Re: Encrypting 27 TB RMAN Backup with GPG
On 22.10.2018, Satendra Tiwari wrote: > In this case, we want to use GPG to encrypt Oracle backup. We have two > databases of 17 TB and 7 TB they compress to 2.6 TB and 1.3 TB > respectively. > What would be the best way to encrypt our backup and how long would it take? I would create a LUKS/cryptsetup container or partition. Using rotational storage, you will have the same copy speed as the underlying unencrypted device. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: storing PINs of credit / EC cards with GnuPG
On 10.07.2017, Matthias Apitz wrote: > This question is perhaps only for German users of GnuPG. In the past > German banks and credit institutes prohibited the storing of PIN numbers > etc. on personal computer systems Does anybody care? > even claiming that in the case of storing > they would not have been responsible anymore for the abuse of stolen > credit cards. ..what still has to be proofed in case this happens. > What is the current situation about this issue in the German law if such > PIN numbers are stored ciphered with GnuPG? If storing the PIN on personal computers is prohibited, then... it's prohibited. Cheers, Heinz (not living in Germany and storing all PINs within a password manager) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.1.17 released
On 20.12.2016, Christoph Moench-Tegeder wrote: > Or is that just me and a local issue? Most probably. For me, it works: [htd@chiara Downloads]$ gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2 gpg: Signature made Tue 20 Dec 2016 14:59:50 CET using RSA key ID 4F25E3B6 gpg: Good signature from "Werner Koch (dist sig)" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Terminology - certificate or key ?
On 03.10.2016, Werner Koch wrote: > We would call the left one a "normales Vorhangeschloss" (simple > padlock). But the middle one is known as a "Schappschloss" - referring > to the feature that you do not need a key to lock it. The left one is a modular padlock, and the one in the middle is an integrated padlock. According to one of my friends who is a native en_GB speaker. Not shure if this helps, though. I guess most languages simply use "padlock" for both types. Haengeschloss in German, hengelås in NO, hänglås (SE), hængelås (DK).. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Terminology - certificate or key ?
On 01.10.2016, Werner Koch wrote: > Frankly, I did not know how to translate the German term > "Schnappschloss". Visualising a picture of what is meant by the German term, I would intuitively translate it to something like a hasp, a snap lock or even a spring lock. And you're right, I also heard the term latch lock. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The FAQ's 4GiB recommendation
On 27.08.2015, Robert J. Hansen wrote: > I had someone wonder why the FAQ recommends avoiding CAST, BLOWFISH, > IDEA, or 3DES for bulk encryption. > Q: Why should some ciphers be avoided for bulk encryption? "Some ciphers" is probably not enough for those who frequently ask about that topic. I therefore suggest to give an example and to connect the above mentioned ciphers to the term "64-bit ciphers", which would make the text more understandable for the "common reader", e.g. Q: Why should some 64-bit ciphers like CAST, BLOWFISH... be avoided for bulk encryption? The text as-is assumes that the reader knows what you mean by "64-bit ciphers", which most probably isn't the case. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Optimal setup for corporate keys
On 19.07.2015, F Rafi wrote: Does it make sense to use a key-server? You just answered yourself: The public key will only be use by a single partner organization. We were thinking about exchanging it over e-mail. So no need to upload it to a keyserver. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to Know keys expiration date for Already created keys using gpg in command prompt
On 17.04.2015, Venkatramana Parapatla wrote: How to Know keys expiration date for Already created keys using gpg in command prompt? gpg --list-keys will give you an oversight over all keys in your public key ring including their expiry date. How to renwal existing keys? You can (of course) only change the expiry dato of your own key. gpg --edit-key your-key and the expire command will let you perform the desired changes. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg in a cybercafé
On 05.03.2015, Robert Deroy wrote: How could i do for use gpg on a usb key, because i have no computer, i only go in cybercafé. Don't do it, it's not safe. In case you're allowed to boot from an external medium, this still won't be secure. Because you have no control over the hardware built into the computer, a keylogger could read your input (read: passphrase), and somebody else with remote access could copy your secret key. After all, it boils down to what your thread model is, and how much unsecurity you can live with. If your data is crucial: don't do it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please remove MacGPG from gnupg.org due to serious security concerns
On 17.02.2015, Werner Koch wrote: git meanwhile allows to sign commits. If anyone knows a method to set a different key for tagging and commits, I would soon start to sign each commit. I can be seriously wrong, but is that not something the LKML people do? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Symmetric encrypt many files (batch mode)
On 02.01.2015, Egon wrote: I want to symmetrically encrypt many hundreds of files under Linux, the files stored in many subdirectories. Mabe you should consider using a LUKS/dmcrypt container/partition. It would make things a lot easier and more fail-proof for you. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The Facts:
On 16.11.2014, da...@gbenet.com wrote: So am going to install a copy of Thunderbird at least 4 years older than the current version with an appropriate Enigmail. As stated and as aa fact of daily life there are problems running a Linux distro in x86_64 there are problems with gnupg2 there are problems with Thunderbird and there are problems with Enigmail. I have installed several 64-bit Linux distributions in the last 6 months (mainly Fedora and Arch), and most of the users have Thunderbird as their email client. All of them run gnupg, thunderbird and enigmail, and none has encountered a single problem so far. Furthermore, if you think your problems are related to Thunderbird, there's also Sylpheed, which has great gnupg support natively (and which I for myself would prefer over Thunderbird): http://sylpheed.sraoss.jp/en/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why the software is crap
___ /| /| | | ||__|| | Please don't | / O O\__ feed | / \ the troll | / \ \| / _\ \ -- /|\\ \ || / | | | |\/ || / \|_|_|/ |__|| / / \|| || / | | /|| --| | | |// | --| * _| |_|_|_| | \-/ *-- _--\ _ \ // | / _ \\ _ // |/ * / \_ /- | - | | * ___ c_c_c_C/ \C_c_c_c ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Restoring GnuPG
On 19.10.2014, Sudhir Khanger wrote: 1. Is secret key the most important part of GnuPG? By important I mean if you only had your secret key could get back to your original setup ignoring the imported public keys. Of course, you can omit/delete your pubring.gpg, if you like. However, unless you import a public key, you won't be able to communicate using gpg encryption. 2. gpg --import secret.key I suppose this is the command I have to use to import the secret key on a new system. You can just copy your secring.gpg into your freshly installed ~/.gnupg directory. Importing your secret key would also re-install your public key.. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Restoring GnuPG
On 19.10.2014, m...@sudhirkhanger.com wrote: Are you trying to say if I don't import pubring.gpg I won't import the previously exchanged keys and hence I won't be able to send them encrypted messages as I won't have access to other people's public keys? Exactly. In order to be able to send an encrypted mail to somebody, you have to encrypt it with the appropriate public key of the receiver. I currently don't have any public keys imported/exchanged. So you won't be able to send any encrypted mail. I am just learning GnuPG. You're welcome! If you have to move your gpg installation to a new system, just copy the secring.gpg, pubring.gpg, trustdb.gpg and gpg.conf from your ~/.gnupg directory into your new installation. It's not necessary to export/import keys from the keyrings. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Restoring GnuPG
On 19.10.2014, MFPA wrote: Importing your secret key would also re-install your public key.. In order to achieve that, don't you have to run something like:- gpgsplit --secret-to-public YourPrivateKeyFile.asc No, that's not neccessary. A gpg --import your_secret_key.asc into a freshly installed and completely clean gpg system would restore your public key as well. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Smartcard and PIN cache
Hi, when decrypting a file with gpg2 in combination with a GnuPG v2.0 smartcard, my PIN, once entered, is cached a long time. Removing the smartcard or the reader deletes the cache, of course. Although I've read a bunch of documents and searched the net, I haven't managed yet to find out how I can disable PIN caching *completely* in this case. I'm aware of the Signature PIN option, and it's set to forced, but this does of course not affect decryption. Is it possbile to disable PIN caching entirely when using a smartcard, and if so, how can I do this? Thanks, Heinz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcard and PIN cache
On 02.09.2014, Werner Koch wrote: There is no command to explicitly do that. You may run gpgconf --reload scdaemon to power down the card. Thanks a lot for explaining this to me. Now it is clear. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: It's time for PGP to die.
On 16.08.2014, Kristy Chambers wrote: Sorry for that crap subject. I just want to leave this. [] The use of PGP/GPG depends entirely on the respective needs and and context. For me, it has been working perfectly in many years, and thus, what's described in this article is a good example for theory which doesn't affect practice. At least in my case. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: It's time for PGP to die.
On 17.08.2014, da...@gbenet.com wrote: Leaving aside the issue of how popular encryption of mail is - we are faced with the fact that 98 per cent of computer users are completely ignorant about software and hardware. They just go into PC World and buy what they like. Looking around where I live and work, nearly nobody is even able to install Windows itself, and software installation is mainly done by IT specialists. I agree that this phenomenon is caused at least halfways by ignorance. How would these people ever be able to use GPG? The anwer is: they would if they would care - but they don't. I've got nothing to hide, so why bother? (*). These people won't use GPG, even if they were capable to do so. Even in the light of the recent spying on the privacy of the general public. I've got nothing to hide, so I can be sure that they didn't that to me. You won't change those peoples attitudes and perception - ever. We make an effort - but I have very very few friends that I have had to install gnupg on their computers - every one I know knows nothing about computers. While we are concerned with our rights to private communication - concerned with NSA GCHQ 99.99 per cent of the world's population while having a general or non-existent idea of security have no idea of what they should do. We fiddle while Rome burns. I'm afraid this won't change. After 20 odd years while there has been advances in cryptography and GUIs there has been an almost zero growth in take up. This is a global phenomenon wrt the information society. Knowledge as a capacity for action has never worked. The know-do gap, failing in getting evidence into action, is well documented (**). No wonder Yahoo and Google (who can not be trusted) are providing solutions to end users who are completely ignorant. Giving the people what they want is a common marketing strategy. This is not about security, it's all about binding the customers. Time to die? Not for me. Never. I appreciate to be able to have at least a little bit of privacy when communication via the Internet. Even if the use of GPG encrypted email is limited to 4-5 persons. It's worth every word written, in every email. The implications for security and intelligence services are a real head ache but who cares!! I also care about the personnel working for my uplink who is tempted to snook in other peoples email. Some countries do not allow encryption by law and those that do will change their laws to have access to All private keys or face long term jail sentences. They fear their own population, because they lie and misbehave. Unfortunately, this is nothing new either. GNUpg would have a great future if the developers had greater vision. We are in a very very tiny minority of people. So small we are insignificant. The use of gpg will die out because we are ALL getting a bit long in the tooth. It won't. At least not for me. We (= the people using it) have never been more. I'm quite sure this won't change. Service providers will make their own solutions available simply as an added end-user benefit but without any legal binding on their own security. We know that the NSA and GCHQ would be horrified by the thought of every one in the entire world encrypting their emails. Provider encryption is useless if you don't trust your provider. It's like letting your private key get handled by somebody else who does the decryption for you. The fact is 99.99 per cent of the world's population does not know gnupg exists. Or GPG4WIN. Perhaps when we are all in our 90's we will say Oh gpg was a good idea, pity it did not catch on. And that's where the big providers like Go*gle and Yah*o step in. Wonder why they exactly came on with that after Snowden (and others) blowed the whistle? Now, at least some are frightened they could be a target for spying and surveillance, and the big providers give them what they need... Just my 5ø. (*) http://tinyurl.com/45xpmjr (**) http://www.inco.hu/inco3/kozpont/cikk0h.htm ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [openpgp] SHA-2 support should be mandatory – change defaults
On 13.08.2014, Johan Wevers wrote: Most people, inclusing me, have stopped using it. However, I still have a lot of mail archives from those days. Removing support would mean I have to start using pgp 2 again to access them. Or the most recent version of gnupg with support for those mail archives.. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: checking created signature failed: Bad signature
On 05.08.2014, Peter Lebbing wrote: I'm sure pictures can be found, although I'm not sure blown capacitor is the correct English term... in Dutch we say geplofte condensator, and I never discussed the issue in any other language ;). Blown capacitor is the correct term, and has widespread use. Actually, most of the capacitors do not blow, but the electrolyte inside the aluminium/metal can dries out after the pressure relief ventil on top of them has opened due to a failure (to avoid blowing). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where to save passphrases?
On 28.07.2014, Bob (Robert) Cavanaugh wrote: It is a pain to re-enter the passphrase, but is required by our threat model. Maybe a smartcard could be the solution. After you have installed your key on the card, only a numeric PIN is required, which is MUCH easier to enter frequently. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where to save passphrases?
On 26.07.2014, Sudhir Khanger wrote: Or does that again fall in risky behavior category? Only you can answer this question, because the answer depends entirely on your thread model. How big is the danger of your passphrase getting stolen when kept in memory? Are there others which have physical access to your machine? Is there swapspac which the passphrase could be dumped into? Does the (any) risk increase because gpg-agent holds the passphrase over time? Is it worth the risk, matched up against the drawbacks? Only you can know. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where to save passphrases?
On 26.07.2014, Peter Lebbing wrote: If an attacker has physical access, you've lost; game over. Yes. But it must not neccessarily be an attacker. It's e.g. quite common that members of a familiy share a computer. It would be less likely that one of them installs malicious software on it. But it can have some serious sideeffects if somebody else than you e.g. could read your encrypted email, because all he/she has to do is to click on it (because the passphrase is still cached). It entirely depends. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Mutt: Decrypting inline gpg format directly
On 21.07.2014, Werner Koch wrote: IIRC, I implemented that about a decade ago. Simply put set crypt_use_gpgme into your ~/.muttrc. Besides that this requires mutt to be compiled with --enable-gpgme, it never worked for me. The inline gpg/pgp mail is just showed as plain text. Anyway, nobody really wants inline pgp email either, so I'm just happy with my simple procmail rules. Thanks, Mathias, for your improvements! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Mutt: Decrypting inline gpg format directly
On 18.07.2014, The Fuzzy Whirlpool Thunderstorm wrote:
I wonder if Mutt can be configured to decrypt inline pgp messages
automatically, without piping the attachment to `gpg --decrypt`.
You can't. Put this into your .procmailrc. It'll transform your inline
pgp mails accordingly:
:0
* !^Content-Type: multipart/encrypted
{
:0 fBw
* ^-BEGIN PGP MESSAGE-
* ^-END PGP MESSAGE-
| formail \
-i Content-Type: application/pgp; format=text;
x-action=encrypt
}
:0
* !^Content-Type: multipart/
{
:0 fBw
* ^-BEGIN PGP SIGNED MESSAGE-
* ^-BEGIN PGP SIGNATURE-
* ^-END PGP SIGNATURE-
| formail \
-i Content-Type: application/pgp; format=text;
x-action=sign
}
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Revocation certificates [was: time delay unlock private key.]
On 24.01.2014, Leo Gaspard wrote: Actually, this is something I never understood. Why should people create a revocation certificate and store it in a safe place, instead of backing up the main key? Because a backup only makes sense when it's stored in a diffrent place than the key itself: With every backup you create, you have one place more you'll have to keep secure, and doubled the chance that your key can be accessed. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Duplicating smartcard
On 10.11.2013, Alexander Truemper wrote: But if I run 'gpg --export-secret-keys' for my keys, it actually seems to export the private keys according to pgpdump. How can this be? (I see no smartcard activity on the terminal and no PIN is asked) It's not the real secret key, but the stub which points to it which gets exported. So don't panic :-) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 04.11.2013, MFPA wrote: GPG - keeps the XXX from your door! :-) [Replace XXX with any three letter agency of your choice] Is that actually true, rather than bringing you to their attention? It depends. My key is publically available, with my current email address in it. Thus, anybody knows that I'm using gpg from time to time, at least those who are interested to. But that doesn't mean that I'm encrypting information which could be of importance for a three letter agency. In fact, I'm much more concerned about all the people sitting in-between (e.g. provider employees etc.) who could use content of my emails to spam on me or to sell it to advertisers and the like. After all, I have a private life.. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 02.11.2013, Sam Tuke wrote: Research would definitely be helpful. There are many well written guides, video tutorials, and even e-learning courses on how to setup GPG however, and some applications make it very easy. When you think of the common windows user who solely wants to double click on install.exe and send encrypted mail after it finished: are these people aware of those applications? While technical complexity is undoubtedly a problem, a huge number of technically proficient people are not using GPG simply because they aren't aware of its existence or importance. At least, that's what my own experiences tell me. Now that you have the NSA scandal and the mass media have done its job, you have a perfect growing place to start an awareness campaign :-) So what do people want? Either they give a shit in the NSA and have nothign to hide, or they want to encrypt just everything. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 30.10.2013, Sam Tuke wrote: I'll collect them and pick the best for use now and in future. GPG - keeps the XXX from your door! :-) [Replace XXX with any three letter agency of your choice] ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 30.10.2013, Sam Tuke wrote: I'm working with Werner to promote GnuPG and raise awareness. Just my 5ø: Raised awareness does seldom lead to change (just as knowledge and attitudes). Before developing a strategy on promoting the use of GPG, the barriers which prevent people from using it should be explored and fed back into the implementation strategy. Maybe some principles from social marketing (insight, exchange..) would fit as a good starting point for a campaign. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2048 or 4096 for new keys? aka defaults vs. Debian
On 25.10.2013, Sylvain wrote: Is this zealotry on the Debian front, or something to update in gnupg? It's a matter of taste, and there are arguments both for and against. In my case, having a 4096 bit key has no major drawbacks, so I'm using one. If you trust gpg, you can safely trust the standards Werner and the other developers have pre-defined for us. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Question about a perfect private Key store for today's environment
On 22.09.2013, Aleksandar Lazic wrote: What could be a perfect or at least a very good storage of the private Key. Spend a little bit money and buy you a smartcard and a reader. Then, boot a machine without internet connection from an USB-stick or CD/DVD with some live version (e.g. http://www.sysresccd.org ), generate a fresh key pair and install it on your smartcard. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: NSA backdoors and Set Preferred Cipher
On 07.09.2013, Mike Acker wrote: based on recent revelations we should probably not use any commercially offered cipher Define commercially used cipher. I don't think the crypto ist the problem or the solution. Prism is mostly about traffic analysis, which is not significantly affected by encryption. The weakest link is most probably a flaw in the crypto environment which can be exploited, or backdoors already placed in the binaries/source code. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 06.08.2013, Jean-David Beyer wrote: I thought I posted to gnupg-users list. I was making a remark to a previous post. I was not filing a trouble report, and do not think I was even addressing the issue of piracy. Put something like this in your mailfilter (this is procmail): :0 * ^From:[ ]+.*@teamspeakusa\.com) /dev/null ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Successful experiment boosting the number of users using OpenPGP verification for file download
On 02.08.2013, Doug Barton wrote: However, what you really want to encourage is the verification of the signature (ignoring the bootstrapping problem for the moment), and even forcing people to download the signature file won't do that. Enforcing something to people mainly results in the opposite of what you want them to do. In fact I would argue that the only folks interested in verifying the signature already do that You can't know. There can be people who download the sig but doesn't manage to get it checked afterwards. Quality improvement should both target these and all the others who don't bother. Show them why it is important, how they could be affected of the negative consequences of not checking the signature. And show them how they can do that. and that any increase in downloads of the signature files is statistically meaningless. There is no such thing as statistically meaningless. A difference can be statistically significant (it's unlikely the result occured by chance) or non-significant (it's likely that the results you observe is due to natural variation/chance). What you mean is that the increased download rate isn't relevant (because it's flawed by the fact that downloading the sig doesn't indicate that is has been checked) ;-) You can only find out if an increased download rate is related to an increased signature check if you ask the downloaders themselves. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Successful experiment boosting the number of users using OpenPGP verification for file download
On 31.07.2013, adrelanos wrote: Downloading a signature doesn't imply, the user successfully managed to use OpenPGP verification or that the user couldn't be tricked or just ignored an invalid signature error message. And therefore, these numbers are without meaning. While there is evidence that reminders can have a slight impact on quality improvement, it would be a lot more effective to explain to the downloader what could happen if he/she does NOT check the signature before using the downloaded software (*). This should come with an easy instruction how to do that. I'm quite shure that would boost the number of downloaders who actually check the signature. (*) This has been used i a variety of different quality improvement strategies, with moderate to great effect (e.g. the health belief model, social marketing..). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG and Thunderbird
On 26.07.2013, dyola wrote: I am confused. I have also downloaded gnupg-2.0.20.tar.bz2, but I cannot open it. You downloaded the Linux version of gnupg. As far as I know, the right site to download gnupg for Windows from is gpg4win.org . ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple email addresses - any alternative to ask everyone to sign all my keys?
On 24.07.2013, Philipp Klaus Krause wrote: I do not trust the computer at university with the secret key used to decrypt my private mail. [] Still, I want to be able to read any encrypted mail sent to my unversity addresses on the computer at university. And I want to use encryption, since the mails might contain sensitive information, such as exams, grades, etc (and the mail servers are maintained by students). You can't have security on a machine which is out of your control. If others have physical access to your machine at university, what you want isn't possible. They could simply install a keylogger or other monitoring. (Btw: here in Norway, the results of your exams are never sen2d via email. They get send to you via a specially designed website (StudentWeb) which you can connect to providing your identity number and using encryption. Here's an example, choose one: https://www.studweb.no/ ) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple email addresses - any alternative to ask everyone to sign all my keys?
On 24.07.2013, Philipp Klaus Krause wrote: How else would others know that the key they use to encrypt is mine They would know if they would check your identity. and assume that only I can decrypt it? Most people would silently assume that, if they had checked your identity and concluded with that it's actually you. Nobody can be shure for a 100%, though.. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple email addresses - any alternative to ask everyone to sign all my keys?
On 24.07.2013, Mark H. Wood wrote: Absolute security isn't possible. Any machine you are not shackled to is sometimes out of your control. It depends. In my workingplace, nobody can access my own machine physically. I don't claim that there will be 100% security, though. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple email addresses - any alternative to ask everyone to sign all my keys?
On 23.07.2013, Philipp Klaus Krause wrote: Of course it is annoying to have to ask everyone to sign three keys - after all they are all my keys, and the people I ask to sign my key all get to see the same passport. Is there a better alternative? Create/use one key, and add all the different addresses. I do not consider my university computer safe enough to trust it with the private key for my private mail. In this case, why should anybody else trust in the integrity of your identity? If you don't trust this machine, revoke the key and don't do anything confidential on/with it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG keys for multiple email accounts
On 07.07.2013, Hauke Laging wrote: Even with the default settings a 19-digits passphrase (upper and lower case ASCII letters and digits) is as hard as AES (without flaws). When you take all printable ASCII-chars as headroom, with B = entropy in bits L = length of the passphrase P = amount of possible chars (headroom) then B = (L*log P / log2) will calculate your passwords entropy in bits. Your 19-chars password accounts for 124 bits of entropy, which is nearly half of AES-256's strength (there are P^L different passwords). One assumes that in most cases, trying 50% of all possible passwords will lead to success). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG keys for multiple email accounts
On 07.07.2013, Robert J. Hansen wrote: A keyspace of 2^124 is nowhere near half of 2^255; it's not even particularly close to the square root of 2^255. Thanks for clarifying, you are (of course) right. Didn't think for a second before posting :-( However, I wanted to demonstrate the relationship between the length/keyspace of a password and the cryptography actually used. Or the other way 'round: why use (waste?) a lot of bits on cryptography when it's much easier to bruteforce the password itself? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG keys for multiple email accounts
On 07.07.2013, Robert J. Hansen wrote: Nobody with two brain cells to rub together is going to try brute-forcing either the crypto or your passphrase. This very much depends on how important the encrypted information is considered to be. However, I agree that most probably no one is especially interested in *my* passphrase :-) Further, who cares if the number of bits in different parts of the system aren't balanced? For some ciphers (incl. AES), a smaller key size means faster. While this doesn't matter for a reasonably fast desktop system, it can play a role for a lot of small computers and laptops running an Atom or AMD E processor. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG keys for multiple email accounts
On 06.07.2013, atair wrote: I want so set up a GnuPG infrastructure for my (lets say) 20 email accounts. Keep it simple: You create *one* keypair and add all email-accounts to it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How do I make the private key on a OpenPGP smartcard non exportable ?
On 20.06.2013, Henry Hertz Hobbit wrote: Try the backup from GPA's menu. I doubt you will get anything that can be exported. If you get a backupg.gpg (or similar), then try importing your secret keys onto a second system with GPGWIN installed. The thing is, if there's a command to export the private keyring, you're hosed. Somebody who has access to your machine could simply install his own software. Besides: what would you do if you had discovered that somebody had gained root-access to your machine? I bet you would use your revocation certificate anyway. Let's say your machine gets infected. Let's also suppose that a key logger has been installed. Then, your PIN and passphrase is known to the adversary, and you're f*cked up. The whole point with a smartcard is that it's a lot easier to memorize the PIN than a long and complicated passphrase, and that the private key can't be exported. If it can, there's no need for a smartcard. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How do I make the private key on a OpenPGP smartcard non exportable ?
On 18.06.2013, NdK wrote: If the key is generated on-card, you have no way to backup it. No need for unexportable flag: simply there's no command to export it. And if the key is generated off-card and properly moved to the smartcard afterwards, there's no way to export it either. It's only the stub which points to the smartcard left on disk. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A safe text editor // why??
On 11.09.2012, Peter Lebbing wrote: The only sure-fire remedy against a temp file that got deleted is a full wipe of the partition the file was on, as far as I know. You can mount /tmp and the various other tmpfiles to memory. That's what I do (not for security reasons, but to have the tmp stuff deleted on reboot). I have done this one time or another. I knew I wanted to edit some document which would or might end up on my hard disk, but I absolutely wanted it kept safe. So I made a full image of the hard disk (every single byte of the hard disk), edited the file, then restored the full image, every single byte of it. If this makes sense for you, you could easily edit your file, save it somewhere where it is secured, delete it on the harddisk and fill the unused space with random noise via dd or similar. It's a lot of work, but by far easier than what you did. Why don't you just boot from USB-stick or DVD, edit your file, save it away and reboot? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
On 28.08.2012, No such Client wrote: I simply chose to keep my name private. Surely, on a public, crypto mailing-list, with all sorts of interesting people, the idea of privacy would be understood no? real names or pseudonyms should be quite irrelevant.. Is it not the content that counts? My personal opinion on this topic is: I don't care about realnames. I'm posting with my realname in the From: header, but does anybody know that this name really belongs to me? (It actually does, but nobody can know this for shure). So where's the difference between No such Client and my realname? Or your realname? Or the realname of anybody else? :-) Just my 5ø. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OpenPGP smartcard, how vulnerable is it?
Hi, if someone gets physical access to an openpgp smartcard, where is the weakest spot in the whole scenario then? Can the contents of the card be copied, e.g. to circumvent the limited possibilities entering the correct PIN / admin-PIN? Can the secret key be extracted to brute-force the PIN / passphrase? Reverse engineering?! What else?? Me thinking: using this smartcard and a 10-digits PIN should be more than sufficient, because the attacker has only three chances to get the PIN right, and in case of a 10 digits PIN will he/she be quite unlikely to succeed. (The passphrase itself may be a 50 chars random concatenating of numbers, letters and special chars). What am I missing? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP smartcard, how vulnerable is it?
Hi David, On 15.08.2012, David Tomaschik wrote: [] Thanks for answering. There's no thread model so far - and I'm quite shure that I'm not a target for any security agency :-) The background for my question is simply what's in it for me if I use such a card. Will the benefits outweight the drawbacks, and what are in fact such drawbacks, if there are some? Frankly, I find it very convenient to be able to use a simple PIN for nearly all operations, and not the long and compilcated passphrase. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: KeePass or any other password wallet to store and transport keys
On 26.07.2012, Ben McGinnes wrote: Also, if you had to pick one of those three, which would you choose (for general purposes rather than a specific threat model and ignoring the possible speed differences between AES and Serpent)? As far as I know, none of those three is broken. So if neither your security concept nor the algorithms speed matters: using Occam's razor, I would suggest use the one which is preinstalled/predefined in your distribution. If it's none of those three, use the one which is easiest to set up / to use for you. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: KeePass or any other password wallet to store and transport keys
On 26.07.2012, Faramir wrote: That's security through obscurity assuming the other one won't know where to search for the key, which is not stored with the right extension or in the most common place. Not right, if your secret key is protected by a passphrase (or strong password), it doesn't matter if the attacker know where to find it. It does matter. Because the software which has generated the key can be flawed, and thus can have generated a flawed key. Nobody has to know about such flaws, it's quite likely that an attacker chooses not to publicate information about that, with the effect that he/she can use the security hole longer (maybe forever). If it's reported, it will be fixed immediately. Actually, the attacked is very likely to know where it is, since probably it will be at the default folder. This is why smartcards exist. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: KeePass or any other password wallet to store and transport keys
On 25.07.2012, Faramir wrote: Clearly I'm out of my league there. I had heard about that, but later I also heard about stacking different algos (with different keys of course) to increase security. What's the model of threat in your case, actually? Usually, the crypto algorithm isn't the weakest part in the whole scenario, and stacking different algorithms will therefore not make any sense at all. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: US 11 Circ: 5th Am. passphrase demands
On 25.02.2012, Gregor Zattler wrote: obviousely not: http://www.crypto.com/blog/wiretap2010/ this blogpost says that the 2010 US wiretap report says there were zero cases where encryption blocked access for state agencies to interesting data. As far as I can see, this article totally lacks any evidence of proof for its statements... ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with GPG
On 10.08.2011, MFPA wrote: The output from gpg --dump-options shows that both spellings are valid (for v 1.4.11 at least). Yes, now I see it, after you mentioned it. However, the manpage doesn't know about armour, and that was the motivation for my mail. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with GPG
On 08.08.2011, Werner Koch wrote: echo | /usr/bin/gpg --batch --sign --armour --clearsig --passphrase-fd 0 $1 gpg --batch --sign --armour --clearsig --passphrase-fd 0 --yes -o $1.asc $1 Shouldn't this be --armor (and not --armour)?! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]
On 27.09.2010, Vjaceslavs Klimovs wrote: 2048 bit keys are suitable - it's user+sys what matters in this case, but not real by all means, as that includes waiting for passphrase input too. Hmm, maybe I miss the point, but hey, we're living in the age where dual- and quadcore processors are as common as our daily bread, who cares about 1 second? Regarding an ARM or any other tablet pc, it doesn't really matter eiter, does it? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED)
On 23.07.2010, Grant Olson wrote: Just keep in mind that if you're not encrypting the whole disk, your sensitive data can leak to /tmp and swap. I'm only bringing this up because it seems like you've taken some elaborate steps to protect your data. I second that. Besides, holding a GPG encrypted keyfile on unencrypted space to open a LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot process by entering the correct passphrase, to finally open the LUKS/dmcrypt secured device seems broken to me. Why not just use the same secure passphrase for the LUKS keyslot directly, instead of using a keyfile? Seems a little bit like security by obscurity to me.. (Malte: I hacked a lot on the opensuse bootscripts related to LUKS/dmcrypt in the last 2 years, if you need to customize your system in such a way that is not possible to achieve with the opensuse installer, feel free to drop me a note) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On 09.01.2010, RobertHoltzman wrote: Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines. Then you get the contingent that sats I have nothing to hide. What I've encountered is that lots of people answering that way do not actually mean what these words say, but use them as a way to avoid saying the truth: I'm not able to install such software, I can not understand how this works at all, it seems way too complicated to me, and I do not want you to know that I do not even understand the slightest bit at all of what you're talking about :-) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On 07.01.2010, Mario Castelán Castro wrote: I think the WoT and in general the cryptography is not widely used because few people really care about their privacity. I think the overall stats for people using cryptography is that low because it is or seems too complicated for them. A lot of people in the world do not even know how to install Windows, and a whole lot of people even can't install programs on their computers properly. This is not meant in a discriminating way at all, this is the real life. Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Algorithm used to encrypt
Hi, seems I'm just too stupid today to find what's maybe obvious: given an ascii armored gpg encrypted file, how can I find out what algorithm has been used to encrypt the file? Thanks, Heinz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.0.13 released
On 05.09.2009, Werner Koch wrote: The devolpment package is missing; i.e. the file pth.h . The developement package was installed, but I found out that opensuse compiles their packet with --disable-static --with-pic --enable-optimize=yes --enable-pthread=no --with-gnu-ld One or more of these options collide with the gnupg build. After a manual compilation of pth with the defaults, all went ok. Didn't try to figure out which ones were the cause for the build failure. So if anbody feels like having gnupg-2.0.13 installed on the latest opensuse, here are the facts :-) Thanks Werner for your help! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.0.13 released
On 04.09.2009, Werner Koch wrote: We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.13. [] I'm unable to compile this version on my system. The configure script bails out with the following message: [] checking for nl_langinfo and THOUSANDS_SEP... yes configure: checking system features for estream configure: *** *** It is now required to build with support for the *** GNU Portable Threads Library (Pth). Please install this *** library first. The library is for example available at *** ftp://ftp.gnu.org/gnu/pth/ *** On a Debian GNU/Linux system you can install it using *** apt-get install libpth-dev *** To build GnuPG for Windows you need to use the W32PTH *** package; available at: *** ftp://ftp.g10code.com/g10code/w32pth/ *** configure: error: *** *** Required libraries not found. Please consult the above messages *** and install them before running configure again. *** Both 32 and 64 bit pth is installed, and pointing configure to the libs using --with-pth-prefix=PFX doesn't help either. liesel:# ls -l /usr/lib64/libpth* -rw-r--r-- 1 root root 598616 2008-12-03 12:00 /usr/lib64/libpth.a -rw-r--r-- 1 root root 1677386 2009-02-22 12:23 /usr/lib64/libpthread.a -rw-r--r-- 1 root root4796 2009-02-22 12:32 /usr/lib64/libpthread_nonshared.a -rw-r--r-- 1 root root 222 2009-02-22 12:23 /usr/lib64/libpthread.so lrwxrwxrwx 1 root root 17 2009-05-18 20:17 /usr/lib64/libpth.so - libpth.so.20.0.27 lrwxrwxrwx 1 root root 17 2009-05-18 20:17 /usr/lib64/libpth.so.20 - libpth.so.20.0.27 -rwxr-xr-x 1 root root 101840 2008-12-03 12:00 /usr/lib64/libpth.so.20.0.27 liesel:# ls -l /usr/lib/libpth* -rw-r--r-- 1 root root 401812 2008-12-03 06:02 /usr/lib/libpth.a lrwxrwxrwx 1 root root 17 2009-09-04 19:57 /usr/lib/libpth.so - libpth.so.20.0.27 lrwxrwxrwx 1 root root 17 2009-09-04 19:57 /usr/lib/libpth.so.20 - libpth.so.20.0.27 -rwxr-xr-x 1 root root 100444 2008-12-03 06:02 /usr/lib/libpth.so.20.0.27 Does anybody know what's wrong here? Thanks, Heinz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: DH/DSS vs ElGame/DSS?
On 25.04.2009, David Shaw wrote: Plus, both the GnuPG implementation and the PGP implementation are available for review by anyone who wants to look at them. (PGP isn't open source of course, but you can still get the source for review). The PGP 9.xx sourcecode you can obtain from the PGP website doesn't even compile, so doin' a review on it IMO isn't worth a f*ckin' shit.. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
