Gregg,

Just make sure that you are not forced to reveal your top-secret password by being on the receiving end of a “$5 wrench decrypt”:

https://xkcd.com/538/

(Credit to allend for supplying this link on another thread)

1 members found this post helpful.

There are many options for gpg. You should read the docs. If you set it up properly, using the gpg.conf file, it's easy to use. Set the default user to your username on your system, and all you need to do is enter to get an encrypted file. It automatically uses your public key to encrypt the file, and only you, using the passphrase for you secret key, can decrypt it. There are also GUI frontends for gpg if you prefer that. I'm not certain what gpg uses for symmetric encryption.

1 members found this post helpful.

ROFL Thanks, beachboy2. I needed the laugh. (At first I thought it was serious, some super encryptor breaker. LOL)

Thanks sgosnell. I got around to getting into the terminal and checking it out. I was pretty clueless (LOL) to tell you the truth. It gave me these choices (I chose RAS, I think.) Then it kept telling me I didn't have enough bits and I should scroll the mouse or tap the keys until there were enough bits. (Which didn't seem very high-tech. LOL Like, 'Bang on the side of the computer until enough bits are present.') But, miracles of miracles, I got it to work. With the 2048 encryption. It was pretty exciting.

I still don't know what's going on. (I have been reading about it though, including from that "docs" link--I recognized the blue icon on the tab.) I'm still not sure about how the asymmetric encryption works. I don't know what exactly the email addresses has to do with it and how I would get my public key on the other guy's computer. But I'm sure it will come clearer in time. (The symmetric is pretty easy.)

Do you think the gpg symmetric encryption is decent though? Like the AEScrypt encryption is 256. Do you think the gpg symmetric encryption would be better than that?

And do you happen to know where I could get a GUI frontend for the symmetric encryption?

And your last suggestion (the gpg -e filename thing) would be PERFECT. I am going to explore that and see if I can figure it out.

I'm still not sure though why the -e passphrase is universal and the -c passphrase should be different for every file encrypted.

Thanks so much.

It's collecting entropy. It uses the random mouse movement to get random data. Better than the possibly back-doored random() function in the OS.
The email address is to help identify the public key. You get your public key published either through the GUI, or a gpg option. It's in the help/man pages. Asymmetric encryption uses a public key to encrypt data, and a private key to decrypt it. You don't have to know the math, just know that one key encrypts, and the other key decrypts. That's why you don't use your private key to encrypt. Anyone with your public key, which should be almost everyone, can decrypt anything encrypted with your private key. People, including you, should use your public key to encrypt everything, and then only you, using your private key, can decrypt it. Not even the person who encrypted the file can decrypt it without having your private key.
For most purposes, yes. As I've said several times, it depends on your level of paranoia.
Probably in your repositories. I still don't know what distro you're running. For Debian, gpa is the GUI, and it's installed like any other package, with apt, apt-get, or aptitude. Depends entirely on the distro. Your post shows Ubuntu, and assuming that's what you're actually running, it should be in the Ubuntu repositories, installable via the terminal or the software manager. Ubuntu is based on Debian, so the packages should be similar at least in name.
It's easy enough. Set up the config file, and it's all you need to do. The encrypted file magically appears.
The -e option uses your public key for encryption and private key for decryption. The private key already has a passphrase which unlocks it, so there is no need to repeat it. No passphrase is necessary for encryption, just decryption. With symmetric encryption, your keys are not used, so you need to provide a passphrase that protects that individual file. It can be different for every file, or you can reuse the same passphrase. But there is no encryption without a passphrase, unlike the -e option, which uses your public and private keys. Keys and passwords are different, and work differently. Keys are inherently more secure. That's why the standard for ssh is keys, not passwords. It's the same concept. Passwords can be brute-forced via several methods, keys can't, at least for any practical use with larger keys.

1 members found this post helpful.

For a decent explanation of pgp, take a look at Fedora Magazine's primer. It's 4 parts, and somewhat long, but there's no short and easy way to cover it, I don't think.

2 members found this post helpful.

Wow, what a great post, sgosnell! Thank you! I really am getting a good sense of how it works. And, at this point anyway, I can see that the two-way communication (say via email) is much more complicated than I need. (Fortunately.)

I was a little weirded out by that Fedora link (which is great btw--thanks for it) and it showing how text is encrypted. (screenshot 004). I've been wanting to encrypt some of my novels (including italics and other stuff that goes beyond plain text. They're in .odt files.) before I put them in Dropbox, and it kind of freaked me out to see that gobbledygook that it becomes when it's encrypted. Are my novels going to be what they were when they went in once they get decrypted?

And I don't know if I'm missing something, but you said the public key does the encryption and the private key does the decrypting. But then you said:

That sounds like the public key decrypts and the private key encrypts. Did you just get those switched or did I miss something?

I think for my needs at this point I would like to configure the -e to get to that

thing and I'll be happy.

And I'm on Xubuntu mainly. I've actually been playing around on Bodhi lately. (In case I screw up.) But my two main computers are Xubuntu 15.10.

And the OO3 screenshot is what I ran into when I was experimenting.

Thanks again for the great post and all the great help!

Attached Thumbnails

   

Email encryption doesn't need to be complicated. You can use enigmail in several email clients, and some email providers make it totally transparent. I use startmail, which is outside the governmental reach of the NSA, and it encrypts and decrypts email between its users automatically and transparently. You don't have to do anything other than click on the proper button to encrypt it. You can also send encrypted email to contacts who don't use startmail. This is done by clicking the encrypt button, and the recipient just gets an email with a link to the email. You do need to set up a shared secret with the recipient in advance, or separately. They can then decrypt the email with their previously-agreed secret answer. It's not as good as real pgp encryption, but it's better than nothing, if you need encryption on a one-off basis.

Either the secret or public key can be used for encrypting, and the opposite key is used for decryption. The problem is that everyone has, or should have, your public key, so anyone can decrypt anything you encrypted with your secret key, making encryption pointless.

To get to the point of using just all you need to do is edit ~/.gnupg/gpg.conf. You can do this with any text editor. You need the line replacing username with your actual username on your computer. That will automatically use your public key for encrypting the files. To decrypt, you have to enter your secret passphrase at the prompt. You can always change the recipient via command-line options.

Gregg,

A link from Linux Voice magazine:

https://www.linuxvoice.com/issues/012/master12.pdf

Ah! Thanks. I get it now.

Okay, thanks, but can you break this down a little more. (Maybe step by step.) See, I'm uncertain about how to edit that line. And I don't know how to access it. By text editor do you mean like Kate or do you mean like Nano (to edit in the terminal).And, sorry, but who is the recipient? And if I'm just encrypting my files for myself why do I need any recipient?

And like I find the line

and I replace username with my actual computer username. Then what? Hit "enter"?

And am I doing anything with "recipient" if I just want to encrypt for myself? Would changing it be if I wanted to send something to somebody?

In other words I'm probably in over my head (LOL). But if you can give me a step-by-step that would be awesome. Thanks.

Thanks beachboy2. That's a cool link. I got a little lost with the "signatures" and "fingerprint" but for the most part I tracked with it.

But I had a bad experience a while back with Thunderbird. It wasn't IMAPing and I lost some emails. It was kind of a mess.

Anyway, I'm not ready for the sending of encryted emails yet but I saved the pdf for when I do. Appreciate it.

When you're contemplating any encryption task:

1. Use a well-known, peer-reviewed system such as GPG, OpenSSL, ssh, OpenVPN, TLS, Kerberos, and so on.
2. Use them properly, which especially(!) means: "don't use 'passwords!'" (a.k.a. "pre-shared keys")

Use unique digital certificates, with or without password-encryption of those certificates. Participants must possess the proper certificates, and those must be uniquely identifiable with them ... therefore, also individually revokable. (Certificates do not cost money.)

The system should be "easy and transparent" for the users, so that they will actually use it. It should provide not only "cryptographic concealment," but positive identification of the sender and receiver to one another, and assurance that the messages are neither forgeries nor tampered-with. These basic requirements are well provided-for.

"Security is a process." This is especially true in the case of cryptography.

1 members found this post helpful.

You could take a look at VeraCrypt

https://veracrypt.codeplex.com/

1 members found this post helpful.

Kate, nano, mousepad, gedit, or whatever text editor you prefer. Nano is a text editor, it just has no GUI wrapper. I tend to use it a lot for quick edits, because it's easy to run it as root to edit files owned by root. If you use nano, just make sure you're in your home directory in the terminal, and enter and it will be ready for edit. Just put that line anywhere in the file, and then save it. If you use Kate or another GUI editor, you just have it open that file. You might need to tell the editor to show hidden files so you can select through the .gnupg directory.

You need to choose a recipient so gpg knows what key to use. If you don't have a default, and you don't specify one on the command line, you'll be asked for one. If you make yourself the default recipient, gpg will use your public key for encrypting without asking, which is what you seem to want to do. If you ever encrypt a file for someone else to decrypt using their secret key, you'll need to specify that on the command line. Or in the GUI, if you use that. Using gpa might be easier for you, but it's your choice. If you do use gpa, you need to open the file manager to select the file. The default window that opens is a clipboard, so you can enter and encrypt text without opening a file. It's not very intuitive. I seldom use it, preferring the command line, but that's me.

1 members found this post helpful.

Thanks sundial. passwords as "pre-shared keys" LOL I'm not quite to the level (of security or knowledge) you're describing, but I'm going to explore what you're saying.