You can use GPG to symmetrically encrypt a file with a passphrase (gpg -c
). If the passphrase has enough entropy, you don't need an extra step of generating a secret key. What does “enough entropy” mean? Your encryption needs to withstand offline attacks, where the attacker can make cracking attempts as fast as his hardware allows it. With a small PC farm, the attacker might be able to make a couple hundred billion attempts per second, which is roughly 2^69 per decade. So with an entropy of 2^70 you'll be safe. That means if your passphrase consists of completely random letters (lower or upper case) and digits, it should be 12 characters long.
Now to store that passphrase, you can use GPG with its usual key pairs. Use gpg --gen-key
to generate a key pair, and gpg -e
to encrypt the passphrase used to encrypt the large file for one or more key pairs.
Here's a sketch on how to do the encryption (note that I avoid putting the passphrase on the command line or in the environment, so as to make sure another user can't find it by looking at the ps
output while the command is running):
passphrase=$(pwgen -s 12 -1)
echo "The passphrase for myiso.iso.gpg is: $passphrase" |
gpg -e -r somebody -r somebodyelse >passphrase.gpg
echo "$passphrase" | gpg -c --passphrase-fd 3 3<&0 <myiso.iso >myiso.iso.gpg
and how to decrypt:
passphrase=$(gpg -d <passphrase.gpg)
echo "$passphrase" | gpg -d --passphrase-fd 3 3<&0 <myiso.iso.gpg >myiso.iso
The reason to use a passphrase (a shared secret) rather than directly encrypt is that it allows the file to be shared between several people. Only the small passphrase needs to be reencrypted if you want to add a recipient (removing a recipient only makes sense if you know the recipient hasn't had access to the plaintext and requires reencoding the ciphertext anyway).
Another method of leaving offlineimap running with knowledge of your password, but without putting the password on disk, is to leave offlineimap running in tmux/screen with the autorefresh
setting enabled in your ~/.offlineimaprc
You need to add autorefresh = 10
to the [Account X]
section of the offlineimaprc file, to get it to check every 10 minutes. Also delete any config line with password
or passwordeval
.
Then run offlineimap - it will ask for your password and cache it in memory. It will not exit after the first run, but will sleep for 10 minutes. Then it will wake up and run again, but it will still remember your password.
So you can leave a tmux session running with offlineimap, enter your password once, and offlineimap will be fine there after.
Best Answer
Why not
tar
the files to be encrypted and then encrypt the tarball?