Proper use of GPG

3

I am new to encryption in general and GPG in particular. My use case is storing personal documents on a network drive. These documents are scans (e.g. diplomas, papers). I generated a GPG key using gpg --gen-key, then encrypted a few images using gpg -e -r <name> <file>. By default it seems to output files named after the original and suffixed by .gpg, for instance diploma.jpg becomes diploma.jpg.gpg.

If the type of the document is known, am I opening the door to a known plaintext attack?

Also, what steps should I take to backup my key (print it on paper...)?

Rom1

Posted 2011-08-19T08:02:09.067

Reputation: 161

Answers

2

i would not worry about the filename and possible knowledge of the first few bytes. but if you are uneasy with that, consider this:

  • you might use a container, either .7z or .zip with aes encryption
  • you might use a container program such as truecrypt

keep in mind:

  • gpg encrypts your file in mixed mode, meaning: it uses the asymmetric key to encrypt a "session key" and then uses that session key to encrypt the actual data. so, you actually gain nothing by using asymmetric keys to encrypt stuff that only you care about (remember: asymmetric encryption is only useful for something like key-exchange when the amount of data is relatively small)

  • there is no reason to not use symmetric encryption since you want to memorize the passphrase to your files / the container anyway: gpg --symmetric -e

since you described yourself as a newbie to the topic: read a little bit about it in the gnupg-manual:

http://www.gnupg.org/gph/en/manual.html#CONCEPTS

akira

Posted 2011-08-19T08:02:09.067

Reputation: 52 754

Thanks for the info, I did not know about the symmetric encryption feature. – Rom1 – 2011-08-19T08:26:22.040

1

GPG will compress the file prior to encrypting it, which reduces the chances of a plain text attack, regardless of file type. Furthermore, should a rare case of a message being compromised occur it is not indicative of a compromised key amongst the recipients of that message.

The reason for the latter part pertains to the process by which GPG encrypts messages and files. First the content is compressed, usually using zlib. Then the compressed data is symmetrically encrypted with a one time password called a session key. Then the session key is asymmetrically encrypted with the public keys of the recipients. When the message is decrypted the process is reversed: the recipient unlocks the session key using their secret key and passphrase, GPG uses the session key to decrypt the symmetrically encrypted data and finally it is uncompressed.

An attack on a single message is more likely to result in determining the session key than compromising any of the public keys.

If you still want to conceal the file types then do this:

gpg -ear $RECIPIENT_ID -o filename.asc filename.odt

To restore the original filename when decrypting, do this:

gpg --use-embedded-filename filename.asc

GPG will write the decrypted data to the original filename, which is stored in the symmetrically encrypted data, along with other information necessary to rebuild the data.

Note: do not use the above embedded filename flag if manually decrypting ciphertext from an email program, especially if using Thunderbird and Enigmail. Many email encryption programs (including Thunderbird and Enigmail) do not assign an original filename from the draft and decrypting that way could cause problems, like trying to write data to a null filename.

Ben

Posted 2011-08-19T08:02:09.067

Reputation: 1 258
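What the process described in this answer leaves readable to someone who holds only the .gpg file, as an added example that is not part of the original answers: a parser for the outer OpenPGP packet framing of RFC 4880. The sample message and its key ID are constructed and the function names are illustrative; the compressed and literal-data packets, which carry the original file name and contents, sit inside the encrypted packet and never appear in the outer listing.

```python
# Tag and algorithm numbers are from RFC 4880; the sample message is constructed.
TAGS = {1: "public-key encrypted session key", 3: "passphrase-encrypted session key",
        8: "compressed data", 9: "encrypted data", 11: "literal data (file name, contents)",
        18: "encrypted data with integrity check"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}

def read_packets(blob):
    """Yield (tag, body) for each top-level packet of a binary OpenPGP message."""
    pos = 0
    while pos < len(blob):
        first, pos = blob[pos], pos + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, o1, pos = first & 0x3F, blob[pos], pos + 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + blob[pos] + 192, pos + 1
            elif o1 == 255:
                length, pos = int.from_bytes(blob[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            size = 1 << ltype                  # 1, 2 or 4 length octets
            length, pos = int.from_bytes(blob[pos:pos + size], "big"), pos + size
        yield tag, blob[pos:pos + length]
        pos += length

def visible_metadata(blob):
    """List what can be read from the file without any secret key or passphrase."""
    found = []
    for tag, body in read_packets(blob):
        info = {"packet": TAGS.get(tag, "tag %d" % tag), "bytes": len(body)}
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            info["recipient_key_id"] = body[1:9].hex().upper()   # sent in the clear
            info["algorithm"] = PK_ALGOS.get(body[9], body[9])
        found.append(info)
    return found

def build_sample():
    """Constructed message: one RSA session-key packet plus 200 placeholder ciphertext bytes."""
    pkesk = bytes([3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1]) + b"\x00\x08\xAA"
    seipd = bytes([1]) + bytes(200)            # version octet, then opaque ciphertext
    return bytes([0x84, len(pkesk)]) + pkesk + bytes([0xD2, 192, 9]) + seipd

print(*visible_metadata(build_sample()), sep="\n")
```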

0

To answer the second part of your question:

Also, what steps should I take to backup my key (print it on paper...)?

Let's talk about the Revocation Certificate first. You should definitely create and back up your master key's Revocation Certificate. Many people make a paper copy (ascii armored or QR code) and store it in a secure place such as a safe, locked fire-proof box, or safe deposit box in a bank. If your master key (the Certification key) becomes compromised, you will have a backup which can revoke it in case the Revocation Certificate disappears from your device, or the device is lost, etc.

If you do not have a Revocation Certificate, make it with the command below. "mykey" is the name of the key, which could be the last 8 characters of the fingerprint.


gpg --output revoke.asc --gen-revoke mykey

The Revocation Certificate will look something like this, which is easy to print. But you must be careful. Printing may expose it to compromise.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

iQG2BCABCAAgFiEEiz1thFzdqmEJkNsdNgBokN1gxcwFAlsrcOsCHQAACgkQNgBo
kN1gxczZ1Qv/aUNZgG0Sjasbu2sDMcX+rjEUNpIGUB6zjcTsPwpXfFo11aM3yefb
k0FgMohA8HUwmN4ka+P31jYuNuLNCqFdT8DKKuQk6XgKnX3NieahG/dFaVANXyHR
.....................................this is merely an example revocation cert...................................................
=4lcB
-----END PGP PUBLIC KEY BLOCK-----

Now, about backing up your master key:

Solution one: backing up the master key can be as easy as copying its entire file. Solution two: having an offline master key (C) does add to your security and might be worth doing, depending on one's risk assessment. If you are using a laptop or netbook for storing your keys, it might be an especially good idea to move your master key offline.

There are two ways to have an offline master key: the hard way and the easier hard way.

After you remove the secret key from your master key (C) and run

gpg2 -K

The result should look like this:


Notice the # next to sec--that indicates that the secret key is no longer there.

user916311

Posted 2011-08-19T08:02:09.067

Reputation:

0

AFAIK knowing the data type an encrypted file holds is of no use at all for cracking, since encryption doesn't care about the type of data. For encryption, they're mere bits (numbers) with no meaning at all.

About your key, the most secure option is to remember it because your mind cannot be accessed ;)

m0skit0

Posted 2011-08-19T08:02:09.067

Reputation: 1 317

It does not care about the type of the data, but if a bad guy knows that my cleartext file begins with PNG it might tell something about the key...? Also the key is not something that I can commit to memory (unlike the passphrase), it is much too long. – Rom1 – 2011-08-19T08:10:18.947

Even if he knows it begins with PNG that tells nothing about the key. He might even know the whole data and still no go (unless brute-forcing or doing dictionary attacks). You can store your key in a keyring, or on another encrypted file with a different encryption scheme. I don't like the paper solution since paper is more easily accessible than one might think. – m0skit0 – 2011-08-19T08:16:26.673