diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2015-03-31 15:46:00 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-03-31 15:46:00 -0400 |
| commit | 0f8852dd24f1043bc49f44c2e99386e43642af4e (patch) | |
| tree | cf4e58392464c8463752fbb0e8d776a4a82ce5fb /doc | |
| parent | bbdd35fffadc8c441278a229c5819b619471b46f (diff) | |
close with comment
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/bugs/feature_request:_pubkey-only_encryption_mode.mdwn | 2 | ||||
| -rw-r--r-- | doc/bugs/feature_request:_pubkey-only_encryption_mode/comment_1_684d36c06429306be68fd60019564db3._comment | 23 |
2 files changed, 25 insertions, 0 deletions
diff --git a/doc/bugs/feature_request:_pubkey-only_encryption_mode.mdwn b/doc/bugs/feature_request:_pubkey-only_encryption_mode.mdwn index af05993d4..ff2fe7fae 100644 --- a/doc/bugs/feature_request:_pubkey-only_encryption_mode.mdwn +++ b/doc/bugs/feature_request:_pubkey-only_encryption_mode.mdwn @@ -2,3 +2,5 @@ It is not possible to put encrypted content in place on remotes with just a public GPG key. You always need the private key, even for encryption. I guess this is because how the cipher HMAC is used for replacing file names with their hashes. However, if that requirement (having secret file names) was dropped, I assume a pubkey-only mode could be implemented? My specific use case is backup archiving. I have my backups packed in archive files and want to use git-annex to copy the archives to offsite remotes (S3). In that case, I don't care much about hiding file names, but would appreciate the increased security of not having the secret key on the backup server. It would only be needed if I wanted to verify or restore backups. + +> [[closed|done]] per my comment --[[Joey]] diff --git a/doc/bugs/feature_request:_pubkey-only_encryption_mode/comment_1_684d36c06429306be68fd60019564db3._comment b/doc/bugs/feature_request:_pubkey-only_encryption_mode/comment_1_684d36c06429306be68fd60019564db3._comment new file mode 100644 index 000000000..0e2f5e3ba --- /dev/null +++ b/doc/bugs/feature_request:_pubkey-only_encryption_mode/comment_1_684d36c06429306be68fd60019564db3._comment @@ -0,0 +1,23 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2015-03-31T19:37:20Z" + content=""" +When you use encryption=pubkey, the symmetric key that is used for +HMAC encryption of filenames is encrypted using your gpg private key. +The contents of files are also encrypted using your gpg private key +(not using the symmetric key; that mode is encryption=hybrid). + +So, with encryption=pubkey, all that can be done with that symmetric key is +to HMAC encrypt filenames and try to find results that match the HMACed +filenames used on the remote. So, if you don't care about filenames +leaking, you could publish that symmetric key with no bad effects. Its +security is not important to you based on what you've said. + +But again, that symmetric key is encrypted with your gpg private key. +The only way to decrypt it would be to break your gpg key somehow. In which +case you have big problems. But not ones caused by the existence of the +symmetric key. + +So, I see no benefit to the suggested mode. +"""]] |