So no one got back to me.
Does anyone use symmetric file encryption? What is the best practice
here? I heard of another solution which was to mount an encrypted
directory with fuser to drop files into. I think I would wounder how
safe the passphrase was for mounted filesystems, though I know of some
techniques for protecting them.
Any pointers regarding best practices for symmetric file encryption
would be much appreciated.
Thanks,
Clif
On 01/17/2014 01:15 PM, Mr. Clif wrote:
Greetings!
I've been happily using pgp and gpg off and on for decades. One thing
I never quite figured out was what the best way to use it for
encrypting sensitive files on disk. After doing that one has to
remember to cleanup after themselves and delete all the leftover
plaintext versions of the file, or it kind of defeats the whole
purpose, and its pretty easy to make a mistake when doing it manually.
I always felt that GPG should help you a bit more in that regard. Now
I know that full disk encryption might be a way around this, but it
seems like overkill if you just have a couple of files to protect.
I have searched high and low and checked out GnuPG Shell, GPA,
Seahorse, XAP, and some other misc wrappers but nothing seemed to fit
my use case. So I wrote a simple wrapper in perl. Basically it just
lets you toggle a file between plaintext and encrypted forms without
letting the plaintext version touch/remain on the disk, unless that is
what you want.
#! /usr/bin/perl -U
# This Perl script is a wrapper around GPG to decrypt or encrypt
a file.
# It's goal is to try to prevent plaintext from touching, or remaining
# on the disk, something GPG fails to do. If there is a new file
created
# It will be in the same directory as the original unless you
specify a new
# path in a second arg.
#
# By Clif 12/05/13
#
# External utilities
$GPG = "/usr/bin/gpg"; # GnuPG 1.4.15
$SHRED = "/usr/bin/shred"; # secure file deleter
(GNU coreutils) 8.13
# Arguments
($arg, $dest) = @ARGV;
# Break down the pathname
$path = $1 if $arg =~ /^(.*?)(\/[^\/]*)$/;
$file = $1 if $arg =~ /([^\/]+)\/?$/;
$base = $1 if $file =~ /^(.+?)(\.[^.]*)?$/;
$ext = $1 if $file =~ /\.([^. ]*)\s*$/;
# Get destination
if ($dest) {
$destp = 1;
$dest .= "/$base" if (-d $dest);
$dest =~ s/\.asc\s*$//;
} else { $dest = $path ? "$path/$base" : $base }
# Is this a planetext or an encrypted file?
if (-r $arg) {
if ($ext eq "asc") { # Encrypted
if ($destp) { system("$GPG -o $dest $arg") }
else { system("$GPG -o - $arg") }
} else { # Plaintext
unlink "${dest}.asc";
$err = system("$GPG -o ${dest}.asc -ca --cipher-algo AES256
$arg");
if ($err) { print "ERROR = $err\n" }
else { system("$SHRED -un9 $arg") }
}
} else { warn "No such file: $arg\n" }
# All done
Obviously it could be much more thorough but I just wanted to get the
idea across. I was also thinking about adding a RAM based editing
feature but I didn't want to reinvent the wheel if someone knows of a
similar project.
Thanks for any comments you might have,
Clif
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
