A plug: If you're worried about "lead pipe" attacks, I've set up a simple service for remote-activated duress codes at http://unduress.com. I'm not sure anyone actually uses it, but it passes the tests I've written and it seems to work in practice...
I've been using GPG to password-protect files for a long time. It's so easy that I'm surprised more people don't use it.
(Non-security-researcher suggestion follows, take with a grain of salt): Note that the default encryption algo used with the -c option is usually CAST5. Though there haven't been any successful attacks against it yet, in today's world of the NSA storing communications indefinitely you might want to consider using AES256 instead of CAST5 to (semi) future-proof your encrypted files. You can do that by adding the following line to ~/.gnupg/gpg.conf:
personal-cipher-preferences aes256 3des
If I'm misguided in that suggestion please do let me know!
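The check a practitioner would want before switching preferences is which cipher the files already on disk actually use. The following is an added example, not code from the thread: it parses the output of `gpg --list-packets`, whose first packet for a `gpg -c` file is a "symkey enc packet" carrying the OpenPGP cipher algorithm id (RFC 4880 section 9.2: 2 = 3DES, 3 = CAST5, 7/8/9 = AES-128/192/256). The sample listings are constructed; `list_packets` and `encrypt_symmetric` assume a local `gpg` binary and are not exercised offline. The default cipher for `-c` depends on the GnuPG version, which is exactly why checking the file beats assuming.

```python
"""Check which cipher a GPG symmetrically encrypted file actually uses.

Added example (not from the thread). Parses ``gpg --list-packets`` output
and maps the OpenPGP cipher id to a name.
"""
import re
import subprocess
from typing import Optional

# OpenPGP symmetric-key algorithm ids (RFC 4880, section 9.2).
CIPHER_IDS = {
    1: "IDEA",
    2: "3DES",
    3: "CAST5",
    4: "Blowfish",
    7: "AES128",
    8: "AES192",
    9: "AES256",
    10: "Twofish",
}

# The ciphers the thread recommends preferring over CAST5.
ACCEPTABLE = {"AES256", "AES192", "AES128"}

# Matches e.g. ":symkey enc packet: version 4, cipher 3, s2k 3, hash 2"
_SYMKEY_RE = re.compile(r"^:symkey enc packet:.*\bcipher (\d+)\b", re.M)


def cipher_from_packet_listing(listing: str) -> Optional[str]:
    """Return the cipher name from ``gpg --list-packets`` output.

    Returns None if no symmetric-key encrypted session key packet is
    present (e.g. the file was public-key encrypted, not made with -c).
    """
    m = _SYMKEY_RE.search(listing)
    if not m:
        return None
    cid = int(m.group(1))
    return CIPHER_IDS.get(cid, f"unknown({cid})")


def is_acceptable(cipher: Optional[str]) -> bool:
    """True only for an AES cipher; CAST5, 3DES and unknowns fail."""
    return cipher in ACCEPTABLE


def list_packets(path: str) -> str:
    """Run gpg --list-packets on a file (assumes gpg is installed).

    Assumption: in batch mode gpg may exit non-zero because it cannot
    decrypt the session key without a passphrase, but the symkey packet
    has already been printed by then, so stdout is returned regardless.
    """
    out = subprocess.run(
        ["gpg", "--batch", "--list-packets", path],
        capture_output=True, text=True, check=False,
    )
    return out.stdout


def encrypt_symmetric(path: str, cipher: str = "AES256") -> None:
    """Force a cipher for one invocation instead of relying on gpg.conf.
    Assumes gpg is installed; passphrase comes from gpg-agent/pinentry."""
    subprocess.run(
        ["gpg", "--batch", "--symmetric", "--cipher-algo", cipher,
         "--output", path + ".gpg", path],
        check=True,
    )


# Constructed sample listings in the shape gpg 2.x prints.
SAMPLE_CAST5 = """# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
\tsalt 0102030405060708, count 65011712 (255)
"""
SAMPLE_AES256 = """# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
\tsalt 0102030405060708, count 65011712 (255)
"""
SAMPLE_PUBKEY = ":pubkey enc packet: version 3, algo 1, keyid 0000000000000000\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_cipher.py file.gpg [more.gpg ...]
    for p in sys.argv[1:]:
        c = cipher_from_packet_listing(list_packets(p))
        print(f"{p}: {c or 'not a gpg -c file'} "
              f"({'ok' if is_acceptable(c) else 'consider re-encrypting'})")
```

Files reported as CAST5 can be re-encrypted with `encrypt_symmetric`, which passes `--cipher-algo AES256` explicitly; the `personal-cipher-preferences` line in gpg.conf changes the default for future `-c` runs but does nothing for files already written.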
I'm likely denser than you. I find gpg so obtuse that one of the first things I built at Elation was a python app that wraps it. We keep passwords in structured text files which are encrypted using gpg, then the python file wraps all the gpg bits, keeps the stuff organized, and lets us do things like tab-complete the username we're pulling a password from, and copies the password to our clipboard so that we don't have to ever see the passwords, much less all of them.
In fact, we're interested in open-sourcing it, since it's really rough around the edges. If anyone is interested in working on it with us, hit me up and maybe we can toss it up on github and make it nicer together.
If you structure the file, say, passwords, appropriately, or even very loosely (one record per line), you can write a bash script or function to query the file. More useful if you've got a pgp-agent running. Say:
qpass () { gpg -d ~/passwords.asc | grep -- "$1"; }  # quote $1 so a query with spaces or glob characters is passed to grep intact
... and when you want to know your HN password, you query it with 'qpass ycomb'
Great idea. I have a little Python wrapper around that, which also copies the password to your buffer (so you never actually see it), and password generation.
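Both the bash one-liner above and the Python wrapper mentioned in reply share one design: decrypt with gpg, match a record, hand the secret over without showing it. The following is an added example of that pattern, not the wrapper either commenter describes. It assumes a `gpg -c` file whose plaintext holds one record per line, `<name> <username> <password>`, with gpg-agent supplying the passphrase; the hypothetical `copy_to_clipboard` shells out to `pbcopy`, `xclip` or `wl-copy`, whichever is present. The sample file contents are constructed. Matching is on the record name only, so unlike a bare `grep` the query can never match inside a password or print unrelated records.

```python
"""Password-file wrapper around ``gpg -d`` (added example, not the
thread's wrapper). Record format: ``<name> <username> <password>``,
one per line; '#' lines and blank lines are ignored.
"""
import secrets
import shutil
import string
import subprocess
from typing import List, NamedTuple, Optional


class Record(NamedTuple):
    name: str
    username: str
    password: str


def parse_records(text: str) -> List[Record]:
    """Parse the decrypted file. The password is everything after the
    second field, so passwords containing spaces survive."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the lookup
        records.append(Record(*parts))
    return records


def find_records(records: List[Record], query: str) -> List[Record]:
    """Case-insensitive substring match on the record name only."""
    q = query.lower()
    return [r for r in records if q in r.name.lower()]


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password from letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def decrypt(path: str) -> str:
    """Assumes gpg is installed and gpg-agent holds the passphrase."""
    out = subprocess.run(
        ["gpg", "--batch", "--quiet", "--decrypt", path],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def copy_to_clipboard(secret: str) -> None:
    """Hypothetical helper: push the secret to the clipboard via whichever
    tool exists, so it is never written to the terminal or scrollback."""
    for tool in (["pbcopy"], ["xclip", "-selection", "clipboard"], ["wl-copy"]):
        if shutil.which(tool[0]):
            subprocess.run(tool, input=secret.encode(), check=True)
            return
    raise RuntimeError("no clipboard tool found")


def lookup(path: str, query: str) -> Optional[str]:
    """Copy the matching password to the clipboard and return its username.
    Ambiguous queries list the candidate names (never the secrets)."""
    matches = find_records(parse_records(decrypt(path)), query)
    if len(matches) != 1:
        names = ", ".join(r.name for r in matches) or "none"
        print(f"{len(matches)} matches for {query!r}: {names}")
        return None
    copy_to_clipboard(matches[0].password)
    return matches[0].username


# Constructed sample plaintext, as it would look after gpg -d.
SAMPLE_FILE = """# name  username  password
ycomb   alice     hunter2
bank    bob       correct horse battery
broken-line-without-enough-fields

mail    carol     p@ss word!
"""


if __name__ == "__main__":
    import sys
    # Usage: python qpass.py ~/passwords.asc ycomb
    user = lookup(sys.argv[1], sys.argv[2])
    if user:
        print(f"password for {user} copied to clipboard")
```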
That's nice for your personal files -- is there something similarly simple with an escrow option?
I.e. Bob encrypted a bunch of critical files and left the company. While I don't want someone that hacks into the server to be able to decrypt them (so the key must be kept in a separate location, like Bob's head) I do want to make sure I can decrypt the files under those special circumstances, but they have to be stored in a way that makes them hard to get.
When the VA had a laptop theft that resulted in a large identity breach, many government entities freaked and implemented policies that they didn't understand. Think schools, local government, etc.
In these situations, you may find yourself in trouble when auditors catch a security issue violating your own policy, because dog licensure data isn't properly encrypted.
I enjoy how easy it is to have good encryption these days. I still lean too heavily on TrueCrypt when I need a cross-platform portable encrypted device, but when I'm in only-linux land I have all sorts of awesome choices as well.
It uses GPG for symmetric encryption as per TFA.