LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-25-2016, 01:54 AM   #46
beachboy2
Senior Member
 
Registered: Jan 2007
Location: Wild West Wales, UK
Distribution: Linux Mint 20 MATE, MX-19.3, antiX, EndeavourOS
Posts: 3,286
Blog Entries: 17

Rep: Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232

Gregg,

Just make sure that you are not forced to reveal your top-secret password by being on the receiving end of a “$5 wrench decrypt”:

https://xkcd.com/538/

(Credit to allend for supplying this link on another thread)
 
1 members found this post helpful.
Old 02-25-2016, 09:57 AM   #47
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
There are many options for gpg. You should read the docs. If you set it up properly, using the gpg.conf file, it's easy to use. Set the default user to your username on your system, and all you need to do is enter
Code:
gpg -e filename
to get an encrypted file. It automatically uses your public key to encrypt the file, and only you, using the passphrase for you secret key, can decrypt it. There are also GUI frontends for gpg if you prefer that. I'm not certain what gpg uses for symmetric encryption.
 
1 members found this post helpful.
Old 02-25-2016, 11:57 PM   #48
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by beachboy2 View Post
Gregg,

Just make sure that you are not forced to reveal your top-secret password by being on the receiving end of a “$5 wrench decrypt”:

https://xkcd.com/538/

(Credit to allend for supplying this link on another thread)

ROFL Thanks, beachboy2. I needed the laugh. (At first I thought it was serious, some super encryptor breaker. LOL)
 
Old 02-26-2016, 12:36 AM   #49
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
There are many options for gpg. You should read the docs. If you set it up properly, using the gpg.conf file, it's easy to use. Set the default user to your username on your system, and all you need to do is enter
Code:
gpg -e filename
to get an encrypted file. It automatically uses your public key to encrypt the file, and only you, using the passphrase for you secret key, can decrypt it. There are also GUI frontends for gpg if you prefer that. I'm not certain what gpg uses for symmetric encryption.
Thanks sgosnell. I got around to getting into the terminal and checking it out. I was pretty clueless (LOL) to tell you the truth. It gave me these choices (I chose RAS, I think.) Then it kept telling me I didn't have enough bits and I should scroll the mouse or tap the keys until there were enough bits. (Which didn't seem very high-tech. LOL Like, 'Bang on the side of the computer until enough bits are present.') But, miracles of miracles, I got it to work. With the 2048 encryption. It was pretty exciting.

I still don't know what's going on. (I have been reading about it though, including from that "docs" link--I recognized the blue icon on the tab.) I'm still not sure about how the asymmetric encryption works. I don't know what exactly the email addresses has to do with it and how I would get my public key on the other guy's computer. But I'm sure it will come clearer in time. (The symmetric is pretty easy.)

Do you think the gpg symmetric encryption is decent though? Like the AEScrypt encryption is 256. Do you think the gpg symmetric encryption would be better than that?

And do you happen to know where I could get a GUI frontend for the symmetric encryption?

And your last suggestion (the gpg -e filename thing) would be PERFECT. I am going to explore that and see if I can figure it out.

I'm still not sure though why the -e passphrase is universal and the -c passphrase should be different for every file encrypted.

Thanks so much.
 
Old 02-26-2016, 02:07 PM   #50
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
Quote:
Thanks sgosnell. I got around to getting into the terminal and checking it out. I was pretty clueless (LOL) to tell you the truth. It gave me these choices (I chose RAS, I think.) Then it kept telling me I didn't have enough bits and I should scroll the mouse or tap the keys until there were enough bits. (Which didn't seem very high-tech. LOL Like, 'Bang on the side of the computer until enough bits are present.') But, miracles of miracles, I got it to work. With the 2048 encryption. It was pretty exciting.
It's collecting entropy. It uses the random mouse movement to get random data. Better than the possibly back-doored random() function in the OS.
Quote:
I still don't know what's going on. (I have been reading about it though, including from that "docs" link--I recognized the blue icon on the tab.) I'm still not sure about how the asymmetric encryption works. I don't know what exactly the email addresses has to do with it and how I would get my public key on the other guy's computer. But I'm sure it will come clearer in time. (The symmetric is pretty easy.)
The email address is to help identify the public key. You get your public key published either through the GUI, or a gpg option. It's in the help/man pages. Asymmetric encryption uses a public key to encrypt data, and a private key to decrypt it. You don't have to know the math, just know that one key encrypts, and the other key decrypts. That's why you don't use your private key to encrypt. Anyone with your public key, which should be almost everyone, can decrypt anything encrypted with your private key. People, including you, should use your public key to encrypt everything, and then only you, using your private key, can decrypt it. Not even the person who encrypted the file can decrypt it without having your private key.
Quote:
Do you think the gpg symmetric encryption is decent though? Like the AEScrypt encryption is 256. Do you think the gpg symmetric encryption would be better than that?
For most purposes, yes. As I've said several times, it depends on your level of paranoia.
Quote:
And do you happen to know where I could get a GUI frontend for the symmetric encryption?
Probably in your repositories. I still don't know what distro you're running. For Debian, gpa is the GUI, and it's installed like any other package, with apt, apt-get, or aptitude. Depends entirely on the distro. Your post shows Ubuntu, and assuming that's what you're actually running, it should be in the Ubuntu repositories, installable via the terminal or the software manager. Ubuntu is based on Debian, so the packages should be similar at least in name.
Quote:
And your last suggestion (the gpg -e filename thing) would be PERFECT. I am going to explore that and see if I can figure it out.
It's easy enough. Set up the config file, and it's all you need to do. The encrypted file magically appears.
Quote:
I'm still not sure though why the -e passphrase is universal and the -c passphrase should be different for every file encrypted.
The -e option uses your public key for encryption and private key for decryption. The private key already has a passphrase which unlocks it, so there is no need to repeat it. No passphrase is necessary for encryption, just decryption. With symmetric encryption, your keys are not used, so you need to provide a passphrase that protects that individual file. It can be different for every file, or you can reuse the same passphrase. But there is no encryption without a passphrase, unlike the -e option, which uses your public and private keys. Keys and passwords are different, and work differently. Keys are inherently more secure. That's why the standard for ssh is keys, not passwords. It's the same concept. Passwords can be brute-forced via several methods, keys can't, at least for any practical use with larger keys.

Last edited by sgosnell; 02-26-2016 at 02:11 PM.
 
1 members found this post helpful.
Old 02-26-2016, 08:33 PM   #51
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
For a decent explanation of pgp, take a look at Fedora Magazine's primer. It's 4 parts, and somewhat long, but there's no short and easy way to cover it, I don't think.
 
2 members found this post helpful.
Old 02-27-2016, 12:08 AM   #52
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
It's collecting entropy. It uses the random mouse movement to get random data. Better than the possibly back-doored random() function in the OS.


The email address is to help identify the public key. You get your public key published either through the GUI, or a gpg option. It's in the help/man pages. Asymmetric encryption uses a public key to encrypt data, and a private key to decrypt it. You don't have to know the math, just know that one key encrypts, and the other key decrypts. That's why you don't use your private key to encrypt. Anyone with your public key, which should be almost everyone, can decrypt anything encrypted with your private key. People, including you, should use your public key to encrypt everything, and then only you, using your private key, can decrypt it. Not even the person who encrypted the file can decrypt it without having your private key.
Wow, what a great post, sgosnell! Thank you! I really am getting a good sense of how it works. And, at this point anyway, I can see that the two-way communication (say via email) is much more complicated than I need. (Fortunately.)

I was a little weirded out by that Fedora link (which is great btw--thanks for it) and it showing how text is encrypted. (screenshot 004). I've been wanting to encrypt some of my novels (including italics and other stuff that goes beyond plain text. They're in .odt files.) before I put them in Dropbox, and it kind of freaked me out to see that gobbledygook that it becomes when it's encrypted. Are my novels going to be what they were when they went in once they get decrypted?

And I don't know if I'm missing something, but you said the public key does the encryption and the private key does the decrypting. But then you said:

Quote:
Anyone with your public key, which should be almost everyone, can decrypt anything encrypted with your private key.
That sounds like the public key decrypts and the private key encrypts. Did you just get those switched or did I miss something?

Quote:
Originally Posted by sgosnell View Post

For most purposes, yes. As I've said several times, it depends on your level of paranoia.
Probably in your repositories. I still don't know what distro you're running. For Debian, gpa is the GUI, and it's installed like any other package, with apt, apt-get, or aptitude. Depends entirely on the distro. Your post shows Ubuntu, and assuming that's what you're actually running, it should be in the Ubuntu repositories, installable via the terminal or the software manager. Ubuntu is based on Debian, so the packages should be similar at least in name.
It's easy enough. Set up the config file, and it's all you need to do. The encrypted file magically appears.
The -e option uses your public key for encryption and private key for decryption. The private key already has a passphrase which unlocks it, so there is no need to repeat it. No passphrase is necessary for encryption, just decryption. With symmetric encryption, your keys are not used, so you need to provide a passphrase that protects that individual file. It can be different for every file, or you can reuse the same passphrase. But there is no encryption without a passphrase, unlike the -e option, which uses your public and private keys. Keys and passwords are different, and work differently. Keys are inherently more secure. That's why the standard for ssh is keys, not passwords. It's the same concept. Passwords can be brute-forced via several methods, keys can't, at least for any practical use with larger keys.
I think for my needs at this point I would like to configure the -e to get to that

Code:
gpg -e filename
thing and I'll be happy.

And I'm on Xubuntu mainly. I've actually been playing around on Bodhi lately. (In case I screw up.) But my two main computers are Xubuntu 15.10.

And the OO3 screenshot is what I ran into when I was experimenting.

Thanks again for the great post and all the great help!
Attached Thumbnails
Click image for larger version

Name:	Selection_004.png
Views:	6
Size:	63.4 KB
ID:	20965   Click image for larger version

Name:	Selection_003.png
Views:	6
Size:	108.3 KB
ID:	20966  
 
Old 02-27-2016, 02:01 PM   #53
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
Email encryption doesn't need to be complicated. You can use enigmail in several email clients, and some email providers make it totally transparent. I use startmail, which is outside the governmental reach of the NSA, and it encrypts and decrypts email between its users automatically and transparently. You don't have to do anything other than click on the proper button to encrypt it. You can also send encrypted email to contacts who don't use startmail. This is done by clicking the encrypt button, and the recipient just gets an email with a link to the email. You do need to set up a shared secret with the recipient in advance, or separately. They can then decrypt the email with their previously-agreed secret answer. It's not as good as real pgp encryption, but it's better than nothing, if you need encryption on a one-off basis.

Either the secret or public key can be used for encrypting, and the opposite key is used for decryption. The problem is that everyone has, or should have, your public key, so anyone can decrypt anything you encrypted with your secret key, making encryption pointless.

To get to the point of using just
Code:
gpg -e filename
all you need to do is edit ~/.gnupg/gpg.conf. You can do this with any text editor. You need the line
Code:
default-recipient username
replacing username with your actual username on your computer. That will automatically use your public key for encrypting the files. To decrypt, you have to enter your secret passphrase at the prompt. You can always change the recipient via command-line options.
 
Old 02-27-2016, 02:42 PM   #54
beachboy2
Senior Member
 
Registered: Jan 2007
Location: Wild West Wales, UK
Distribution: Linux Mint 20 MATE, MX-19.3, antiX, EndeavourOS
Posts: 3,286
Blog Entries: 17

Rep: Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232Reputation: 1232
Gregg,

A link from Linux Voice magazine:

https://www.linuxvoice.com/issues/012/master12.pdf
 
Old 02-27-2016, 09:35 PM   #55
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sgosnell View Post
Email encryption doesn't need to be complicated. You can use enigmail in several email clients, and some email providers make it totally transparent. I use startmail, which is outside the governmental reach of the NSA, and it encrypts and decrypts email between its users automatically and transparently. You don't have to do anything other than click on the proper button to encrypt it. You can also send encrypted email to contacts who don't use startmail. This is done by clicking the encrypt button, and the recipient just gets an email with a link to the email. You do need to set up a shared secret with the recipient in advance, or separately. They can then decrypt the email with their previously-agreed secret answer. It's not as good as real pgp encryption, but it's better than nothing, if you need encryption on a one-off basis.

Either the secret or public key can be used for encrypting, and the opposite key is used for decryption. The problem is that everyone has, or should have, your public key, so anyone can decrypt anything you encrypted with your secret key, making encryption pointless.
Ah! Thanks. I get it now.

Quote:
Originally Posted by sgosnell View Post

To get to the point of using just
Code:
gpg -e filename
all you need to do is edit ~/.gnupg/gpg.conf. You can do this with any text editor. You need the line
Code:
default-recipient username
replacing username with your actual username on your computer. That will automatically use your public key for encrypting the files. To decrypt, you have to enter your secret passphrase at the prompt. You can always change the recipient via command-line options.
Okay, thanks, but can you break this down a little more. (Maybe step by step.) See, I'm uncertain about how to edit that line. And I don't know how to access it. By text editor do you mean like Kate or do you mean like Nano (to edit in the terminal).And, sorry, but who is the recipient? And if I'm just encrypting my files for myself why do I need any recipient?

And like I find the line

Code:
default-recipient username
and I replace username with my actual computer username. Then what? Hit "enter"?

And am I doing anything with "recipient" if I just want to encrypt for myself? Would changing it be if I wanted to send something to somebody?

In other words I'm probably in over my head (LOL). But if you can give me a step-by-step that would be awesome. Thanks.
 
Old 02-27-2016, 09:45 PM   #56
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by beachboy2 View Post
Gregg,

A link from Linux Voice magazine:

https://www.linuxvoice.com/issues/012/master12.pdf

Thanks beachboy2. That's a cool link. I got a little lost with the "signatures" and "fingerprint" but for the most part I tracked with it.

But I had a bad experience a while back with Thunderbird. It wasn't IMAPing and I lost some emails. It was kind of a mess.

Anyway, I'm not ready for the sending of encryted emails yet but I saved the pdf for when I do. Appreciate it.
 
Old 02-28-2016, 07:15 PM   #57
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187
When you're contemplating any encryption task:
  1. Use a well-known, peer-reviewed system such as GPG, OpenSSL, ssh, OpenVPN, TLS, Kerberos, and so on.
  2. Use them properly, which especially(!) means: "don't use 'passwords!'" (a.k.a. "pre-shared keys")
Use unique digital certificates, with or without password-encryption of those certificates. Participants must possess the proper certificates, and those must be uniquely identifiable with them ... therefore, also individually revokable. (Certificates do not cost money.)

The system should be "easy and transparent" for the users, so that they will actually use it. It should provide not only "cryptographic concealment," but positive identification of the sender and receiver to one another, and assurance that the messages are neither forgeries nor tampered-with. These basic requirements are well provided-for.

"Security is a process." This is especially true in the case of cryptography.

Last edited by sundialsvcs; 02-28-2016 at 07:18 PM.
 
1 members found this post helpful.
Old 02-29-2016, 05:33 AM   #58
Blitzig
LQ Newbie
 
Registered: Feb 2016
Location: South Africa
Distribution: Fedora, RedHat, Centos7
Posts: 18

Rep: Reputation: 2
You could take a look at VeraCrypt

https://veracrypt.codeplex.com/
 
1 members found this post helpful.
Old 02-29-2016, 02:36 PM   #59
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,945

Rep: Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536Reputation: 536
Kate, nano, mousepad, gedit, or whatever text editor you prefer. Nano is a text editor, it just has no GUI wrapper. I tend to use it a lot for quick edits, because it's easy to run it as root to edit files owned by root. If you use nano, just make sure you're in your home directory in the terminal, and enter
Code:
nano .gnupg/gpg.conf
and it will be ready for edit. Just put that line anywhere in the file, and then save it. If you use Kate or another GUI editor, you just have it open that file. You might need to tell the editor to show hidden files so you can select through the .gnupg directory.

You need to choose a recipient so gpg knows what key to use. If you don't have a default, and you don't specify one on the command line, you'll be asked for one. If you make yourself the default recipient, gpg will use your public key for encrypting without asking, which is what you seem to want to do. If you ever encrypt a file for someone else to decrypt using their secret key, you'll need to specify that on the command line. Or in the GUI, if you use that. Using gpa might be easier for you, but it's your choice. If you do use gpa, you need to open the file manager to select the file. The default window that opens is a clipboard, so you can enter and encrypt text without opening a file. It's not very intuitive. I seldom use it, preferring the command line, but that's me.
 
1 members found this post helpful.
Old 03-01-2016, 12:25 AM   #60
Gregg Bell
Senior Member
 
Registered: Mar 2014
Location: Illinois
Distribution: Xubuntu
Posts: 1,992

Original Poster
Rep: Reputation: 175Reputation: 175
Quote:
Originally Posted by sundialsvcs View Post
When you're contemplating any encryption task:
  1. Use a well-known, peer-reviewed system such as GPG, OpenSSL, ssh, OpenVPN, TLS, Kerberos, and so on.
  2. Use them properly, which especially(!) means: "don't use 'passwords!'" (a.k.a. "pre-shared keys")
Use unique digital certificates, with or without password-encryption of those certificates. Participants must possess the proper certificates, and those must be uniquely identifiable with them ... therefore, also individually revokable. (Certificates do not cost money.)

The system should be "easy and transparent" for the users, so that they will actually use it. It should provide not only "cryptographic concealment," but positive identification of the sender and receiver to one another, and assurance that the messages are neither forgeries nor tampered-with. These basic requirements are well provided-for.

"Security is a process." This is especially true in the case of cryptography.
Thanks sundial. passwords as "pre-shared keys" LOL I'm not quite to the level (of security or knowledge) you're describing, but I'm going to explore what you're saying.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Non-system partition encryption versus container-file encryption of equal size Ulysses_ Linux - Security 13 07-17-2015 07:38 PM
new gpg encryption/signing frontend -- looking for name suggestions ryran Linux - General 13 01-27-2012 02:09 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 06:46 AM
Mandrake 9.0 Wireless Works without encryption.. does not with encryption topcat Linux - Wireless Networking 3 05-04-2003 08:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration