Easy Encryption: Difference between revisions

From KDE Community Wiki
(More work)
(Mention also openssl)
 
Line 15: Line 15:
=== Full-disk encryption ===
=== Full-disk encryption ===
Distributions may automatically provide full-disk encryption upon installation to their users.
Distributions may automatically provide full-disk encryption upon installation to their users.
* '''Pro''': full-disk encryption is good (e.g. when a laptop is stolen)
* '''Pro''': full-disk encryption is good (e.g. when a laptop is stolen).
* '''Cons''': what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.
* '''Cons''': what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.


=== GPG ===
=== GPG ===


* '''Pro''': <tt>gpg</tt> provides excellent symmetric encryption capabilities
* '''Pro''': <tt>gpg</tt> provides excellent symmetric encryption capabilities.
* '''Pro''': cross-desktop and cross-platform.
* '''Pro''': cross-desktop and cross-platform.
* '''Cons''': requires knowlegde of the command line client.
=== OpenSSL ===
* '''Pro''': another cross-platform tool that does symmetric encryption.
* '''Cons''': less secure than gpg. See [https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase/29139#29139].
* '''Cons''': requires knowlegde of the command line client.
* '''Cons''': requires knowlegde of the command line client.


Line 27: Line 33:
KGpg is a graphical front-end for gpg. It provides an '''Encrypt File''' action in Dolphin's context-menu
KGpg is a graphical front-end for gpg. It provides an '''Encrypt File''' action in Dolphin's context-menu


* '''Pro''': all the good things about gpg
* '''Pro''': all the good things about gpg.
* '''Pro''': encryption progress is nicely reported through the KJob api
* '''Pro''': encryption progress is nicely reported through the KJob api.
* '''Cons''': asymmetric encryption is preferred while the symmetric one is hidden by default.
* '''Cons''': asymmetric encryption is preferred while the symmetric one is hidden by default.
* '''Cons''': it requires that <code>pinentry-program /usr/bin/pinentry-qt</code> (or <tt>pinentry-gtk</tt>) be set in <tt>gpg-agent.conf</tt> in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.
* '''Cons''': it requires that <code>pinentry-program /usr/bin/pinentry-qt</code> (or <tt>pinentry-gtk</tt>) be set in <tt>gpg-agent.conf</tt> in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.
Line 37: Line 43:


* '''Pro''': users only have to type the passphrase.  
* '''Pro''': users only have to type the passphrase.  
* '''Pro''': less dependencies than KGpg
* '''Pro''': all the good things about gpg.
* '''Cons''': the pinentry thing also applies here
* '''Pro''': less dependencies than KGpg.
* '''Cons''': no progress report through KJob (for now)
* '''Cons''': the pinentry thing also applies here.
* '''Cons''': no progress report through KJob (for now).

Latest revision as of 22:32, 26 August 2016

Status of Easy (Symmetric) Encryption

KDE's vision ("A world in which everyone has control over their digital life and enjoys freedom and privacy") includes also privacy, thus it would be great if our users were able to easily encrypt their files.

This page aims to discuss possible implementations.

Requirements

  • Users should be able to encrypt a file with a single click, e.g. Right Click -> Encrypt in Dolphin.
  • Symmetric Encryption with a strong and peer-reviewed cipher algo (e.g. AES256)
  • Users should be able to encrypt on a computer and decrypt on another one (and viceversa). Operating systems and desktop environments may be different.

Analysis of existing solutions

Full-disk encryption

Distributions may automatically provide full-disk encryption upon installation to their users.

  • Pro: full-disk encryption is good (e.g. when a laptop is stolen).
  • Cons: what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.

GPG

  • Pro: gpg provides excellent symmetric encryption capabilities.
  • Pro: cross-desktop and cross-platform.
  • Cons: requires knowlegde of the command line client.

OpenSSL

  • Pro: another cross-platform tool that does symmetric encryption.
  • Cons: less secure than gpg. See [1].
  • Cons: requires knowlegde of the command line client.

KGpg

KGpg is a graphical front-end for gpg. It provides an Encrypt File action in Dolphin's context-menu

  • Pro: all the good things about gpg.
  • Pro: encryption progress is nicely reported through the KJob api.
  • Cons: asymmetric encryption is preferred while the symmetric one is hidden by default.
  • Cons: it requires that pinentry-program /usr/bin/pinentry-qt (or pinentry-gtk) be set in gpg-agent.conf in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.

A possibly better solution

This PoC is a tiny front-end for gpg that only does symmetric encryption. It uses gpgme and provides Encrypt and Decrypt actions in Dolphin's context menu.

  • Pro: users only have to type the passphrase.
  • Pro: all the good things about gpg.
  • Pro: less dependencies than KGpg.
  • Cons: the pinentry thing also applies here.
  • Cons: no progress report through KJob (for now).