Feature request: encrypt the final archive using gnupg

Question

Feature request: encrypt the final archive using gnupg

j667300 opened this issue 8 years ago · 8 comments

Hi,
First of all - great job making ir-rescue!
Secondly - I think that it will be great if the archive can be encrypted using provided gpg public key.
This way - the archive can be decrypted without password being stored on the infected computer (on the HDD or in memory).

Here is a link with a simple workaround how to encrypt providing a key-file - https://security.stackexchange.com/questions/86721/can-i-specific-a-public-key-name-instead-of-recipient-when-encrypt-with-gpg

Also, it will be great if the archive can be encrypted using several key-files (e.g. stored in a folder named "keys").

So, I hope you will consider the gpg idea!

Answer 1 · 2016-12-05T21:28:27.000Z

You are talking about Linux only, right?
I think it can be done.

Answer 2 · 2016-12-06T07:04:06.000Z

Well, there is also a gnupg command line version for windows, so i think it is possible for windows also.

Answer 3 · 2016-12-07T17:22:27.000Z

The generated portable version of GPG is quite large (13 MB) in size for Windows. I would like to keep ir-rescue reasonably small-sized.
OpenSSL is way smaller and seems more suitable for this feature, using RSA key-pairs for the encryption.

Would that still suit you?

Answer 4 · 2016-12-08T03:45:57.000Z

Well, I didn't taught about the size. Maybe just te gpg.exe from https://www.gpg4usb.org/ can be used? It's about 400k.

About OpenSSL - well, the result will be simillar (the archve will be encypted using asymetric crypto). Anyway, most of the people who performs IR uses PGP (daily or only during IR), so it will be more suitable I think.

Answer 5 · 2016-12-08T08:07:16.000Z

I would like to avoid anything outside of the binaries listed on the official gnupg.org website.

In addition, OpenSSL provides way more flexibility and cryptographic features which GPG is not designed for. For example, you have to import keys on GPG, which is cumbersome and not ideal on a potentially infected or compromised system.

Answer 6 · 2016-12-13T09:39:42.000Z

I just remembered that asymmetric encryption is not designed to encrypt large files, therefore making either GPG or OpenSSL not good when using RSA. The best option is really to generate symmetric keys and use that with symmetric cyphers. However, the current solution using compression is good enough to fulfill the purpose of the tool.

I will close this issue.

Answer 7 · 2016-12-15T19:02:31.000Z

Hi,

Encrypting using GPG will generate a random symmetric key (e.g. for AES), the encrypt the data using AES. After that, the symmetric key will be encrypted using RSA.
So, the actual encryption of the data will be with symmetric algorithm (see the following link: https://security.stackexchange.com/a/56209 or just verify it using verbose option of gpg).

touch 1
gpg -v -r XXXXXXXXXXXXXXXXXX -e 1
gpg: reading from '1'
gpg: writing to '1.gpg'
gpg: RSA/AES256 encrypted for: "XXXXXXXXXXXXXXXXXX"
gpg: WARNING: '1' is an empty file

Answer 8 · 2017-01-13T07:55:32.000Z

This has not been forgotten. I will try to incorporate it in the next release.