[clue] gpg question

Stephen Queen svqueen at gmail.com
Sun Aug 26 06:40:04 MDT 2012


On 8/25/12, Michael Fierro <miguelito at biffster.org> wrote:
> On Sat, Aug 25, 2012 at 11:41 AM, Yaverot <Yaverot at computermail.net> wrote:
>>
>> --- miguelito at biffster.org wrote:
>>
>> >> Why not just use an encrypted file system?
>>
>> >Sometimes you need a hammer instead of a sledgehammer.
>>
>> "Cover your tracks" is a sledgehammer requirement. GPG shouldn't care
>> about what filesystem it is on.  Is it a FAT variant, so you can "just"
>> ovewrite the data from a random source? Is it ext3 or 4 where you have to
>> worry about journaling? Is it a CoW setup, a SSD, ZFS or btrfs -> can you
>> even overwrite the "plaintext" data?
>
> I think we got off-track from the original question: how can you get
> gnupg to delete a file after it encrypts it.
>
>> If you're worrying about this then you definitely don't want GPG to "do it
>> wrong" by just issuing a rm.
>
> The best idea is to have gnupg to not have an option to delete, but to
> be able to pass this functionality on to the OS. You can then use
> OS-specific utilities to delete the file at whatever security level
> you need. (e.g. using shred or srm to overwrite the file.
>
> gpg --batch ---armor --encrypt $1 --outfile secure.gpg
>
> if [ $@ ] then
>    shred --remove
>
>From the man page for shred
" CAUTION: Note that shred relies on a very important assumption: that
the file system overwrites data in place.  This is the traditional way
to do things, but many modern file  sys‐
tem  designs  do  not  satisfy this assumption.  The following are
examples of file systems on which shred is not effective, or is not
guaranteed to be effective in all file system
modes:

       * log-structured or journaled file systems, such as those
supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

       * file systems that write redundant data and carry on even if
some writes fail, such as RAID-based file systems

       * file systems that make snapshots, such as Network Appliance's
NFS server

       * file systems that cache in temporary locations, such as NFS
version 3 clients

       * compressed file systems"

So shred has to be used with caution.


More information about the clue mailing list