2

Suppose I have generated a public/private RSA4096 keypair using GPG. Is it secure to use this keypair to encrypt/decrypt documents solely for personal use, i.e., to have an encrypted backup of some very important files of mine? In that case I'd be using something like:

```bash
gpg --encrypt --recipient "<my info>" a_document.pdf

# Then when I need to recover that document:
gpg --decrypt a_document.pdf.gpg
```

Is this a secure practice? Could an attacker recover the original PDF? As a separate note, if they also have the secret GPG key file (but obviously not the passphrase itself) would they be able to recover it?

Would it be better to encrypt using --symmetric?

Until now I was thinking of this practice (encrypting files using a public/private key pair) as perfectly secure (even when somebody has the private key but not the passphrase), but now I'm going through the Coursera Cryptography I course and one of the first points mentioned in the RSA cryptography is to never encrypt the message itself using RSA.

bergercookie

3 Answers

2

It depends on your use case.

From a cryptanalysis point of view, symmetric is theoretically better as long as you have a really strong passphrase, because:

  • GPG encryption with RSA just encrypts the symmetric key which encrypts the actual file. So, there are two potential weak points instead of just one.
  • RSA and many asymmetric ciphers can theoretically be cracked by a quantum computer with enough memory. I am not aware of any quantum computer that can really do that today.

But most likely, those two threats are rather theoretical today. Unless the document needs to be kept secret for a very long time, I would not care too much about them.

From an availability point of view, do you have a backup of your private key? If not, your backup with RSA might be useless. Imagine the storage (HDD/SSD) in your computer is gone. If you lose your private key, any backup encrypted by this private key is useless then. On the other hand, if you have your private key backed up, how secure is the backup of your private key?

From an authenticity point of view: If you just encrypt your file with your public key, an attacker who can modify your storage can create a completely new document and encrypt it with your public key (unless you keep your public key private, which does not make much sense). That implies the file is not protected from modification this way. You would also need to sign it and then verify the signature. I believe the symmetric option handles this fully.

Note that a secure passphrase matters a lot. An attacker can try to brute-force it offline and nothing but their budget and time restricts the number of attempts. This is not a PIN handled by a TPM or an online service that restricts the number of attempts.

v6ak

1

If an attacker was able to recover your encrypted file without the private key, then RSA would be broken, and you'd have much bigger things to worry about than just an encrypted file. If they somehow have the private key (again, you probably have bigger things to worry about if this is the case), they will not be able to use it without knowing the passphrase. That said, if your passphrase is guessable or crackable, they will be able to use it.

What was the specific reason your course said to not use RSA to encrypt a message? The standard reason is largely for performance, as using an asymmetric cipher will perform much worse than a symmetric one. Symmetric cryptography may also be stronger, but not to the point where it should replace asymmetric crypto in practice. The OpenPGP standard and thus GnuPG implements hybrid encryption, meaning your message/data is encrypted with a symmetric cipher, whose key is encrypted with the asymmetric cipher. Even though both asymmetric and symmetric are used, the encryption is only as strong as the weakest link, which is asymmetric, but this is mostly negligible in practice. See this answer for more details.

Personally, asymmetric encryption is more reassuring to me, since an attacker would need to steal the encrypted file, my private key, and my passphrase before being able to decrypt the file, versus just the file and a passphrase (which could be bruteforced if weak). It would also be more cumbersome to deal with multiple passwords for different encrypted files, which leads into the separate issue of password management.

multithr3at3d

0

Although a strong passphrase coupled with a good password hash or - in this case - PBKDF can be secure, often it is not. The reason is that passphrases are commonly just not strong enough. Keeping the private key file secure is therefore highly recommended. If you use just symmetric cryptography then you might be relying on just the passphrase. Furthermore, you need the passphrase both during encryption and decryption now, making your passphrase more vulnerable.

OpenPGP, which GPG implements, specifies a so-called container format. When you encrypt using RSA, you are actually already using hybrid cryptography, where the actual message is encrypted with a symmetric cipher (such as AES in a secure mode). Furthermore, the secret key will also be padded securely. So the dangers that Coursera mentions are not applicable.

All that said, OpenPGP is getting old, and is very due for an update. Using e.g. a NaCl compatible library may be more secure.

Maarten Bodewes
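The hybrid layout described in the last two answers (a session-key packet followed by a symmetrically encrypted data packet) is visible in the OpenPGP packet headers. The following is an added example, not part of any answer and not GnuPG's code: a small packet walker run over constructed sample bytes with a made-up key ID; for a real file, `gpg --list-packets` gives the authoritative view.

```python
TAGS = {1: "public-key encrypted session key",
        3: "symmetric-key encrypted session key (passphrase/S2K)",
        18: "symmetrically encrypted, integrity-protected data"}

def _new_length(data, pos):  # -> (length, next_pos, is_partial_chunk)
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True

def read_packets(data):
    """Yield (tag, body) per packet of a binary (non-armored) message, per RFC 4880 sec. 4."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header (ASCII-armored input?)")
        if hdr & 0x40:                       # new-format header
            tag, body, partial = hdr & 0x3F, b"", True
            while partial:                   # partial body lengths: chunks until a final length
                length, pos, partial = _new_length(data, pos)
                body, pos = body + data[pos:pos + length], pos + length
        else:                                # old-format header; size 0 = runs to end of input
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 0x03, 0)
            length = int.from_bytes(data[pos:pos + size], "big") if size else len(data) - pos
            pos += size
            body, pos = data[pos:pos + length], pos + length
        yield tag, body

def describe(message):
    """One summary line per packet, similar in spirit to `gpg --list-packets`."""
    out = []
    for tag, body in read_packets(message):
        line = TAGS.get(tag, f"tag {tag}")
        if tag == 1:   # version(1) | key ID(8) | public-key algorithm(1) | encrypted session key
            algo = {1: "RSA", 16: "Elgamal", 18: "ECDH"}.get(body[9], f"algorithm {body[9]}")
            line += f" [{algo}, key ID {body[1:9].hex().upper()}]"
        out.append(f"{line}, {len(body)} bytes")
    return out

# Constructed samples, not real gpg output: made-up key ID, zero salt, filler ciphertext.
DATA = b"\xD2\x41\x01" + bytes(64)
PUBKEY_MSG = (b"\x85\x02\x0C\x03" + bytes.fromhex("0123456789ABCDEF")   # shape of `gpg --encrypt`
              + b"\x01\x10\x00" + b"\xAA" * 512 + DATA)
PASSPHRASE_MSG = b"\x8C\x0D\x04\x09\x03\x08" + bytes(8) + b"\xFF" + DATA  # shape of `gpg --symmetric`
print(*describe(PUBKEY_MSG), *describe(PASSPHRASE_MSG), sep="\n")
```

Both messages end in the same kind of symmetrically encrypted data packet; they differ only in how the session key is protected, by the RSA key in one case and by a passphrase-derived key in the other.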