#1 2020-09-13 14:15:16

PsychonauticFreckles
Member
Registered: 2020-09-13
Posts: 2

Few questions about GnuPG

I checked the official wiki, but I am not an expert in tech and the wiki page for GnuPG felt a bit too overwhelming. Regardless, I tried searching for the answers to my questions, but was unable to find anything absolute. Hence, I am forced to ask here. I wholeheartedly thank anyone who takes the time to answer and I do apologize for my naivete.

1. How secure is the GnuPG symmetric encryption? I mean, has it been audited? How is it compared to something like VeraCrypt?

2. Are the defaults good enough for the symmetric encryption? Like can I just run gpg -c file and get the best possible security standard or do I need to pass something like "--s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65536" as mentioned in the wiki?

3. Is it possible to disable creating the .gnupg directory and its files? It saves the password, which is something I don't want.

4. Are the symmetric encrypted files portable? Like, if I create an encrypted file, can I move it to my pen drive and decrypt it on another system?

5. Does the encrypted file contain any metadata about the encryption? Like, if someone grabs the encrypted file, will he be able to decipher whether GnuPG was used for encryption and which encryption algorithms were used?

EDIT: I am talking about the symmetric encryption of GnuPG, not the asymmetric one.

Last edited by PsychonauticFreckles (2020-09-13 15:57:30)

Offline

#2 2020-09-13 15:38:34

GaKu999
Member
From: US/Eastern
Registered: 2020-06-21
Posts: 696

Re: Few questions about GnuPG

1: Depends on the algorithm, an RSA4096 key is usually pretty strong, and of course don't go sharing your private key.

2: You can change some defaults with the .conf files inside $GPGHOME, usually ~/.gnupg

3: No, it's needed, why would you want it to not exist? Do you know how it works? It doesn't save any passwords...

4: Encryption requires public key, decryption requires private key, which is usually password protected, without the private key it's "impossible" to decrypt data.

5: IIRC no, but you may export an encrypted file in different ways, like ASCII armored, probably it has some information to ease decryption with the private key, or key ID, or maybe not and it's just encrypted data.

Edit: my brain went on vacation this Sunday

Last edited by GaKu999 (2020-09-13 16:36:00)


My repos | Some snippets

Heisenberg might have been here.

Offline

#3 2020-09-13 15:56:10

PsychonauticFreckles
Member
Registered: 2020-09-13
Posts: 2

Re: Few questions about GnuPG

GaKu999 wrote:

1: Depends on the algorithm, an RSA4096 key is usually pretty strong, and of course don't go sharing your private key.

2: You can change some defaults with the .conf files inside $GPGHOME, usually ~/.gnupg

3: No, it's needed, why would you want it to not exist? Do you know how it works? It doesn't save any passwords...

4: Encryption requires public key, decryption requires private key, which is usually password protected, without the private key it's "impossible" to decrypt data.

5: IIRC no, but you may export an encrypted file in different ways, like ASCII armored, probably it has some information to ease decryption with the private key, or key ID, or maybe not and it's just encrypted data.

Ummm... I think you missed the "symmetric" part. The questions I posted were about the symmetric encryption, not the asymmetric one.

Offline

#4 2020-09-13 16:43:54

solskog
Member
Registered: 2020-09-05
Posts: 416

Re: Few questions about GnuPG

Well, I can only show you some of the common tasks, so that you get your feet wet. This topic is too hard to grasp so I just learn it as I go:

For symmetric encryption:
$ gpg --cipher-algo AES256 --no-tty --batch --symmetric --output \
    OUTFILE --armor --passphrase-fd 9 9<<<PASSWD INFILE

Decryption:
$ gpg --no-tty --batch --decrypt --no-verbose --quiet \
    --output OUTFILE --passphrase-fd 6 INFILE 6<<<PASSWD

Get keys from keyserver to local database
$ gpg --homedir $homedir --keyserver hkp://keys.gnupg.net --recv-keys 0xBFF2

Verify signature
$ gpg --homedir $homedir --verify $sigfile $file

List keys from your local database using email
$ gpg --homedir $homedir --list-keys "$email"

You can easily create another dozen of these common tasks and they are very handy, but to explain and understand the whole picture requires another level of knowledge. Maybe some of you can? I'll be listening.

Are the symmetric encrypted files portable?

Yes, it's portable. You can even decrypt it from a Windows OS with gpg4win.

Is it possible to disable creating the .gnupg directory and its files?

You will be losing your local key database. You can save your local key database in another encrypted shared folder/disk. A master passphrase can be used to decrypt your database; the passphrase is cached in memory for a short period of time.

Does the encrypted file contain any metadata about the encryption?

If you wish to

$ gpg --hidden-recipient

Last edited by solskog (2020-09-14 02:45:51)

Offline
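
On question 5 (metadata), an added example that is not from any poster in this thread: a file written by `gpg -c` is an OpenPGP message whose first packet, the Symmetric-Key Encrypted Session Key packet (RFC 4880, section 5.3), stores the cipher, the S2K digest, the salt and the iteration count unencrypted. The Python below parses that header from a constructed byte string; the function names and the sample bytes are assumptions made for illustration, and only version 4 packets are handled.

```python
# Added example: read the cleartext header of a `gpg -c` file (RFC 4880, section 5.3).
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def read_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII-armored input first)")
    first = data[0]
    if first & 0x40:  # new-format header: tag in the low six bits
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length not expected for this packet")
    len_type = first & 0x03  # old-format header: tag in bits 5..2
    if len_type == 3:
        raise ValueError("indeterminate length not expected for this packet")
    n = 1 << len_type  # 1, 2 or 4 length octets
    return (first >> 2) & 0x0F, 1 + n, int.from_bytes(data[1:1 + n], "big")


def describe_symmetric_file(data):
    """Decode the fields an observer can read without knowing the passphrase."""
    tag, off, length = read_header(data)
    if tag != 3:
        raise ValueError(f"first packet has tag {tag}, not a passphrase-protected session key")
    body = data[off:off + length]
    if len(body) < 4 or body[0] != 4:
        raise ValueError("only version 4 packets are handled in this example")
    _, cipher, s2k_type, digest = body[:4]
    need = {0: 4, 1: 12, 3: 13}.get(s2k_type)  # simple, salted, iterated+salted
    if need is None or len(body) < need:
        raise ValueError("unsupported or truncated S2K specifier")
    info = {"cipher": CIPHERS.get(cipher, cipher), "digest": HASHES.get(digest, digest)}
    if s2k_type in (1, 3):
        info["salt"] = body[4:12].hex()
    if s2k_type == 3:
        c = body[12]  # one coded octet expands to the real iteration count
        info["s2k_count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info


# Constructed sample: AES256, SHA512, made-up salt, coded count 0x60 (= 65536).
SAMPLE = bytes.fromhex("8c0d0409030a" "0001020304050607" "60")
```

`gpg --list-packets FILE` prints the same fields for a real file.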

#5 2020-09-14 08:14:18

JimDeadlock
Member
From: London
Registered: 2019-03-20
Posts: 83

Re: Few questions about GnuPG

Symmetric encryption is not as secure as using a key. The reason is obvious - anyone can have a go at cracking the encrypted file without a key. It's convenient if you want to pass the file around to other people, or carry it around with you to places where you don't have access to your private key. It's better-than-nothing encryption basically.

Offline
