Jump to content
Not connected, Your IP: 3.129.69.134
CriticalRabbit

Encryption Application

Recommended Posts

 

Hi,

 

What encryption program for encrypting whole folders do you use on Linux?

 

I've used 7-zip on Windows but cannot find a good tutorial for Linux. I've also considered using Truecrypt; however, while I've checked the SHA256, I cannot verify the sig. For example, when I type gpg --verify [ truecrypt.sig] [truecrypt.tar.gz] I get “Can't check signature: public key not found”. I'm a bit of noob so no idea what to do here.

 

Any suggestions welcome.

 

Best,

Rabbit

Share this post


Link to post

The developers use their private key to create the signature.
In order to verify a signature, gpg needs to have the corresponding public key.
Take a closer look at gpg's output:

 

gpg --verify file.tar.sig

gpg: assuming signed data in `file.tar'
gpg: Signature made $some_date using RSA key ID 1234ABCD
gpg: Can't check signature: public key not found

It tells you the ID of the key you need to import:

gpg --recv-keys 1234ABCD

gpg: key 1234ABCD: public key "John Doe" imported

Now gpg will be able to verify the signature:
 

gpg --verify file.tar.sig

gpg: assuming signed data in `file.tar'
gpg: Signature made $some_date using RSA key ID 1234ABCD
gpg: GOOD signature from "John Doe"

There is, as you may have guessed, a major problem here: How do you know this key actually belongs to the person you think it does? If your download of both file and signature had been man-in-the-middled, you might have imported a fake key and blindly accepted a spoofed "GOOD signature" result.

That's a somewhat tricky problem to address.
Ideally, you would have a "Web of Trust", meaning that people you already trust have signed this key.

Practical example: here are two keys, both claiming to belong to "Erinn Clark <erinn@torproject.org>":

 

Key #1:

 

 

pdqrqqW.png

Key #2:

 

8A4WlgU.png

 

Weird, right? Over the years, one key has been signed by many people from Debian, Tor, Guardian Project, while the other key has no sigs at all.
Of course, all of Key #2's sigs could be fake too, but ideally you would find at least one among them that you already trust - that's the whole idea of the Web of Trust.
But even without a proper WoT, you can easily spot the suspicious key in this particular case.

If you want to spend even more time thinking about this problem, the Tails Project has elaborated on some interesting ideas on how to trust their signing keys.    

What to use for file/folder encryption on Linux:
I use gpg / gpg-zip, it's not the most convenient solution but I don't need it a lot. Truecrypt or one of its hopefully trustworthy forks is probably still the most secure and convenient solution. EncFS is also worth a look (doesn't Ubuntu use it for /home/ encryption?) but its security audit wasn't exactly cheerful.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

 

Thanks for your reply. I did as you suggested and I got the “Good Signature”.To get around the potential 'man-in'the'middle' problem, would it be a good idea to download the sig from different computers via different IPs (using AirVPN to rotate the IP for example)?

 

I would prefer Truecrypt mainly because the audit found nothing serious, it's cross-platform and because it's very easy to use. It's mainly for keeping financial info secure on a portable USB.

 

Cheers

Share this post


Link to post

I use EncFS (Linux and Windows) and Boxcryptor Classic which is also EncFS. You can create encrypted folders with Boxcryptor Classic and open those folders with any program that is able to read EncFS encrypted folders. Example for Linux (with gui): Gnome-Encfs-Manager. And on Windows there is encfs4win.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...