

Simple Password Encrypted Files w/ GnuPG - era86
http://runtime-era.blogspot.com/2012/08/simple-password-encrypted-files-w-gnupg.html

======
repsilat
A plug: If you're worried about "lead pipe" attacks, I've set up a simple
service for remote-activated duress codes at <http://unduress.com>. I'm not
sure anyone actually uses it, but it passes the tests I've written and it
seems to work in practice...

It uses GPG for symmetric encryption as per TFA.

~~~
K2h
From your page: ... No. Mourn for your data ...

I like that.

------
acabal
I've been using GPG to password-protect files for a long time. It's so easy
that I'm surprised more people don't use it.

(Non-security-researcher suggestion follows, take with a grain of salt): Note
that the default encryption algo used with the -c option is usually CAST5.
Though there haven't been any successful attacks against it yet, in today's
world of the NSA storing communications indefinitely you might want to
consider using AES256 instead of CAST5 to (semi) future-proof your encrypted
files. You can do that by adding the following line to ~/.gnupg/gpg.conf:

    personal-cipher-preferences aes256 3des

If I'm misguided in that suggestion please do let me know!

~~~
famousactress
I'm likely denser than you. I find gpg so obtuse that one of the first things
I built at Elation was a python app that wraps it. We keep passwords in
structured text files which are encrypted using gpg, then the python file
wraps all the gpg bits, keeps the stuff organized, and lets us do things like
tab-complete the username we're pulling a password from, and copies the
password to our clipboard so that we don't have to ever see the passwords,
much less all of them.

In fact, we're interested in open-sourcing it since it's really rough around
the edges. If anyone is interested in working on it with us, hit me up and
maybe we can toss it up on github and make it more nice together.

------
dredmorbius
Take this one step further with transparent editing of encrypted files in vim:

<http://vim.wikia.com/wiki/Edit_gpg_encrypted_files>

If you structure the file, say, passwords, appropriately, or even very
loosely (one record per line), you can write a bash script or function to
query the file. More useful if you've got a pgp-agent running. Say:

    # Decrypt the file and print the records matching the first argument.
    qpass () { gpg -d ~/passwords.asc | grep -- "$1"; }

... and when you want to know your HN password, you query it with 'qpass
ycomb'

~~~
repsilat
Alternatively you can use something like EncFS.

<http://www.arg0.net/encfsintro>

To me it fits better with "The UNIX Way" - works with all the other tools and
so on. Doing it in vim is probably more portable, though :/

------
graham_king_3
Great idea. I have a little Python wrapper around that, which also copies the
password to your buffer (so you never actually see it), and password
generation.

<https://github.com/grahamking/kip>

------
Erwin
That's nice for your personal files -- is there something similarly simple
with an escrow option?

I.e. Bob encrypted a bunch of critical files and left the company. While I
don't want someone that hacks into the server to be able to decrypt them (so
the key must be kept in a separate location, like Bob's head) I do want to
make sure I can decrypt the files under those special circumstances, but they
have to be stored in a way that makes them hard to get.

------
Spooky23
Note that GPG is not FIPS 140 compliant, so if you are encrypting for compliance
purposes, GPG may not be considered encryption by your governing policy.

~~~
tptacek
If you need to be FIPS 140 compliant, you probably don't need a blog post to
show you how to password protect files with GPG.

As a technical solution for encrypting data, GPG is peachy.

~~~
Spooky23
I agree that GPG is awesome.

When the VA had a laptop theft that resulted in a large identity breach, many
government entities freaked and implemented policies that they didn't
understand. Think schools, local government, etc.

In these situations, you may find yourself in trouble when auditors catch a
security issue violating your own policy, because dog licensure data isn't
properly encrypted.

------
viraj_shah
I like this _fat free_ guide to encrypting my files.

------
drivebyacct2
I enjoy how easy it is to have good encryption these days. I still lean too
heavily on TrueCrypt when I need a cross-platform portable encrypted device,
but when I'm in only-linux land I have all sorts of awesome choices as well.

