First, a restriction on who can access a folder restricted to just a group on 'nix should probably be:

    drwxrwx---   (chmod 770 dir - all group members can write)
    drwxr-x---   (chmod 750 dir - only owner can write)

http://www.securemecca.com/public/ChmodTable.txt

On OpenVMS you can (and the military does) just turn off the world permissions, leaving only SOG (System, Owner, Group; originally it was SOGW). But OpenVMS has theirs done via a DACL. Windows has DACLs, but really not for files / folders in the same way that OpenVMS / Unix / Linux do it. Unix / Linux file permission flags for the files are hard-wired (done deep within the bowels of the OS).

Symmetric ciphers via GnuPG:
============================

You can use either a symmetric or public key cipher with GnuPG, but you really sort of need keys to even do symmetric ciphers via GnuPG or PGP from Symantec. This script is what I use if I want to make a file encrypted with a symmetric cipher via GnuPG:

http://www.securemecca.com/public/GnuPG  (folder - I used decrypt for decrypting encrypted files)
http://www.securemecca.com/public/GnuPG/

Pros: Can't think of any other than it saves all that typing. It MAY help you understand it. Maybe it will confuse you.

Cons: Anybody who knows the password can decrypt it. Sometimes that is a positive. For top security it is a negative if the public key used to encipher a file is not yours (belongs to somebody else and you don't have the private keys).

Symmetric cipher with AES-128 using 7-Zip:
==========================================

You don't need keys. Just supply the password and let the other people know what the password is. On Unix / Linux you just use this for a file:

    $ 7za a -p filename.7z filename

and this for a directory (folder):

    $ 7za a -p dirname.7z ./dirname

Pros: provides symmetric encryption without keys! Blissfully dumps the UID:GID so it comes out right when root unzips it (owned by root in group root) no matter who it belonged to on the other system, for 'nix. That is why I like it. Would love to have ClamAV source code in 7z format. It is great for sending lists of bad URLs / hosts to others since the email scanner doesn't know what to do with it.

Cons: Same as for GPG symmetric but no choice of CIPHER (uses AES-128), which may be unsatisfactory for some uses. Must build it yourself for 'nix. Do NOT use 7-Zip for backups of system stuff or you will have a chicken versus egg problem, encrypted or not.

(APOLOGIES TO GNUPG ADVOCATES)

Public / Private key implementation:
====================================

In reality there is a symmetric cipher hidden down in there. GnuPG pseudo-randomly (hopefully closer to randomly than to pseudo) creates a password for the symmetrically enciphered file and encrypts the password for the symmetric cipher using the other person's (people's) public key(s) with the ElGamal or similar public-key cipher. Each recipient gets their own copy (in the past the whole thing with Thunderbird plus Enigmail). But you do NOT encrypt the whole file with the public key. You use the public key to encipher only the password used to create the symmetric cipher.

The way public / private key is normally used:
==============================================

On Windows, GPG4WIN supplies an Outlook look-alike called Claws Mail that just looks at the recipients when you select encrypt and magically encrypts a message that the entire list of users can decrypt, as long as you have the public key for each of the recipients on your key-ring. The Enigmail plugin for the mail client program called Thunderbird does much the same thing. SEE! Public key encryption doesn't have to be all that complicated!

Pros: When encrypted for JoeGoodGuy in Denver with the encryption being done in Syria (war-torn), nobody but JoeGoodGuy can decipher it. Be sure to wipe the original unenciphered file(s). Wikileaks' Julian Assange knew this and encrypted all of those files with a symmetric cipher anyway so everybody could decrypt the zip of all those files some time in the future no matter how long the password was. But if the journalist had their own public / private key pair it could have been encrypted with the journalist's public key and then only the journalist could have decrypted it. Public key encryption is used successfully for this purpose by civil rights activists world-wide.

Cons: Initial confusion on how it works. Don't feel bad, because even PhD engineers may need some time to finally understand how it works (which is why I recommended that book). Don't be afraid of using OpenPGP public key encryption. It really is superior when you have two people that semi-trust each other. "Spies take time to warm up to each other," said one of the people that broke the Enigma cipher machine. "Even if they are British and American spies they are hesitant to share secrets." If I encrypt a message to you using your public key, even I cannot decipher it any more. Somehow that makes me feel SAFER. Don't give up on it - you can do it. GnuPG public key encryption is even used to make backups shipped over public networks because nobody but the person (hopefully not PEOPLE, but maybe for companies) who has the private key and knows the pass-phrase can decipher it. Public key encryption is superior for people in more than one geographic location.

HHH
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
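The "symmetric cipher hidden down in there" that the post describes, as an added stand-alone illustration that is not code from the post, from GnuPG or from 7-Zip: a random session key encrypts the payload once with a symmetric cipher, and only that session key is wrapped under each recipient's public key, so every recipient gets their own copy and the sender cannot read the message unless the sender is also a recipient. The example assumes the third-party Python `cryptography` package and substitutes AES-128-GCM and RSA-OAEP for OpenPGP's packet format and ElGamal; the names Alice, Joe and Kim and the sample host list are constructed for the demo.

```python
"""Hybrid (OpenPGP-style) encryption: symmetric session key for the data,
public key only for the session key, one wrapped copy per recipient.

Illustration only; uses AES-128-GCM and RSA-OAEP from the third-party
'cryptography' package (assumed installed) rather than OpenPGP packets.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the session key for every recipient.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """One party's private key; the public half is key.public_key()."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for(recipients, plaintext):
    """Encrypt the plaintext once, wrap the session key once per recipient.

    recipients: {name: public_key}. The returned dict stands in for the
    OpenPGP message: one symmetric ciphertext plus one wrapped session key
    per recipient. The whole file is never encrypted with a public key.
    """
    session_key = AESGCM.generate_key(bit_length=128)   # the hidden "password"
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped_keys = {name: pub.encrypt(session_key, OAEP)
                    for name, pub in recipients.items()}
    # The raw session key goes out of scope here; only wrapped copies survive.
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_keys": wrapped_keys}


def decrypt_as(name, private_key, message):
    """Unwrap name's copy of the session key, then decrypt the payload."""
    if name not in message["wrapped_keys"]:
        raise PermissionError(f"{name} is not a recipient of this message")
    session_key = private_key.decrypt(message["wrapped_keys"][name], OAEP)
    return AESGCM(session_key).decrypt(message["nonce"], message["ciphertext"], None)


def can_decrypt(name, private_key, message):
    """True only if this (name, private key) pair recovers the plaintext."""
    try:
        decrypt_as(name, private_key, message)
        return True
    except (PermissionError, ValueError, InvalidTag):
        # ValueError: RSA-OAEP unwrap with the wrong private key failed.
        # InvalidTag: AES-GCM authentication failed (ciphertext tampered).
        return False


def demo():
    """Alice encrypts to Joe and Kim: they can read it, Alice cannot."""
    keys = {who: generate_keypair() for who in ("alice", "joe", "kim")}
    payload = b"bad-host-1.example\nbad-host-2.example\n"   # constructed sample
    msg = encrypt_for({"joe": keys["joe"].public_key(),
                       "kim": keys["kim"].public_key()}, payload)
    # Flip one ciphertext byte to show the symmetric layer is also authenticated.
    tampered = dict(msg, ciphertext=bytes([msg["ciphertext"][0] ^ 0x01])
                    + msg["ciphertext"][1:])
    return {
        "joe": decrypt_as("joe", keys["joe"], msg) == payload,
        "kim": decrypt_as("kim", keys["kim"], msg) == payload,
        "alice_not_recipient": can_decrypt("alice", keys["alice"], msg),
        "alice_using_joes_slot": can_decrypt("joe", keys["alice"], msg),
        "joe_tampered": can_decrypt("joe", keys["joe"], tampered),
        "wrapped_copies": len(msg["wrapped_keys"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` is the whole point of the post's "even I cannot decipher it any more": Alice produced the message, yet neither her own name nor her private key against Joe's slot recovers anything, while both listed recipients do. Adding a recipient costs one more wrapped copy of the 16-byte session key, not another copy of the payload, which is why a mail client can encrypt to a whole recipient list cheaply.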