Subject: Re: easiest way to encrypt a file?
To: Steven M. Bellovin <smb@research.att.com>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 12/18/2004 14:34:30
--ZuvoxmZMh0nHqhEq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

hi,

On Fri, Dec 17, 2004 at 10:02:47PM -0500, Steven M. Bellovin wrote:
> Jeremy C. Reed" wrote:
> > I want to place a DSA key file on a server not maintained by myself.
> > It is pass-phrase protected, but still I don't want the file used.
> >
> > What is the easiest way to encrypt a file with a key to decrypt?
> >
> > I have used zip and pgp and gpg to encrypt files. But what other
> > ways do you suggest?
> >
> > Anything in the NetBSD base? (And examples?)
>=20
> What is your threat model?  Whom do you think might try to crack the
> encryption, and what resources can they bring to bear?  How long must
> it remain scret?  How many people need to retrieve and decrypt the
> file? =20
>
> You'll be prompted for a key; practically speaking, this is probably
> the weakest point.
>=20
> However -- you say that the key itself is "pass-phrase protected".
> What package did you use to create this key?  In most packages
> (including OpenSSL), when you "protect" a key with a passphrase you're
> actually encrypting it.  If you've used a decent cipher and passphrase
> to start with, there's probably little benefit to encrypting it again.

from what he said it seems that his aim is to protect the key from the
server administrator(s) and the key is a SSH2 DSA key.  in that case the
"protected" key is already encypted as you mentioned.  but there is no
way he could protect its contents by any amount of encrypted layers
since an altered ssh(1) binary would "take care" of everything and it's
just a waste of time and addition of pointless complexity.


regards,

--=20
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --

--ZuvoxmZMh0nHqhEq
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (NetBSD)

iD8DBQFBxDHmiwjDDlS8cmMRAkJFAJwKwT0ZPP6TjAAXTEvJzYIXBPFR0QCfQUnO
yfMK+tMQjJdMCEFC5Ib2CMU=
=DRDh
-----END PGP SIGNATURE-----

--ZuvoxmZMh0nHqhEq--