
Thread: gpg vs openssl

  1. #1
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,175

    gpg vs openssl

    I want to encrypt backups of users' directories. I'm a part-time sysop (we are very poor here). I was able to get a convenient encryption with the stream cypher openssl:
    Code:
     # tar -cf - /dir | openssl enc -e -aes256 -out dirbackup.tgz.openssl
    tar: Removing leading `/' from member names
    enter aes-256-cbc encryption password:
    Verifying - enter aes-256-cbc encryption password:
    I would prefer a block cypher for security, but the gpg tool interacts directly with the OS 12.3x64 key storage system. These can get borked and require a lot of care to maintain - I would rather just remember a very complex passphrase, which is automatically continuous across system crashes/reinstalls - but I cannot get gpg to work outside the shared-key system (i.e., just using a passphrase):

    Code:
     # tar -cz c /dir | gpg -c -o -aes256 dirbackup.tgz.gpg
    tar: Removing leading `/' from member names
    gpg: can't open `dirbackup.tgz.gpg': No such file or directory
    gpg: symmetric encryption of `dirbackup.tgz.gpg' failed: No such file or directory
     # tar -cz c /dir | gpg -c -o dirbackup.tgz.gpg
    tar: Removing leading `/' from member names
    gpg: problem with the agent: No pinentry
    gpg: error creating passphrase: Operation cancelled
    gpg: symmetric encryption of `[stdin]' failed: Operation cancelled
    I've been googling around for an answer and came across a lot of bug reports on gpg.

    Patti
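
A passphrase-only backup of the kind asked about in this post, sketched with `openssl enc` so that no keyring or agent is involved. This is an added example, not part of the original post; the sample directory, passphrase and file names are constructed, and `-pbkdf2`/`-iter` assume OpenSSL 1.1.1 or later.

```sh
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data and passphrases (stand-ins for /dir and a real secret).
mkdir -p "$WORK/dir"
printf 'constructed sample file\n' > "$WORK/dir/notes.txt"
printf 'correct horse battery staple\n' > "$WORK/pass"
printf 'not the passphrase\n' > "$WORK/wrongpass"
chmod 600 "$WORK/pass" "$WORK/wrongpass"

# Encrypt a tar stream with a key derived from the passphrase file.
# -pass file: needs no terminal and keeps the passphrase out of the
# process list; -pbkdf2 -iter slows down guessing of the passphrase.
encrypt_backup() {   # $1 = parent dir, $2 = member, $3 = passfile, $4 = output
    tar -C "$1" -czf - "$2" |
        openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass "file:$3" -out "$4"
}

# Decrypt to stdout; the iteration count must match the one used to encrypt.
decrypt_backup() {   # $1 = passfile, $2 = input
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$1" -in "$2"
}

# Succeed only if decryption works and the archive lists the expected member.
verify_backup() {    # $1 = passfile, $2 = input, $3 = expected member
    decrypt_backup "$1" "$2" 2>/dev/null > "$WORK/restored.tgz" || return 1
    tar -tzf "$WORK/restored.tgz" 2>/dev/null | grep -qx "$3"
}

encrypt_backup "$WORK" dir "$WORK/pass" "$WORK/dirbackup.tgz.enc"
if verify_backup "$WORK/pass" "$WORK/dirbackup.tgz.enc" "dir/notes.txt"; then
    echo "restore test passed"
fi
```

`openssl enc` in CBC mode does not authenticate the ciphertext, so keep a separate checksum or MAC of the encrypted file if tampering with the backup is a concern.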

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,886
    Blog Entries
    3

    Re: gpg vs openssl

    Originally posted by PattiMichelle:
    Code:
     # tar -cf - /dir | openssl enc -e -aes256 -out dirbackup.tgz.openssl
    tar: Removing leading `/' from member names
    enter aes-256-cbc encryption password:
    Verifying - enter aes-256-cbc encryption password:
    I considered doing something like that (perhaps with gpg). But then I discovered "dar" which has encryption support built-in.

    I pretty much concluded that the best way to proceed was to either:

    • use a backup/archive program with builtin crypto support;
    • do backups to an encrypted disk (or encrypted partition).


    Either of those looks more straightforward than concocting something with an in-stream encryption.

    I currently use "dar" for Linux backups, and Acronis for Windows backups. Both support encrypted archives.

    If I were to use "clonezilla", then I think I would need to go with the alternate of an encrypted disk to store the image.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,079

    Re: gpg vs openssl

    On Fri, 23 May 2014 21:26:01 +0000, nrickert wrote:

    > I considered doing something like that (perhaps with gpg). But then I
    > discovered "dar" which has encryption support built-in.


    I would second the use of dar. I've used it myself, and it's simple and
    easy to use, especially with one of the graphical frontends like kdar.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  4. #4
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,175

    Re: gpg vs openssl

    Very cool! Thank you very much for the replies. Do you know of any reviews ranking security? I'm wondering why everything seems to be going to public-key type encryption. That's really pretty much wasted except for emails, sending files (like making sure a repo file hasn't been hacked), and stuff like that... Most backups are wayyy too big to be sending anywhere except, maybe, another drive in the datacenter... Most of what I see talked about in crypto these days is online (websites, emails, small files...) but backups aren't normally like that.

    Patti

    Cool class:
    https://www.coursera.org/course/crypto

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,886
    Blog Entries
    3

    Re: gpg vs openssl

    Originally posted by PattiMichelle:
    I'm wondering why everything seems to be going to public-key type encryption.
    You need to understand how public key crypto is used in practice. The actual encryption is done using symmetric encryption with a random key. The random key is then encrypted with public key crypto. So, in practice, there is very little actual encryption with a public key, even when using gpg or X.509 methods. The public key crypto is mostly used for digital signatures and for key management, not for the actual encryption of content.

    Public key encryption is used because it simplifies key management.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
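
The hybrid scheme described in the post above, carried out by hand with `openssl` as an added example that is not part of the original thread: a random session secret encrypts the data symmetrically, and only that secret goes through RSA. The key pair, payload and file names are constructed for the demo, and this shows the pattern only, not gpg's or X.509's actual message formats.

```sh
set -eu
HYB=$(mktemp -d)
trap 'rm -rf "$HYB"' EXIT

# Recipient key pair and payload, all constructed for this demo.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$HYB/priv.pem" 2>/dev/null
openssl pkey -in "$HYB/priv.pem" -pubout -out "$HYB/pub.pem"
printf 'constructed backup payload\n' > "$HYB/plain"

hybrid_encrypt() {   # $1 = public key, $2 = input, $3 = data out, $4 = wrapped key out
    # 1. Fresh random session secret for this one message.
    openssl rand -hex 32 > "$HYB/session"
    # 2. Bulk data is encrypted symmetrically under that secret.
    openssl enc -e -aes-256-cbc -pbkdf2 -pass "file:$HYB/session" \
        -in "$2" -out "$3"
    # 3. Only the short secret is encrypted with the public key.
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$HYB/session" -out "$4"
    rm -f "$HYB/session"
}

hybrid_decrypt() {   # $1 = private key, $2 = data, $3 = wrapped key; plaintext to stdout
    # Private key recovers the session secret, which then decrypts the data.
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$3" -out "$HYB/session.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$HYB/session.dec" -in "$2"
    rm -f "$HYB/session.dec"
}

hybrid_encrypt "$HYB/pub.pem" "$HYB/plain" "$HYB/data.enc" "$HYB/key.enc"
hybrid_decrypt "$HYB/priv.pem" "$HYB/data.enc" "$HYB/key.enc"
```

The wrapped key is a fixed 256 bytes for a 2048-bit RSA key regardless of how large the data file is, which is why the public-key step adds almost no cost even for large backups.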
