
Re: [Duplicity-talk] data set sizes


From: Travis H.
Subject: Re: [Duplicity-talk] data set sizes
Date: Thu, 11 Jan 2007 23:12:01 -0600
User-agent: Mutt/1.5.12-2006-07-14

On Wed, Jan 10, 2007 at 09:59:27AM -0800, mike wrote:
> However, the minute I installed gpg, it worked; I did not even
> have to set up any keys or anything. I noticed the first time it ran I
> think it autogenerated some keyring for my user,

That's something gpg probably did automagically.

> but it did not prompt
> me, or use the keys as far as I can tell

You are correct; the keys are only used if you specify recipients
(from my reading of the gpg.py)...

> I believe duplicity uses the
> gpg engine but uses the passcode you define if you define one:
> 
> From the man page: "Duplicity will read the PASSPHRASE environment
> variable to find the passphrase to give to GnuPG. If this is not set,
> the user will be prompted for the passphrase."
> 
> So I think it is as simple as defining the same passphrase when you do
> your archiving and then again on the extraction.

Yep, by default it does symmetric encryption.  Public keys are good
for communicating between people who don't have physical proximity,
but not very useful when you're communicating with yourself (for most
encrypted storage applications, it may be useful to think of it as
sending the data to your future self).  Since public key crypto is so
slow, the PK routines (and keys) are merely used to encrypt a
symmetric session key which is prepended to the file.  As a
consequence of this, they have more ways to fail; the PK can be broken
or the symmetric.  Plus PK is slow, with the key sizes now it's often
the weakest link, the Montgomery multiplication is orderly enough that
it's the target of a lot of side channel attacks, plus it's more
likely to succumb to a practical quantum computer, when one big enough
gets built.  So yeah, use symmetric if you can. :-)

-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
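
The layout described in the message above, a session-key packet placed ahead of the encrypted data, can be checked on a binary GnuPG output file. The following is an added example, not part of the original message and not duplicity or GnuPG code: a minimal RFC 4880 packet-header reader that reports whether a file opens with a public-key (PKESK) or a passphrase-based (SKESK) session-key packet. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not duplicity or GnuPG code): RFC 4880 packet-header walk.
import struct

TAGS = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SEIPD"}

def read_header(buf, pos):
    """Return (tag, body_start, body_len); body_len is None when streamed."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor first?)")
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None         # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, pos + 1, None         # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def leading_packets(buf):
    """Packet names from the start through the encrypted-data packet."""
    names, pos = [], 0
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        names.append(TAGS.get(tag, "tag %d" % tag))
        if tag in (9, 18) or length is None:
            break
        pos = start + length
    return names

def classify(buf):
    """'public-key' if any PKESK precedes the data, else 'passphrase' or 'unknown'."""
    names = leading_packets(buf)
    if "PKESK" in names:
        return "public-key"
    return "passphrase" if "SKESK" in names else "unknown"

# Constructed samples: headers are well-formed, bodies are filler bytes.
DATA = bytes([0xD2, 0x05, 0x01]) + bytes(4)                        # SEIPD
SYMMETRIC = bytes([0x8C, 0x0D, 4, 9, 3, 2]) + bytes(8) + b"\x60" + DATA
RECIPIENT = bytes([0x85, 0x00, 0x0C, 3]) + bytes(8) + bytes([1, 0, 0]) + DATA

if __name__ == "__main__":
    for name, blob in (("symmetric", SYMMETRIC), ("recipient", RECIPIENT)):
        print(name, leading_packets(blob), classify(blob))
```

ASCII-armored files must be dearmored before being passed to `classify`, since the reader expects the binary packet stream.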
