

Ask HN: What encryption programs do you use? - josephriley

Recently I've been trying to secure almost everything on my company's computers/employees' computers.

I was wondering if you guys have any recommendations on file encryption, and what encryption software do you use/trust?
======
olefoo
Encryption software is not something to be trusted; its use is to be regarded
as a necessary evil, likely to fail without warning, and prone to catastrophic
failures in two modes: that of being completely ineffective and that of being
all too effective. People are not good at Key Management, and if you ever
think that you have learned how to be good at Key Management, that is the day
that you will screw it up royally.

That said.

1. Generate private keys on a host that is fully disconnected from the
network using an OS image dedicated to that purpose.

2. Make backups, on paper, keep them in separate locations, take reasonable
precautions to make sure that root keys are recoverable. Be aware of how this
compromises your security, and what tripwires and alarms you need to have in
place to deal with those vulnerabilities.

3. Do create intermediate signing keys, you shouldn't need to open the vault
to create an email alias or process a new hire.

4. Do re-key on a schedule. Do not generate fresh keys ahead of time.

5. You are not MI-6 or the NSA, you will screw it up. Have a plan for when
that happens.
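
Added example (editor's illustration, not part of olefoo's comment and not any tool's own scripts): steps 1 to 4 above carried out with GnuPG 2.1 or later. The offline and online hosts are simulated as two throwaway GNUPGHOME directories; the user ID, file names and the two-year/one-year lifetimes are assumptions for the demo, and the empty passphrase is for the demo only.

```shell
#!/bin/sh
# Added example: olefoo's steps 1-4 carried out with GnuPG (2.1 or later).
# The "offline" and "online" hosts are simulated as two throwaway GNUPGHOME
# directories; the user ID, file names and lifetimes are assumptions for the
# demo. The empty passphrase is for the demo only.

# gpg with non-interactive flags, run against the keyring directory in $1.
gpg_in() {
    _home=$1; shift
    GNUPGHOME="$_home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' "$@"
}

# Returns 0 when the online keyring signs and verifies with the subkey alone
# while holding only a stub of the primary secret key; 2 if gpg is missing.
demo_key_hierarchy() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    offline=$(mktemp -d) || return 1
    online=$(mktemp -d) || return 1
    uid="Example Corp Root <root@example.invalid>"    # assumed user ID

    # Step 1 (and 4): on the disconnected host, a certify-only primary key
    # that expires in two years, so re-keying is forced on a schedule.
    gpg_in "$offline" --quick-generate-key "$uid" ed25519 cert 2y || return 1
    fpr=$(gpg_in "$offline" --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # Step 3: a signing subkey with a shorter lifetime does the daily work;
    # the primary key never has to leave the vault for it.
    gpg_in "$offline" --quick-add-key "$fpr" ed25519 sign 1y || return 1

    # Step 2: the complete secret key, ASCII-armoured, is what goes onto the
    # paper backups. gpg also wrote a revocation certificate (for step 5) into
    # $offline/openpgp-revocs.d/ when the primary key was created.
    gpg_in "$offline" --armor --export-secret-keys "$fpr" \
        > "$offline/primary-backup.asc" || return 1

    # Only the subkeys are exported for the online machines.
    gpg_in "$offline" --armor --export-secret-subkeys "$fpr" \
        > "$offline/subkeys.asc" || return 1

    # Online host: import the subkeys and confirm the primary secret key is
    # present only as a stub ("#" in field 15 of the sec record).
    gpg_in "$online" --import "$offline/subkeys.asc" || return 1
    gpg_in "$online" --with-colons --list-secret-keys \
        | awk -F: '$1 == "sec" && $15 == "#" { ok = 1 } END { exit !ok }' || return 1

    # Sign a constructed file with the subkey and verify the signature.
    printf 'release manifest v1\n' > "$online/manifest.txt"
    gpg_in "$online" --detach-sign --output "$online/manifest.txt.sig" \
        "$online/manifest.txt" || return 1
    gpg_in "$online" --verify "$online/manifest.txt.sig" "$online/manifest.txt" \
        2>/dev/null || return 1

    # Stop the per-keyring agents and remove the demo directories.
    GNUPGHOME="$offline" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$online" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$offline" "$online"
    return 0
}
```

Source the file and call demo_key_hierarchy. In real use, subkeys.asc is the only file that reaches employees' machines, primary-backup.asc is what gets printed and split across locations, and both the primary key and the subkeys get real passphrases; the subkey's one-year expiry is the schedule on which step 4 happens.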

------
JoachimSchipper
Use full-disk encryption (TrueCrypt for Windows, LUKS for Linux, softraid
crypto for OpenBSD, etc.) File-based encryption is too hard to get wrong - are
you _sure_ that your editor didn't write an unencrypted copy to disk and
delete it immediately after?

------
mike-cardwell
LUKS/dm-crypt for file system encryption on Linux

Encfs and Truecrypt for encrypted file stores

GnuPG for encrypted files and email

Enigmail to integrate GnuPG with Thunderbird

------
mkhattab
GnuPG on OSX and I use it mostly via Emacs. PGP would probably be a good
choice for some companies since it relies on a concept called the "web of
trust."

------
fekberg
TrueCrypt is good and quite common.

------
josephriley
Thanks for the insight!

