Re: encrypt file in batch mode

2019-11-05 Thread Aleksandar Lazic via Gnupg-users

Hi.

On 02.11.2019 at 15:35, Fourhundred Thecat wrote:
> Hello,
>
> how can I simply encrypt a file in "batch mode", i.e. in a script, without
> user interaction, without need for the user to type password, without
> gpg agent?

Maybe you can try https://github.com/jedisct1/encpipe for such a simple use case?

> Below are the errors that I get when running:
>
> $ gpg --lock-never -e -s -r u...@domain.com --output zz zz.gpg
>
> What is the reason why simple operations should not be possible without
> gpg-agent ?
>
> gpg: starting migration from earlier GnuPG versions
> gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
> gpg: can't connect to the agent: No such file or directory
> gpg: error: GnuPG agent unusable. Please check that a GnuPG agent can be
> started.
> gpg: migration aborted
> gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
> gpg: can't connect to the agent: No such file or directory
> gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
> gpg: can't connect to the agent: No such file or directory
> gpg: keydb_search failed: No agent running
> gpg: no default secret key: No agent running
> gpg: gpg.conf.gpg: sign+encrypt failed: No agent running
>
> my version: gpg (GnuPG) 2.2.12
>
> thanks,


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users






Re: Need to implement a gpg/gpg2-compatible tool to encrypt millions of files in unsupervised mode

2019-07-27 Thread Aleksandar Lazic via Gnupg-users
Hi.

On 25.07.2019 at 15:46, Kynn Jones via Gnupg-users wrote:
> Hi everyone,
> 
> First, please allow me to define a bit of ad-hoc
> nomenclature.  I will use the uppercase terms "ENCRYPT",
> "ENCRYPTION", etc. as shorthands for "compress and
> AES256-encrypt", "compression and AES256 encryption", etc.
> Likewise, I will use "DECRYPT", etc. as shorthands for
> "[AES256] decrypt and decompress", etc.
> 
> I need to ENCRYPT ~20 million files (~150TB) for long-term
> (>15y) storage.  This ENCRYPTION will be done in several
> batches, and will take place over many months (due to CPU and
> bandwidth limitations).
> 
> The ideal solution would produce ENCRYPTED files that can be
> decrypted using standard off-the-shelf gpg/gpg2. [1]
> 
> In my search for a library I could use to do this, I found
> gpgme and libgcrypt.  I tried the former, and found it not
> suitable, due to frequent gpg-agent-related failures.
> 
> libgcrypt, on the other hand, is a bit too low-level for
> someone who is not acquainted with the fine details of gpg's
> ENCRYPTION to replicate it.  (AFAICT, using straight-up
> gcry_cipher_encrypt would not necessarily produce an
> encrypted file (let alone an ENCRYPTED file) that could be
> decrypted/DECRYPTED with standard gpg/gpg2.)
> 
> Is there something in-between gpgme and libgcrypt that would
> allow me to implement the required tool?
> 
> *Alternatively*, can someone tell me of a more efficient way
> than reading the gpg2 source code for me to learn how to
> implement gpg-compatible ENCRYPTION/DECRYPTION using
> libgcrypt?
> 
> Thank you all in advance!

Have you taken a look at libsodium-based tools?
https://download.libsodium.org/doc/libsodium_users

For example https://github.com/TLINDEN/pcp

> kj

Best regards
Aleks

> [1] This gpg/gpg2 compatibility requirement is important, as
> an insurance that the files will be DECRYPTABLE in the
> "distant" future (10-15y), even if my tool is not properly
> enough maintained to be operational then.  This, of course,
> assumes that gpg will have greater longevity than a privately
> implemented, single-user tool like mine.
> 




Re: PGP Anonymous Board Idea

2019-03-07 Thread Aleksandar Lazic

Hi.

On 06-03-2019 at 17:57, Ralph Seichter wrote:
> * Farhan Khan via Gnupg-users:
>
>> Obviously this would not be the next big method of communication, but
>> an interesting niche idea and it seems easy to produce a
>> proof-of-concept.
>
> Not meaning to rain on your parade, but after mulling over your idea, I
> don't see benefits over what can already be done using the Tor Network
> as a foundation.

Is Tor really as anonymous as it was in the past?
I think the mixmaster approach should still be in place even when you
use Tor, IMHO.

> -Ralph

Aleks




Re: OpenPGP key verification + legal framework

2018-11-10 Thread Aleksandar Lazic

Hi Viktor.

On 05-11-2018 at 15:21, Viktor wrote:
> Dear All,
>
> we create a service for OpenPGP key verification:
> https://cryptonomica.net
>
> It's open sourced https://github.com/Cryptonomica/cryptonomica and it
> has a legal part ( see:
> https://github.com/Cryptonomica/cryptonomica/wiki/Cryptonomica-White-Paper
> ) aimed at creating an international system of legally recognized and
> enforceable contracts based on OpenPGP.
>
> I would be very interested to hear feedback, criticism and suggestions
> on our project. And also to establish contacts with people interested
> in cooperation.

As the site is unusable without JavaScript it's hard to use it without
it. This looks pretty common today that even a start page requires
JavaScript.

What I dislike more is that you request, for a privacy site, code from
"ajax.googleapis.com". I suggest delivering all your required JS parts
from your site to be on the safe side. Jm2c

> Best regards,
> Viktor Ageyev
> CEO/CTO, Cryptonomica.net

Best regards
Aleks




Re: Forward gpg-agent to container

2018-06-05 Thread Aleksandar Lazic

Hi.

On 05/06/2018 18:02, Benjamin Kircher wrote:
> On 5. Jun 2018, at 10:54, Benjamin Kircher wrote:
>
>> On 5. Jun 2018, at 08:56, Andrew Gallagher wrote:
>>
>>> On 4 Jun 2018, at 19:44, Benjamin Kircher wrote:
>>>
>>>> Now inside the container I can see my socket
>>>>
>>>> # ls -l /gpg-agent
>>>> srwx-- 1 root root 0 Jun  4 17:45 /gpg-agent
>>>>
>>>> From here on, I am kind of stuck. I fail to somehow make gpg-agent
>>>> inside the container “use” the extra-socket. Here is what I am
>>>> doing:
>>>
>>> This sounds overly complicated. Once you have the extra socket
>>> visible inside the container, it should be sufficient to set the
>>> environment variable GPG_AGENT_SOCK. You don’t need to start an
>>> extra agent inside the container.
>>
>> Andrew, thanks for looking into this.
>>
>> Is this documented somewhere? I can’t find this environment variable
>> in the man-pages and a quick code search over gnupg, libassuan,
>> gpgme, and friends shows no such environment variable.
>
> Sorry, but GPG_AGENT_SOCK doesn’t work at all.
>
>  $ docker run --volume $(gpgconf --list-dirs agent-extra-socket):/gpg-agent --env GPG_AGENT_SOCK=/gpg-agent --entrypoint=sh -ti fedora:latest
>
>  # env
>  HOSTNAME=26e366f60fc8
>  PWD=/
>  HOME=/root
>  FBR=f28
>  DISTTAG=f28container
>  FGC=f28
>  GPG_AGENT_SOCK=/gpg-agent
>  TERM=xterm
>  SHLVL=1
>  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>  _=/usr/bin/env
>
> # gpg2 --keyserver pgp.uni-mainz.de --recv 325F3B76
> # gpg2 --list-secret-keys

Please can you try to run this from a non-/root dir.

For example use the /tmp/gpg-dir and put all files there, just for
testing.

In the past I had some trouble mounting files in /root from

`docker run ...`

Do you have SELinux in place?

> BK

BR
Aleks



Re: Efail or OpenPGP is safer than S/MIME

2018-05-20 Thread Aleksandar Lazic
On 19/05/2018 14:15, Werner Koch wrote:
> On Fri, 18 May 2018 12:18, patr...@enigmail.net said:
> 
> > How far back will that solution work? I.e. is this supported by all
> > 2.0.x and 2.2.x versions of gpg?
> 
> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO.  In any case
> 2.0 is end-of-life.  In theory we could backport that to 1.4 but I don't
> think that makes sense.

On Windows the situation is really bad.

###
aleks@aleks-PC MINGW64 ~
$ uname -a
MINGW64_NT-6.1 aleks-PC 2.10.0(0.325/5/3) 2018-02-09 15:25 x86_64 Msys

aleks@aleks-PC MINGW64 ~
$ pacman -Ss gpg
mingw32/mingw-w64-i686-gpgme 1.11.1-1
A C wrapper library for GnuPG (mingw-w64)
mingw32/mingw-w64-i686-libgpg-error 1.29-1
Support library for libgcrypt (mingw-w64)
mingw64/mingw-w64-x86_64-gpgme 1.11.1-1
A C wrapper library for GnuPG (mingw-w64)
mingw64/mingw-w64-x86_64-libgpg-error 1.29-1 [Installiert]
Support library for libgcrypt (mingw-w64)
msys/libgpg-error 1.27-1 (libraries) [Installiert]
Support library for libgcrypt
msys/libgpg-error-devel 1.27-1 (development) [Installiert]
Libgpg-error headers and libraries
msys/libgpgme 1.6.0-1 (libraries) [Installiert]
A C wrapper library for GnuPG
msys/libgpgme-devel 1.6.0-1 (development)
Libgpgme headers and libraries
###

I have installed the latest gpg4win 3.1.1 and then you are able to run a
more or less recent version of gpg

###
aleks@aleks-PC MINGW64 ~
$ LANG=C /c/Program\ Files\ \(x86\)/GnuPG/bin/gpg --version
gpg (GnuPG) 2.2.7
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/aleks/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
###

The point is that as long as the distributions do not update their
packages there will always be complaints from the users.


> Shalom-Salam,
> 
>Werner
> 
> -- 
> #  Please read:  Daniel Ellsberg - The Doomsday Machine  #
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Best regards
Aleks



Re: A postmortem on Efail

2018-05-20 Thread Aleksandar Lazic
Hi Robert.

On 20/05/2018 02:26, Robert J. Hansen wrote:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on Efail.
> You may find it worth reading.  You may also not.  Your mileage will
> probably vary.  :)
> 
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

As a long time reader and partly gpg user I would like to thank you for
the post.

From my point of view there must be something more behind the curtain.

I do not want to create a conspiracy theory but it's wiggy that
EFF favors *NO* security, PGP or S/MIME, instead of fixing the current
possibilities, and promotes Signal.

As several people mentioned in the different Internet media, Signal is
not a replacement for e-mail, as long as the Signal company does not
offer its own e-mail service.

That's just my gut instinct; the future will shed some light on this
EFAIL scandal.

jm2c

Best regards
Aleks



Re: Making the case for smart cards for the average user

2015-03-15 Thread Aleksandar Lazic

Hi.

On 13-03-2015 at 21:13, Joey Castillo wrote:
> Hi there,
>
> I'm working on a Kickstarter right now that aims to popularize smart
> cards as an easier way for the average user to adopt GnuPG.
>
> https://www.kickstarter.com/projects/joeycastillo/signet-simple-online-privacy-cards
>
> Putting aside any security benefits, smart cards seem simpler to use
> for the average person. Unlocking a card with a PIN is a metaphor that
> people already know and use with bank cards. Choosing and memorizing a
> strong passphrase, by comparison, is something the average user is
> likely to have trouble with.

[snip]

Today a lot of people send their mail over smartphones (Android,
iPhone, Blackberry, )

How can I use any smartcard with these devices?

BR Aleks



googles End-To-End plugins opinions

2014-08-08 Thread Aleksandar Lazic

Hi.

Today a message from the German site heise pointed me to a Google
OpenPGP solution.


https://code.google.com/p/end-to-end/


End-To-End is a Chrome extension that helps you encrypt, decrypt, 
digital sign, and verify signed messages within the browser using 
OpenPGP.


This is the source code for the alpha release of the End-To-End Chrome 
extension. It's built upon a newly developed, JavaScript-based crypto 
library. End-To-End implements the OpenPGP standard, IETF RFC 4880, 
enabling key generation, encryption, decryption, digital signature, and 
signature verification. We’re releasing this code to enable community 
review; it is not yet ready for general use.



German News info

http://www.heise.de/newsticker/meldung/Yahoo-Mail-will-Ende-zu-Ende-Verschluesselung-einfuehren-2288983.html

Has anybody seen this plugin or maybe used it?

Best regards
Aleks



Re: X.509 certificates for https://gnupg.org

2013-12-17 Thread Aleksandar Lazic

Hi Werner.

On 17-12-2013 at 16:37, Werner Koch wrote:
> On Mon, 16 Dec 2013 21:35, d...@fifthhorseman.net said:
>
>> Werner, if i can help with configuring or maintaining the web server for
>> gnupg.org to address some of these issues, please let me know.
>
> Yes, I have problems figuring out a working cipher list which also
> allows for IE.  What DHE cipher suite may I use with IE given that I
> have only an RSA certificate. Or should I simply give up on PFS for IE
> users?  The active ciphers are right now:
>
> ECDHE-RSA-AES128-SHA  SSLv3 Kx=ECDH Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-AES128-SHA    SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-RSA-AES256-SHA    SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1

You can test your client with the Experimental SSL Client Test

https://www.ssllabs.com/ssltest/viewMyClient.html

The following site also explains how you can change the order of the
ciphers in Windows Vista, maybe it is also possible in this way on other
Windows versions.

http://www.ditii.com/2007/11/07/windows-vista-changing-the-ssl-cipher-order-in-internet-explorer-7/

Cheers
Aleks



Re: Question about a perfect private Key store for today's environment

2013-09-22 Thread Aleksandar Lazic

Hi Marko,

On 22-09-2013 at 10:29, Marko Randjelovic wrote:
> Of course it is not safe. If you really need a smartphone, use some of
> those that are supported by Replicant OS. http://replicant.us/

Thank you for your feedback.

I'm not sure how many 'normal' or mass users are able to use this OS.

Maybe there is a possibility to get pre-installed Replicant OS for the
mainstream, like the current devices with the pre-installed vendor OS.

Currently I don't know of this possibility.

Do you see any other solution for the users to safely use the private
key?


Best regards
Aleks



Re: Question about a perfect private Key store for today's environment

2013-09-22 Thread Aleksandar Lazic

Dear Diego,

On 22-09-2013 at 10:37, NdK wrote:
> On 21/09/2013 23:06, Aleksandar Lazic wrote:
>
>> What solution is available for public Web mail providers like gmail,
>> gmx, hotmail,  .?
>
> Firefox+GreaseMonkey+script to interface to card?

Your solution implies that you need to install all these components on
all devices.

I'm not sure that this is always possible.

Do you see any other solution for the users to safely use the private
key?


Best regards
Aleks



Re: Question about a perfect private Key store for today's environment

2013-09-22 Thread Aleksandar Lazic

Dear Heinz,

On 22-09-2013 at 10:45, Heinz Diehl wrote:
> On 22.09.2013, Aleksandar Lazic wrote:
>
>> What could be a perfect or at least a very good storage of the
>> private Key.
>
> Spend a little bit of money and buy yourself a smartcard and a reader. Then,
> boot a machine without internet connection from a USB stick or
> CD/DVD with some live version (e.g. http://www.sysresccd.org ),
> generate a fresh key pair and install it on your smartcard.

OK, that sounds possible for people who have Linux or Unix experience,
not the 'normal' mainstream user.

The other question was how could a user use such a key to sign or
encrypt his or her mail on e.g. smartphones?


Best regards
Aleks



Question about a perfect private Key store for today's environment

2013-09-21 Thread Aleksandar Lazic

Hi all.

Due to the fact that more and more users, including me,
want to use pgp and smime for end-to-end-encryption I asked myself the 
following.


What could be a perfect or at least a very good storage of the
private Key.

What could be a secret use of the pgp and smime technology implemented for
today's user environment.

My definition of today's user environment:

1.) Private  mobile device, tablet, notebook with private E-Mail program
2.) Business mobile device, tablet, notebook with company E-Mail program
with company key and private key
3.) Private  mobile device, tablet, notebook with Web mail only access
4.) Business mobile device, tablet, notebook with Web mail only access
5.) more to be defined

There are for different clients different tools available but the 
problem from my point of view is that you must always add your private 
key into the different clients.


This is a lot of work and sometimes not possible as in point 3+4 
defined.


Point 1+2 are also not very secure due to the fact that nobody knows
what really happens on such devices.


There are some HW-Solutions like

http://g10code.com/p-card.html
http://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=133osCsid=503b6045b0863ea8f4bc84757e89ee81

but how could this or other HW-Solutions be usable along with Point 1+2 
definitions?


In case you have your own server with your own web mail solution like 
roundcube, Horde or any other and you have secured your private Key on 
this server then you have a solution for point 3+4  but not for 1+2.


What solution is available for public Web mail providers like gmail, 
gmx, hotmail,  .?


In this case there must be a way to sign the message with the private 
key on disc or USB-Stick.


From my point of view I don't see a secure and usable solution for the 
most users out there.


Maybe I have the wrong point of view.
I'm sure that I don't know all possible solutions.

What are your opinions about the thought above?
What are the solutions which you use?

Thanks for reading and looking forward to your answers.

Aleksandar Lazic
