Re: a bit off topic, how to find encrytped files (ransom attack)
On Fri, Aug 05, 2022 at 05:45:53PM +0200, Uwe Brauer via Gnupg-users wrote:

> 1. just for the first very rough analysis what is a convenient command
> to get a list of files that have high entropy?

The first step might be to install tripwire and only check files which tripwire reports as changed. See "man tripwire" after installing it.

Regarding your attempt to find candidate files:

> find . -iname '*.*' -follow -print -exec ent {} \;

Files don't need to have a dot in their name. But they might have unusual characters in their names instead. So you might actually want to use

    find -type f -print0 | xargs -0 ent

Tip: "man find" and "man xargs" describe what those zeroes mean.

> So I am not sure what is the best line, but the question boils down to
> this: anybody know enough sed or awk or whatsoever to tell me how to
> filter the ent output?

Gentle suggestion: you'd need to learn such basic usage yourself before you rely on them as a tool, especially when attempting to secure your systems. Tips (for example): https://www.amazon.de/Learning-Perl-Making-Things-Possible/dp/1492094951 or https://www.amazon.de/Effective-awk-Programming-Universal-Processing/dp/1491904615

Regards, JC

-- 
Experience is the worst teacher. It always gives the test first and the instruction afterward.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
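A worked version of the approach sketched in this exchange, added here as an example; it is not code from the original mails. It computes the per-file Shannon entropy with od and awk only (so it runs where ent is not installed), walks the tree with find -exec so that file names with spaces, newlines or other odd characters survive intact (the point behind -print0/xargs -0), and prints every regular file whose score reaches a threshold. The function names, the threshold value and the sample files in the usage note are my own assumptions.

```shell
#!/bin/sh
# Added example: per-file Shannon entropy in bits per byte using POSIX tools.
# 0.0 means a constant file; random or encrypted data scores close to 8.0.
# Caveat: compressed archives, JPEGs, video etc. also score near 8, so a hit
# is a candidate for inspection, not proof of encryption by ransomware.

# awk program shared by both functions. Input is the output of
# `od -An -v -tu1`: one unsigned decimal per byte, several per line.
# (-v is essential: without it od collapses repeated lines into "*".)
ENTROPY_AWK='
{ for (i = 1; i <= NF; i++) { count[$i]++; n++ } }
END {
  h = 0
  for (v in count) { p = count[v] / n; h -= p * log(p) / log(2) }
  printf "%.4f\n", (n ? h : 0)   # empty file -> 0.0000
}'

# file_entropy FILE -> prints the entropy of FILE with four decimals.
file_entropy() {
  od -An -v -tu1 "$1" | awk "$ENTROPY_AWK"
}

# scan_high_entropy DIR THRESHOLD -> prints "entropy<TAB>path" for every
# regular file under DIR scoring >= THRESHOLD. find -exec ... {} + hands
# the names to the child shell as separate arguments, so no delimiter
# in the file name can break the pipeline. $1/$2 inside the child are the
# awk program and the threshold, the rest are the file names.
scan_high_entropy() {
  find "$1" -type f -exec sh -c '
    prog=$1; thr=$2; shift 2
    for f; do
      h=$(od -An -v -tu1 "$f" | awk "$prog")
      if awk -v h="$h" -v t="$thr" "BEGIN { if (h + 0 >= t + 0) exit 0; exit 1 }"; then
        printf "%s\t%s\n" "$h" "$f"
      fi
    done
  ' sh "$ENTROPY_AWK" "$2" {} +
}

# Usage (assumed paths): . ./entropy.sh; scan_high_entropy /home 7.5 | sort -rn
```

A threshold around 7.5 separates encrypted or compressed content from text, source code and most binaries; combine the list with a change report (the tripwire suggestion above) or with modification times, because a tree full of freshly rewritten near-8.0 files is the pattern worth alerting on, not any single high-entropy file.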
Re: Five volunteers needed (EU only please)
On Tue, Oct 06, 2020 at 04:49:15PM +0200, Stefan Claas wrote:

> Good question. QR codes need for example a printer and stickers too,
> if not printed directly on postcards. My new Epson printer, for example,
> does not support feeding of postcards or other thick materials, only
> standard paper and photo paper.

We are moving a bit far away from GnuPG issues, but ... ;-)

a) you'll neither need stickers nor postcards, just a standard sheet of plain paper.

b) you can generate QR codes without using a smartphone (e.g. qrencode on Linux systems) but easily on smartphones without NFC hardware too.

> maybe we should ask ourselves why NFC tags were invented if QR-code
> would be sufficient.

c) NFC capable smartphones still are less common than smartphones with cameras to scan QR codes, so if you want to expand the set of possible recipients and senders, you should think about the least common denominator instead.

d) NFC tags have their uses, but weren't invented to replace or augment QR codes. And besides being cheaper to produce, QR codes are much more resilient.

Finally: using password protected NFC tags to carry encrypted content seems a bit of overkill or over engineering too. But one could read a tag without opening the letter that would be used to ship it, which obviously would be a bit harder with QR codes ...

--jc

P.S. Last but not least, we could send QR codes via email! ;-0

-- 
Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway. -- Andrew S. Tanenbaum
Re: Five volunteers needed (EU only please)
On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:

> My new idea is to send encrypted postcards or letters, with an NFC tag
> attached, containing a GnuPG clearsigned test message. I like to see if
> the postcards will arrive in proper condition, so that the NFC tags are
> still readable.

Looks like an over-engineered idea to me: why use NFC tags when simple QR codes printed on paper would be sufficient? And probably less prone to detection or damage, I expect.

--jc

-- 
I love deadlines. I love the whooshing sound they make as they fly by. -- Douglas Adams
Re: How to create an authinfo.gpg encrypted file with a GitHub token
On Wed, Feb 26, 2020 at 12:18:00AM +, John Stevenson wrote:

> I would like to store a GitHub personal access token in a file called
> ~/.authinfo.gpg so that the token is not stored unencrypted on my
> computer. This file would be used by Emacs to talk to GitHub via its API.

Recent versions of Emacs (>= 23.x) offer EasyPG ("epa-mode") which handles GnuPG encrypted files easily. That might be a good place to start looking for what you might need. Just try to create /tmp/foo.gpg and save it. You should be asked for a recipient and/or a key.

Or, if you're using org-mode, you could handle encrypted data there as it offers to encrypt/decrypt certain regions of .org files: https://orgmode.org/worg/org-tutorials/encrypting-files.html

Cheers, JC

-- 
If universal surveillance were the answer, lots of us would have moved to the former East Germany. If surveillance cameras were the answer, camera-happy London, with something like 500,000 of them at a cost of $700 million, would be the safest city on the planet. -- Bruce Schneier
Re: Android
On Wed, Oct 16, 2019 at 01:02:10PM +0200, Daniel Bossert wrote:

> Is anybody using pgp on Android? I did some years ago, would like to,
> but am afraid for security reasons.

Hi Daniel,

I'm using gnupg with Termux (Linux as app) on Android. And ssh for file transfers too. Works for me, as I'm comfortable with commandline interfaces, even on mobiles.

Cheers, JC

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.
Re: Feature proposal - image encryption
On Sun, Jan 06, 2019 at 11:12:28PM +0100, Stefan Claas wrote:

> GnuPG is world standard for email and probably file encryption, so why
> not for image encryption too? :-)

As Dirk already said, you can encrypt image files with GnuPG already ;-)

> And why should I trust people less who maintain complicated software
> like (the fantastic) ImageMagick? At least it would not hurt to have
> such a feature in GnuPG. ;-)

I beg to differ. Given the classic Unix philosophy of chaining small tools which do their job well, GnuPG is already way too complex, especially for casual users. I generally prefer the ImageMagick concept of small tools (convert, identify, mogrify, ...). So using ImageMagick for image encryption (in the way you want to use it) is fine, as using GnuPG for general file encryption is fine too. Creating the "eierlegende Wollmilchsau"[*] (what next: steganography in GnuPG? Or add audio encryption?) rarely does something good in the software world.

--jc

[*] For readers who don't know the "concept" take a look at https://de.wikipedia.org/wiki/Eierlegende_Wollmilchsau ;-)

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.
Re: Configuration for offline usage - best practice tips?
On Sat, Feb 17, 2018 at 11:15:57PM -0500, Daniel Kahn Gillmor wrote:

> On Thu 2018-02-15 21:33:05 +0100, Juergen Christoffel wrote:
>> I'm looking for best practice tips for offline usage of GnuPG. [...]
>
> GnuPG's defaults should be fine for the common, simple backup case.
> However, i note that you're talking about "today's public key" -- that
> suggests that you're imagining a regularly-updated key that your backup
> tooling will know about. This is in some sense antithetical to "offline
> usage" -- how will the backup scripts learn about the new keys if they
> can't go online to fetch them?

Thanks for the feedback and sorry for the delayed answer, I've been on a business trip.

> It sounds like you're proposing an OpenPGP primary key that has a series
> of relatively short-lived, expiring encryption-capable subkeys. Is that
> correct?

Yes, that's what I plan to do: generate a subkey for each month in advance and use this to encrypt my backups.

And it seems that I shouldn't have used the term "offline usage" without a better spec of what I meant. So: GnuPG tips for communications use state that I should do this or don't configure that in order to keep my keys compatible with potential recipients. That's what I consider "online" use, while I use "offline" to say that I don't intend to share encrypted stuff with external parties, so I have no need for potential limitations.

> For further clarity, it'd be useful to understand what you see as the
> goal of key rotation here. Do you plan on deleting older secret subkeys?
> if so, how will you recover backups that were encrypted to the destroyed
> secrets?

Backups are done from a rented root server to a rented storage server in "the cloud" and I want to lessen the impact of a potential compromise of these keys. That is, if I have to restore certain files from a backup, and the machine where the decryption happens might be compromised, I don't want all backups to be compromised in a single step.

> But for backups, this is a slightly more complicated story.
>
> It certainly can be useful if you want to be able to robustly *destroy*
> backups that might be stored on servers that you don't have full control
> over. That is: encrypt the backup to public key X, send the encrypted
> copy to "the cloud", and then when you're sure you don't need it any
> more, delete the secret key corresponding to X to ensure that it's not
> recoverable. But most people have a hard time just getting their backups
> to happen on a reasonable schedule, and don't have a reliable schedule
> for backup destruction. Do you have such a plan? Or do you envision some
> other reason for the proposed key rotation?

The backup plan is in place and uses rotating backups, so older backups expire anyway after some time.

Thanks for your detailed suggestions, I'll rethink my plans with them in mind.

Regards, JC

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.
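The mechanism discussed in this thread (a primary key with one pre-generated, expiring encryption subkey per month, and an unattended backup job that encrypts to "today's" subkey), as an added example that is not code from either participant. The selection is done by parsing gpg's --with-colons listing, which is stable and meant for scripts; the encrypt step is shown but not exercised here because it needs a real keyring. The key IDs, fingerprints, dates and user ID in the sample listing are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: pick the encryption subkey valid today from a
# `gpg --with-colons` listing and encrypt a backup to exactly that subkey.
#
# Colon-format fields used (from gpg's doc/DETAILS): $1 record type,
# $6 creation time, $7 expiry time (epoch seconds; empty = never expires),
# $12 capabilities ("e" = encrypt), and $10 of the "fpr" record that
# follows a "sub" record is that subkey's fingerprint.

# pick_subkey LISTING NOW -> prints the fingerprint of the newest
# encryption-capable subkey that is valid at epoch NOW; exits 1 if none.
pick_subkey() {
  printf '%s\n' "$1" | awk -F: -v now="$2" '
    $1 == "sub" {
      pending = 0
      if (index($12, "e") && $6 + 0 <= now && ($7 == "" || now < $7 + 0)) {
        pending = 1; created = $6 + 0
      }
      next
    }
    $1 == "fpr" && pending {
      if (created > best) { best = created; fpr = $10 }
      pending = 0
    }
    END { if (fpr == "") exit 1; print fpr }'
}

# encrypt_backup ARCHIVE KEYID -> writes ARCHIVE.gpg encrypted to the subkey
# valid today. The "!" appended to the fingerprint tells gpg to use that
# exact subkey rather than choosing one itself. Not run in this example.
encrypt_backup() {
  listing=$(gpg --batch --with-colons --with-subkey-fingerprint --list-keys "$2") || return 1
  fpr=$(pick_subkey "$listing" "$(date +%s)") || {
    echo "no encryption subkey is valid today; add next month's subkey first" >&2
    return 1
  }
  gpg --batch --yes --encrypt --recipient "${fpr}!" --output "$1.gpg" "$1"
}

# Constructed listing (fake key IDs and fingerprints): a primary key with a
# February 2018 encryption subkey, a March 2018 encryption subkey, and a
# signing-only subkey that must never be selected.
SAMPLE_LISTING='pub:u:255:22:1111111111111111:1514764800::u:::scESC::::::ed25519::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1514764800::0000000000000000000000000000000000000000::Backup Key <backup@example.invalid>::::::::::0:
sub:u:255:18:2222222222222222:1517443200:1519862400:::::e::::::cv25519::
fpr:::::::::2222222222222222222222222222222222222222:
sub:u:255:18:3333333333333333:1519862400:1522540800:::::e::::::cv25519::
fpr:::::::::3333333333333333333333333333333333333333:
sub:u:255:22:4444444444444444:1519862400:1522540800:::::s::::::ed25519::
fpr:::::::::4444444444444444444444444444444444444444:'

# Demonstration on the constructed listing: 2018-03-02 selects the March subkey.
pick_subkey "$SAMPLE_LISTING" 1520000000
```

The monthly subkeys themselves can be created ahead of time with `gpg --quick-add-key <primary-fingerprint> cv25519 encr <expiry-date>`, one per month, and only the public key ring needs to reach the backup host. The rotation only limits the blast radius dkg describes if the secret subkeys for past months are removed from the machine that performs restores once their backups have expired; otherwise a compromise of that machine still exposes every month at once.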
Configuration for offline usage - best practice tips?
Hi folks,

I'm looking for best practice tips for offline usage of GnuPG.

What do I mean by offline usage? I plan to encrypt backups or files on my machines with GnuPG and generate weekly or monthly keys for that purpose so backups for example can run unattended and simply encrypt with today's public key. As the backups need to be compatible with my software only, I could possibly choose different configuration options than for my "online" usage.

While I can find a number of configuration hints for compatibility between implementations and standards or strong encryption in general, I expect that a configuration for offline usage might be different from one for general purpose encrypted communication.

Regards, JC

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.
Re: Specifying entropy source
On Tue, Nov 15, 2016 at 11:57:18AM +0100, aafanas...@os3.nl wrote:

> I know that during generation of the key will be asked for moving mouse
> or some other actions to create enough entropy. However could I use a
> specific source to create entropy for key generation? Like only mouse
> or keyboard.

As Stefan wrote, try haveged.

Or: if your CPU has "RDRAND" (i.e. grep rdrand /proc/cpuinfo) it contains Intel's hardware RNG. Which you have to trust, as it's a proprietary feature of a big player. But Linux's entropy gathering mixes its output with other sources of randomness.

Then there are http://www.bitbabbler.org and http://ubld.it/products/truerng-hardware-random-number-generator/ as hardware random number generators. Both are worth their money IMO.

--jc

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.
Re: recording and retrieving "secrets" into gpg files
On Fri, Sep 30, 2016 at 03:56:08PM +0200, Arbiel (gmx) wrote:

> Can somebody, please, direct me toward a url where they provide bash
> scripting examples.

Take a look at https://www.passwordstore.org/ which is written in bash and stores secrets with gnupg.

--jc

-- 
Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit.