encryption?

chris

Mar 27, 2010, 12:58:42 PM
to DataStorageUnit
I'm a potential new user of this service and I've done some research
into how to use encryption. I'll admit that I'm still a bit lost as
how to do it.

My goal is to use the strongest encryption available. I'm familiar
with AES and DES from my dealing with SSL at work but I'm not sure how
or what to use with gpg. From what I've read about duplicity, it looks
like something I'd be interested in. Therefore, I'm currently working
on testing my options before I commit to the service.

I installed gpg, gpg2, duplicity & GNU Privacy Assistant. My first
task is to create a key. I created a key using GNU Privacy Assistant
and it used elgamal 1024. Is that the best it offers? It only lists
elgamal, DSA and RSA. Where is AES?


Then there's encfs. I don't know what advantages or disadvantages to
either way and I'm kinda stuck at this point. Any help would be
greatly appreciated.

thanks,

chris

Martin Larsen

Mar 27, 2010, 3:19:20 PM
to datasto...@googlegroups.com
Hi Chris,

I don't have any experience with either duplicity or gpg, and I don't
know much about the different encryption ciphers.

But I use encfs with great success. By far, the most efficient way to
use it is to create and mount the encrypted folder directly on the
server as encfs is installed and ready to use on it. However, if the
server is compromised while the folder is mounted, someone else could
access your data.

Therefore you can also choose to mount the remote folder locally and
then mount it (again locally) with encfs. This is 100% safe (unless your
own system is compromised) but to me it appears much slower. One of the
reasons is probably that rsync's (which I use) compression and delta
algorithm is far less effective on encrypted data.

Since my data is really not top secret, I simply mount it with encfs
remotely on the server, do the backup and unmount it again. To me,
having a slow upload speed, efficiency is more important than security
given the characteristics of my data.

Yet another option would be to use truecrypt on the locally mounted folder.

Martin

knnniggett

Mar 28, 2010, 1:16:24 PM
to DataStorageUnit
I took a 30 second tour of GPG since I had never heard of it. Maybe
I'm wrong about this but it seemed that encfs does the same thing that
gpg does. However, encfs does it transparently... because of the way
encfs works you don't have to issue an encrypt/decrypt command anytime
you want to encrypt/decrypt a file.

Like Martin, I don't know a whole lot about the differences in
different types of encryption. When I use encfs, I just stick with
the default AES and a 192 bit key size. Here are two "canned"
settings that encfs provides:

Standard mode uses the following settings:
Cipher: AES
Key Size: 192 bits
PBKDF2 with 1/2 second runtime, 160 bit salt
Filesystem Block Size: 1024 bytes
Filename Encoding: Block encoding with IV chaining
Unique initialization vector file headers

Paranoia mode uses the following settings:
Cipher: AES
Key Size: 256 bits
PBKDF2 with 3 second runtime, 160 bit salt
Filesystem Block Size: 1024 bytes
Filename Encoding: Block encoding with IV chaining
Unique initialization vector file headers
Message Authentication Code block headers
External IV Chaining

You probably understand the above parameters better than I do. All I
know is more bits are better.
You can of course create your own configuration if neither suits your
needs.

Here are the stated disadvantages of encfs:

* Meta-data: Meta-data remains visible to anyone with access to
  your encrypted files. This means that Encfs does not encrypt or
  otherwise hide the following information:
    o The number of files you have encrypted
    o The permissions on the files (readable, writable, executable)
    o The size of each file
    o The approximate size of each filename (to within 16 bytes
      using AES, or 8 bytes using Blowfish)

Before I stumbled across encfs, I too looked into duplicity. The
thing with duplicity is that, if you want to avoid having to restore
many differential backups after losing your data, you have to
routinely create new, full backups. For me, a full backup literally
takes a month of continual uploading so that was out of the question.
I also vaguely recall a thread in the duplicity forum that
acknowledged that, if one of the differential backups in your chain of
backups was bad, you would be unable to restore any backups made after
the faulty backup.

Chris, as you have found out, there is quite a bit of information out
there which unfortunately can make it difficult to arrive at the
"best" solution for your needs. While I'm not trying to claim that
anything other than encfs won't work well for you, what I'm trying to
convey is that, during my own personal quest, I kept arriving back at
encfs as being the best solution for what I needed.

Hopefully I have provided enough information in a way that helps you
make your own decision.
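The "PBKDF2 with 1/2 second runtime, 160 bit salt" line in the encfs settings above means the passphrase is stretched with PBKDF2 and the iteration count is chosen by measuring how long the machine takes, rather than being a fixed number. The following Python script is an added illustration of that idea and is not encfs code or anything from this thread: it calibrates an iteration count against a wall-clock target, then derives a 192-bit (standard) or 256-bit (paranoia) key from a passphrase and a random 20-byte salt. The choice of HMAC-SHA1 as the PRF, the probe size and the floor of 1000 iterations are this example's own assumptions; real encfs also derives IV material from the same stretched output, which this script leaves out.

```python
import hashlib
import os
import time

# Parameters taken from the encfs "canned" settings quoted in the thread.
SALT_BITS = 160            # "160 bit salt"
KEY_BITS_STANDARD = 192    # standard mode
KEY_BITS_PARANOIA = 256    # paranoia mode
RUNTIME_STANDARD = 0.5     # "1/2 second runtime"
RUNTIME_PARANOIA = 3.0     # "3 second runtime"

PRF = "sha1"               # assumption for this example; not taken from the page


def new_salt() -> bytes:
    """Fresh random salt of the size the encfs settings quote (160 bits)."""
    return os.urandom(SALT_BITS // 8)


def calibrate_iterations(target_seconds: float, salt: bytes,
                         probe_iterations: int = 20_000) -> int:
    """Pick a PBKDF2 iteration count that takes about target_seconds here.

    Runs a fixed-size probe, measures it, and scales linearly. The floor
    of 1000 is an arbitrary safety margin chosen for this example.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(PRF, b"calibration-probe", salt, probe_iterations, 24)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:                      # clock too coarse; keep the probe size
        return probe_iterations
    return max(1000, int(probe_iterations * target_seconds / elapsed))


def derive_key(passphrase: str, salt: bytes, iterations: int, key_bits: int) -> bytes:
    """Stretch the passphrase into a key of key_bits length (AES-192 or AES-256)."""
    return hashlib.pbkdf2_hmac(PRF, passphrase.encode("utf-8"), salt,
                               iterations, key_bits // 8)


def setup_volume(passphrase: str, paranoia: bool = False) -> dict:
    """Model the one-time volume setup: choose salt, calibrate, derive the key.

    In a real system the salt and iteration count are stored in the volume
    header (encfs keeps them in its config file); the key never is.
    """
    salt = new_salt()
    target = RUNTIME_PARANOIA if paranoia else RUNTIME_STANDARD
    bits = KEY_BITS_PARANOIA if paranoia else KEY_BITS_STANDARD
    iterations = calibrate_iterations(target, salt)
    key = derive_key(passphrase, salt, iterations, bits)
    return {"salt": salt, "iterations": iterations, "key_bits": bits, "key": key}


if __name__ == "__main__":
    vol = setup_volume("correct horse battery staple")   # constructed passphrase
    print(f"salt={vol['salt'].hex()} iterations={vol['iterations']} "
          f"key_len={len(vol['key'])} bytes")
```

The practical point is that an attacker who copies the encrypted tree also gets the salt and iteration count, so the only thing slowing down an offline guess of the passphrase is that iteration count; calibrating to a longer runtime, as paranoia mode does, raises the cost of each guess on hardware similar to yours.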
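To make the "stated disadvantages" list concrete, here is an added Python model (not part of this thread and not encfs code) of what someone with read access to the encrypted directory can still learn: the file count, each file's permissions and exact size, and each filename's length rounded up to the cipher block (16 bytes for AES, 8 for Blowfish). The sample directory listing is constructed for the example, and rounding to the next block boundary is a simplification of encfs's real filename encoding, which adds a few checksum bytes before padding.

```python
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple

AES_BLOCK = 16        # "to within 16 bytes using AES"
BLOWFISH_BLOCK = 8    # "or 8 bytes using Blowfish"


@dataclass(frozen=True)
class PlainEntry:
    """One plaintext file: what the owner sees through the mounted view."""
    name: str
    size: int
    mode: int   # permission bits, e.g. 0o644


def padded_name_length(name: str, block: int = AES_BLOCK) -> int:
    """Length of the name after padding to a whole number of cipher blocks.

    Simplified model: encfs block encoding pads the name (plus a short
    checksum, ignored here) to the block size, so an observer learns the
    true length only to within one block.
    """
    raw = len(name.encode("utf-8"))
    return -(-raw // block) * block          # ceiling division


def observable_view(entries: List[PlainEntry], block: int = AES_BLOCK) -> dict:
    """What the ciphertext directory reveals without the key."""
    return {
        "file_count": len(entries),
        "files": [
            {
                "perms": stat.filemode(stat.S_IFREG | e.mode),
                "size": e.size,
                "name_len_upper_bound": padded_name_length(e.name, block),
            }
            for e in entries
        ],
    }


def indistinguishable_names(entries: List[PlainEntry],
                            block: int = AES_BLOCK) -> Dict[int, Tuple[str, ...]]:
    """Group plaintext names that the padded length alone cannot tell apart."""
    groups: Dict[int, List[str]] = {}
    for e in entries:
        groups.setdefault(padded_name_length(e.name, block), []).append(e.name)
    return {k: tuple(v) for k, v in sorted(groups.items())}


# Constructed sample listing for the example.
SAMPLE_ENTRIES = [
    PlainEntry("notes.txt", 1200, 0o644),
    PlainEntry("tax_return_2009_final.pdf", 80_000, 0o600),
    PlainEntry("a", 10, 0o755),
    PlainEntry("backup.sh", 300, 0o755),
]


if __name__ == "__main__":
    view = observable_view(SAMPLE_ENTRIES)
    print(f"{view['file_count']} files visible")
    for f in view["files"]:
        print(f"  {f['perms']}  {f['size']:>7} bytes  name <= {f['name_len_upper_bound']} bytes")
    for length, names in indistinguishable_names(SAMPLE_ENTRIES).items():
        print(f"names padded to {length}: {names}")
```

Running it shows that the small plain-text names all collapse to the same 16-byte bucket while the long one stands out at 32, and that a file's size and mode bits are visible exactly; if the size or the number of files is itself sensitive, the ciphertext directory needs to sit inside something that hides that structure (a single encrypted archive, for instance) rather than on a host others can read.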
