GPG2 encryption options

[Peter Lebbing]

On 07/10/13 20:44, Peter Humphreys wrote:
> Firstly I'm not 100% sure your getting my replies if I reply directly from
> my mail client (new to mailing lists).

As long as you send it to gnupg-users at gnupg.org, people on the list will get the
mail. Additionally, you can add specific people to To: and Cc: who you want to
mail directly.

The only thing is the Reply-To: header you set. It doesn't always do what you'd
expect for a mailing list. For instance, I had your yahoo address in Cc: when I
pressed reply for this mail. I removed it manually.

> My attempt at creating random passphrases is finished. I now have a script
> which generates these randomly and passing these through thanks to your
> previous advice is working nicely to encrypt and decrypt files.

Can you describe what you are trying to achieve? Not how, but what, or perhaps
how you intend to use it. Because I don't think you're going about it the right
way, but I'm not sure what you're trying to do anyway.

I don't think it's a good idea to generate random passphrases or something like
that. If your use case is this:

- You have a lot of files you wish to use often
- You don't want them to be in plaintext, because you're afraid someone might be
able to get at your backups
- You don't want to enter a passphrase each time

Then I think this scenario is best met by using public-key encryption and having
gpg-agent store the passphrase after you enter it the first time after you
booted the system and use one of the files.

In this case, you're not using public-key crypto because you want to give your
key to the public, but because it is a good way to gave gpg-agent keep the
passphrase for you. If it weren't for your requirement that you don't want to
enter those passphrases, you could also use symmetric crypto, but then gpg-agent
doesn't know that it should have the passphrase for a file. By using public-key
crypto, gpg-agent sees that the file is encrypted to that key, and it knows the
passphrase, so it can just unlock the file without bothering you any further.

If you so wish, you could create a keypair specifically for this purpose, and
not give the public key to anyone or send it to a keyserver. I'm not saying it
gives some extra layer of protection, and I'm not suggesting you do. I'm simply
saying it's a possibility should you want to.

Note that the second point of the scenario I give ("you're worried about people
having access to your backups") is part of a very important thing you should
consider: what is your threat model?  What do you want to protect against? If
you just go and blindly encrypt stuff because it feels safe, you're not going to
end up with something that is actually helpful.

> What I would now like to know is how to securely store and access the
> passphrase file for decrypting files.

A passphrase is something you know. You store it in your mind and access it
through neurons. If you store it on your harddrive, I wouldn't consider it a
passphrase anymore. Surely, you can build some wrapper around GnuPG, but you're
changing the concept from a passphrase to key material.

But, gpg-agent can cache a passphrase for you. It doesn't store it unencrypted
on the hard disk. I think it keeps it in a piece of main memory that it told the
operating system about to keep the OS from writing it to swap, so it stays off
your disk.

> Also how do I go about setting up the gpg-agent to cache my main passphrase 
> for X number of minutes for example?

$ man gpg-agent
[...]
--default-cache-ttl n
   Set the time a cache entry is valid to n seconds.  The default is 600 seconds.

You would put this without the two dashes on a single line in your gpg-agent.conf:
default-cache-ttl 1800

to cache it for half an hour. Also see max-cache-ttl; they probably need to be
consistent.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>