20

My knowledge about these topics is very elementary, please "school me" if I said something completely wrong, it would surely help me understand these things better. Now, to my issue.

Now that I have a laptop and didn't encrypt the entire disk during installation I was looking for ways to encrypt some particular folder or files. I found two different ways to protect the files but I don't grasp the difference between the two: password and a pair of public/private key.

Option 1: I encrypt a file and to decrypt it I have to insert a password, I'm ok with that and understand it.

Option 2: I want to instead use a pair of public/private keys. So I generate the pair and I encrypt the file with the public key. At this point, when I create the private key, I should password protect it, otherwise anyone that has access to my laptop can access and use the key and be therefore able to decrypt the file.

So what's the point of using a private key instead of a password if the private key itself is password protected? Why wouldn't I want to straightforwardly use option 1?

Sorry for my lack of understanding about these topics, feel free to explain it to me like I'm 5.

RenatoRenatoRenato
  • 321
  • 2
  • 6
  • 6
    This doesn’t answer your question, but you should check how much effort it would be to enable full disk encryption now. It’s trivial on a Mac, for example. – Carsten S Jul 17 '21 at 19:35
  • Re @CarstenS comment: on MS Windows as well (right-click on the disk and choose Bitlocker, and **closely** follow the instructions) – WoJ Jul 18 '21 at 16:16

3 Answers3

47

The two options are intended for different use cases.

Option 1 is intended for your use case. It encrypts the file with a key derived from a password, so that only the person who knows the password (i.e. most likely the person who encrypted it in the first place) can decrypt it.

Option 2 is designed so you can share encrypted files/messages with others. The idea behind it is that you can encrypt the file to someone else's public key, send them the encrypted file, and they (an only they) can decrypt it, without the need of establishing a pre-shared secret password/key between the two of you. Additionally, you can sign the file with your own private key, so that the recipient can confirm that the file did indeed come from you.

Of course, you can use this system to encrypt the file to your own key, but as you point out, you would still need a password to decrypt your own private key before decrypting the file (and it would add some (usually negligible) extra computational overhead). Some people might prefer to use this method for encrypting their own files, since it means that, instead of maintaining both systems, they can use the same system for both use cases.

nobody
  • 11,251
  • 1
  • 41
  • 60
  • 7
    Option 2 also means you need the private key file to decrypt the encrypted file. Not *just* the password. – user253751 Jul 18 '21 at 20:34
  • 3
    And specifically a private key file that you can store somewhere else on e.g. an offline usb stick. It's a classic "something you know and something you have" two step authentication vs just "something you know" (which is more vulnerable to the [$5 wrench attack](https://xkcd.com/538/)..). – Luke Briggs Jul 19 '21 at 12:02
  • @LukeBriggs You can use a key file with symmetric encryption too. But if the attacker has a $5 wrench, you'll probably hand over the key file as well. A key file *will* provide protection against shoulder surfing though, but that's about all. If malware is keylogging your password, it can grab the key file too. – nobody Jul 19 '21 at 12:13
  • @LukeBriggs, you could also just store the private key on the *same* media; you just don't have additional security over plain old password encryption that way. – Matthew Jul 19 '21 at 19:02
  • 1
    @Matthew sure, but the question is about what's the point of using a key vs. a password - a key has the ability to be stored separately including in e.g. specialised hardware, adding an extra (but optional) layer of physical security. – Luke Briggs Jul 19 '21 at 22:11
  • @nobody: To defend against the wrench, you can consider [deniable encryption](https://crypto.stackexchange.com/a/75694/74387). – user21820 Jul 20 '21 at 13:36
22

There's one advantage of using public key cryptography over private key cryptography when you're encrypting file for yourself.

When you use symmetric cryptography, you need to expose the password every time you need to encrypt or decrypt a file.

With public key cryptography, you only need to decrypt the private key if you need to decrypt the file.

In public key cryptography, you encrypt a file with just the public key, which can sit unencrypted (or encrypted with a different password than the private key). So you only need to decrypt the private key when you need the data.

This means that if your use case is for backups or data archival, where most days you only need to append to your backups, but only decrypt to restore data rarely, you don't need to expose the decryption key to the machine that holds the live data. This also allows you to delete old data that are already archived from the live machines, but still be able to decrypt them from backup in case you need them again.

You can, for example, put your decryption key in a tamper proof/evident envelope or safe, or more commonly in a cryptographic smart card, and you'll know that your data is still safe if the tamper evident seal isn't broken.

Do you need these capabilities? In many cases, you don't, so symmetric cryptography is much simpler, and simplicity is good for security. But if you need a security system with these properties, then asymmetric cryptography can be useful even when you're encrypting files for yourself only.

iBug
  • 1,378
  • 1
  • 9
  • 12
Lie Ryan
  • 31,089
  • 6
  • 68
  • 93
7

So what's the point of using a private key instead of a password if the private key itself is password protected? Why wouldn't I want to straightforwardly use option 1?

In this case it's probably not a big point. But certificates can be stored on smart cards. Smart cards refuse to hand out a copy of the certificate, but they can do computations based on the certificate - so you can use it to authenticate - but an attacker will not be able to copy the smart card. In addition it can limit the number of pin attempts, and securely destroy key material if you exceed the counter.

Now that I have a laptop and didn't encrypt the entire disk during installation I was looking for ways to encrypt some particular folder or files.

Don't. Go with full disk encryption. Otherwise there's a very real risk that temporary copies of the files will be stored in unencrypted locations. In addition a unencrypted disk makes it trivial for an attacker with physical access to your disk to replace a program you use with a version that distributes the encrypted files.

vidarlo
  • 12,850
  • 2
  • 35
  • 47
  • Ok, thanks. So correct me if I'm wrong: the main point of using a private key is if I could store it physically somewhere else outside my laptop, like in a smart card, right? Sorry, maybe it's because english is not my first language but I did not understand the following sentence and the implications of it "In addition a unencrypted disk makes it trivial for an attacker with physical access to your disk to replace a program you use with a version that distributes the encrypted files." . What does it mean to replace a program I use with a version that distributes the encrypted files? – RenatoRenatoRenato Jul 17 '21 at 10:46
  • 5
    The OS can leak the file into swap, temporary directories and so forth. An attacker can replace the application you use to edit the encrypted files with a version that sends the files to them. In short: use FDE. You may in *addition* want to use file encryption to further protect it in some scenarios. – vidarlo Jul 17 '21 at 21:03
  • Thank, I guess you have convinced me to use FDE :) – RenatoRenatoRenato Jul 18 '21 at 08:08