On Wed, Jul 13, 2011 at 2:04 PM, Jerome Baum <[email protected]> wrote:
> You've said it yourself. The attack is to encrypt something else to your
> public key.

You're right. Somehow I hadn't thought about someone being able to simply encrypt a file with the same filename as an existing file to me, with some nefarious content.

A separate encrypted file is kept, storing a manifest of the backed up files (i.e., which file is in which encrypted container), so I think it'd be more along the lines of getting lucky, since the program (Duplicity) would realise that a file that should be in a certain container isn't, or something extra is there in its place.

> Have you considered a separate key for the signature?

I use a separate signing key anyway, for all my signatures. How would using a separate key help here?... I'd still need to give my passphrase somehow.

Cheers

Chris Poole
[PGP BAD246F9]
