In case you use OpenPGP on a smartphone ...

vedaal at nym.hush.com vedaal at nym.hush.com
Tue Aug 11 21:49:25 CEST 2020 


On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac at 300baud.de> wrote:

...

>As understood a Pegasus operator can do what ever
>he likes to do remotely, anonymously with our (Android/iOS) 
>smartphone, without that we know that this happens.

...

>in form of a best practice FAQ (cross-platform), to no longer use 
>encryption software on online devices and work out
>strategies to use offline devices and how to handle this data 
>securely over to an online device, until proper and affordable
>hardware encryption devices for online usage are available?

=====

There is already a simple existing solution.

[1]  Encrypt and decrypt on a computer that has internet hardware disabled.

[2] Use an Orbic Journey V  phone that gets and sends *only text*

[3] Use a microsd expansion card on the orbis phone

[4] set up the phone to save encrypted texts on the microsd 'storage' card

[5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted) 

Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
(this includes audio, video .jpg, .png, pdf,  etc.    literally any and all possible file types.)

Even if the Orbic uses the *unknown* system, if your are encrypting and decrypting on a separate air-gapped computer, and transferring only text to a microsd, it is hard to see how it can be compromised.
(Yes *Anything* can happen, but without evidence, there is no end to paranoia)

It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.

The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it.

The rest is up to the User's threat model.

(btw,   
There is, [afaik], no protection available in GnuPG
against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message 
by flicking a wand at it, and using the simple charm   'Revelato'    )      

but not really in my threat model   8^))))


vedaal

More information about the Gnupg-users mailing list