[Mark Wall <wall@chop.swmed.edu>]

Leigh S. Jones kr6x@kr6x.com
Sun Apr 28 04:06:01 2002


Hello Mark:
1 -- no
2 -- yes
3 -- no

Expanded answers:

1) Although gpg is a program written primarily for GNU/Linux systems,
it has been laboriously adapted to multiple platforms.  Linux and Unix
systems are occasionally quite different, and there may be no
guarantee that a file image on disk that has been overwritten will
actually be overwritten.  On many platforms an update to a file will
be written to a new location on the disk, leaving the old image on
disk unchanged.  Overwriting a file with random data to obliterate
all traces of a file from the disk image has to be done by programs
that are written for particular platforms using very low level
commands.  Look for a program that is written for your particular
platform (Linux, Unix -- of a particular release, Windows, etc.)
that offers this capability.  For instance, because there may be an
interest in this capability, future releases of programs like WinPT
might include this feature (it doesn't include the capability right
now).  Of course, some platforms already include commands that
will obliterate all data from one file or another on disk.

2) GnuPG doesn't care whether the file is text or binary.

3) Tough question.

Coming from the Unix/Linux world, GnuPG assumes a certain
level of sophistication among its users.  Unix/Linux users can
usually write quick scripts that satisfy the need to perform
multiple operations like this one very quickly.  To make this
possible, GnuPG's default encrypting/decrypting capability
channels input into it through "stdin" and channels output out
through "stdout".  This is like encrypting the keyboard entries
and sending the output to the screen.  Then the operating system
"pipe" and "redirect" features (usually the "|" and ">" characters
on the command line are used) will direct input and output from
whatever files are required.  Building scripts from "ls -1" and
"args" commands allows whole directories to be encrypted.

Decryption is more difficult.  For each file decrypted, GnuPG
will usually prompt for a password.  If it's not important to
decrypt whole directories at once, this might not be a problem.
But it would be a problem to be forced to enter your password
a few hundred times to decrypt a directory.

On Unix/Linux systems, the GnuPG Agent program can
sometimes help.  There are security problems associated with
GnuPG Agent on systems where shared use of the system is
part of the reality.  At my work there is an extensive network
of Sun systems.  Each system allows anyone to log on.  No
one needs to be at the particular system to log onto it.  Nothing
flags a user that someone else has logged onto his desktop Sun
system, except perhaps the response by the system to "who"
commands.  Almost all user data is written to a user's home
directory, and all users' home directories are on a server and
never locally stored -- in fact it nearly takes root privileges
to put anything onto your own Sun computer.  In such an
environment, use of GnuPG Agent would compromise a
password.  One might be able to get away with it, but it
wouldn't be wise.

Often add-in programs can help where the native capability
is weak.  For instance, on Windows systems there is a
program named WinPT that can make it possible to
encrypt multiple files.  I wouldn't recommend using WinPT
for encrypting large directories at a time quite yet, but
perhaps a dozen small files at once is quite practical.  They
are still working bugs out of WinPT, but it's a great start
for making GnuPG a really good tool on Windows.

Check the archives of the gnupg-users list for a program
I wrote for Borland C that interfaces with the Windows
version of gpg to make multiple accesses of a password.
The program was written for signing, but decrypting
would only require a tiny rewrite.  A batch file could
call this program.

----- Original Message -----
From: "Werner Koch" <wk@gnupg.org>
To: <gnupg-users@gnupg.org>
Sent: Saturday, April 27, 2002 2:24 PM
Subject: [Mark Wall <wall@chop.swmed.edu>]


>
> -------------------- Start of forwarded message --------------------
> Date: Wed, 24 Apr 2002 11:06:59 -0500
> To: gnupg-users-admin@gnupg.org
> From: Mark Wall <wall@chop.swmed.edu>
>
> Hello!
>
> Please redirect if this was incorrectly addressed.  I was unable to
> find archived mailing list messages, so I have 3 simple GnuPG
> questions:
>
> Can GnuPG:
>
>    1. completely erase/"shred" originals after encryption?
>    2. encrypt/decrypt binary files?
>    3. encrypt/decrypt filled directories or multiple files in one shot?
>
>
> Thank you,
>
> Mark Wall
> -----------
> HHMI/UT Southwestern Med. Ctr.
> 5323 Harry Hines Blvd.
> Dallas, TX  75390-9050
>
>
>
>
> -------------------- End of forwarded message --------------------
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
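
The script below is an added example, not code from the original post or from the GnuPG project.  It shows the pattern Leigh describes under question 3: gpg reads plaintext on stdin and writes ciphertext on stdout, so a shell loop over a directory encrypts text and binary files alike (question 2), and the passphrase is read once and handed to gpg on a file descriptor, so decrypting a few hundred files does not mean a few hundred prompts and does not require gpg-agent.  The shred_dir function covers the caveat from question 1: overwriting only helps on filesystems that rewrite blocks in place.  It assumes GnuPG 2.x (the `--pinentry-mode loopback` option did not exist in the 1.0.x releases current when the post was written), bash, and GNU shred(1) if available; the encrypt/decrypt/--shred command names and directory arguments are this example's own.

```shell
#!/bin/bash
# Added example, not code from the original post.  Assumes GnuPG 2.x and
# bash on a POSIX system; directory layout and file names are the caller's.
set -eu

# Read the passphrase once into $PASS.  It is never put on a command line,
# because argv is visible to every user on a shared machine via ps(1).
read_passphrase() {
    if [ -t 0 ]; then
        printf 'Passphrase: ' >&2
        stty -echo
        IFS= read -r PASS
        stty echo
        printf '\n' >&2
    else
        IFS= read -r PASS      # piped in from a calling script
    fi
}

# Run gpg with the passphrase delivered on fd 3 so --batch never prompts.
# Plaintext and ciphertext flow through stdin and stdout, so the same
# command handles text and binary input alike.
gpg_batch() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase-fd 3 \
        "$@" 3<<<"$PASS"
}

# encrypt_dir SRC DST: every regular file SRC/name becomes DST/name.gpg.
encrypt_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        gpg_batch --symmetric --cipher-algo AES256 \
            --output "$dst/$(basename "$f").gpg" < "$f"
    done
}

# decrypt_dir SRC DST: every SRC/name.gpg becomes DST/name.
decrypt_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*.gpg; do
        [ -f "$f" ] || continue
        gpg_batch --decrypt --output "$dst/$(basename "$f" .gpg)" < "$f"
    done
}

# shred_dir DIR: overwrite and unlink the plaintext originals.  This only
# destroys data on filesystems that rewrite blocks in place; journaling,
# copy-on-write, snapshots and SSD wear levelling can all keep old copies.
shred_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if command -v shred >/dev/null 2>&1; then
            shred -u -- "$f"
        else
            echo "shred(1) not available; $f was only unlinked" >&2
            rm -f -- "$f"
        fi
    done
}

# Usage: script.sh encrypt SRC DST [--shred]   |   script.sh decrypt SRC DST
case "${1:-}" in
    encrypt)
        read_passphrase
        encrypt_dir "$2" "$3"
        if [ "${4:-}" = --shred ]; then shred_dir "$2"; fi ;;
    decrypt)
        read_passphrase
        decrypt_dir "$2" "$3" ;;
esac
```

The passphrase goes over fd 3 rather than `--passphrase` on the command line for the same reason Leigh distrusts gpg-agent on a shared Sun network: anything in argv is readable by every other user via ps(1), whereas a here-string on a private descriptor is visible only to the gpg process.  Pass `--shred` only after confirming the filesystem really overwrites in place; on anything else the encrypted copy sits next to a still-recoverable plaintext.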