Re: Is it safe to put an encrypted file on a public web server
(a) assume nothing is safe (b) assume that if your information is not valuable to national security agencies or organized crime, it is in less danger of probing and poking. (c) if someone takes your car, it is likely obvious; if someone copies your data, you may never know (d) if someone copies your data and then deletes it and holds the copied data for ransom, you are scr**d if you do not have local backup. (e) shared host ISPs may not back up your data, if their server hard disk(s) fail, you may be scr**d if you do not have local backup. (f) decryption may fail ... so encrypt only those files you want to hide from prying eyes. (g) decompression may fail ... so compress only those files for which you have local backup. (h) one of my mantra's: you can NEVER have TOO MUCH backup. Regards, Gerry (Lowry) --- Never miss an appointment ~~ apprem.com ~~ https://www.apprem.com --- Gerry Lowry, Principal Ability Business Computer Services ~~ Because it's your Business, our Experience Counts! 68 John W. Taylor Avenue Alliston · Ontario · Canada · L9R 0E1 · 705.250.0112 gerry.lo...@abilitybusinesscomputerservices.com http://abilitybusinesscomputerservices.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FSFE Fellower Card + LUKS on Startup
David . you are sending this over and over and over . I have this message 21 times. What's going on? Please stop. One copy is enough ... if someone has time to answer your question, they will. Thank you. - Original Message - From: David Lais sn...@snope.org To: Sent: Tuesday, November 03, 2009 2:17 PM Subject: FSFE Fellower Card + LUKS on Startup Hi GnuPG-Users, I have been testing the FSFE GnuPG smartcard in the past few days and I find it really cool! However, I have some more questions regarding the card. I have encrypted all of my linux partitions with LUKS and it works really great. Next, I would like to integrate the GnuPG card into the boot process in order to encrypt or to provide the key file. I found a Howto in the ubuntu wiki: https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption. However, in this HowTo, they use a MultiFlex Smartcard and load the key file on the card. In the startup process, the keyfile is read out and sent to LUKS. This step is really simple but how can this work with the gnupg smartcard? I think it is not a problem to decrypt the key file in the startup process, isn't it!? Is it possible to access the card reader (omnikey 4040) and the smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a similar way or are there any alternatives? Finally, is there a HowTo? I would be very happy for any kind of information. Thanks, David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FSFE Fellower Card + LUKS on Startup
I do hope I was not perceived as being rude. I was not intending to be rude. Robert J. Hansen wrote in part: . You'd be appalled at how many rude, profane and offensive messages I received from people telling me to stop spamming the list. Yes, appalled but not surprised. Given the stress level of most of us, I'm not surprised that some people sometimes react in unkind ways. Thank you, Robert, for reminding us to be patient and understanding. Gerry Free Appointment Reminders: https://www.apprem.com Resume: http://gerrylowryprogrammer.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Public key crypto by hand
http://www.schneier.com/solitaire.html solitaire is done with cards, it was used by two men in jail, both characters in Neal Stephenson's Cryptonomicon ... imo a novel worth reading ... Bruce Schneier invented the game at Stephenson's request AFAIK. gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Public key crypto by hand
Robert wrote in part that We've known since '99 that Solitaire is weak, thanks to the work of Paul Crowley. It was, however, sufficient as a plot device in Cryptonomicon. Even simple systems like pig-latin are sufficient as long as they are more sophisticated than those from whom one wishes to safeguard information. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Public key crypto by hand
Robert, you are absolutely 100% correct when you write: The danger comes from assuming you're more sophisticated than the people who want your information. The television show So you think you are smarter than a fifth grader proves your point time and time again. g. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: keyservers
AFAIK you can publish your key to https://keyserver.pgp.com/vkd/GetWelcomeScreen.event; it will be synchronized AFAIK; you will need to confirm every so often that your key is valid so PGP do not drop it. You can publish to other keyservers and your public key will not find its way to the PGP Global Directory (https://keyserver.pgp.com/vkd/GetWelcomeScreen.event) AFAIK. I've been advised to avoid MIT's keyserver because apparently it's not well maintained. (I think it was MIT, could be some other server). Other members of this mailing list can give you much better advice. Also check Google for sources like http://en.wikipedia.org/wiki/Key_server_(cryptographic); remember that anybody can contribute to wikipedia articles. Your question about finding keys: GnuPG has a find option ... point it at a keyserver to retrieve. You can use ID, e-mail address, and possibly other data to retrieve the key(s) you require. Again, other members of this mailing list can give you much better advice. g, ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: subscribe
Alex, you are likely already subscribed or your message would likely not have been posted. [ http://lists.gnupg.org/mailman/listinfo/gnupg-users ] - Original Message - From: Alex Pennington To: gnupg-users@gnupg.org Sent: Friday, April 17, 2009 10:51 AM Subject: subscribe subscribe ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trying to understand UID and subkeys
David Shaw wrote, in part: You can have one subkey for encryption, one subkey for signing, and leave your primary key for certification. This lets you do tricks like keeping your primary key offline. This is useful as the primary key is the most valuable key (since it can make more subkeys), Question # 1: does primary key here mean primary PUBLIC key? Question # 2: without the pass phrase, how can one make more subkeys? Question # 3: what determines that a key is a primary key? (is it because --gen-key was used instead of --edit-key?) Question # 4: by offline, do you mean not on a keyserver? (versus not on your local hard disk?) Thank you. Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: surrendering one's passphrase to authorities
unfortunately, it's likely that certain countries handle this using torture. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
http://support.apple.com/kb/HT1620 How to use the Apple Product Security PGP Key http://www.apple.com/support/security/pgp/ Protecting Security Information F.Y.I.: I've not noticed anything similar from Microsoft and other software companies. Most seem to be happy with MD5 and SHA1 for files and nothing else. Also, Apple even provides links to PGP Corporation and GnuPG plus its key and key ID. This is our PGP key which is valid until May 15, 2010 Key ID: 0x8A648901 Key Type: RSA Expires: 5/15/10 Key Size: 2048/2048 Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901 UserID: Apple Product Security This from Apple is like an endorsement of PGP/GPG technology. So few people use PGP/GPG technology openly. The Internet took off when Microsoft, for better or worse, included and promoted Internet Explorer in Windows 95, thus beginning the so called browser wars. I would be surprised and also happy to see Microsoft promote PGP/GPG technology. I do not actually expect that to happen. If it did, it would be good if Microsoft could stimulate PGP/GPG technology with more user friendliness since at the moment there's much to learn to understand and begin using PGP/GPG technology. Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want
Robert and David, thank you for increasing my understanding and pointing out the errors I made. g. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure asymmetric encryption to yourself?
a paranoid's answer to your question: your passphrase is also required ... so my best guess is that you are more or less safe; others on this list would know better than myself. Here's the paranoid part: if your system became compromised with a keylogger, you could be vunerable to having your passphrase stolen. More paranoia: when you're viewing your file as plain text which you must do to read its contents (unless you're superhuman), your text is at least temporarilly vunerable. a paranoid's solution: have a second computer, even a small pocket something or other that supports PGP/GPG technology and also is NEVER connected to the rest of the connected world; keep your secured information on the second computer only; external backups excluded (you can never have too much backup; some backup is better than none). Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Please select what kind of key you want ~~ suggestion to developers
The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur. Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey Example: Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices Sample help: Choice/Description If you choose a sign only key, you may also need to (1) DSA and Elgamal (default) Phasellus interdum nunc eget libero. In ante dui, ... (2) DSA (sign only) Vivamus ut libero eget tortor lobortis ... (5) RSA (sign only) Aliquam sit amet risus auctor felis ... Real and useful text should replace the random lorem ipsum* used in the above example.B-) Additionally, build more help/guidance text into PGP/GPG technology. Users are more likely to implement technologies that they understand once they have achieved a level of comfort with those technologies. Regards, Gerry (Lowry) * source: http://www.lipsum.com/. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure asymmetric encryption to yourself?
Sven Radde wrote, in part: ... there are more usable ways of managing one's passwords than storing them in a GnuPG file. I'm curious what more usable ways there are that Sven and others can recommend. I'm also unsure what Sven apparently means by more usable? (While they need to be decrypted, one would only occasionally need to decrypt them because for most of the time, until forgotten, those passwords that one uses frequently reside in one's biological memory.) I guess one downside of the GnuPG file is that if one loses her/his private key or forgets her/his passphrase, then the passwords in the GnuPG file will be secure forever or at least until she/he acquires her/his quantum computer in the future. regards, gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, yes, literacy is important, too. Your counter proposition also has validity. I point out, however, that by the time one is looking at Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices she/he has likely already proceeded far enough along to have achieved some degree of literacy. Having reached that point, with regards to understanding PGP/GPG technology, she/he may still be a novice. Of course, had Michael W. Lucas been a bit clearer in his book, the (h) help on the above choices might not have been of benefit to myself. OTOH, it would nevertheless benefit many of those beginners who might not be aware of MWL's book and who might not have access to anything else written for novices. One problem is that many writers write for an audience that has already achieved domain erudition. Fortunately, for the rest of us, there are authors of __ for Dummies, et cetera. (where __ represents some subject of interest to the reader). So, Robert, I restate my proposition as The easier it is for informed, literate beginners to understand the need for PGP/GPG technology, and the easier it is for them to become aware of the existence of PGP/GPG technology, the faster the adoption of PGP/GPG technology into broad general use by the public will likely occur. Regards, Gerry P.S.: I finished high school in 1965 and went straight into working. In 1967, I became a programmer. Long before user friendliness was a broadly known and often abused concept, I was writing software that truly qualified as user friendly. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, excellent points. I shall return to my thinking board. Amazing that, in today's world, with events like the infamous 9/11, identity theft, debit and credit card fraud, a plethora of Bernhard Madoffs making Carlo Ponzi sit up in his grave and take notice, and jobs going down the toilet daily, it surprises me that there is so little paranoia. I'm willing to share my paranoia. I've got enough for everybody. Perhaps it can be made into a vaccine.B-) I appreciate your always interesting, knowledgeable, and thoughtful ideas. Regards, Gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple e-mail addresses: what are the solutions?
Thank you John and David. John Clizbe has suggested a key with multiple email addresses (userIDs) per identity/personae as one strategy. David Shaw has mentioned a strategy of separate keys for different purposes. My question: if I go with separate keys, as in e-mail_address_1 public_key_1private_key_1 e-mail_address_2 public_key_2private_key_2 e-mail_address_3 public_key_3private_key_3 then, is it permissible to have all of my public keys together on the same pubring.gpg file and all of my private keys together on the same secring.gpg file? is it even architecturally possible to have all of my public keys together on the same pubring.gpg file and all of my private keys together on the same secring.gpg file? Also, if it is possible, what are the advantages and the disadvantages? Thank you. Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Please select what kind of key you want
Preamble -- Michael W. Lucas on page 73 in Chapter 4 of PGP GPG: Email for the Practical Paranoid, No Starch Press, (c) 2006, shows the following choices for Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Michael recommends choosing 5 which turns out to be a disadvantage that one might not discover until the first time that she/he attempts to encrypt something. AFAIK, other people can still encrypt for the user who has selected 5 above. And the user can decrypt whatever she/he receives. I do not recall Michael discussing the solution to the problems caused by selecting just (5) RSA (sign only), although, since his book is written for a beginner audience, I do think he should have addressed this problem. Nevertheless, I found his book still quite helpful. QUESTIONS - Especially because of my experience mentioned above, I tend to pay attention to the text that follows Please select what kind of key you want. The Windows' version that I used matches Michael's text: gpg --gen-key gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) From gpg --edit-keyIDaddkey, I also get (2) DSA (sign only) (4) Elgamal (encrypt only) (5) RSA (sign only) (6) RSA (encrypt only) -- where's (3) (3) ?? Why is there no (3) in the above two lists [gen-key list, addkey list]? Why are choices (4) Elgamal (encrypt only) and (6) RSA (encrypt only) not present in the gen-key list? Why is choices (1) DSA and Elgamal (default) not present in the addkey list? http://www.netbsd.org/developers/pgp.html == shows different choices for gpg --gen-key: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) (5) RSA (sign only) Exploring further Please select what kind of key you want via Google, I get the impression that there's potentially a standard that might read something like: position (1) should always be __; position (2) should always be __; position (3) should always be __; et cetera and for any position, you can offer nothing, sign only, encrypt only, or sign and encrypt together. Is that the case with regards to developer guidelines? Also, I'm guessing that although a developer might opt out of creating a key of type X, regardless, the developer must presumably support a complete set of encryption/decryption choices for the purpose of processing public and private keys properly. Is this the case? Thank you. Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Command Line Use of GPG
Kara, It sounds like gpg.exe is not in your path. you can get around this by adding the directory where gpg.exe exists or by using a fully qualified path. I prefer the latter. Example: assume I've installed GnuPG to c:\topsecret\spytools (btw, I have not) Open a Windows command prompt, a.k.a. a DOS window. [note: before you get in too deep, you might want to read a book like PGP GPG, Michael W. Lucas. It's not perfect but it got me restarted. No Starch Press, 2006. Try your local library.] [if your GnuPG folder is not in your path, then, in the following, type, for example, c:\topsecret\spytools\gpg instead of just gpg ] At your Command prompt, usually , type commands like these: gpg --gen-key[creates a GnuPG keypair] [the following is a one line command to generate a revocation certificate in case you ever need it] gpg --verbose --armor --output y...@yourplace.com.asc.revoke.txt --gen-revoke y...@yourplace.com gpg --verbose --listkeys gpg --verbose --listsecretkeys use Google to locate useful articles on GnuPG, example, GnuPG tutorial regards, gerry (lowry) __ Gerry Lowry, Principal Ability Business Computer Services ~~ Because it's your Business, our Experience Counts! 68 John W. Taylor Avenue Alliston · Ontario · Canada · L9R 0E1 gerry.lo...@abilitybusinesscomputerservices.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Command Line Use of GPG
Hello Robert ... what, me paranoid? Okay, I admit maybe a little. Likely a lot. You're not with the CIA, are you? Do I have control of my system? I hope so. It's almost impossible to know. Perhaps Bill Gates has control of my system. That's unlikely but not impossible. I used to work for Microsoft. Perhaps I have control of your system. Likely not. Is your name really Robert? B-) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
multiple e-mail addresses: what are the solutions?
Hello, in my first attempts at PGP, I had only one e-mail at time, occasionally two or three. Now I have many different e-mail addresses that I use on a regular basis for various purposes, none of them illegal. Some web sites force users to have addresses likem...@theirdomain.com for reasons such as attempting to control spam. Examples: I have a gmail account for communication with my IPP if my site is down. If my IPP is also down, I'm out of luck. I have an e-mail address from a customer who prefers that his customers contact me via ge...@hiscompany.com. et cetera, et cetera, et cetera Please note: I'm for all intents and purposes new to PGP/GPG. It seems that for any e-mail address that I have, I need a key pair that corresponds to each e-mail address. Is there a better strategy? Regards, Gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG - how to update keys to a new format?
I'm just guessing but I doubt you can do that; I think you need to generate new keys and revoke your old keys. Keys are cast to be impregnable which is why I suspect that the keys are not updateable. You can AFAIK add and change information; e.g., add a picture but I would be surprised if you can actually tamper with the actual generated keys. regards, gerry (lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What do if forgot password?
even if the rumours are true that the government may have such an ability, we'd never know. If you still know your passphrase, and have not done so, create a revocation certificate. Keep both the revocation certificate and your passphrase in a secure and secret (to you) place (but remember where you put them). Anyone who has your passphrase and your private key can decrypt things encrypted for you. Anyone who has your revocation certificate can revoke your key. g. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What do if forgot password?
Hello Robert ... the original poster, Don Rhummy, did NOT make it clear, you missed his if: What does GPG have to recover my data if i forgot my password?. Thank you for your excellent advice about using a lawyer ... my safe and secure places tend to be so secure that even I can not find them. B-) http://sixdemonbag.org/cryptofaq.xhtml#agencies does not like my IE7. Your link takes me to http://www.secret-alchemy.com/why_xhtml.html and explains how this occurs. Fortunately, I also have Safari installed and have read your fine article. You may enjoy The Last Theorem, a science fiction novel, Arthur C. Clarke's last AFAIK, in collaboration with Frederik Pohl, published by Ballantine Books/DEL REY/Random House. regards ~~ gerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GNUPG and PKI compatibility (?)
These may be some keyservers to use for looking up keys with gpg --recv-key keyserver hkp://subkeys.pgp.net keyserver hkp://pgp.mit.edu keyserver hkp://pool.sks-keyservers.net (random server) keyserver hkp://keys.nayr.net Not all of the above may be up. Here's a place to build trust: http://www.biglumber.com/ This site is designed to help expand webs of trust by coordinating key signings. Regards, Gerry (Lowry) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GNUPG and PKI compatibility (?)
John / thank you for your insights; like your haiku - Original Message - From: John Clizbe j...@mozilla-enigmail.org To: GnuPG Users gnupg-users@gnupg.org Cc: Gerry Lowry gerry.lo...@abilitybusinesscomputerservices.com Sent: Thursday, February 05, 2009 8:20 PM Subject: Re: GNUPG and PKI compatibility (?) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users