Using GPG to Encrypt Your Data

Use GPG with the cipher AES256, without the --armour option, and with compression to encrypt your files during inter-host transfers.

GPG

Encryption helps protect your files during inter-host file transfers (for example, when using the scp, bbftp, or ftp commands). Encrypting the file itself protects its contents even when the transfer channel is unencrypted, as with ftp, and while the file sits on the remote host. We recommend GPG (GNU Privacy Guard), an open-source, OpenPGP-compatible encryption system.

GPG has been installed on Pleiades, Endeavour, and Lou at /usr/bin/gpg. If you do not have GPG installed on the system(s) that you would like to use for transferring files, please check out the GPG web site.

Choosing What Cipher to Use

We recommend using the cipher AES256, which uses a 256-bit Advanced Encryption Standard (AES) key to encrypt the data. Run gpg --version to list the ciphers your build supports. Information on AES can be found at the National Institute of Standards and Technology's Computer Security Resource Center.

You can set your cipher in the following ways:

Add the following line to your ~/.gnupg/gpg.conf:

cipher-algo AES256

Or add --cipher-algo AES256 on the command line to override the default cipher. The default is CAST5 in older GnuPG releases; newer releases default to AES, but setting AES256 explicitly is harmless and makes the choice independent of the installed version.
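To confirm that the setting took effect, the first packet of the encrypted file records the cipher that was used: gpg --list-packets test.gpg prints it as "cipher 9" (the OpenPGP identifier for AES256) rather than "cipher 3" (CAST5). The following Python script is an added example, not part of the original page or of GnuPG: it reads that packet header directly, as laid out in RFC 4880 section 5.3, and reports the cipher and the string-to-key (S2K) settings without decrypting anything. The two sample packets at the bottom are constructed by hand for illustration, not captured from a real file.

```python
"""Report the cipher and string-to-key (S2K) settings recorded in a
GnuPG-encrypted file without decrypting it.

Added example, not part of the original page or of GnuPG: a minimal parser
for the OpenPGP Symmetric-Key Encrypted Session Key packet (RFC 4880,
section 5.3), which is the first packet gpg --symmetric writes. It shows where
the "cipher 9" in `gpg --list-packets` output comes from. The two sample
packets at the bottom are constructed by hand for illustration.
"""
import struct

# RFC 4880 section 9.2: symmetric-key algorithm identifiers
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
# RFC 4880 section 9.4: hash algorithm identifiers (used by the S2K spec)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
PKESK_TAG = 1   # public-key encrypted session key (gpg --encrypt -r ...)
SKESK_TAG = 3   # symmetric-key encrypted session key (gpg --symmetric)


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) of the packet starting at data[0]."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                                  # new-format header
        tag = first & 0x3F
        b1 = data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not handled here")
    tag = (first >> 2) & 0x0F                         # old-format header
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not handled here")


def s2k_count(octet):
    """Decode the coded iteration-count octet (RFC 4880 section 3.7.1.3)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def inspect_skesk(data):
    """Describe the leading SKESK packet of an encrypted file as a dict."""
    tag, offset, length = parse_packet_header(data)
    if tag == PKESK_TAG:
        raise ValueError("public-key encrypted file, not --symmetric output")
    if tag != SKESK_TAG:
        raise ValueError("unexpected leading packet tag %d" % tag)
    body = data[offset:offset + length]
    version, cipher_id, s2k_type, hash_id = body[0], body[1], body[2], body[3]
    if version != 4:
        raise ValueError("unsupported SKESK version %d" % version)
    info = {"cipher": CIPHERS.get(cipher_id, "unknown(%d)" % cipher_id),
            "hash": HASHES.get(hash_id, "unknown(%d)" % hash_id)}
    if s2k_type == 0:            # simple: key = hash(passphrase), no salt
        info["s2k"], end = "simple", 4
    elif s2k_type == 1:          # salted: 8-byte salt, single hash pass
        info["s2k"], info["salt"], end = "salted", body[4:12].hex(), 12
    elif s2k_type == 3:          # iterated and salted: what gpg writes
        info["s2k"], info["salt"] = "iterated+salted", body[4:12].hex()
        info["iterations"], end = s2k_count(body[12]), 13
    else:
        raise ValueError("unknown S2K type %d" % s2k_type)
    # Bytes after the S2K spec, if any, are a session key encrypted under the
    # passphrase-derived key; if absent, that derived key encrypts the data itself.
    info["encrypted_session_key"] = len(body) > end
    return info


def is_aes256(data):
    """True when the file was encrypted with the cipher this page recommends."""
    return inspect_skesk(data)["cipher"] == "AES256"


# Constructed samples: old-format header (tag 3, one-byte length 13), version 4,
# cipher id, S2K type 3, hash 8 (SHA256), an 8-byte salt, coded count 0x60 (65536).
SAMPLE_AES256 = bytes.fromhex("8c0d" "04" "09" "03" "08" "0011223344556677" "60")
SAMPLE_CAST5 = bytes.fromhex("8c0d" "04" "03" "03" "08" "0011223344556677" "60")

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AES256
    print(inspect_skesk(blob))
```

Run it with the path of a file produced by gpg --symmetric to see the same cipher, S2K mode, salt and iteration count that gpg --list-packets reports; a public-key encrypted file is rejected rather than misreported, because its leading packet has a different tag.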

Examples

In each of the simple examples below, add --cipher-algo AES256 to the command line if you chose not to put cipher-algo AES256 in your personal gpg.conf file; otherwise an older GnuPG falls back to its default cipher, CAST5.

Creating an Encrypted File

Both commands below are equivalent (the second uses the short forms of the same options). They encrypt the file "test.out" and produce the encrypted version in "test.gpg".

% gpg --output test.gpg --symmetric test.out

% gpg -o test.gpg -c test.out

You will be prompted for a passphrase, which will be used later to decrypt the file. Symmetric encryption has no notion of a recipient: anyone who learns the passphrase can decrypt the file, so share it out of band and never alongside the file itself.

Decrypting a File

The following command decrypts the file "test.gpg" and produces the file "test.out."

% gpg --output test.out -d test.gpg

You will be prompted for the passphrase that you used to encrypt the file. If you omit the --output option, the decrypted data is written to standard output. If you give no options at all, gpg writes it to a file named by stripping the .gpg suffix. That is:

% gpg test.gpg

results in the decrypted data in a file named "test".

Passphrase Selection

Your passphrase should have sufficient entropy. We suggest five words of 5-10 letters each, chosen at random, separated by spaces, with special characters and/or numbers embedded in the words. The strength comes from the random choice; a phrase you compose yourself, or a quotation, is far easier to guess than its length suggests.

You need to be able to recall the passphrase that was used to encrypt the file.

Factors that Affect Encrypt/Decrypt Speed on NAS Filesystems

We do not recommend using the --armour option for encrypting files that will be transferred to/from NAS systems. ASCII armor base64-encodes the binary output so that it can be pasted into email; it is not needed for scp, bbftp, ftp, etc. The armored file is about 33% bigger than the binary form, and encrypting the data takes about 10-15% longer.

The compression algorithm used when encrypting affects the time required to complete the operation (the choice is recorded in the encrypted file, so decryption uses whichever algorithm the encryptor chose). There are three options for the compression algorithm: none, zip, and zlib, selected by name or by number:

--compress-algo none   (or --compress-algo 0)

--compress-algo zip    (or --compress-algo 1)

--compress-algo zlib   (or --compress-algo 2)

GnuPG 1.4 and later also accept bzip2 (or 3), which was not benchmarked here.

For example:

% gpg --output test.gpg --compress-algo zlib --symmetric test.out

If your data is not compressible, --compress-algo 0 (aka none) gives you about a 50% performance increase compared to --compress-algo 1 or --compress-algo 2 .

If your data is highly compressible, choosing zlib or zip will not only give you a 20-50% speed increase, but it also reduces the file size by up to 20x. For example, a 517 MB highly compressible file was compressed to 30 MB on a NAS system.

zlib is not compatible with PGP 6.x, but neither is the cipher algorithm AES256. zlib is about 10% faster than zip on a NAS system and compresses about 10% better than zip .
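The following Python script is an added example, not code from the original page or from GnuPG, that ties the encrypt/decrypt examples and the compression comparison above together. It runs the installed gpg with the settings recommended on this page (--symmetric, --cipher-algo AES256, an explicit --compress-algo, binary rather than --armor output), delivers the passphrase on standard input instead of in the command line (arguments are visible to every user on the host through ps), verifies the round trip by comparing SHA-256 digests, and reports the none/zip/zlib sizes and encryption times for a compressible and an incompressible input generated locally. It works in a throwaway GNUPGHOME so your own keyring and gpg.conf are untouched. The --pinentry-mode loopback flag is what GnuPG 2.1 and later need for --passphrase-fd to work (2.1.x additionally needs allow-loopback-pinentry in gpg-agent.conf); the passphrase constant is a placeholder, and the figures will differ from the NAS numbers quoted above.

```python
"""Run the recommended gpg settings end to end and measure the compression
options on compressible and incompressible input.

Added example, not from the original page or from GnuPG. Every gpg
invocation uses --symmetric, --cipher-algo AES256, an explicit --compress-algo,
and binary output (no --armor); the passphrase is delivered on stdin rather
than in argv, and the result is checked by decrypting and comparing digests.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile
import time

GPG = shutil.which("gpg")
HAVE_GPG = GPG is not None
# Placeholder for the example only; a real passphrase never belongs in source.
PASSPHRASE = "five random words joined here"


def gpg_version():
    """Return (major, minor) of the installed gpg, e.g. (2, 2) for 2.2.27."""
    first_line = subprocess.run([GPG, "--version"], capture_output=True,
                                text=True, check=True).stdout.splitlines()[0]
    major, minor = first_line.split()[-1].split(".")[:2]
    return int(major), int(minor)


def base_args(compress_algo="zlib"):
    """Option set recommended on this page: AES256, no armor, explicit compression.
    --passphrase-fd 0 reads the passphrase from stdin; passing it in argv
    would expose it to every user on the host through ps."""
    args = [GPG, "--batch", "--yes", "--quiet", "--passphrase-fd", "0",
            "--cipher-algo", "AES256", "--compress-algo", compress_algo]
    if gpg_version() >= (2, 1):
        # GnuPG 2.1+ collects passphrases through gpg-agent; loopback mode
        # lets --passphrase-fd work without a pinentry dialog (2.1.x also
        # needs allow-loopback-pinentry in gpg-agent.conf).
        args += ["--pinentry-mode", "loopback"]
    return args


def run_gpg(args, env):
    """Run gpg, feeding the passphrase on fd 0; raises on a non-zero exit."""
    subprocess.run(args, input=PASSPHRASE + "\n", text=True, env=env,
                   check=True, capture_output=True)


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def round_trip(data, compress_algo):
    """Encrypt and decrypt `data` in a throwaway GNUPGHOME.
    Returns (round_trip_ok, ciphertext_size, encrypt_seconds)."""
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)   # leave ~/.gnupg and gpg.conf alone
        plain, enc, back = (os.path.join(home, n)
                            for n in ("test.out", "test.gpg", "back.out"))
        with open(plain, "wb") as f:
            f.write(data)
        started = time.perf_counter()
        run_gpg(base_args(compress_algo) + ["--output", enc, "--symmetric", plain], env)
        elapsed = time.perf_counter() - started
        run_gpg(base_args() + ["--output", back, "--decrypt", enc], env)
        ok = sha256(plain) == sha256(back)
        if shutil.which("gpgconf"):                # stop the agent gpg 2.x started
            subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env,
                           check=False, capture_output=True)
        return ok, os.path.getsize(enc), elapsed


def compare_compression(data):
    """Map each of none/zip/zlib to its (ok, size, seconds) for one input."""
    return {algo: round_trip(data, algo) for algo in ("none", "zip", "zlib")}


if __name__ == "__main__":
    if not HAVE_GPG:
        raise SystemExit("gpg not found on PATH")
    # Constructed inputs: repeated text compresses well, os.urandom does not.
    text = b"The quick brown fox jumps over the lazy dog.\n" * 20000
    random_bytes = os.urandom(len(text))
    for label, data in (("text", text), ("random", random_bytes)):
        for algo, (ok, size, secs) in compare_compression(data).items():
            print(f"{label:6s} {algo:5s} ok={ok} size={size:8d} encrypt={secs:.3f}s")
```

On the random input you should see the three ciphertexts within a few bytes of each other and "none" finishing fastest; on the repeated text the zip and zlib outputs shrink dramatically, which is the effect the benchmark above describes.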

Random Benchmark Data

We tested the encryption/decryption speed of three different files (1 MB, 150 MB, 517 MB) on NAS systems. The file used for the 1 MB test was an rpm file, presumably already compressed, since the resultant file sizes for the none/zip/zlib were within 1% of each other. The 150 MB file was an ISO, also assumed to be a compressed binary file for the same reasons. The 517 MB file is a text file. These runs were performed on a CXFS filesystem when many other users' jobs were running. The performance reported here is for reference only, and not the best or worst performance you can expect.