From owner-freebsd-questions@FreeBSD.ORG Wed May 26 10:53:39 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 007B516A4CE for ; Wed, 26 May 2004 10:53:39 -0700 (PDT) Received: from bureau14.utcc.utoronto.ca (bureau14.utcc.utoronto.ca [128.100.132.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C7FBA43D31 for ; Wed, 26 May 2004 10:53:38 -0700 (PDT) (envelope-from simon.bates@utoronto.ca) Received: from seahorse.ic.utoronto.ca ([142.150.64.81] EHLO utoronto.ca ident: IDENT-NOT-QUERIED [port 2733]) by bureau14.utcc.utoronto.ca with ESMTP id <890085-17040>; Wed, 26 May 2004 13:53:00 -0400 Message-ID: <40B4D997.10807@utoronto.ca> Date: Wed, 26 May 2004 13:53:27 -0400 From: Simon Bates User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031008 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <40B4A372.5020506@utoronto.ca> <20040526152213.A50D94082C@fw.farid-hajji.net> In-Reply-To: <20040526152213.A50D94082C@fw.farid-hajji.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: File encryption: bdes or gpg X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 May 2004 17:53:39 -0000 Thank you very much for your reply, for your comments on temp file usage, and your suggestion to use gbde. Right now I am using FreeBSD 4.9 but moving to 5 is definitely an option. I'll have a look at gbde. Thanks! Simon Cordula's Web wrote: >>I am hoping someone can give me advice on file encryption. I would like >>to encrypt a file and store it on my filesystem. I would like to encrypt >>the file so that my data is not readable by someone who gains root >>access or physical access to my computer. I do not intend to share the >>data with anyone else so a public/private key system is optional. >> >>I did some Googling and some reading of man pages and I have come up >>with 3 options thus far: >> >>1. bdes(1) >> >>2. gpg -c (/usr/ports/security/gnupg) >> >>3. gpg (/usr/ports/security/gnupg) with a public/private key pair for me >>plus a passphrase > > > 4. gbde (on FreeBSD >= 5.X) encrypts a whole filesystem. > It is much easier to use than utilities that encrypt > single files. > > 5. bdes/idea/gpg/... on top of gbde (storing an encrypted file > on an encrypted filesystem). > > IMHO, it's not really the encryption algorithm that is the weak > link, but: > a. tempfiles (or shreds of temp files) that are not physically > overwritten (including swap memory), > b. poor passphrases (too short or not random enough) > c. human error. > > Many programs write to temporary files (including buffers), before > writing the final versions out to disk. If you use encrypted filesystems > (like gbde) everywhere a tempfile is likely to be dropped (don't forget > [/var]/tmp and swap), your data would be much safer. >