LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-21-2016, 04:27 PM   #31
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth( I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest; has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 4,281
Blog Entries: 3

Rep: Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419

I do use GnuPG for WiFi and browsers...
 
Old 02-21-2016, 06:19 PM   #32
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
gpg is the executable for the GnuPG package. The -c option you used is for symmetric encryption, meaning you enter a separate password to encrypt/decrypt the file. If you use -e instead, your keys are used for encryption/decryption. Either will work, but IMO using keys is a more secure way of doing it. Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult. But -c does have its uses.

One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
Thanks sgosnell. I was going over that link you gave me. http://statistics.berkeley.edu/computing/encrypt So that is GnuPG, right? (Although it says: You can use PGP encryption to do this with the command-line tool gpg.) Kind of confusing: PGP, gpg, GnuPG. Anyway, my way (screenshot) of doing the gpg (with the -c option) was so simple and easy. Is the encryption that way not as good as the encryption with -e version?

And why would a peson use the same passphrase for the -e version and different passphrases for the -c version or the AES crypt versions?

And is the process in the link (the -e version) do-able for a newbie? (I got a little concerned when I saw that I would need to input 'security information.') Or would I maybe be getting in over my head?

And is it really important to do a killer passphrase for that? (Like you can do with "Diceware" passphrase method.)

Thanks.
Attached Thumbnails
Click image for larger version

Name:	Selection_018.png
Views:	9
Size:	80.5 KB
ID:	20919  
 
Old 02-21-2016, 07:28 PM   #33
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.

One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.

Last edited by sgosnell; 02-21-2016 at 07:29 PM.
 
Old 02-22-2016, 12:33 AM   #34
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 157

Rep: Reputation: 44
Quote:
Originally Posted by sgosnell View Post
One thing to remember is that after you encrypt a file, the unencrypted version of the file remains, still in the clear. You need to remember to delete that file if you need only the encrypted version. If you're encrypting files for upload to the cloud, and want to keep the unencrypted files on your local disk, that's fine. You have both versions, and can deal with them as you prefer.
That all depends on how you do your encryption.

I have some special code in my VIM editor. When I edit a file ending in GPG, it reads in the binary file (if it exists) and filters it in memory (GPG asks the password). when I write it filters it again in memory back to binary (ask password twice), writes it then undoes the encrypt, so you can continue to work on the file.

The decrypted file is not stored to disk (not even in swap files)..

In actual fact VIM itself has file encryption built into it (type in vim ":help encryption" for more info). But I never trusted it a I don't know exactly what it does!

For info on doing this (and for using other file encryption such the openssl), see
http://www.ict.griffith.edu.au/antho..._encrypt.hints

I used to use this a lot before switching to EncFS (for bulk directory encryption) and slightly different encrypted file storage method (AES with PBKDF2 pass-phrase hashing)


Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench.
-- Gene Spafford
The equivalent of an armoured car should always be used to
protect any secret kept in a cardboard box.
-- Anthony Thyssen, On the use of Encryption

Last edited by A.Thyssen; 02-22-2016 at 08:41 PM. Reason: minor
 
Old 02-22-2016, 12:44 AM   #35
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 157

Rep: Reputation: 44
Quote:
Originally Posted by jamison20000e View Post
P.s: for the first link use:
Code:
sudo echo "TypeYourPasswordHere" | sudo cracklib-check
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".

A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.

XKCD comic explains it a lot better...
http://xkcd.com/936/
 
Old 02-22-2016, 01:45 AM   #36
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth( I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest; has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 4,281
Blog Entries: 3

Rep: Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419
Good link!

I remember somewhere said just use gibberish because brut force uses .dict, &c plus I here about randomly generated passwords (could be best there?) Tho if we want to get technical and "most secure:" http://www.linuxquestions.org/questi...ve-4175572277/

Last edited by jamison20000e; 02-22-2016 at 01:50 AM.
 
Old 02-22-2016, 05:14 PM   #37
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
It's certainly possible to use aliases, scripts, macros, or whatever to delete or never write decrypted files, but gpg doesn't do that itself. I have an alias that encrypts a file and then shreds the plaintext file. For decrypting, you can just have the decrypted file written to standardout. There are lots of ways to do things.
 
Old 02-22-2016, 10:29 PM   #38
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
You can use the same passphrase for your gpg/pgp/GnuPG/Opengpg key and the file you encrypt using -c. Use your public key, not your secret key. Anything you encrypt using your secret key can be decrypted by anyone who has your public key. It's all your choice, and the quality of the password you use is up to you, depending on how valuable the data is to you. Try the -e option and see if you like it. If you want to bail, Ctrl-C will always work.

One option I just discovered is Mega. It's a cloud storage service located in New Zealand, out of reach of the NSA, and it offers secure end-to-end encryption, and they don't have your password, if they can be believed. They make the source code available, so someone should have said something by now if they weren't kosher. They have a few million subscribers. You get 50GB of free storage, and additional storage is very reasonable. A Linux sync client is available, as is a mobile app for the major phone OS's. It's worth considering. I just signed up, and the process of syncing my data is ongoing. I plan to see how well the data is encrypted on the servers. I'm no hacking expert, so I'll really need to trust other people at least at first.
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?

And regarding Mega (which looks great really) I was in another forum and there was a fair amount controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)

http://thenextweb.com/insider/2015/0...-mega-anymore/
 
Old 02-22-2016, 10:32 PM   #39
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by A.Thyssen View Post
The better type of passwords are LONG ones (pass-phrases). For example: "I really hate this damn machine"
is much much harder to crack than "1hate!machine".

A sentence has much better entropy (randomness) than the old style of passwords with a mix of character types.

XKCD comic explains it a lot better...
http://xkcd.com/936/
How about the diceware method?

http://world.std.com/~reinhold/diceware.html

Seems it would be much safer than a sentence that is syntactically correct and makes sense. (Like the 'I really hate this damn machine' does.)
 
Old 02-23-2016, 05:24 PM   #40
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 157

Rep: Reputation: 44
Quote:
Originally Posted by Gregg Bell View Post
Thanks sgosnell. I just can't quite get my head around this stuff, esp. the public and secret key. For instance, when I use -c (for the gpg in the terminal) I put in a passphrase. That passphrase encrypts it and it decrypts it. Same thing with AEScrypt. How does a secret and public key figure into those situations?

And regarding Mega (which looks great really) I was in another forum and there was a fair amount controversy as to whether it was safe or not. (As you know--LOL--I am no security expert so I really don't know one way or another.)

http://thenextweb.com/insider/2015/0...-mega-anymore/

Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reverable encryption like AES.

So to encrypt a file you just use the public key (no password needed... its public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.

Public Keys thus work well communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).

I hope that makes it clear.
 
1 members found this post helpful.
Old 02-23-2016, 09:09 PM   #41
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
 
1 members found this post helpful.
Old 02-23-2016, 11:04 PM   #42
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by A.Thyssen View Post
Basically a public key system (like PGP, GPG, or the old RSA), encrypts with one key and decrypts with the other. Which is used for encrypt does not matter, the other then decrypts. One key is made public (anyone can know it) the other private (only you know it) and protected by a normal reverable encryption like AES.

So to encrypt a file you just use the public key (no password needed... its public) to decrypt you need to use your password to decrypt the private key which then is used to decrypt the file. However to protect against anyone encrypting a file and replacing your data, they also encrypt some data in the file with the private key, so if that decrypts it is valid data. This is a digital signature, declaring YOU (or whomever) encrypted it for you. Thus in a full system you end up needing the password for both encrypt and decrypt.

Public Keys thus work well communications between two different parties. But it is not good for disk, file system, or directory level encryptions as the system needs to be encrypting and decrypting the data as needed for the duration of the mounted data. As such you may as well use a symmetric key for encrypted data stores. (like AES).

I hope that makes it clear.
Thanks a lot, A.Thyssen. Really good explanation. I didn't realize there were two different ways of doing it. And for me (at this point anyway) the symmetric encryption is going to be enough. (But I still want to learn the other way in case I have to send somebody something.) Appreciate it.
 
Old 02-23-2016, 11:17 PM   #43
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
When you use the -c option, gpg uses symmetric encryption, which does not make use of your keys. It just uses whatever passphrase/password you give it, and that does both encryption and decryption, thus symmetric. With keys, one key encrypts and a different key decrypts, thus disymmetric. Keys are usually more secure, but symmetric encrypting is probably good enough for most people most of the time. Use whatever is convenient and works for you, and what you're comfortable with.
Thanks sgosnell. That symmetric encryption explanation makes sense. I think it'll help if I experiment with that -e option to learn by doing. But for now the symmetric encryption is fine for me.

One more question. Say I do the symmetric encryption and I put files and folders into the cloud. It would be okay to use the same passphrase for all of them, right? I ask because I've seen that Sophos Encryptor and it has like a password vault included. So to put all kinds of stuff out there with different passwords could be a real boondoggle. But the way I'm thinking, say I use AEScrypt and have a killer good passphrase and use it on all the files I should be okay, right?

And you wrote in post #30

Quote:
Plus, you always use the same passphrase for decryption, which is the passphrase for your secret key. If you use -c, you have to remember the password you used for that one-time encryption, which may be difficult.
So yeah, I'm wondering why I wouldn't use the same password for AEScrypt or -c as well as when I use the -e (and keys) way.
Thanks.
 
Old 02-24-2016, 10:07 AM   #44
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
 
1 members found this post helpful.
Old 02-24-2016, 10:16 PM   #45
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
You can use the same password for all your files if you want. It's up to you. But if someone does get your password, either by brute force, keylogging, or anything else, they can decrypt all your files. It depends on your level of paranoia. It's far more likely that a password used for symmetric encryption would be broken than a private key generated by gpg. Breaking a 2048-bit key isn't feasible by any means, as far as anyone knows. Breaking a password may be. As I said, it depends on your level of paranoia and the possible damage from having the password compromised.
Thanks sgosnell. Do the -c version and -e version both have the 2048-bit encryption?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Non-system partition encryption versus container-file encryption of equal size Ulysses_ Linux - Security 13 07-17-2015 07:38 PM
new gpg encryption/signing frontend -- looking for name suggestions ryran Linux - General 13 01-27-2012 02:09 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 06:46 AM
Mandrake 9.0 Wireless Works without encryption.. does not with encryption topcat Linux - Wireless Networking 3 05-04-2003 08:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration