Chuck hit the nail on the head... The general question that is best to begin with is 'what do you want to protect and what is it worth?' The common metaphor used in security is 'how much does it cost to build the wall versus the value of what the wall protects.' In other words, long keys and the time to encrypt/decrypt, etc., etc., is probably not what you want for your everyday files. It this really is required for everyday files, you are into a model similar to what government agencies do (google "Orange Book" - the nickname for the US standards for computing security - at least when I was into this stuff - but the concepts remain the same). If there are a few things that are really vital, then compartmentalize them and apply lots of security to them (i.e., don't keep them on a hard drive that is on a network - physical security - or encrypt them on removable media - soft and physical security). Depending on what the value is, you can start getting into all kinds of systems that are a real pain to use (and that is another reason why they are more secure). There are lots of other ways to make security easier and still useful. Another approach is "something you have and something you know" - that is how ATMs work. You could put your rings on a thumb drive (like the ATM card) that you unlock with a simple key (pin) that gets you to the next step - using the ring for the encryption you were after to begin with. Retinal and finger print scanners (biometrics in general) are essentially this model. If you loose either piece of the system, the other is no longer useful. Another approach is a so-called "smart card" - these are used in Europe for money, but variations are also used to turn the "key" into something approaching a "one time pad"... The card calculates a decay sequence of some sort (a non-linear countdown with a seed you select) that is also calculated on the system you want access to. You type in the calculated value as *part* of the password (valid for say 5 seconds to allow for boundary conditions) and if the system has the same pattern - your are in. I personally think encrypting entire file systems is far less secure than you might think - it is better to protect several areas with several different methods so that compromise of the entire system with one successful attempt doesn't happen. To be honest with you, my bias is towards physical security - I use a thumb drive and then only parts of it are encrypted. Steve Chuck Anderson wrote:
On Wed, Jan 11, 2006 at 06:22:53PM -0500, Bill Mills-Curran wrote:
Symmetric? (gpg -c) This seems the most secure and flexible, but I'm getting tired of typing the key so often.
Public/private? This seems enticing, because encryption is done without needing to type a password. However, the keyring is on the same system as the encrypted file, and thus is vulnerable.
Symmetric keys may be more secure with a caveat: you have to pick a very good key. This is harder than it seems, since it should be long and have lots of entropy. English text doesn't have much entropy per character. So in practice, using a passphrase to unlock a good, long, randomly generated key that you would never remember is better. You can always store the keyring on a removable device, like a USB flash drive and keep that in your safe... _______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug