14

How secure is the encryption of files when using GPG this way?

gpg -c personal.zip

It will not use any keys or other lines. And how good is it compared to TrueCrypt?

Note that I will upload encrypted files to my email for backup reasons, and bigger files go to 4shared and they will be public. Is it secure (assuming I'm using a good password)?

user
  • 7,700
  • 2
  • 30
  • 54
rezx
  • 1,069
  • 3
  • 12
  • 21

2 Answers2

12

It depends on the quality of your pass phrase really. If that is long enough, generated securely and kept secret such as 128 bits from a random device, very secure:

> dd if=/dev/random of=- bs=1 count=16 | md5sum
d41d8cd98f00b204e9800998ecf8427e  -

GPG will, in this mode, encrypt with CAST5, but you can use a different cipher, such as AES256. (To make use of 256 bits, take two MD5 outputs as the key, or create 32 Bytes of random data some other way.)

Shadok
  • 509
  • 4
  • 12
Christopher Creutzig
  • 331
  • 2
  • 4
  • and whats more secure truecrypt or gpg or they r the same and all back to the passwd – rezx May 11 '12 at 09:09
  • 1
    The weak point will always be the password, and both use good standard algorithms, so yes, in terms of security, if everything is set up to work transparently and we only look at the off-site backups, they are equivalent. Obviously, the more convenient solution wins then, and TrueCrypt has additional protection in case your hardware is stolen. On the other hand, afaik, it doesn't encrypt individual files, meaning you can't (mis-)use your Mailbox as outlined in your question. – Christopher Creutzig May 11 '12 at 12:18
12

GPG is very secure, as long as your passphrase is long and strong enough. In practice, your passphrase will almost always be the weakest link.

I recommend using the following command-line flags:

gpg -c --force-mdc --s2k-mode 3 --s2k-count 65011712 personal.zip

This instructs GPG to use a password hashing method that is as slow as possible, to try to provide a bit of extra resistance against password guessing attacks. It is not a replacement for a good password, but every little bit helps. You can put the --force-mdc --s2k-mode 3 --s2k-count 65011712 in your ~/.gnupg/gpg.conf configuration file, so you don't have to type it every time.

Note that GPG does not conceal the filename, so make sure the filename is not sensitive. (I think this is pretty obvious.)

D.W.
  • 98,860
  • 33
  • 271
  • 588