File encryption: bdes or gpg
Simon Bates
simon.bates at utoronto.ca
Wed May 26 10:53:39 PDT 2004
Thank you very much for your reply, for your comments on temp file
usage, and your suggestion to use gbde. Right now I am using FreeBSD 4.9
but moving to 5 is definitely an option. I'll have a look at gbde.
Thanks!
Simon
Cordula's Web wrote:
>>I am hoping someone can give me advice on file encryption. I would like
>>to encrypt a file and store it on my filesystem. I would like to encrypt
>>the file so that my data is not readable by someone who gains root
>>access or physical access to my computer. I do not intend to share the
>>data with anyone else so a public/private key system is optional.
>>
>>I did some Googling and some reading of man pages and I have come up
>>with 3 options thus far:
>>
>>1. bdes(1)
>>
>>2. gpg -c (/usr/ports/security/gnupg)
>>
>>3. gpg (/usr/ports/security/gnupg) with a public/private key pair for me
>>plus a passphrase
>
>
> 4. gbde (on FreeBSD >= 5.X) encrypts a whole filesystem.
> It is much easier to use than utilities that encrypt
> single files.
>
> 5. bdes/idea/gpg/... on top of gbde (storing an encrypted file
> on an encrypted filesystem).
>
> IMHO, it's not really the encryption algorithm that is the weak
> link, but:
> a. tempfiles (or shreds of temp files) that are not physically
> overwritten (including swap memory),
> b. poor passphrases (too short or not random enough),
> c. human error.
>
> Many programs write to temporary files (including buffers), before
> writing the final versions out to disk. If you use encrypted filesystems
> (like gbde) everywhere a tempfile is likely to be dropped (don't forget
> [/var]/tmp and swap), your data would be much safer.
>
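
The advice above to cover `/tmp`, `/var/tmp` and swap can be checked against `fstab`. The following is an added example, not part of the original message: it reports which of those locations sit on a device without the `.bde` suffix that gbde-attached devices carry. The sample fstab is constructed and the function names are hypothetical; the script reads only the fstab text and does not inspect which devices are currently attached.

```sh
#!/bin/sh
# Constructed sample fstab: /tmp is on a gbde device, while swap and
# /var (which holds /var/tmp) are on plain devices.
sample_fstab() {
cat <<'EOF'
# Device         Mountpoint  FStype  Options  Dump  Pass
/dev/ad0s1a      /           ufs     rw       1     1
/dev/ad0s1b      none        swap    sw       0     0
/dev/ad0s1e.bde  /tmp        ufs     rw       0     0
/dev/ad0s1f      /var        ufs     rw       2     2
EOF
}

# Read fstab text on stdin. Print one line per swap device or temp-file
# directory whose backing device name does not end in ".bde".
unencrypted_spots() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }           # skip comments and short lines
        $3 == "swap" {                          # swap has no mountpoint
            if ($1 !~ /\.bde$/) print "swap " $1
            next
        }
        { dev[$2] = $1 }                        # mountpoint -> device
        END {
            n = split("/tmp /var/tmp", want, " ")
            for (i = 1; i <= n; i++) {
                p = want[i]
                # Walk up the path until a mountpoint from fstab is found.
                while (!(p in dev) && p != "/") {
                    sub("/[^/]*$", "", p)
                    if (p == "") p = "/"
                }
                if (!(p in dev))
                    print want[i] " (no filesystem found)"
                else if (dev[p] !~ /\.bde$/)
                    print want[i] " " dev[p]
            }
        }
    '
}

# Prints:
#   swap /dev/ad0s1b
#   /var/tmp /dev/ad0s1f
sample_fstab | unencrypted_spots
```

On a real system, feed it the live file with `unencrypted_spots < /etc/fstab`; empty output means every listed location is on a `.bde` device.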
More information about the freebsd-questions mailing list