gpg4usb - encryption [discontinued]

[gpg4usb]

To let you all know: we've released version 0.3.1.1 today, because there were problems with signing messages in russian, greek or other languages with non-latin characters... http://gpg4usb.cpunk.de

@webfork: Thank you a lot for your great reply! It's very nice to hear, that our application is useful for some people, and you're liking the new features in gpg4usb!

To answer your questions:
#3 - Some other users have complained about this, too. We're working on it to make this easier again. (This seems to affect some users, but not all of them)

#4 - It's a good point. We actually don't know, how we should handle files which are dropped on to the window: Always encrypt them automatically? If it's just a text-file, open it in the editor window instead? We have to think about this, how this should be dealt with.

#5 - looks nice too bad, it's windows only...

[webfork]

#4 - It's a good point. We actually don't know, how we should handle files which are dropped on to the window: Always encrypt them automatically? If it's just a text-file, open it in the editor window instead? We have to think about this, how this should be dealt with.

When the program just did encryption, I think just encrypting it would have made sense, but now that it has a signing function and a pretty good text editor, I would think the default action would be to just import it as text. Obviously, some will prefer auto-encrypt so maybe additional options in the menu to change the default import action.

Additionally, if what's being dragged into the program is already encrypted or signed, it would be nice to have the option to have the program automatically try decrypt/verify.

Having worked with the program over the last few days, I can throw out a few more suggestions:

• Ability to change default text editor font (for people with big monitors or bad eyesight) [Edit: this has been added ... use Zoom In / Zoom Out]
• Ability to sign files
• If you have multiple key pairs, how does the program know which key to use to sign? Other programs for example have a "default signing key" setting. [Edit: this isn't meaningful unless the "sign file" feature becomes available]
• Although the majority of your downloaders are going to know what they're getting, you might want to stick one of the many great GPG intro guides out there into the documentation to acclimate beginners. I always liked this one, but acknowledge it might be a little too much. [Edit: this feature has been added.]

we've released version 0.3.1.1 today

Cool -- will update shortly. Also, I posted something to Wikipedia about your program.

[gpg4usb]

[quote]I would think the default action would be to just import it as text[/quote]
Ok, we'll see what we can do about this. Shouldn't be too hard to integrate. Right now, we're not quite sure, hot to best detect, if a file is a text file, but we've got to have a look, which posibilities are presented by Qt for this.

[quote]
Obviously, some will prefer auto-encrypt so maybe additional options in the menu to change the default import action.
[/quote]
Perhaps we put an appropriate setting in the settings, so that one can active this behaviour.

[quote]
Additionally, if what's being dragged into the program is already encrypted or signed, it would be nice to have the option to have the program automatically try decrypt/verify.
[/quote]
Agreed. We think, this won't be in the next release, but in 0.3.3.

[quote]
Ability to change default text editor font (for people with big monitors or bad eyesight)
[/quote]
We've also considered this. Unfortunately, we've got to change our textedit-widget for this, but it'll be integrated in one of the next releases.

[quote]
Ability to sign files
[/quote]
It's on the list, but not of our top point. But it's on the list.

[quote]
If you have multiple key pairs, how does the program know which key to use to sign? Other programs for example have a "default signing key" setting.
[/quote]
We thought about this, escecially, becasue we want to implement "encrypt and sign" action Right now, the message is signed with all private checked keys. Perhaps you could tell your thoughts here: http://lists.gzehn.de/pipermail/gpg4usb ... 00017.html

Thanks for the link to the tutorial. It's written really nice and simple.

Best Regards

[webfork]

• >> I would think the default action would be to just import it as text
  >Ok, we'll see what we can do about this. Shouldn't be too hard to integrate. Right now, we're not quite sure, hot to best detect, if a file is a text file, but we've got to have a look, which posibilities are presented by Qt for this.
  
  >> some will prefer auto-encrypt
  > Perhaps we put an appropriate setting in the settings, so that one can active this behaviour.
  
  >> default text editor font
  > We've also considered this. Unfortunately, we've got to change our textedit-widget for this, but it'll be integrated in one of the next releases.
  
  >> if what's being dragged into the program is already encrypted or signed
  > Agreed. We think, this won't be in the next release, but in 0.3.3.
  
  >> Ability to sign files
  > It's on the list, but not of our top point. But it's on the list.

All that sounds good.

• >>how does the program know which key to use to sign
  >We thought about this, escecially, becasue we want to implement "encrypt and sign" action Right now, the message is signed with all private checked keys. Perhaps you could tell your thoughts here: http://lists.gzehn.de/pipermail/gpg4usb ... 00017.html

That's a hard question, for sure. I would create a pop-up menu that asks "which key would you like to sign to" when someone clicks "Sign." Give a list of available private keys with checkboxes. Then, have a checkbox at the bottom "always use this setting / don't show this menu again". Then in options, give an option to allow this pop-up to return so the user is prompted every time.

If you'd like, I can mock up an idea of the interface I have in mind and post it.

• > Thanks for the link to the tutorial. It's written really nice and simple.

Glad to hear it.

[gpg4usb]

Encrypt and decrypt messages and files wherever you want - portable on windows and linux: http://gpg4usb.cpunk.de/

The new release comes with a first start wizard, an offline help system and a lot of bugfixes. Our translators worked hard on bringing you localized versions: 0.3.2 ships in with nine languages!

New features:

• First start wizard with posibility to create new key
• import config and keys from old version
• import from locally installed GnuPG
• Integrated offline help system
• Dialog with result of key import
• Key details dialog more user friendly
• Zoomable text area
• File operation toolbar
• Added Arabian translation

Minor changes:

• Build with Qt 4.8
• Strike out revoked keys in keylist and add warning to keydetails dialog
• Change default iconsize to 24x24
• Show selection for keyring files in import dialog
• Understandable message if no private key found for decryption
• Add button to copy fingerprint in key detail dialog and remove whitespaces on copy
• Automatically restart gpg4usb on language change
• Change file encryption to single dialogs for en- and decryption
• Disable tab related actions when no tab is shown

Bugfixes:

• Fix crash on canceling password dialog on Windows
• Clear password cache after signing, if password remember isn't enabled
• Handle uft8 encoding correctly for keys
• Fix random crash when searching key on key server

[procyon]

Thank you for this update gpg4usb !

[...]

• Fix crash on canceling password dialog on Windows

[...]

Oh yes !


BTW, as visitor for a long time, i finally registred.
Hello TPFC community

[Checker]

@ gpg4usb: Thanks, and updated
@ procyon: Hello and welcome

[gpg4usb]

0.3.2-1 generates safer gnupg-keys by default, with RSA and 1024bit minimum.
Including gpg binary was updated to version 1.4.12.

Bugfix:
Fix creation of empty Windows registry key on import from existing GnuPG

Have fun! http://gpg4usb.cpunk.de/

[Checker]

@ gpg4usb: Thanks, and updated

[Kea]

More a question than a reply:

https://securityinabox.org/en/gpg4usb_portable says:

"The first key is known as the private key. It is protected by a password or passphrase, guarded and never shared with anyone."

But that is not completely true. If I have GPG4USB on the USB stick, and someone is stealing or only "borrowing" the stick for a few minutes to copy it, then the private key will be compromised, since he or she don't need any passphrase to open GBG4USB or to export the private key to a text file.

Is there a way to protect GPG4USB itself?

[webfork]

But that is not completely true. If I have GPG4USB on the USB stick, and someone is stealing or only "borrowing" the stick for a few minutes to copy it, then the private key will be compromised, since he or she don't need any passphrase to open GBG4USB or to export the private key to a text file.

Is there a way to protect GPG4USB itself?

For most users this really isn't an issue: with just a private key and no password, it's still very difficult to decrypt your communications. Although I don't have high security needs at the moment, I still keep my GPG4USB (and many other portable programs) inside an encrypted container such as Truecrypt (http://www.portablefreeware.com/index.php?id=199) or FreeOTFE (http://www.portablefreeware.com/index.php?id=698).

One nice thing is that GPG4USB handles this problem much better other programs, which save config files in weird places. So, if you didn't want to use a container program mentioned above, you could quickly encrypt the keydb folder (or the entire program) using 7-zip or a similar program.

Other precautions could include creating a key pair that expires in a year or less, keeping your USB drive on your person at all times, or buying one of those hardware encrypted hard drives.

[gpg4usb]

New stable release 0.3.3-1

• gpg4usb-0.3.3-1 additionally contains a 64-bit linux binary now, so there's no need to have 32-bit compatibility libraries installed on a 64-bit linux system anymore
• this release contains japanese translation, thanks a lot to Andoh.
• we changed the behaviour of the "remove double linebreaks"-action. It doesn't filter GPG-headers anymore
• we updated the included GnuPG-binaries from 1.4.16 to 1.4.18 for fixing some security issues (have a look at the changelog of GnuPG 1.4.17 and 1.4.18).

You may download http://gpg4usb.org now.

New alpha release 0.4

This release additionally contains binaries for MacOS. But since we had to rewrite the whole core, this release needs a lot of testing. So, if you want to be sure, better get the stable release. If you want to have a look what is planned for the release when it is finished have a look on our TODO-List.
Changes in this release till now:

• added encrypt to self functionality, so that every message additionally is encrypted for the choosen key
• added find widget
• added posibility to change path of keydb for using the keydb of other applications
• show key details in an extra tab, not in a window
• added refresh key from keyserver
• added upload key to keyserver
• added possiblity to add/remove keyservers
• added posibility for creating RSA-keys
• removed key management and integrated these functionalities in main window

[SYSTEM]

Thank you. I have updated the entry to version 0.3.3-1.

[webfork]

Latest update (v0.3.3) is a real improvement in terms of a genuinely good notepad program in addition to it's included encryption tool.

Features

- Notepad

• There's now unlimited undo levels (I assume, only tested around 100)
• If you exit any file that's not empty, you'll be prompted to save
• Tab hotkeys: CTRL+T to open a tab, CTRL+TAB to switch between tabs
• Ability to increase or decrease text size (CTRL++ or CTRL+-)

Security

• The intro to GPG screen works a lot better (opens up at the start and from the menu via Help - Integrated Help)
• Is set by default to 2048 keysize when generating a key and includes a 5 year expire date
• Advanced Stenography options to remove the PGP header (make the file look more like random data)

Wishlist

- High

• Optional ability to automatically prompt to decrypt once an encrypted file is opened
• Ability to drag and drop files (text into the main window, files into the Encrypt File window)
  - Autodetect encrypted drag-and-drop files and have the program automatically ask to decrypt
• If a file is not signed and you click "Verify" it should give some kind of note in the toolbar at the bottom that indicates a file was not signed. Right now, nothing happens.

- Low

• Another hotkey: CTRL + = increases text size (better for laptops, which right now have to press ctrl+shift+=
• Option to open tabs to what was visible upon shutdown (as this is less secure, this should be disabled by default)

[procyon]

New alpha release 0.4

I'm currently trying your alpha version as i'm particularly interested by the ability to change the keydb path. Unfortunatly, i can't get this working.
I changed the path in "settings -- Gpg paths" and even after a restart, the keys are not found. If i copy-paste the files in the default keydb folder of gpg4usb that's works.
Don't know if it's related but the "GNUPGHOME" environment variable always point to the default keydb folder. And this variable can't be overwritten by a batch launcher (for example)

By curiosity i took a little look at your code. BTW, even if i'm not very familiar with Qt/C++ , your code is well commented and easy to read

In main.cpp line 61: you seem to force the "GNUPGHOME" . Can i suggest to check if this variable is empty or exists before ? The advantage could be to use this variable if already set by an other app.
The downside is maybe a problem for the portability: if the host has already a "GNUPGHOME" but not the one wanted by the gpg4usb user.

About the keydb path available in the settings, which obviously avoid the previous downside, i can't find where "keydbpath" is used outside "settingsdialog".
Does this setting really works ?

Don't hesitate to correct me

Thank you for your work !