Date: Wed, 26 May 2004 17:22:13 +0200 (CEST)
From: Cordula's Web <cpghost@cordula.ws>
To: simon.bates@utoronto.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: File encryption: bdes or gpg
Message-ID: <20040526152213.A50D94082C@fw.farid-hajji.net>
In-Reply-To: <40B4A372.5020506@utoronto.ca> (message from Simon Bates on Wed, 26 May 2004 10:02:26 -0400)
References: <40B4A372.5020506@utoronto.ca>

> I am hoping someone can give me advice on file encryption. I would like
> to encrypt a file and store it on my filesystem. I would like to encrypt
> the file so that my data is not readable by someone who gains root
> access or physical access to my computer. I do not intend to share the
> data with anyone else so a public/private key system is optional.
>
> I did some Googling and some reading of man pages and I have come up
> with 3 options thus far:
>
> 1. bdes(1)
>
> 2. gpg -c (/usr/ports/security/gnupg)
>
> 3. gpg (/usr/ports/security/gnupg) with a public/private key pair for me
> plus a passphrase

4. gbde (on FreeBSD >= 5.X) encrypts a whole filesystem.
   It is much easier to use than utilities that encrypt
   single files.

5. bdes/idea/gpg/... on top of gbde (storing an encrypted
   file on an encrypted filesystem).

IMHO, it's not really the encryption algorithm that is
the weak link, but:
  a. tempfiles (or shreds of temp files) that are not
     physically overwritten (including swap memory),
  b. poor passphrases (too short or not random enough),
  c. human error.

Many programs write to temporary files (including buffers),
before writing the final versions out to disk. If you use
encrypted filesystems (like gbde) everywhere a tempfile is
likely to be dropped (don't forget [/var]/tmp and swap),
your data would be much safer.

--
Cordula's Web. http://www.cordula.ws/
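
Added example, not part of the original message: a check for the point about [/var]/tmp and swap, reporting which of those locations are not backed by a gbde device. It assumes attached gbde devices appear with a `.bde` suffix; the function names and the sample `mount`/`swapinfo` text are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumption: an attached gbde device carries a ".bde" suffix.

# Reads `mount` output on stdin. For /tmp and /var/tmp, finds the filesystem
# that actually holds the path (longest matching mount point) and prints
# "path device" when that device is not a .bde device.
plain_tmp_paths() {
    awk '
    $2 == "on" { dev[$3] = $1 }    # mount point -> backing device
    END {
        n = split("/tmp /var/tmp", want, " ")
        for (i = 1; i <= n; i++) {
            best = ""
            for (mp in dev) {
                # candidate if it is the path itself or a parent directory
                if (mp == "/" || want[i] == mp || index(want[i], mp "/") == 1)
                    if (length(mp) > length(best)) best = mp
            }
            if (best != "" && dev[best] !~ /\.bde$/)
                print want[i], dev[best]
        }
    }'
}

# Reads `swapinfo` output on stdin; prints swap devices that are not .bde.
plain_swap_devices() {
    awk '$1 ~ /^\/dev\// && $1 !~ /\.bde$/ { print $1 }'
}

# Constructed sample input (not from a real machine).
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1e.bde on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /var (ufs, local, soft-updates)
/dev/ad0s1f.bde on /home (ufs, local, soft-updates)'

SAMPLE_SWAP='Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b        524288        0   524288     0%'

echo "temp paths on unencrypted filesystems:"
printf '%s\n' "$SAMPLE_MOUNT" | plain_tmp_paths
echo "unencrypted swap devices:"
printf '%s\n' "$SAMPLE_SWAP" | plain_swap_devices
```

On a FreeBSD host, pipe the live output of `mount` and `swapinfo` into the two functions instead of the sample text.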