[EMAIL PROTECTED] wrote:

> what is the formal distinction between a password and a key?

A key is any secret used for encryption.

A password can be made into a key, usually by passing it through some cryptographic hash function and taking some of the bits. HOWEVER, a password can only generate a deterministic key (well, duh), which implies:

A. Symmetric encryption (such as AES), and
B. Using the same key for all files.

Not good.

A much better solution would be to use one public (read: asymmetric) key to encrypt a different symmetric key for each file. That is "the industry standard". We would have used a symmetric key for encrypting the "session keys" (this is what the DVD CSS system does), except you would then not be able to encrypt without knowing the secret. A public key does allow you to do just that.

What I would suggest for you to do is to use the rsyncrypto manual to generate an RSA key using openssl, but drop the "nokey" parameter. This will generate a password encrypted private key, and a standard public key certificate. Place the encrypted private key with your data.

Next, use rsyncrypto to encrypt the data you want. Passing it the options "--roll-win=1 --roll-sensitivity=5000" should disable the rsyncable aspect of rsyncrypto, and get you a plain CBC AES encryption (industry standard). You will also need to erase the "keys" folder generated by rsyncrypto, as that contains unencrypted versions of the session keys, which you do not want to leave behind. Rsyncrypto has a planned option to not generate these, but they are, for the time being, mandatory.

One bug. Rsyncrypto doesn't, currently, support password encrypted private keys. This means you will need to decrypt the key manually before decrypting the files. The following command (from memory, RTFM openssl for details) should do it:

    openssl rsa -in enckey -out plainkey

It should read in the password encrypted key "enckey", ask you for the password, and generate a non-password-protected "plainkey", which you can then feed to rsyncrypto for decryption.

Let me know how it went.....

Shachar

p.s. Does gentoo carry rsyncrypto?
--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
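The scheme Shachar describes above (a fresh symmetric session key per file, wrapped with an RSA public key so that encryption needs no secret and only decryption needs the private key) as an added, self-contained example; this is not rsyncrypto's code, and the EncryptedFile layout, AES-256-CBC with PKCS#7 padding and RSA-OAEP for the key wrap are assumptions chosen for illustration, not rsyncrypto's actual file format:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is a constructed container for one encrypted file: the
// per-file AES session key wrapped with the recipient's RSA public key,
// plus the IV and AES-CBC ciphertext of the file body. (Assumed layout;
// rsyncrypto's real format differs.)
type EncryptedFile struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// NewKeyPair generates the long-term RSA key pair. Only the public half is
// needed to encrypt; the private half is what you keep password-protected.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// pkcs7Pad pads the plaintext to a whole number of AES blocks, as CBC requires.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding, rejecting anything malformed.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptFile needs only the public key. Each call draws a fresh random
// 256-bit session key, so two files (or the same file twice) never share one.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	// Wrap the session key under the public key: this is the only copy of
	// it that should be left next to the data.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptFile is the only step that needs the private key.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(ef.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	padded := make([]byte, len(ef.Ciphertext))
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(padded, ef.Ciphertext)
	return pkcs7Unpad(padded, aes.BlockSize)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample "files".
	for i, f := range [][]byte{[]byte("first file"), []byte("second file, another size")} {
		ef, err := EncryptFile(&priv.PublicKey, f)
		if err != nil {
			panic(err)
		}
		back, err := DecryptFile(priv, ef)
		if err != nil {
			panic(err)
		}
		fmt.Printf("file %d: wrapped key %d bytes, round trip ok=%v\n", i, len(ef.WrappedKey), bytes.Equal(f, back))
	}
}
```

Contrast this with a password-derived key: hashing the same password always yields the same AES key, so every file would be encrypted under it and anyone who recovers that one key reads everything. Here the only long-lived secret is the RSA private key, and it is never needed at backup time.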
