious encryption. We have to meet several ISO standards (which I don't really know anything about), but I was told GPG would be acceptable as long as it's a 4K key or 512ASE or something like that.
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256. https://en.wikipedia.org/wiki/Advanc...ption_Standard
Take a look at dmcrypt / luks. I will claim that it's the de-facto standard for encryption on Linux and offers just as much protection as gpg.
Seems to be more about encrypting an entire FS. Im just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
AFAIK, AES (not ASE) only supports a maximum of 256-bit key. ccrypt and 7zip use AES-256 by default. Cryptsetup and Veracrypt have it available. If it has to be gpg, try using the '--symmetric' option and choose AES256. https://en.wikipedia.org/wiki/Advanc...ption_Standard
Sorry, the ASE was a typo. I was referring to AES, which is apparently available at 256 for a max.
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...
My biggest issue so far is how to be able to encrypt without having to actually send the file anywhere... At most, I would want to copy the file to external USB drive once encrypted.
Seems to be more about encrypting an entire FS. Im just looking for a way to encrypt a file by itself and keep the keys away from the file as much as possible.
No you can also use it to set up a crypto container as said before...
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.
Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.
I have encountered several web-sites built by "competent little companies" which had elaborate home-grown encryption strategies built into their site. But, those strategies didn't meet the requirements of US laws such as (e.g.) Sarbanes-Oxeley and/or HIPAA. As a result, the sites were scrapped, and the little-companies who had built them lost their only star client. (But: the "star client" didn't have any choice.)
Well-accepted encryption frameworks, such as GPG, OpenSSL, ipsec (VPN), and so-on, will always be preferred over "home-grown" implementations of a particular cipher. Security, especially crypto security, is a process that must protect the weakest link in the entire, complex chain.
Last edited by sundialsvcs; 04-15-2015 at 09:53 AM.
To try and get back to my original question, is there a way to use gpg without actualyl having to send the file via internet/email? It's not practical to send the dump file of that size accross the network. Since we backup weekly, im not concerned about the time for the gzip/gpg operation, it can take several hours overnite without being an issue.
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.
Quote:
Originally Posted by usao
So still confused, because when I ran the --gen-key command, it allowed me to pick RSA 4096, so I guess I don't know what the difference is between an RSA encryption and an AES encryption...
RSA is a public key encryption scheme, while AES is symmetric.
As with good symmetric ciphers, with a good public-key cipher all of the security rests with the key. Therefore, key size is a measure of the system's security, but one cannot compare the size of a symmetric cipher key and a public-key cipher key as a measure of their relative security. In a brute-force attack on a symmetric cipher with a key size of 80 bits, the attacker must enumerate up to 281-1 keys to find the right key. In a brute-force attack on a public-key cipher with a key size of 512 bits, the attacker must factor a composite number encoded in 512 bits (up to 155 decimal digits). The workload for the attacker is fundamentally different depending on the cipher he is attacking. While 128 bits is sufficient for symmetric ciphers, given today's factoring technology public keys with 1024 bits are recommended for most purposes.
As manu-tm said you should use option 2 above to encrypt. It would just need a password and you have to remember or note it down or use a password vault. And it's also the fastest.
gpg is not capable of sending email. You should use the --recipient option with yourself as the recipient. No email will be sent.
RSA is a public key encryption scheme, while AES is symmetric.
That's good news. I was under the impression that it was sending it to a email address, but if that's just the address of the KEY, then my problem may be solved.
I don't think symmetric is the way to go. Your choice of gpg is good. Create a recipient asymmetric key pair for each db that you want to back up. The encrypting system will have all the public keys on its keyring. The private key copies will be maintained by whoever is responsible for that db. That way even if your system is hacked, the encrypted data is still safe. Key management is an important part of the system.
That's good news. I was under the impression that it was sending it to a email address, but if that's just the address of the KEY, then my problem may be solved.
Huh? You have been told precisely that in posts 4, 7, 10 and 20 (especially in post 7) of this thread.
Don't get me wrong, I mean no offense, but I do want to point out that when people here take the time to answer your questions you should actually take the time to read their answers...
If you are dealing with "[legal] requirements from upstairs," then I suggest that you research what are the best-practices and/or the legal strictures which apply to your application. I suggest also that you prepare a design-document and a testing-plan and that you send this "upstairs" for explicit approval before you begin.
Basically, the attorneys are going to have to review it, and they're going to look at "the entire shinola," not just the choice of cipher-algorithm.
That's a good idea. They may want more than just encryption (such as adding a MAC or signature), and they may have restrictions on key use and distribution. So, definitely check with them. AES256 as an algorithm should be good enough for encrypting tho, I mean the NSA uses it for top secret data, it's just they may want more than just encryption.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.