Jump to content

Easy Encryption: Difference between revisions

From KDE Community Wiki
Elvis Angelaccio (talk | contribs)
Initial work
 
Elvis Angelaccio (talk | contribs)
Mention also openssl
 
(One intermediate revision by the same user not shown)
Line 11: Line 11:
* Users should be able to encrypt on a computer and decrypt on another one (and viceversa). Operating systems and desktop environments may be different.
* Users should be able to encrypt on a computer and decrypt on another one (and viceversa). Operating systems and desktop environments may be different.


== Existing solutions and their drawbacks ==
== Analysis of existing solutions ==


* Distributions may automatically provide full-disk encryption upon installation. This is good, but what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.
=== Full-disk encryption ===
* <tt>gpg</tt> provides excellent symmetric encryption capabilities and it's cross-desktop/cross-platform, but requires knowlegde of the command line client.
Distributions may automatically provide full-disk encryption upon installation to their users.
* KGpg provides an '''Encrypt''' action in Dolphin's context-menu, as front-end for <tt>gpg</tt>. However, asymmetric encryption is preferred and it's not easy to reach the symmetric one in the dialog that shows up.
* '''Pro''': full-disk encryption is good (e.g. when a laptop is stolen).
* '''Cons''': what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.
 
=== GPG ===
 
* '''Pro''': <tt>gpg</tt> provides excellent symmetric encryption capabilities.
* '''Pro''': cross-desktop and cross-platform.
* '''Cons''': requires knowlegde of the command line client.
 
=== OpenSSL ===
 
* '''Pro''': another cross-platform tool that does symmetric encryption.
* '''Cons''': less secure than gpg. See [https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase/29139#29139].
* '''Cons''': requires knowlegde of the command line client.
 
=== KGpg ===
KGpg is a graphical front-end for gpg. It provides an '''Encrypt File''' action in Dolphin's context-menu
 
* '''Pro''': all the good things about gpg.
* '''Pro''': encryption progress is nicely reported through the KJob api.
* '''Cons''': asymmetric encryption is preferred while the symmetric one is hidden by default.
* '''Cons''': it requires that <code>pinentry-program /usr/bin/pinentry-qt</code> (or <tt>pinentry-gtk</tt>) be set in <tt>gpg-agent.conf</tt> in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.


== A possibly better solution ==  
== A possibly better solution ==  


[https://quickgit.kde.org/?p=scratch%2Felvisangelaccio%2Fencryption-plugin.git This PoC] is a tiny front-end for <tt>gpg</tt> that nicely integrates symmetric encryption with Dolphin. It uses <tt>gpgme</tt> and provides '''Encrypt''' and '''Decrypt''' actions in Dolphin's context menu. The users only has to type the passphrase. As a downside, it requires that <code>pinentry-program /usr/bin/pinentry-qt</code> be set in <tt>gpg-agent.conf</tt> in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.
[https://quickgit.kde.org/?p=scratch%2Felvisangelaccio%2Fencryption-plugin.git This PoC] is a tiny front-end for <tt>gpg</tt> that only does symmetric encryption. It uses <tt>gpgme</tt> and provides '''Encrypt''' and '''Decrypt''' actions in Dolphin's context menu.  
 
* '''Pro''': users only have to type the passphrase.  
* '''Pro''': all the good things about gpg.
* '''Pro''': less dependencies than KGpg.
* '''Cons''': the pinentry thing also applies here.
* '''Cons''': no progress report through KJob (for now).

Latest revision as of 22:32, 26 August 2016

Status of Easy (Symmetric) Encryption

KDE's vision ("A world in which everyone has control over their digital life and enjoys freedom and privacy") includes also privacy, thus it would be great if our users were able to easily encrypt their files.

This page aims to discuss possible implementations.

Requirements

  • Users should be able to encrypt a file with a single click, e.g. Right Click -> Encrypt in Dolphin.
  • Symmetric Encryption with a strong and peer-reviewed cipher algo (e.g. AES256)
  • Users should be able to encrypt on a computer and decrypt on another one (and viceversa). Operating systems and desktop environments may be different.

Analysis of existing solutions

Full-disk encryption

Distributions may automatically provide full-disk encryption upon installation to their users.

  • Pro: full-disk encryption is good (e.g. when a laptop is stolen).
  • Cons: what if Alice wants to send an encrypted file to Bob? Full-disk encryption won't help for that.

GPG

  • Pro: gpg provides excellent symmetric encryption capabilities.
  • Pro: cross-desktop and cross-platform.
  • Cons: requires knowlegde of the command line client.

OpenSSL

  • Pro: another cross-platform tool that does symmetric encryption.
  • Cons: less secure than gpg. See [1].
  • Cons: requires knowlegde of the command line client.

KGpg

KGpg is a graphical front-end for gpg. It provides an Encrypt File action in Dolphin's context-menu

  • Pro: all the good things about gpg.
  • Pro: encryption progress is nicely reported through the KJob api.
  • Cons: asymmetric encryption is preferred while the symmetric one is hidden by default.
  • Cons: it requires that pinentry-program /usr/bin/pinentry-qt (or pinentry-gtk) be set in gpg-agent.conf in order to show a user-friendly dialog for passwords input. This is something that distributions should make sure to setup.

A possibly better solution

This PoC is a tiny front-end for gpg that only does symmetric encryption. It uses gpgme and provides Encrypt and Decrypt actions in Dolphin's context menu.

  • Pro: users only have to type the passphrase.
  • Pro: all the good things about gpg.
  • Pro: less dependencies than KGpg.
  • Cons: the pinentry thing also applies here.
  • Cons: no progress report through KJob (for now).