Re: Support for RSA keys > 4096 bits

2018-11-06 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Nicolas,

There is also this site that may be of interest:

https://www.keylength.com/

As for your question, actually that was answered in GnuPG FAQ:

https://www.gnupg.org/faq/gnupg-faq.html#default_rsa2048

Kind regards,
Wiktor

On 07.11.2018 07:53, Nicholas Papadonis wrote:
> For those interested, link to the NIST document:
> 
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
> 
> On Wed, Nov 7, 2018 at 1:50 AM Nicholas Papadonis
> <nick.papadonis...@gmail.com> wrote:
> 
> I read in NIST 800-57 Part 1 Rev. 4 pg 53 that an RSA key length of
> 15360 bits is equivalent to a 256 bit AES symmetric key.  I also
> read in other documentation that NIST recommends such key lengths to
> protect data beyond 2030.  As email may be retained for many years
> it would seem appropriate to secure such communications with a
> larger key.
> 
> Does this data agree with security experts?  Is there a reason why
> GnuPG limits RSA key length to 4096 bits?
> 
> Thank you,
> Nicholas
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


-- 
https://metacode.biz/@wiktor



Re: Support for RSA keys > 4096 bits

2018-11-06 Thread Nicholas Papadonis
For those interested, link to the NIST document:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

On Wed, Nov 7, 2018 at 1:50 AM Nicholas Papadonis <
nick.papadonis...@gmail.com> wrote:

> I read in NIST 800-57 Part 1 Rev. 4 pg 53 that an RSA key length of 15360
> bits is equivalent to a 256 bit AES symmetric key.  I also read in other
> documentation that NIST recommends such key lengths to protect data beyond
> 2030.  As email may be retained for many years it would seem appropriate to
> secure such communications with a larger key.
>
> Does this data agree with security experts?  Is there a reason why GnuPG
> limits RSA key length to 4096 bits?
>
> Thank you,
> Nicholas
>


Support for RSA keys > 4096 bits

2018-11-06 Thread Nicholas Papadonis
I read in NIST 800-57 Part 1 Rev. 4 pg 53 that an RSA key length of 15360
bits is equivalent to a 256 bit AES symmetric key.  I also read in other
documentation that NIST recommends such key lengths to protect data beyond
2030.  As email may be retained for many years it would seem appropriate to
secure such communications with a larger key.

Does this data agree with security experts?  Is there a reason why GnuPG
limits RSA key length to 4096 bits?

Thank you,
Nicholas


Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?

2018-11-06 Thread Nicholas Papadonis
Interesting.  How about this for a start?

http://nickpapadonis.com/images-share/summerian-ancient-mesopotamia-ancient-lock.jpg
http://nickpapadonis.com/images-share/anunnaki1.jpg
http://nickpapadonis.com/images-share/summerian-Winged_Human-headed_Bulls.JPG

On Sun, Nov 4, 2018 at 7:21 PM open...@foocrypt.net 
wrote:

> Hi Nick
>
> Have You tried The FooKey Method ? https://foocrypt.net/the-fookey-method
>
> Also,
>
> I will be sourcing public addendum's as addendum's to my submission into
> the Parliamentary Joint Committee on Intelligence and Security [
> https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions
> ] regarding the committee’s review of the 'Telecommunication and Other
> Legislation Amendment (Assistance and Access) Bill 2018' after the
> Melbourne Cup. It will be similar to the open request for the Defence Trade
> Control Act review performed by the former Inspector General of
> Intelligence, Dr Vivian Thom.
>
>
> https://foocrypt.net/independent-review-of-the-defence-trade-controls-act-2012-cth-call-for-information-for-submission-as-a-case-study-from-the-openssl-community
>
>
> --
>
> Regards,
>
> Mark A. Lane
>
> Cryptopocalypse NOW 01 04 2016
>
> Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @
> https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11
>
> Cryptopocalypse NOW is the story behind the trials and tribulations
> encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."
>
> "FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening
> several commonly used Symmetric Open Source Encryption methods so that they
> are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.
>
> "FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under
> export control by the Australian Department of Defence Defence Export
> Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology
> as per the ‘Wassenaar Arrangement’
>
> A permit from Defence Export Control is expected within the next 2 months
> as the Australian Signals Directorate is currently assessing the associated
> application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical
> Encryption."
>
> Early releases of "Cryptopocalypse NOW" will be available in the period
> leading up to June, 2016.
>
> Limited Edition Collectors versions and Hard Back Editions are available
> via the store on http://www.foocrypt.net/
>
> © Mark A. Lane 1980 - 2016, All Rights Reserved.
> © FooCrypt 1980 - 2016, All Rights Reserved.
> © FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2016, All Rights
> Reserved.
> © Cryptopocalypse 1980 - 2016, All Rights Reserved.
>
>
>
> On 5 Nov 2018, at 10:35, Nicholas Papadonis 
> wrote:
>
> Comments
>
> On Sat, Nov 3, 2018 at 5:56 PM Bear Giles  wrote:
>
>> > I'm considering encrypting a tar archive and optionally a block file
>> system (via FUSE) using either utility
>>
>> Linux has good support for encrypted filesystems. Google LUKS.
>>
>
>
>> BTW a tar file starts with the name of the first entry. The 'magic
>> numbers' are at offset 128 or so. However a compressed tar file will start
>> with a known value since gzip, bzip2, and 7zip?, all start with their magic
>> values.
>>
>
> Does tar placing known data at a certain offset increase the probability
> that someone can perform an attack easier?  They may already know the data
> to decrypt at that offset and if the encrypted block overlaps, then the
> attack is easier.
>
> Thanks
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>


Re: encrypt linux backup folder using gpg

2018-11-06 Thread Kaushal Shriyan
Hi Francesco,

Thanks Francesco for the email. I have encrypted the file using my gpg key. How
do I share the encrypted helloworld.gpg file with the recipients, for example
j...@example.com?  Do I need to encrypt the file to the recipient's ID using
the gpg pub key? Any examples to understand it better? Please comment.

This works for me.
#gpg-zip --encrypt --output helloworld.gpg -r kaushal helloworld

Thanks in advance and I look forward to hearing from you.

Best Regards,

On Wed, Nov 7, 2018 at 8:39 AM Francesco Ariis  wrote:

> On Wed, Nov 07, 2018 at 08:10:48AM +0530, Kaushal Shriyan wrote:
> > Hi Francesco,
> >
> > Whom do I need to contact to correct the examples provided in manual
> > page?
>
> I opened a bug in Debian yesterday (after replying to you), albeit
> with no patch:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913060
>
> Let's hope it gets fixed soon!


Re: encrypt linux backup folder using gpg

2018-11-06 Thread Francesco Ariis
On Wed, Nov 07, 2018 at 08:10:48AM +0530, Kaushal Shriyan wrote:
> Hi Francesco,
> 
> Whom do I need to contact to correct the examples provided in manual page?

I opened a bug in Debian yesterday (after replying to you), albeit
with no patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913060

Let's hope it gets fixed soon!




Re: encrypt linux backup folder using gpg

2018-11-06 Thread Kaushal Shriyan
Hi Francesco,

Whom do I need to contact to correct the examples provided in manual page?

GPG-ZIP(1)                     GNU Privacy Guard                    GPG-ZIP(1)

NAME
       gpg-zip - Encrypt or sign files into an archive

SYNOPSIS
       gpg-zip [options] filename1 [ filename2, ... ] directory1
       [ directory2, ... ]

DESCRIPTION
       gpg-zip encrypts or signs files into an archive.  It is an gpg-ized
       tar using the same format as used by PGP's PGP Zip.

OPTIONS
       gpg-zip understands these options:

       --encrypt
       -e     Encrypt data.  This option may be combined with --symmetric
              (for output that may be decrypted via a secret key or a
              passphrase).

       --decrypt
       -d     Decrypt data.

       --symmetric
       -c     Encrypt with a symmetric cipher using a passphrase.  The
              default symmetric cipher used is CAST5, but may be chosen
              with the --cipher-algo option to gpg.

       --sign
       -s     Make a signature.  See gpg.

       --recipient user
       -r user
              Encrypt for user id user. See gpg.

       --local-user user
       -u user
              Use user as the key to sign with.  See gpg.

       --list-archive
              List the contents of the specified archive.

       --output file
       -o file
              Write output to specified file file.

       --gpg gpgcmd
              Use the specified command gpgcmd instead of gpg.

       --gpg-args args
              Pass the specified options to gpg.

       --tar tarcmd
              Use the specified command tarcmd instead of tar.

       --tar-args args
              Pass the specified options to tar.

       --version
              Print version of the program and exit.

       --help Display a brief help page and exit.

EXAMPLES
       Encrypt the contents of directory ‘mydocs’ for user Bob to file
       ‘test1’:

         *gpg-zip --encrypt --output test1 --gpg-args  -r Bob mydocs*

       List the contents of archive ‘test1’:

         gpg-zip --list-archive test1

DIAGNOSTICS
       The program returns 0 if everything was fine, 1 otherwise.

SEE ALSO
       gpg(1), tar(1),

       The full documentation for this tool is maintained as a Texinfo
       manual.  If GnuPG and the info program are properly installed at
       your site, the command

         info gnupg

       should give you access to the complete manual including a menu
       structure and an index.

GnuPG 2.0.22                       2018-07-13                       GPG-ZIP(1)


 Best Regards,

Kaushal

On Wed, Nov 7, 2018 at 7:53 AM Kaushal Shriyan 
wrote:

>
> On Tue, Nov 6, 2018 at 7:12 PM Francesco Ariis  wrote:
>
>> On Tue, Nov 06, 2018 at 05:32:40PM +0530, Kaushal Shriyan wrote:
>> > [centos]# ls helloworld/
>> > check_cpu_perf.sh  check_mem.pl  jdk-8u162-linux-x64.rpm
>> > [centos]# gpg-zip --encrypt --output hellogpg --gpg-args  -r kaushal
>>
>> Ah, the example in the manual is wrong. This should work
>>
>> gpg-zip --encrypt --output hellogpg -r kaushal somefile.xyz
>>
>>
> Thanks Francesco and I am still working on it. Appreciate your help
>


Re: encrypt linux backup folder using gpg

2018-11-06 Thread Kaushal Shriyan
On Tue, Nov 6, 2018 at 7:12 PM Francesco Ariis  wrote:

> On Tue, Nov 06, 2018 at 05:32:40PM +0530, Kaushal Shriyan wrote:
> > [centos]# ls helloworld/
> > check_cpu_perf.sh  check_mem.pl  jdk-8u162-linux-x64.rpm
> > [centos]# gpg-zip --encrypt --output hellogpg --gpg-args  -r kaushal
>
> Ah, the example in the manual is wrong. This should work
>
> gpg-zip --encrypt --output hellogpg -r kaushal somefile.xyz
>
>
Thanks Francesco and I am still working on it. Appreciate your help


Re: Most secure GPG combination for Mac OS X

2018-11-06 Thread Nicholas Papadonis
comments
On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat <
dgouttegat...@incenp.org> wrote:

> Hi,
>
> First, a warning: I am by no means a "security expert" and I have
> very little experience with Mac OS X, which I only use at my
> workplace (and only because my employer didn't let me use a
> GNU/Linux workstation...).
>
> However and for what it's worth:
>
> On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> > I noticed that there are two OSX packages for GPG:
> >
> >   Mac GPG Installer from the gpgtools project
> >   GnuPG for OS X Installer for GnuPG
>
> There's a third possibility, which is the one I use: install the GnuPG
> provided by the MacPorts project [1].
>
>
This raises another question about the security of the ports project
itself.  I read that Homebrew had some security issues, a majority of which
come from the installer making /usr/local/bin writable by users other than
root.  This allows an unprivileged application to inject a malicious binary
there, for instance sudo.  /usr/local/bin is first in the search path and
therefore the administrator password could be captured.  I also read
MacPorts may not have this security issue because the installer runs as
root and all installations run as root.


> Install MacPorts and then simply run:
>
>   $ port install gnupg2
>
> MacPorts packagers seem keen to provide the latest versions and to
> update their ports quickly when upstream publishes a new release.
> For example, Libgcrypt was updated to version 1.8.4 the day after
> that version was released.
>

Thanks for the suggestion.  I'm hoping to clear up my security questions
on MacPorts as well.  I suspect there could be many security holes based
upon the tool chain to compile the ports and all hands involved in the
source trees.

Nicholas

>
> > I'm considering using the Mac Mail.app
>
> I tried to build the Mail.app plugin from the gpgtools project,
> but failed. I don't remember what the problem was, just that I
> gave up.
>
> I am currently using alternatively Neomutt (also installed through
> MacPorts), which natively supports GnuPG, and Thunderbird with
> Enigmail. Everything is working fine, including smartcard support.
> Whether this is a "better integrated" solution than using Mail.app
> I cannot tell.
>
> Hope that helps a bit.
>
> Damien
>
> [1] https://www.macports.org/
>
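A way to audit the condition raised in this message, a search-path directory that an account other than root can modify ahead of the directory holding a privileged command, added here as an example and not part of the thread. The function names and the `TRUSTED_UID` variable are assumptions of this example; ownership and mode bits are read with GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): find PATH directories that an account
# other than the trusted owner can modify. TRUSTED_UID is an assumption of this
# example; 0 means only root-owned, non-group/world-writable dirs are accepted.
TRUSTED_UID="${TRUSTED_UID:-0}"

# Print "uid mode" for a directory, following symlinks (GNU stat, then BSD stat).
dir_owner_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1" 2>/dev/null
}

# Succeed when the directory is owned by an untrusted uid or is group/other writable.
is_untrusted_dir() {
    [ -d "$1" ] || return 1                 # nonexistent entries are skipped here
    info=$(dir_owner_mode "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$TRUSTED_UID" ]; then return 0; fi
    [ $(( 0$mode & 022 )) -ne 0 ]           # octal 022 = group-write | other-write
}

# Print every untrusted directory of a PATH string ($1), in search order.
audit_path() {
    old_ifs=$IFS; IFS=:; set -f
    set -- $1                               # split on ':' without globbing
    set +f; IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || d=.                  # an empty entry means the current directory
        if is_untrusted_dir "$d"; then printf '%s\n' "$d"; fi
    done
}

# Print the untrusted directories searched up to and including the one that
# provides command $1 in PATH string $2. Whoever can write to any of them
# controls what runs when that command name is typed.
shadow_risk() {
    cmd=$1
    old_ifs=$IFS; IFS=:; set -f
    set -- $2
    set +f; IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || d=.
        if is_untrusted_dir "$d"; then printf '%s\n' "$d"; fi
        if [ -f "$d/$cmd" ] && [ -x "$d/$cmd" ]; then break; fi
    done
}

# Report on the current environment when run directly.
audit_path "$PATH"
shadow_risk sudo "$PATH"
```

Any directory printed by `shadow_risk` should be re-owned by root with mode 755, or moved behind the system directories in `PATH`.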


Re: OpenPGP key verification + legal framework

2018-11-06 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Monday, 05.11.2018, at 21:47 +0200, Viktor wrote:
> 
> And we actually do not sign keys. For two reasons:
> a. If you automatically trust the signing key, compromising the
> signing key breaks the entire system.
> b. In many countries, generating or signing cryptographic keys
> requires a license. We create a system that should work the same way
> and legally in all countries. And we do not sign key certificates. We
> only attach to them information about the owner of the key, which the
> user manually checks before adding this certificate to his list of
> trusted certificates.

In the EU the use of a "qualified" signature is mandatory when it comes to
legal issues. Between private companies it is okay to just use OpenPGP,
but, when it comes to legal issues, one party could deny the validity of
the signature because it is not accepted as a legal signature format,
at least in Germany.

We have the "qualified signature problem" here. In my opinion a bad
solution, but the EU is known to make more bullsh*t than reasonable
things.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Most secure GPG combination for Mac OSX

2018-11-06 Thread Nicholas Papadonis
Hi Folks,

Does anyone have suggestions on the most secure and reviewed combination
for bits for sending secure email on OSX?

I noticed that there are two OSX packages for GPG:

  Mac GPG Installer from the gpgtools project
  GnuPG for OS X Installer for GnuPG

Is any one preferred, have more eyes reviewing source, better release
management in terms of security concerns?  Any details?  Am I better off
building from source?

I'm considering using the Mac Mail.app, however am interested if
Thunderbird is better integrated from a security standpoint.  At the lowest
level, my assumption is that the command line tools can be used to encrypt
/ decrypt blocks of text, which I will also be interested in using.

Appreciate a security expert's guidance immersing myself into more secure
communication.

(ps please reply to my personal email as well, for some reasons my
subscription request won't go through.  Maybe for accepting that the
confirmation is sent through an insecure channel. :| )

Thank you,
Nicholas


Re: Most secure GPG combination for Mac OS X

2018-11-06 Thread Ralph Seichter
* Nicholas Papadonis:

> I'm considering using the Mac Mail.app, however am interested if
> Thunderbird is better integrated from a security standpoint.

Apple's on-board Mail requires a plugin to encrypt/decrypt messages.
While GPG Suite (https://gpgtools.org) provides said plugin, it is no
longer free to use. Once the trial period runs out, you won't be able to
encrypt, sign or verify unless you pay for a "support plan".

I suggest you go for Thunderbird plus Enigmail, unless you are really
keen on using Apple software.

If you're willing to stray off the beaten path, you may also want to
evaluate the Notmuch mail system (https://notmuchmail.org). I use EMACS
as a frontend for Notmuch, meaning that I have powerful GPG integration
provided by the editor, but there are other UIs as well.

-Ralph



Re: encrypt linux backup folder using gpg

2018-11-06 Thread Francesco Ariis
On Tue, Nov 06, 2018 at 05:32:40PM +0530, Kaushal Shriyan wrote:
> [centos]# ls helloworld/
> check_cpu_perf.sh  check_mem.pl  jdk-8u162-linux-x64.rpm
> [centos]# gpg-zip --encrypt --output hellogpg --gpg-args  -r kaushal

Ah, the example in the manual is wrong. This should work

gpg-zip --encrypt --output hellogpg -r kaushal somefile.xyz



Re: Most secure GPG combination for Mac OS X

2018-11-06 Thread stefan . claas

On 06.11.2018 at 12:48, Nicholas Papadonis wrote:

> Does anyone have suggestions on the most secure and reviewed
> combination for bits for sending secure email on OS X?
>
> I noticed that there are two OSX packages for GPG:
>
>   Mac GPG Installer from the gpgtools project
>   GnuPG for OS X Installer for GnuPG
>
> Is any one preferred, have more eyes reviewing source, better release
> management in terms of security concerns?  Any details?  Am I better
> off building from source?

Well, I have never read that GnuPG had a security audit, regardless
of platform used, nor the plug-ins for various apps.

For example recently Enigmail for Thunderbird had a fatal security
bug which sent encrypted email unencrypted under Windows.

You can build from source, which I also did in the past, or use for
example MacPorts GnuPG distribution.

> I'm considering using the Mac Mail.app, however am interested if
> Thunderbird is better integrated from a security standpoint.  At the
> lowest level, my assumption is that the command line tools can be used
> to encrypt / decrypt blocks of text, which I will also be interested
> in using.

I used Mail.app in the past too and later switched to
Thunderbird/Enigmail.

Currently I use the GnuPG package from Patrick Brunschwig (Enigmail
developer) in combination with Claws-Mail (MacPorts). I also use GnuPG
often as a command-line tool.

> Appreciate a security expert's guidance immersing myself into more
> secure communication.

While I am no security expert and only a Mac dummy, I like the fact that
one can build from source and use it on an off-line computer, even
if the email received is in PGP/MIME format, because scripts are
available which allow a conversion.

Regards
Stefan



Re: Most secure GPG combination for Mac OS X

2018-11-06 Thread Damien Goutte-Gattat via Gnupg-users
Hi,

First, a warning: I am by no means a "security expert" and I have
very little experience with Mac OS X, which I only use at my
workplace (and only because my employer didn't let me use a
GNU/Linux workstation...).

However and for what it's worth:

On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> I noticed that there are two OSX packages for GPG:
> 
>   Mac GPG Installer from the gpgtools project
>   GnuPG for OS X Installer for GnuPG

There's a third possibility, which is the one I use: install the GnuPG
provided by the MacPorts project [1].

Install MacPorts and then simply run:

  $ port install gnupg2

MacPorts packagers seem keen to provide the latest versions and to
update their ports quickly when upstream publishes a new release.
For example, Libgcrypt was updated to version 1.8.4 the day after
that version was released.


> I'm considering using the Mac Mail.app

I tried to build the Mail.app plugin from the gpgtools project,
but failed. I don't remember what the problem was, just that I
gave up.

I am currently using alternatively Neomutt (also installed through
MacPorts), which natively supports GnuPG, and Thunderbird with
Enigmail. Everything is working fine, including smartcard support.
Whether this is a "better integrated" solution than using Mail.app
I cannot tell.

Hope that helps a bit.

Damien

[1] https://www.macports.org/




Re: encrypt linux backup folder using gpg

2018-11-06 Thread Kaushal Shriyan
Hi Francesco,

Thanks for the reply. I did the below

[centos]# ls helloworld/
check_cpu_perf.sh  check_mem.pl  jdk-8u162-linux-x64.rpm
[centos]# gpg-zip --encrypt --output hellogpg --gpg-args  -r kaushal helloworld
/usr/bin/tar: kaushal: Cannot stat: No such file or directory
gpg: missing argument for option "-r"
[centos]#

Am I missing something?

Thanks Wiktor, I'll check it out.

Best Regards,

Kaushal

On Tue, Nov 6, 2018 at 4:52 PM Wiktor Kwapisiewicz 
wrote:

> On 06.11.2018 10:42, Francesco Ariis wrote:
> > Hello Kaushal,
> >
> > On Tue, Nov 06, 2018 at 11:25:47AM +0530, Kaushal Shriyan wrote:
> >> I am using CentOS 7.5 Linux OS in my setup. I have compressed a folder
> >> using tar utility tar czvf backupfolder.tar.gz backupfolder. Is there a
> >> way to encrypt backupfolder.tar.gz using gpg? Are there any best practices
> >> to use gpg application to encrypt the data. Any help will be highly
> >> appreciated and I look forward to hearing from you.
> >
> > in Debian there is a small utility (`gpg-zip`, found in the `devscripts`
> > package) which does just that. Maybe it's packaged in CentOS too!
> > -F
>
> Maybe that's too simple but what about just:
>
>   gpg --encrypt --recipient $YOU backupfolder.tar.gz
>
> Of course after generating the key (gpg --gen-key).
>
> Best practices:
>   - use most recent GnuPG,
>   - you can generate keys on another computer (offline?) and export just
> public parts to the one that does encryption,
>   - you can move decryption keys to a hardware token.
>
> Kind regards,
> Wiktor
>
> --
> https://metacode.biz/@wiktor
>


[Announce] GnuPG 2.2.11 released

2018-11-06 Thread Werner Koch
Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.11.  This is a maintenance release; see below for a list
of fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As an Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.11
====================================

  * gpgsm: Fix CRL loading when intermediate certificates are not yet
    trusted.

  * gpgsm: Fix an error message about the digest algo.  [#4219]

  * gpg: Fix a wrong warning due to new sign usage check introduced
    with 2.2.9.  [#4014]

  * gpg: Print the "data source" even for an unsuccessful keyserver
    query.

  * gpg: Do not store the TOFU trust model in the trustdb.  This
    allows to enable or disable a TOFU model without triggering a
    trustdb rebuild.  [#4134]

  * scd: Fix cases of "Bad PIN" after using "forcesig".  [#4177]

  * agent: Fix possible hang in the ssh handler.  [#4221]

  * dirmngr: Tack the unmodified mail address to a WKD request.  See
    commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.

  * dirmngr: Tweak diagnostic about missing LDAP server file.

  * dirmngr: In verbose mode print the OCSP responder id.

  * dirmngr: Fix parsing of the LDAP port.  [#4230]

  * wks: Add option --directory/-C to the server.  Always build the
    server on Unix systems.

  * wks: Add option --with-colons to the client.  Support sites which
    use the policy file instead of the submission-address file.

  * Fix EBADF when gpg et al. are called by broken CGI scripts.

  * Fix some minor memory leaks and bugs.

  Release-info: https://dev.gnupg.org/T4233


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.2.11 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.11.tar.bz2 (6496k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.11.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.11_20181106.exe (3928k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.11_20181106.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  A new Gpg4win installer featuring
this version of GnuPG will be available soon.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.11.tar.bz2 you would use this command:

 gpg --verify gnupg-2.2.11.tar.bz2.sig gnupg-2.2.11.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.11.tar.bz2, you run the command like this:

 sha1sum gnupg-2.2.11.tar.bz2

   and check that the output matches the next line:

c762d300c6c5616c14abff1cfaa099baa5fcbd2c  gnupg-2.2.11.tar.bz2
e6c64cae60ced795046fd381e39ed207e94b53d2  gnupg-w32-2.2.11_20181106.tar.xz
d1b1ba1bcf433cd1accf22772600f8a5186e156c  gnupg-w32-2.2.11_20181106.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech,
French, German, Japanese, 

Most secure GPG combination for Mac OS X

2018-11-06 Thread Nicholas Papadonis
Does anyone have suggestions on the most secure and reviewed combination
for bits for sending secure email on OS X?

I noticed that there are two OSX packages for GPG:

  Mac GPG Installer from the gpgtools project
  GnuPG for OS X Installer for GnuPG

Is any one preferred, have more eyes reviewing source, better release
management in terms of security concerns?  Any details?  Am I better off
building from source?

I'm considering using the Mac Mail.app, however am interested if
Thunderbird is better integrated from a security standpoint.  At the lowest
level, my assumption is that the command line tools can be used to encrypt
/ decrypt blocks of text, which I will also be interested in using.

Appreciate a security expert's guidance immersing myself into more secure
communication.

(ps please reply to my personal email as well, for some reasons my
subscription request won't go through.  Maybe for accepting that the
confirmation is sent through an insecure channel. :| )

Thank you,
Nicholas


Re: encrypt linux backup folder using gpg

2018-11-06 Thread Wiktor Kwapisiewicz via Gnupg-users
On 06.11.2018 10:42, Francesco Ariis wrote:
> Hello Kaushal,
> 
> On Tue, Nov 06, 2018 at 11:25:47AM +0530, Kaushal Shriyan wrote:
>> I am using CentOS 7.5 Linux OS in my setup. I have compressed a folder
>> using tar utility tar czvf backupfolder.tar.gz backupfolder. Is there a way
>> to encrypt backupfolder.tar.gz using gpg? Are there any best practices to
>> use gpg application to encrypt the data. Any help will be highly
>> appreciated and I look forward to hearing from you.
> 
> in Debian there is a small utility (`gpg-zip`, found in the `devscripts`
> package) which does just that. Maybe it's packaged in CentOS too!
> -F

Maybe that's too simple but what about just:

  gpg --encrypt --recipient $YOU backupfolder.tar.gz

Of course after generating the key (gpg --gen-key).

Best practices:
  - use most recent GnuPG,
  - you can generate keys on another computer (offline?) and export just
public parts to the one that does encryption,
  - you can move decryption keys to a hardware token.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

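The split described in this reply, with keys generated on one machine and only the public part exported to the machine that encrypts, as an added example that is not part of the thread. It assumes GnuPG 2.2 or later; the recipient address, directory names and helper functions are constructed for the demo, and the key is left unprotected only so the walk-through runs unattended.

```shell
#!/bin/sh
# Added example (not from the thread): the secret key stays on an "offline"
# keyring; the backup host receives only the exported public key.
# Address, paths and function names are constructed for this demo.
RECIPIENT="backup@example.invalid"

# Run gpg non-interactively against one isolated keyring directory.
gpg_in() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty "$@"
}

# Offline side: create the key pair, then export only the public part.
# The empty passphrase exists only so the demo runs unattended.
make_offline_key() {        # $1 = offline keyring, $2 = public key file
    gpg_in "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$RECIPIENT" default default never || return 1
    gpg_in "$1" --armor --output "$2" --export "$RECIPIENT"
}

# Primary key fingerprint as stored in a keyring, for comparison on both sides.
fingerprint() {             # $1 = keyring
    gpg_in "$1" --with-colons --fingerprint "$RECIPIENT" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Backup host: archive a directory and encrypt the stream to the recipient.
# --trust-model always is used because the fingerprint is compared beforehand.
encrypt_backup() {          # $1 = keyring, $2 = directory, $3 = output file
    tar -C "$(dirname "$2")" -czf - "$(basename "$2")" |
        gpg_in "$1" --trust-model always --encrypt \
            --recipient "$RECIPIENT" --output "$3"
}

# Decrypt and unpack; fails on any keyring that lacks the secret key.
restore_backup() {          # $1 = keyring, $2 = encrypted file, $3 = target dir
    gpg_in "$1" --yes --pinentry-mode loopback --passphrase '' \
        --output "$3/backup.tar.gz" --decrypt "$2" || return 1
    tar -C "$3" -xzf "$3/backup.tar.gz"
}

# Full round trip inside scratch directory $1; a non-zero status names the step.
walkthrough() {
    off="$1/offline"; host="$1/backuphost"
    mkdir -m 700 "$off" "$host" || return 1
    mkdir "$1/backupfolder" "$1/restore" || return 1
    echo "constructed sample data" > "$1/backupfolder/notes.txt"

    make_offline_key "$off" "$1/pub.asc" || return 2
    gpg_in "$host" --import "$1/pub.asc" || return 2
    # Compare fingerprints before trusting the imported key.
    [ -n "$(fingerprint "$off")" ] &&
        [ "$(fingerprint "$off")" = "$(fingerprint "$host")" ] || return 3
    encrypt_backup "$host" "$1/backupfolder" "$1/backup.tar.gz.gpg" || return 4
    # The backup host holds no secret key, so a restore there must fail.
    if restore_backup "$host" "$1/backup.tar.gz.gpg" "$1/restore" 2>/dev/null; then
        return 5
    fi
    restore_backup "$off" "$1/backup.tar.gz.gpg" "$1/restore" || return 6
    cmp -s "$1/backupfolder/notes.txt" "$1/restore/backupfolder/notes.txt" || return 7
}

# Create the scratch area, run the walk-through, stop the agents, clean up.
demo() {
    work=$(mktemp -d) || return 1
    rc=0
    walkthrough "$work" || rc=$?
    gpgconf --homedir "$work/offline" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$work/backuphost" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Run the walk-through when called with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    demo && echo "backup host encrypted; only the offline keyring could decrypt"
fi
```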


Re: encrypt linux backup folder using gpg

2018-11-06 Thread Francesco Ariis
Hello Kaushal,

On Tue, Nov 06, 2018 at 11:25:47AM +0530, Kaushal Shriyan wrote:
> I am using CentOS 7.5 Linux OS in my setup. I have compressed a folder
> using tar utility tar czvf backupfolder.tar.gz backupfolder. Is there a way
> to encrypt backupfolder.tar.gz using gpg? Are there any best practices to
> use gpg application to encrypt the data. Any help will be highly
> appreciated and I look forward to hearing from you.

in Debian there is a small utility (`gpg-zip`, found in the `devscripts`
package) which does just that. Maybe it's packaged in CentOS too!
-F
