gpg4usb - encryption [discontinued]

Submit portable freeware that you find here. It helps if you include information like description, extraction instruction, Unicode support, whether it writes to the registry, and so on.
Message
Author
gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

gpg4usb - encryption [discontinued]

#1 Post by gpg4usb »

gpg4usb is a very easy to use portable-application, which combines a simple text-editor with a GnuPG-frontend to write, encrypt and decrypt your text-messages. Gpg4usb should work on almost any computer you're working on, should it be a Linux-machine or even one with a Microsoft-OS running.

Just download the zip-File, and unzip it onto your usb-pendrive. Then simply change into the folder gpg4usb at your usb-drive, and execute the binary in there

http://gpg4usb.cpunk.de/

Image

ashghost
Posts: 384
Joined: Wed Feb 06, 2008 2:55 pm
Location: South Carolina

#2 Post by ashghost »

You've answered Webfork's question of a year ago: http://www.portablefreeware.com/forums/ ... hlight=pgp

The biggest problem I see is that it doesn't include robust key management. You can only import keys, you can't generate them (though I see that's on the to-do list).

I can verify that it's portable, anyway.

Saves settings to: None. Saves keys in a database in a subdirectory of the application directory.

Stealth: Yes

Size: 23.6 MB uncompressed (a little big, but it is cross-platform

Compatibility: Linux/Win? XP and Vista for sure.

M@tty
Posts: 192
Joined: Wed May 02, 2007 9:32 am
Contact:

#3 Post by M@tty »

Unfortunately gnupg creates an empty folder in the Application Data folder upon startup, thus making the program not stealth.

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#4 Post by Yucca »

M@tty wrote:Unfortunately gnupg creates an empty folder in the Application Data folder upon startup, thus making the program not stealth.
M@tty,

That's correct. The following is extracted from the README-W32.txt file in the docs folder of GnuPG's install directory:
Home directory:
===============

GnuPG makes use of a per user home directory to store its keys as well
as configuration files. The default home directory is a directory
named "gnupg" below the application data directory of the user. This
directory will be created if it does not exist. Being only a default,
it may be changed by setting the name of the home directory into the
Registry under the key HKEY_CURRENT_USER\Software\GNU\GnuPG using the
name "HomeDir". If an environment variable "GNUPGHOME" exists, this
even overrides the registry setting. The command line option
"--homedir" may be used to override all other settings of the home
directory.
In using GPG from the command line, a user can always put --homedir d:\gnupg (or whatever, perhaps even a relative directory) as the first element of the gpg command and the user app's folder will not be touched, so GPG from the command line can be stealth. Unfortuantely, this option cannot be added to the gpg.conf file to set a default home directory.

I assume the author of gpg4usb could make a code change to add the --homedir option in his functions and perhaps allow stealth operations of GPG with his interface.

Actually, if one is concerned about stealth, then I would think that using the command line would be the best alternative anyway.

Using GPG from the command line is fairly easy to learn, since one only needs to know a few short command strings to perform the basic functions of key-encryption, symmetric encryption, signing, clearsigning, detached signing, importing of keys, exporting of keys and deleting keys. (In fact, these can be set up as windows shortcuts -- but that is not portable.)

Yucca

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#5 Post by Yucca »

** Accidental Duplicate post deleted. **

Yucca
Last edited by Yucca on Wed Aug 20, 2008 3:06 pm, edited 1 time in total.

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#6 Post by Yucca »

ashghost wrote: ...
The biggest problem I see is that it [gpg4usb] doesn't include robust key management. You can only import keys, you can't generate them (though I see that's on the to-do list).
...
Size: 23.6 MB uncompressed (a little big, but it is cross-platform)
...
In terms of program size, windows users can delete the linux elements and UPX-compress the start_windows.exe and gpg.exe files, resulting in a total size about 3.5 MB uncompressed.

With regard to key management, I can offer some help for windows users until the author of gpg4usb adds other key management functions.

Below are some short .cmd programs that should be placed in the gpg4usb application directory along with start_windows.exe. The functions are self-explanatory from the suggested names.

To create these .cmd files, just use Notepad (or other plain text editor) and copy and paste my code exactly. I have used relative directory paths, so you do not need to change any of the code.

Suggested File Name = GenKeyPair.cmd

Code: Select all

@echo off
:: This generates a new key pair for use in gpg4usb

%~dp0\bin\gpg --homedir %~dp0\keydb --gen-key

echo.
echo Operation complete.  Press any key to close . . .
echo.
pause > nul
exit
Suggested File Name=ExportKey.cmd

Code: Select all

@echo off
:: This exports a public key from gpg4usb

echo.
set /p expkey=What is the KeyID (Name, Email or Number) of key to be exported?  &::

%~dp0\bin\gpg --homedir %~dp0\keydb --armor -o "%~dp0\keydb\exportedkey.txt" --export "%expkey%"


Notepad "%~dp0\keydb\exportedkey.txt"
echo.
echo.
echo Exported key can be found in "%~dp0\keydb\exportedkey.txt".
echo.
echo Operation complete.  Press any key to close . . .
echo.
pause > nul
exit

Additionally, the following two files can be used to clearsign a text file and to verify signed text in a text file.

Suggested File Name=ClearSignTextFile.cmd

Code: Select all

@echo off
:: This clearsigns a text file with default signing key

echo.
set /p infile=What is dir:\path\filename of the text file to be signed?  &::
echo.
echo.
set /p signedfile=What is dir:\path\filename of the output file with signature?  &::

%~dp0\bin\gpg --homedir %~dp0\keydb -o "%signedfile%" --clearsign "%infile%"

Notepad "%signedfile%"

echo.
echo Signed file is "%signedfile%" .
echo Operation complete.  Press any key to close . . .
echo.
pause > nul
exit
Suggested File Name=VerifySigInTextFile.cmd

Code: Select all

@echo off
:: This verifies the signature of signed text in a text file

echo.
set /p sigfile=What is dir:\path\filename of the text file with signed text?  &::
echo.

%~dp0\bin\gpg --homedir %~dp0\keydb -o "%signedfile%" --verify "%sigfile%"

echo.
echo.
echo Operation complete.  Press any key to close . . .
echo.
pause > nul
exit
Hope this information helps somebody.

Yucca

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

#7 Post by gpg4usb »

M@tty: Thanks for the hint about the created folder on Windows-machines - we added this to our TODO-list to solve this behaviour in our upcoming releases

Yucca: We now offer a UPX-compressed version on our homepage http://gpg4usb.cpunk.de - this results in a total size of 9mb uncompressed now (linux+windows-version) - Thanks for this!

Key Management is one important point on our TODO-List - before we work on this, binary-encryption is our top-priority and will be added in our next release.

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#8 Post by Yucca »

gpg4usb wrote:Key Management is one important point on our TODO-List - before we work on this, binary-encryption is our top-priority and will be added in our next release.
gpg4usb,

It appears that your team's original purpose was to create a tool to make GnuPG easy to use with email, and I think you did a great job of that.

However, if that was your purpose, then I would suggest that you might consider adding signing and clearsigning text messages and verifying signatures near the top of your TODO-List before turning your efforts to binary-encryption.

In using GnuPG with email, it is important (some would say essential) not only to be able to encrypt and decrypt email text for privacy but also to be able to validate it's authenticity (actual authorship) and integrity (no tampering with the text) with GnuPG's signing and signature verification functions. Because it is so easy to fake email headers today, GnuPG's digital signing features provide an important means of determining/verifying who really sent an email (encrypted or not). That is, authenticity and integrity are equally important to privacy in email transactions -- since all three elements are required for email security.

Thanks for a very good, portable, cross-platform program. I look forward to watching it evolve to include more functions.

Yucca

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

#9 Post by gpg4usb »

Yucca,
thanks for your suggestions, I've added signing and verifying of signatures to our todo-list.

But because it's easy for administrators of e.g. internet-cafes to copy your data off the usb-drives plugged into their machines we are for now a little bit aware of adding too much key-management. The risk of 'identity-theft' has lead us to the conclusion, that we can't expect our application to really proove identities, but to simply encrypt messages/binaries.

File-encryption has made good progress already and will be published soon with our next release.

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#10 Post by Yucca »

gpg4usb,

Thanks for adding signing/verifcation to your To-do list.

I'm not sure I understand your logic about risk, however, since you already support decryption which requires inputing a passphrase. Signing a message, which requires inputing a passphrase, would not be any riskier in a cafe than decrypting a message.

Also, verification of signatures only uses the public keyring and does not require a passphrase, so there is no security risk. Even if you don't add signing capability (for the reason you mentioned), perhaps you could add signature verification.

Whatever you decide, thanks for an excellent portable program that will, hopefully, get more people using GnuPG with their email.

Yucca

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

#11 Post by gpg4usb »

I'm not sure I understand your logic about risk, however, since you already support decryption which requires inputing a passphrase. Signing a message, which requires inputing a passphrase, would not be any riskier in a cafe than decrypting a message.
Yucca,

you're right, the risk I was talking about was not because of special risks with signing-features.

One user of our software has pointed out some days ago, that decrypting and therefore the use of secret-keys on an usb-drive plugged into not-known machines is a big risk.
Admins with bad intents can easily steal your secret-key on those machines - if they want to. You're right, they need your passphrase to use it - but our user was aware about this possibility in combination with e.g. installed keyloggers...

Because of this, we were thinking about the 'web-of-trust-ideals' and the idea of identity-verification via signatures. For now we decided to put a warning about this on our website soon - then users can decide by themselves how much they have to worry about this worst-case-scenario.

Yucca
Posts: 88
Joined: Sun May 07, 2006 10:59 am

#12 Post by Yucca »

gpg4usb,

Perhaps you could add a warning to the text of the popup box that asks for the passphrase during decryption. I know a lot of people will just ignore it, but at least they would have been warned.

I do think you're right that USB reading, keylogging and wireless sniffing make using GnuPG on public machines very risky. Of course, all you can do is remind users of the risk unless you only provide encryption (without decryption or signing) -- and that would not be a very useful program.

Thanks for your work.

Yucca

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

#13 Post by gpg4usb »

Yucca,

yes, we are discussing about adding a warning-box if someone's adding a secret-key to the gpg4usb-keyring actually - knowing the problem that most users unfortunately will ignore it... but they have been warned...

You're right, a program without decrypting/signing-features would be nearly useless - so we hope that we can provide a simple tool that can do all this, and make the users sensitive about the risks.

Thanks a lot for your appreciation of our program!

gpg4usb

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

Announce: v0.1.1-2 released!

#14 Post by gpg4usb »

There's a new version of gpg4usb published recently!

We solved some bugs, and added some minor modifications like a sortable keylist now.

You'll find the current release on our website:
http://gpg4usb.cpunk.de/

gpg4usb
Posts: 26
Joined: Fri Aug 15, 2008 5:39 am
Contact:

gpg4usb 0.2

#15 Post by gpg4usb »

gpg4usb, your portable application for gpg encryption is still alive! Version 0.2 is out, featuring:

* Keymanagement
* Key-Generation
* File encryption/decryption

and lots of bug fixes and smaller improvements. http://gpg4usb.cpunk.de/

about gpg4usb:
gpg4usb is a very easy to use and small portable editor to encrypt and decrypt any text-message or -file you want.

Our aim is, to give anyone the possibility to send and receive secure encrypted messages anywhere - on any computer out there, no matter if Microsoft Windows(TM) or Linux is running on it. Therefore it's usage is self-describing, and the user-interface as simple as possible.

gpg4usb is free software, and it is licensed under the GNU General Public License (GPL).

If you want to give it a try, please visit our download-section, get the files and unzip it onto your usb-pendrive... et voilà: you're done and ready to go!

Post Reply