On Sat, Jan 17, 2015 at 12:24:01PM +0000, Chris Green wrote:
On Fri, Jan 16, 2015 at 07:32:20PM +0000, Chris Green wrote:
Use 'pass' with a GnuPG key
The 'pass' program is effectively a wrapper script that makes it easy to use a GPG key for encrypting files. I've played with it a bit and (once I'd worked out how to generate my GPG key) it was pretty simple to use and provides me with the sort of interface I want. This thus gives a choice of key types and sizes.
I've just realised that the (much hyped?) security of using a GPG Key is totally pointless in my usage. The key itself is *way* weaker than the encryption it provides. So, there's no chance of anyone cracking one of the files, but *much* more chance of someone cracking the encrypted key itself. A GPG Key makes sense where the key itself is kept safe and separate from the things it's used to protect but when they're together it's just another layer of useless complexity. I may as well encode the files themselves with the same algorithm that's used for the pass-phrase on the key.
Using 'gpg --symmetric <filename>' makes *much* more sense for encrypting files that you're going to keep on a machine where you probably have your keyring as well. You can specify the cipher you want to use and there's nothing to brute-force to get at the password; it isn't stored anywhere. With the separate key protected by a passphrase there's an obvious thing to attack.
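As an added illustration (not from the thread), the constructed model below compares the two layouts the mail discusses, treating each protection layer as a link an attacker holding copies of the files must get through and rating the whole by its weakest link. The cipher and RSA strengths, the passphrase alphabet and the S2K iteration count are assumptions, not GnuPG defaults.

```python
import math

# Constructed model (added example, not from the mail thread).
CIPHER_KEY_BITS = 256     # assumed symmetric session key, e.g. AES256
RSA_2048_EQUIV_BITS = 112  # assumed symmetric-equivalent strength of RSA-2048
S2K_ITERATIONS = 65536    # assumed S2K/KDF iteration count (not a GnuPG default)


def passphrase_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols drawn from `alphabet` choices."""
    return length * math.log2(alphabet)


def guess_cost_bits(passphrase_entropy: float, kdf_iterations: int) -> float:
    """Offline guessing cost: every guess pays the KDF, so iterations add log2(iterations) bits."""
    return passphrase_entropy + math.log2(kdf_iterations)


def keyring_layout(passphrase_entropy: float, kdf_iterations: int = S2K_ITERATIONS) -> dict:
    """pass + GPG key with the keyring stored beside the files: passphrase -> private key -> session key -> file."""
    return {
        "passphrase protecting private key": guess_cost_bits(passphrase_entropy, kdf_iterations),
        "RSA private key": RSA_2048_EQUIV_BITS,
        "session key (cipher)": CIPHER_KEY_BITS,
    }


def symmetric_layout(passphrase_entropy: float, kdf_iterations: int = S2K_ITERATIONS) -> dict:
    """gpg --symmetric: passphrase -> S2K -> session key -> file. The passphrase is still a guessable link."""
    return {
        "passphrase (S2K)": guess_cost_bits(passphrase_entropy, kdf_iterations),
        "session key (cipher)": CIPHER_KEY_BITS,
    }


def weakest_link(layout: dict) -> tuple:
    """Return (link name, bits) for the cheapest link; that is the layout's effective strength."""
    name = min(layout, key=layout.get)
    return name, layout[name]


if __name__ == "__main__":
    for label, entropy in (("10 random alphanumerics", passphrase_bits(10, 62)),
                           ("40 random printables", passphrase_bits(40, 94))):
        print(label)
        for layout in (keyring_layout, symmetric_layout):
            name, bits = weakest_link(layout(entropy))
            print(f"  {layout.__name__:17s} weakest: {name} ({bits:.1f} bits)")
```

With a typical passphrase both layouts break at the same link; only with a passphrase stronger than the keys themselves does the keyring layout become bounded by the RSA key and the symmetric one by the cipher.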