CriticalRabbit 6 Posted ...

Hi,

What encryption program for encrypting whole folders do you use on Linux? I've used 7-zip on Windows but cannot find a good tutorial for Linux.

I've also considered using Truecrypt; however, while I've checked the SHA256, I cannot verify the sig. For example, when I type

    gpg --verify [truecrypt.sig] [truecrypt.tar.gz]

I get "Can't check signature: public key not found". I'm a bit of a noob so no idea what to do here. Any suggestions welcome.

Best,
Rabbit
InactiveUser 188 Posted ...

The developers use their private key to create the signature. In order to verify a signature, gpg needs to have the corresponding public key. Take a closer look at gpg's output:

    gpg --verify file.tar.sig
    gpg: assuming signed data in `file.tar'
    gpg: Signature made $some_date using RSA key ID 1234ABCD
    gpg: Can't check signature: public key not found

It tells you the ID of the key you need to import:

    gpg --recv-keys 1234ABCD
    gpg: key 1234ABCD: public key "John Doe" imported

Now gpg will be able to verify the signature:

    gpg --verify file.tar.sig
    gpg: assuming signed data in `file.tar'
    gpg: Signature made $some_date using RSA key ID 1234ABCD
    gpg: GOOD signature from "John Doe"

There is, as you may have guessed, a major problem here: How do you know this key actually belongs to the person you think it does? If your download of both file and signature had been man-in-the-middled, you might have imported a fake key and blindly accepted a spoofed "GOOD signature" result. That's a somewhat tricky problem to address. Ideally, you would have a "Web of Trust", meaning that people you already trust have signed this key.

Practical example: here are two keys, both claiming to belong to "Erinn Clark <erinn@torproject.org>":

Key #1:

Key #2:

Weird, right? Over the years, one key has been signed by many people from Debian, Tor, Guardian Project, while the other key has no sigs at all. Of course, all of Key #2's sigs could be fake too, but ideally you would find at least one among them that you already trust - that's the whole idea of the Web of Trust. But even without a proper WoT, you can easily spot the suspicious key in this particular case. If you want to spend even more time thinking about this problem, the Tails Project has elaborated on some interesting ideas on how to trust their signing keys.

What to use for file/folder encryption on Linux: I use gpg / gpg-zip, it's not the most convenient solution but I don't need it a lot.
Truecrypt or one of its hopefully trustworthy forks is probably still the most secure and convenient solution. EncFS is also worth a look (doesn't Ubuntu use it for /home/ encryption?) but its security audit wasn't exactly cheerful.

all of my content is released under CC-BY-SA 2.0
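The check the reply above is getting at, as an added example that is not code from the thread: a "GOOD signature" only proves that some imported key made the signature, so the script below reads gpg's machine-readable `--status-fd` lines and accepts a VALIDSIG only when its primary-key fingerprint matches one obtained out of band (project site over HTTPS, a Web-of-Trust path, a fingerprint you compared in person). The pinned fingerprint and the status lines are constructed placeholders.

```shell
#!/bin/sh
# Accept a gpg verification result only if the signing key is the one we pinned.
# Real use: check_sig_status "$PINNED_FPR" "$(gpg --status-fd 1 --verify file.sig file 2>/dev/null)"

# Constructed placeholder; replace with the fingerprint you verified out of band.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

check_sig_status() {
    expected=$1   # pinned 40-hex-digit primary-key fingerprint
    status=$2     # text of the "[GNUPG:] ..." status lines from gpg
    # The last field of VALIDSIG is the primary key's fingerprint
    # (the first field may be a signing subkey's fingerprint instead).
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }')
    if [ -z "$fpr" ]; then
        if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
            echo "REJECT: public key not found (import it, then compare its fingerprint out of band)"
            return 2
        fi
        echo "REJECT: no valid signature"
        return 1
    fi
    if [ "$fpr" = "$expected" ]; then
        echo "ACCEPT: valid signature from pinned key $fpr"
        return 0
    fi
    echo "REJECT: valid signature, but from key $fpr, not the pinned $expected"
    return 3
}

# Constructed sample status output in the shape gpg --status-fd prints it.
STATUS_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 John Doe <john@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-06-01 1401580800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
# A "GOOD signature" from a look-alike key carrying the same name: gpg is happy, we are not.
STATUS_SPOOFED='[GNUPG:] GOODSIG FEDCBA9876543210 John Doe <john@example.org>
[GNUPG:] VALIDSIG FFFF0000FFFF0000FFFF0000FFFF0000FEDCBA98 2014-06-01 1401580800 0 4 0 1 10 00 FFFF0000FFFF0000FFFF0000FFFF0000FEDCBA98'
# The situation from the original question: key not imported yet.
STATUS_NOKEY='[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1401580800 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'

for s in "$STATUS_GOOD" "$STATUS_SPOOFED" "$STATUS_NOKEY"; do
    check_sig_status "$PINNED_FPR" "$s" || true
done
```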
CriticalRabbit 6 Posted ...

Thanks for your reply. I did as you suggested and I got the "Good Signature". To get around the potential 'man-in-the-middle' problem, would it be a good idea to download the sig from different computers via different IPs (using AirVPN to rotate the IP for example)?

I would prefer Truecrypt mainly because the audit found nothing serious, it's cross-platform and because it's very easy to use. It's mainly for keeping financial info secure on a portable USB.

Cheers
InactiveUser 188 Posted ...

Yeah that would work. Or just download the sig through Tor and the file through VPN. Of course, if the source (website) is compromised, it doesn't matter how you download. In that case, only checking the key will help.
altae 22 Posted ...

I use EncFS (Linux and Windows) and Boxcryptor Classic which is also EncFS. You can create encrypted folders with Boxcryptor Classic and open those folders with any program that is able to read EncFS encrypted folders. Example for Linux (with gui): Gnome-Encfs-Manager. And on Windows there is encfs4win.