Poor Man’s Encryption

In a secure file transfer scenario, it is a very good idea to have a side channel for communication. A side channel is a second communication mechanism other than the one which is used to transfer the data. Side channels can be used for sending a password (used for decryption) and verifying someone’s key. In an extreme scenario, the side channel might be an in-person meeting.

Some mechanisms, such as email and SMS, send data in plain text. Please be aware of this, and definitely encrypt sensitive data when using these channels. RFC 1855 recommends, “never put in a mail message anything you would not put on a postcard.” Anyone in the transport chain can read it!

Some mechanisms, including most modern Internet-based messaging systems and storage providers, use client-server encryption. This means that data is encrypted in transit, but is not encrypted on the server. In some cases, the data may be encrypted on the server, but the operators have the key to decrypt the data, in which case the at-rest encryption doesn’t help you much.

Some mechanisms encrypt data in a true end-to-end manner (also called client-client encryption). When implemented properly, end-to-end encryption makes it computationally infeasible for a middleman to decrypt the message. Example systems that use true end-to-end encryption are Pretty Good Privacy (PGP), Telegram secret chats, and Matrix (now called Element.io).

Pretty Good Privacy (PGP) is an ideal solution. The modern GnuPG implementation is powerful and can be used as an additional layer of security on top of a plaintext communication channel.

The one problem is that very few people outside the Linux community use PGP. Even inside the Linux community, use of PGP has waned dismally.

If you wish to use PGP, you and the recipient will each need to generate a PGP key (outside of the scope of this document) and then verify each other’s keys over a side channel, traditionally in an in-person “key signing party” (also outside the scope of this document).

Once you have each other’s public keys, the rest of the job is easy.

To encrypt a file, use the --encrypt flag.

$ gpg --encrypt -r <id> sensitive.txt

To encrypt several files, use --encrypt-files.

$ gpg --encrypt-files -r <id> sensitive1.txt sensitive2.txt ...

To encrypt a message in STDIN, use --encrypt and omit the file name. In this manner, GnuPG can be run in a pipeline.

$ gpg --encrypt -r <id>

Once your file is encrypted, send it over the channel of your choice.

A useful flag that can be added to encrypt operations is -a, which formats the result in an ASCIIfied way. When the ciphertext is in ASCII, you can send it over any text-only channel. In this way, you can encrypt an image and send it over e.g. SMS on a phone carrier.

To decrypt one or more files, use --decrypt-files. GnuPG will ask you for the password of your key.

$ gpg --decrypt-files sensitive.txt.gpg

To decrypt from STDIN, simply use --decrypt. In this manner, GnuPG can be run in a pipeline.

$ gpg --decrypt

ZIP has a handy lesser-known feature: encrypting a file with a passphrase. Also, every modern operating system comes with a ZIP implementation, making ZIP password protection highly available.

However, be warned that the default ZipCrypto algorithm is considered weak by today’s standards. To make matters more complicated, the ZIP tools bundled with modern operating systems (Windows Explorer, macOS Finder, and Linux’s Info-ZIP) only support ZipCrypto. Any attempt to decrypt something other than ZipCrypto will yield an error message. So, there is a trade-off between confidentiality and availability.

If you want better encryption, then use AES. 7-Zip supports AES, and it is cross-platform. On Windows, WinZip supports AES. On Linux, you can use either 7-Zip or BSD’s tar implementation (packaged as bsdtar in most distributions).

bsdtar is command line based, and it is usually installed on modern Linux distributions by default. To encrypt a file using bsdtar on Linux:

$ bsdtar -a -cf sensitive.zip --options zip:encryption=aes256 sensitive.txt

You can replace aes256 with aes128, or you can fall back to zipcrypt for traditional (weak) ZipCrypto.

The command will prompt you for a password. Send the password to the recipient via a side channel.

PDF also has a feature to encrypt documents. This feature is somewhat entangled with the poorly designed “permissions” system of yesteryear (e.g. permission to print, etc). However, when configured properly, the entire document is encrypted. Furthermore, PDF 1.6 uses AES-128, and PDF 1.7 uses AES-256 (according to Adobe). So, the encryption is pretty good, and documents can be decrypted by any PDF reader.

On Linux, you can encrypt a PDF with Ghostscript.

$ gs -sDEVICE=pdfwrite -dBATCH -dNOPAUSE -sOwnerPassword=balloons -sUserPassword=balloons -sOutputFile=sensitive.pdf sensitive-enc.pdf

(Of course, you probably want to pick a better password than ‘balloons’. Also, send the password to the recipient via a side channel.)

As of ghostscript 9.26, this command outputs a PDF 1.7 document, so AES-256 is used.

Make sure you set both the owner password and the user password to the same string. The dichotomy is an artifact from the era of bad PDF protection. What is important now is that both values are set and equal.

Once you are happy with the encryption, safely destruct the plaintext copy by writing random data to it.

$ shred sensitive.pdf
$ mv sensitive-enc.pdf sensitive.pdf