aescrypt - asymmetric crypto instead of password?

[galpak09]

I have a suggestion to aescrypt code maintainers: there is a feature which I think could be fairly easy to implement, which could make this tool significantly more useful.

Here's a scenario: you are running some sort of security recording or online backup. Something that does not permit a person to enter password, so the password must be stored. But you don't want to store password for the fear that if you lose control over computer, all previously made encrypted files could be decrypted.

A solution could be to store only public key. AESCrypt will generate a random AES key, and encrypt it using public key supplied either on command line, or inside the file. The files generated using this methodology would not be decryptable using information available on computer, because decryption will require private key. Again, when decrypting, private key could be either supplied on command line or in the file.

[paulej]

That's not such a simple change. AES Crypt was design explicitly for use with passwords, not public/private keys. If you want a public/private key solution, those already exist in the form of GnuPG, etc.

Public/private key solutions are nice. However, they also have drawbacks for the average user. In instances where data needs to be decrypted using automated tools, then access to the private key is needed. This more-or-less recreates the same issues we have with AES Crypt today and the symmetric key that is used.

Using private keys is also a challenge for some users. They have to remember the fact that they had a private key and what the password is for that. Oh, and we would have to secure the private key file for the same reasons you're concerned about a key file today.

So, I use a combination of tools for encrypting data. I use AES Crypt for securely backing up data files to the cloud, for example. I'm not concerned that somebody will get the key file, because if they have access to that, they also have access to all files in the clear, anyway. However, copies of the encrypting key are stored encrypted ... and with a totally unrelated key.

Another solution might be to store the keys on an encrypted file system. That might protect you as well as a public/private key solution, though admittedly I've not looked at those much. I use True Crypt for some things, but I've not really used the encrypted file systems in Windows or Linux.

[galpak09]

I understand your point about users having to use a different paradigm in storing/remembering decryption info, and it's a valid point. Maybe there needs to be a separate tool to do asymmetric crypto.

Currently, the only tool which does it is gnupg (that I'm aware of). This one comes with a whole infrastructure, and it's impossible to have just a public/private keypair, it's all or nothing solution.

I reviewed a file format for aescrypt tool, and there really will not need to be a change. You already do generate symmetric key and store it encrypted. The only change for the tool would be to create key at random and encrypt using public key instead of password.

At any rate, I did have a need for it, and I wrote a simple encrypror/decryptor tool, here: https://github.com/galets/AsymmetricCrypt . If you need to use source code from it, you are welcome to help yourselfd.

[paulej]

On Windows, I use Power Archiver to do OpenPGP encryption. That's a good tool, but like so many others, it's hard for the average person to use it.

I've not looked at your code, but if one were to do RSA without the work of trying to maintain a key ring that encrypted like the PGP tools do, it would be simpler. The biggest challenge really is the fact that it's far less user-friendly. People often want to exchange files and they run into the key distribution problem. What people tend to do is just call the recipient and convey the password. Not nearly as secure as exchanging a public key, but easier for most end-users.

Anyway, I like PGP, but mostly stopped using it after commercial efforts nearly killed it. GnuPG is a little odd in that there is some agent running all the time. But, adding public/private keys to AES Crypt begs the question of why not just use the existing tools?

I appreciate the desire, though. I just wonder if influencing OpenPG might be the better approach. Maybe it's just way too complex and a simple public/private key option in AES Crypt is better?

[barefootNH]

Currently, the only tool which does it is gnupg (that I'm aware of). This one comes with a whole infrastructure, and it's impossible to have just a public/private keypair, it's all or nothing solution.

Here is a simple public/private key program that I recently found and I've been using it a lot (along with GPG/Thunderbird in Linux and Windoze):

http://gpg4usb.cpunk.de/

Because it's so simple, and runs "portable", I use it to encrypt/decrypt webmail messages offline, and store encrypted text files and notes. It will also handle file encryption, too.

Hope this is helpful.

[barefootNH]

On Windows, I use Power Archiver to do OpenPGP encryption. That's a good tool...

Power Archiver does OpenPGP?! I've been weaning myself off of Windoze in favor of Linux for about 4 years, and I'm an old paid home user of Power Archiver, so I will have to look into this! I haven't used or updated Power Archiver in at least a couple of years.

(I know PKzip can now use certificates (their SecureZIP product), and I think they patented it, but I may be wrong.)

[paulej]

Yeah, Power Archiver will handle OpenPGP files. I don't use it often, but it does work. I'm not sure in which release it was introduced, but it's definitely in the latest version. I created a 4096-bit public key with it.

If you click on "Encrypt Files" on the ribbon under "Home", you'll see OpenPGP as ans option. Before you can use that, of course, you need a public key of somebody (including yourself). Go to "Options" on the menu at the top and select "OpenPGP Keys". That interface reminds me a little of the PGP versions for Windows I used years ago. There you can create keys, import keys, export keys, sign keys, and revoke keys.

Power Archiver is one really cool product. It does way more than just compress files. You can encrypt files, uuencode files, and even create ISO files from DVDs. I love that product.