On Tue, May 17, 2011 at 14:22, Turbo Fredriksson <tu...@bayour.com> wrote:
> On 16 May 2011, at 21.11, Jerome Baum wrote:
>> On Mon, May 16, 2011 at 19:08, Turbo Fredriksson <tu...@bayour.com> wrote:
>>> I've looked at some encrypted FS's, but none of them were secure enough.
>>
>> In what sense? Can you elaborate? See also my comment below.
>
> Didn't allow big enough keys of good algorithms for one...

IIRC, OpenSSL places no limit on key-size. However, try "openssl genrsa 16384" and see how long that takes...

>> I would suggest you just symmetrically encrypt the data. If you really need
>> public-key encryption, use gpg to encrypt the key-file. The theoretical
>> security is about the same, and practically the significant factors will be
>> where you store your key, what temp files you leave around, etc.
>
> It was many years since I looked at encryption, so I've forgotten most of what
> I once learned (never actually needed it :). But isn't symmetric encryption
> 'easy' to crack? Given enough CPU?

Not at all. In fact, most public-key crypto systems will symmetrically encrypt your data with a random session key and only asymmetrically encrypt the session key. This is a Good Thing in performance and security terms -- performance because AES tends to be faster than RSA (for instance), and security because this method has been extensively studied.

> I find it hard to believe that anything would be better than a 3072 bit DSA key
> with a 4096 bit ELG key which expires in a month... ?

Those are very absolute numbers and the statement is very strong. In practice it's much more about key management than about key-size. Personally I opted for a 4096-bit RSA key, which is a somewhat arbitrary choice based on my gut and the intended duration of the key. Others go for 2048 bits, some go for a DSA master key, etc. -- it's just a matter of preference and in most cases you should be focusing your efforts elsewhere.

As Werner has correctly pointed out, you _can_ use gpg for this task. I would personally still opt for OpenSSL, though. It feels like the right tool for this, and gpg seems designed more for block data than streams, more for communication than personal encryption, etc. -- there's lots of WoT stuff built-in that you get with the package and may never use, which OpenSSL doesn't have. etc.

--
Jerome Baum

tel +49-1578-8434336
email jer...@jeromebaum.com

--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
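The hybrid scheme Jerome describes (bulk data under a random symmetric session key, only that key wrapped with the recipient's public key), written out with the OpenSSL command line as an added example; this is not code from the thread or from the GnuPG/OpenSSL projects. The file names, the constructed sample plaintext, the 2048-bit demo key pair and the choice of AES-256-CBC with RSA-OAEP are assumptions made for the example.

```shell
#!/bin/sh
# Added example: hybrid encryption with OpenSSL.
# Data -> AES-256-CBC under a random session key; session key -> RSA-OAEP.
# All file names and the sample plaintext are constructed for this demo.
set -eu

# Encrypt plaintext file $1 for RSA public key $2; write outputs into directory $3.
hybrid_encrypt() {
    plain=$1; pub=$2; out=$3
    # Random 256-bit key and 128-bit IV, hex-encoded for "openssl enc -K/-iv".
    openssl rand -hex 32 > "$out/session.key"
    openssl rand -hex 16 > "$out/session.iv"
    # Bulk data goes through the symmetric cipher with the raw session key.
    openssl enc -aes-256-cbc -K "$(cat "$out/session.key")" \
        -iv "$(cat "$out/session.iv")" -in "$plain" -out "$out/data.enc"
    # Only the small key+IV bundle is encrypted asymmetrically (RSA-OAEP).
    cat "$out/session.key" "$out/session.iv" > "$out/session.bundle"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$out/session.bundle" -out "$out/session.enc"
    # Remove the plaintext key material so it does not linger as a temp file.
    rm -f "$out/session.key" "$out/session.iv" "$out/session.bundle"
}

# Decrypt with RSA private key $1 from directory $2 into plaintext file $3.
hybrid_decrypt() {
    priv=$1; in=$2; out=$3
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$in/session.enc" -out "$in/session.dec"
    key=$(sed -n 1p "$in/session.dec")   # line 1: hex session key
    iv=$(sed -n 2p "$in/session.dec")    # line 2: hex IV
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$in/data.enc" -out "$out"
    rm -f "$in/session.dec"
}

# Full round trip on a constructed plaintext; prints "ok" and returns 0 on success.
hybrid_roundtrip() {
    work=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$work/plain.txt"
    # Demo recipient key pair (2048 bits keeps the demo fast; see the thread on sizes).
    openssl genrsa -out "$work/recipient.pem" 2048 2>/dev/null
    openssl rsa -in "$work/recipient.pem" -pubout -out "$work/recipient.pub" 2>/dev/null
    hybrid_encrypt "$work/plain.txt" "$work/recipient.pub" "$work"
    hybrid_decrypt "$work/recipient.pem" "$work" "$work/plain.dec"
    if cmp -s "$work/plain.txt" "$work/plain.dec"; then
        rm -rf "$work"; echo ok; return 0
    fi
    rm -rf "$work"; return 1
}

hybrid_roundtrip
```

The point of the layout is the one made in the thread: the expensive RSA operation touches only a ~100-byte key bundle, the data itself is handled by AES, and what actually decides the security of the result is where `recipient.pem` lives and whether the unwrapped key material is left behind on disk (hence the `rm -f` after each step). Note that `-K`/`-iv` take raw hex and bypass OpenSSL's password-based key derivation entirely.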
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users