Here is an example command to use symmetrical encryption with gpg:
cat passphrase.txt | gpg -c --no-secmem-warning --cipher-algo RIJNDAEL256 --command-fd 0 --yes -o OUTPUT INPUT
If you choose a pass phrase you can remember, you need never worry about
losing a floppy or piece of paper with a private key.
Having known plain text in the data you encrypt significantly weakens
your security.
In particular, since you are making multiple files with the same pass
phrase, having the same known plain text could be particularly bad.
If you are using tar or a similar program to create the file which you
are backing up, then the back up file will have a fixed sequence of
characters at the very beginning. This is known plain text.
Unfortunately, I am not able to recall where I heard this and would
appreciate if anyone can provide the source or refute the following:
To eliminate a weakness with known plain text at the very beginning of a
file to be encrypted, you can insert a fixed amount of random data
before the data you are encrypting. When decrypting your data, you
simply discard the random data after decryption. Ideally gpg would do
this for you, but I have not checked the program to see if it does this.
Ideally you could use /dev/random for random data, as this provides real
randomness vs pseudo-randomness of /dev/urandom. Unless you have a real
random number source, using /dev/random in a script can cause the script
to hang until enough entropy is collected.
For example, you could use /dev/random if: (1) you are around to move
the mouse and type keys on the keyboard to generate entropy or (2) you
have an Intel random number generator in your computer and you have
installed the intel-rng-tools ebuild:
http://bugs.gentoo.org/show_bug.cgi?id=8997
You could use /dev/urandom to add 1K of random data to the start of your
archive as follows:
head -c 1024 /dev/urandom > NEW
cat INPUT >> NEW
Hope this helps,
Arthur
On Wed, 2003-02-19 at 07:59, Bruno Lustosa wrote:
> * Michael Jinks <[EMAIL PROTECTED]> [18-02-2003 19:03]:
> > If what you want is to store a bunch of stuff, for however long, in a
> > small number of encrypted cpio (or tar or whatever) archives, are there
> > really going to be so many of them that it justifies a script with a
> > password in it? And, if you're worried enough about privacy to want to
> > store your files in an encrypted form, why would you also simultaneously
> > want to store the key to unlock them in a script on the same system? If
> > you store the password+script elsewhere, you're back to the same problem
> > you had with keeping a key on a floppy, only now it's a script instead of
> > a key.
>
> Also, if you think that floppies aren't all that reliable, you could
> still print (on paper) the ascii armoured private key and store it
> somewhere safe.
> In case the floppy doesn't work anymore, you could still get the paper,
> type it and re-import on gpg. Of course, would be a tedious thing to do,
> but that's the last resort thing, isn't it?
>
> Just my $.02
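Added example, not part of the original message: the prepend-and-discard procedure described above, including the restore-side step that the message describes only in words. The function names and the RESTORED file name are hypothetical; the 1024-byte prefix and the INPUT and NEW names follow the message.

```shell
#!/bin/sh
# Added example (not from the original message): fixed-size random prefix
# around a backup file. Function names are hypothetical.
PAD_BYTES=1024   # prefix size suggested in the message

# pad_file IN OUT: write PAD_BYTES from /dev/urandom, then IN, into OUT.
pad_file() {
    head -c "$PAD_BYTES" /dev/urandom > "$2" || return 1
    cat "$1" >> "$2"
}

# unpad_file IN OUT: discard the first PAD_BYTES of IN, write the rest to OUT.
# Refuses input shorter than the prefix (truncated, or never padded).
unpad_file() {
    size=$(wc -c < "$1") || return 1
    if [ "$((size))" -lt "$PAD_BYTES" ]; then
        echo "unpad_file: $1 is shorter than the $PAD_BYTES-byte prefix" >&2
        return 1
    fi
    # tail -c +N starts output AT byte N, so skipping 1024 bytes needs +1025.
    tail -c +"$((PAD_BYTES + 1))" "$1" > "$2"
}

# Order of operations around gpg:
#   backup:  pad_file INPUT NEW, then encrypt NEW instead of INPUT
#   restore: decrypt to NEW, then unpad_file NEW RESTORED

# Constructed demo: round-trip a small sample file without gpg.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample archive contents\n' > "$dir/INPUT"
    pad_file "$dir/INPUT" "$dir/NEW" &&
        unpad_file "$dir/NEW" "$dir/RESTORED" &&
        cmp -s "$dir/INPUT" "$dir/RESTORED"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo && echo "round trip ok"
```

On the question of whether gpg does this itself: OpenPGP's CFB mode, which gpg uses for symmetric encryption, already prefixes the plaintext with a block of random bytes before encrypting (RFC 4880, section 13.9).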