
I want to code a very secure system and I need some answers and help.

Is this secure: encrypting a file so that it can be decrypted with a barcode/QR code that holds the decryption key needed to view it?

I've been thinking of using libsodium and Argon2.

I hold sensitive data in a file that I want to encrypt.

Maybe some advice?


Image: Decryption key stored in barcode/QRCode

KristenL
    The public key to *decrypt*? Are you sure about that? Forget about bar/QRcode, you have a problem before you start. – schroeder May 04 '19 at 21:35
  • The image does not help. Is that a ***public*** key or a ***decryption key***? – schroeder May 05 '19 at 08:17
  • Offline storage of keys on paper is not a bad idea, for example for offline crypto(currency) wallets. However, you are still at risk when you need to use a device and software to scan the key, and of course you also need to protect the printout. So maybe using a smart card (with PIN) is safer (and there are already enough software/hardware solutions for it). – eckes May 05 '19 at 14:32

1 Answer


I want to code a very secure system and I need some answers and help.

Don't. Use some existing system, such as gpg. There's a significant chance that you will make some fatal mistake in how you handle secrets that makes the system insecure.

Is this secure: encrypting a file so that it can be decrypted with a barcode/QR code that holds the decryption key needed to view it?

A barcode or QR code is a red herring. That's simply a way to store data in a machine-readable format. Sure, you can stash a cryptographic key in a QR code, but that would not make it any more secure than storing it on a USB memory stick.

I hold sensitive data in a file that I want to encrypt.

Use well-tested software. If you want to secure data at rest, gpg or encrypting file systems such as BitLocker or LUKS may be the way to go. To secure data in transit, you may want to look at, for instance, GPG, or even just use TLS for the transport channel.

vidarlo
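An added example, not code from the original question or answer, of what the answer's point looks like when written out: the QR code is only a carrier for key bytes, and everything the scheme protects rests on the printout and the scanning device. The answer's advice is still to use gpg; this shows the shape a well-tested-primitive version would have, using Go's standard-library AES-256-GCM in place of the libsodium secretbox the question mentions (the same role is played by crypto_secretbox or crypto_aead_xchacha20poly1305 in libsodium), so it runs with no third-party packages. The function names (newKey, encodeForQR, decodeFromQR, seal, unseal), the base32 choice for the printed payload and the sample file contents are all constructed for this example. Because the key on the printout is random rather than a human-chosen passphrase, no Argon2 step is needed; Argon2 is for stretching passphrases.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"io"
	"strings"
)

// keySize is 32 bytes: a 256-bit key for AES-256-GCM.
const keySize = 32

// qrEncoding is the text alphabet for the printed payload (assumption for this
// example). Base32 without padding stays within characters that QR readers and
// OCR-friendly fonts handle well.
var qrEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// newKey draws a fresh random key from the OS CSPRNG. A random key of this size
// needs no password hashing; Argon2 only matters when the secret is a passphrase.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encodeForQR returns the text you would hand to any QR encoder or write on paper.
// It is only the key bytes in another alphabet: whoever photographs it has the key.
func encodeForQR(key []byte) string {
	return qrEncoding.EncodeToString(key)
}

// decodeFromQR reverses encodeForQR and rejects anything that is not exactly one
// key, so a partial or garbled scan does not silently become a wrong key.
func decodeFromQR(payload string) ([]byte, error) {
	cleaned := strings.ToUpper(strings.TrimSpace(payload)) // scanners add case/whitespace noise
	key, err := qrEncoding.DecodeString(cleaned)
	if err != nil {
		return nil, fmt.Errorf("scanned payload is not valid base32: %w", err)
	}
	if len(key) != keySize {
		return nil, fmt.Errorf("scanned payload is %d bytes, want %d", len(key), keySize)
	}
	return key, nil
}

// newGCM builds the AEAD; this is the only place the cipher is chosen.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key is %d bytes, want %d", len(key), keySize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal decrypts and authenticates. A wrong key (bad scan, wrong printout) or a
// modified file fails the GCM tag check instead of yielding garbage plaintext.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	payload := encodeForQR(key) // this string is what would be printed as the QR code
	fmt.Println("QR payload:", payload)
	// Constructed sample "file contents" for the demonstration.
	sealed, err := seal(key, []byte("constructed sensitive file contents"))
	if err != nil {
		panic(err)
	}
	// Later, offline: scan the printout, decode the key, open the file.
	scanned, err := decodeFromQR(payload)
	if err != nil {
		panic(err)
	}
	plain, err := unseal(scanned, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(plain))
}
```

Nothing about the payload is secret in a way the carrier can help with: protecting the printout, and the device that scans it, is the whole of the scheme's security, which is the answer's point. What the code does add over an ad hoc scheme is failure behaviour: a truncated or misread scan is rejected at decode time, and a wrong key or a modified file fails GCM authentication rather than producing plausible-looking garbage.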
  • I must find a way so that if the Ethernet connection is lost, it can still work fine in the internal network. That's why I thought of storing the decryption key in my pocket (barcode/QR code). – KristenL May 04 '19 at 22:31
  • Please explain your problem in some more detail. If you want to store keys in a secure, offline fashion, you may want to have a look at, for instance, [yubikeys](https://www.yubico.com/), which implement the gpg-card structure, allowing you to store gpg keys in a very secure, uncopyable fashion. I repeat: do not try to dream up your own schemes. – vidarlo May 04 '19 at 22:33
  • Why not create my own security? If I don't share my security code on GitHub and such places, it's somehow harder to access, or am I wrong again? Maybe I can implement a really good secure web system or something. PS: Edited the post and added an image. – KristenL May 04 '19 at 23:04
  • No one stores secrets in GitHub. If you need to store secrets offline, yet readily available, smart cards such as a yubikey are exactly what you need. If you create your own scheme it is more or less guaranteed to leak key material or have other serious flaws. – vidarlo May 04 '19 at 23:09
  • But it is not always offline. I mean, if you have an internal network with an Apache server there, you can still work on the web if the Ethernet connection is lost, so security must also work offline. I want to hold the decryption key with me so it is not stored on the server, in case someone gets into the server or something. Yeah, a yubikey is interesting, but I don't think that's for me. – KristenL May 04 '19 at 23:12
  • What do you plan to use the encryption for? TLS for an Apache server? If so, a yubikey or a similar hardware solution is ***exactly*** what you need to protect key material. It would also be interesting to know what data you are protecting, and against whom, because this makes less and less sense. – vidarlo May 05 '19 at 07:07
  • @KristenL "you can still work on web if ethernet connection lost" - no, no you cannot. If your goal is to have the key in your pocket, why use a barcode/QR code? Why not just write it down? What you have described is already solved by using GPG encryption. How you print out the key is just a matter of convenience, not security. – schroeder May 05 '19 at 08:23