> I'm considering encrypting a tar archive and optionally a block file system (via FUSE) using either utility
Linux has good support for encrypted filesystems. Google LUKS. Most (all?) distros allow you to install on an encrypted filesystem and with a little bit of research you can have encrypted external drives and thumb drives. If you dig into /etc/crypttab and udevadm you can even have encrypted drives automount as long as LUKS already has your passphrase. (E.g., I'm a bad bear because I used the same passphrase on my laptop and my thumb drives.) It's not limited to passphrases - you could use a hardware device like digikey or a file containing the secret key.
> I am also curious to why GPG is used for file based encryption when only a single key is required.
As I recall PGP always uses a random session key* for the actual encryption, with N copies of the key encrypted using a PBE passphrase, a public key in the keyring, etc. That's how multiple people can decrypt a file even though they don't share any keys. The data itself is chunked into blocks and each block uses the same key but a different random salt.
I don't recall if it also prepends or appends random data. That's a common counter to known-text attacks like knowing that a zip file always starts with the same few bytes.
(* Well, "session key" when it's data-in-flight. I don't remember the term when it's data-at-rest.)
BTW a tar file starts with the name of the first entry. The 'magic numbers' are at offset 128 or so. However, a compressed tar file will start with a known value since gzip, bzip2, and 7zip(?) all start with their magic values.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
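The point above about predictable leading bytes, as an added example that is not part of the original message: it builds two unrelated tar archives in memory with Python's standard library and measures how many leading bytes they share before and after gzip and bzip2 compression. The entry names and payloads are constructed sample data, and 7zip is left out because the standard library has no writer for it.

```python
import bz2
import gzip
import io
import tarfile


def build_tar(name: str, payload: bytes) -> bytes:
    """Return an uncompressed tar archive holding one constructed entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name=name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Count the leading bytes two blobs share: the plaintext known in advance."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def survey() -> dict:
    # Constructed sample inputs: two archives with unrelated names and contents.
    first = build_tar("alpha/notes.txt", b"first constructed payload\n")
    second = build_tar("bravo/report.txt", b"second, different payload\n")
    gz1, gz2 = gzip.compress(first), gzip.compress(second)
    bz1, bz2_ = bz2.compress(first), bz2.compress(second)
    return {
        # Plain tar: the first header field is the entry name, not a fixed value.
        "tar_starts_with_name": first.startswith(b"alpha/notes.txt"),
        "ustar_magic_offset": first.find(b"ustar"),
        "tar_shared": common_prefix_len(first, second),
        # Compressed tar: the container's magic bytes come first every time.
        "gzip_head": gz1[:3],
        "gzip_shared": common_prefix_len(gz1, gz2),
        "bz2_head": bz1[:3],
        "bz2_shared": common_prefix_len(bz1, bz2_),
    }


if __name__ == "__main__":
    for key, value in survey().items():
        print(f"{key}: {value}")
```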