Just imagine what those of us who have to manage three different server technologies (and the administration panels thereof) replicated across six different servers have to go through!

-The Gneech

God, THANK you. I'm glad I'm not the only one driven crazy by this. Work has probably 8-10 passwords for different systems we have to remember, and we're forced to change them (and use numbers, mixed-case, and special characters!) every three months, and not reuse old password.

Also with some of them, if we enter the wrong password 3x in a row, we're locked out of the system.

This is something I've had issues with as well. Well, both the password thing and the portable data file encryption thing. Actually, what would be ideal for me would be portable disk image encryption, but even that is hard to come by. PGP has always been too much of a pain... Mac OS's encrypted disk image system is delightfully simple to use and copy to another system (you can add the passwords to your keychain but it's not at all required) but it's restricted to that platform... I have yet to find something both truly simple to use and portable^*. Actually, portable ones at all I've rarely seen.

Meanwhile, if a site (including Disney's own cast portal stuff) demands that I switch incomprehensible passwords around every 90 days or so, I just let it expire, feign ignorance, get a reset, and set my old fave password back again. At least in D's systems, a reset clears the history so I can do that.

As for the Linux/Unix equivalent of a .BAT file though, the term you want is "shell script." Those can be quite simple or quite complex... I think I recall helping you set up one or two at some point but that was a while back, to say the least.

^*By "portable" I mean "easily usable on multiple hardware/OS platforms", not "easily usable on different computers of the same platform." The "USB keyfob of goodies you can run on Windows computers without installing them to the HD" crowd has hijacked the term and I want it back, dammit.

You did indeed help me with a shell script or two, but it was far enough back that I couldn't remember the phrase "shell script".

And "portable between Ubuntu systems" is sufficiently "portable" for me right now.

Edited at 2010-04-02 08:57 pm (UTC)

In a text editor:

#!/bin/bash
/bin/rot13 %1 > %1

Save as 'r31', then at the command line, chmod +x r31; when you want to use it, ./r31 filename.txt

Better yet, there should be a file (usually hidden by dot-convention, use ls -laF to see all your files plus attributes) typically called the .rc file, which holds the script that gets run when you login. You can edit that file to add alias r31 '/bin/rot13' or equivalent alias command (different shells have slightly different formats, man alias to discover yours, though sometimes the man page for your install throws a middle finger exception and just discusses the shell instead of specific shell commands).

The password thing is even more fun for me, because some nimrod in upper management has decided that we should be changing passwords every thirty days!

Despite the fact that the nationally renowned head of the computer security foundation here (Eugene Spafford for those of you in the know) has repeatedly stated how this policy will only cause passwords to be LESS secure.

Ooh! Can you link me to one of his statements to that effect? Preferably one where he 'splains the reasoning behind it.

Don't use passwords, use passphrases - long sentences with some tangential relationship to the thing they unlock and some content which is random. If it's a good long passphrase, it's easy to remember and you can probably use it for most things.

Have at least two passwords - a 'casual' password you use for everything, and a 'high security' password you use for stuff that seriously needs to not get compromised.

GRC.com has an excellent high-security password generator. Save one in a text file to a thumbdrive, or perhaps save several, and next time you need one you can copy and paste from your physically secured data device.

I'm going to give you the answer to your question first, and then I will give you some cryptography background notes you can skip or just glaze on. Or if my explanation is confusing or you want more detail, feel free to ask.

What you want is to use one of those PGP-style applications in "symmetric cipher mode." You make up a passphrase, and it encrypts your file to that passphrase. Move the file elsewhere, decrypt it, and you put in the same passphrase. You don't need to carry around any key file.

I use GnuPG for this purpose, which is another PGP variant. You can install it as a package from Ubuntu with apt-get. It's probably called "gnupg". And it's actually quite simple to use:

To encrypt: gpg -c <file to encrypt>
You will be prompted for a passphrase, and out pops a file called the same thing with ".gpg" appended to it. You can then delete the original and just the encrypted version remains.

Full disclosure: Technically, just deleting the original file isn't the kind of secure wipe that the truly paranoid would insist upon to protect the original contents. I'm guessing you don't care enough to bother with that.

To decrypt: gpg <encrypted file.gpg>
You will again be prompted for a passphrase, and out pops the original file without the .gpg extension. (If the original filename exists already, you will be prompted to overwrite.)

And now, crypto notes:

Regarding "any pass phrase I come up with will be linked to a locally-stored Encryption Key File." This is how you pass things around, but between different people, and is the default way PGP applications encrypt data. Remember, PGP was intended for sending encrypted email between different people. This is the asymmetric mode (as opposed to the symmetric mode I described above). As in, I want to send you an encrypted document, and you and I each have a public/private key pair. Everyone knows your public key, and can encrypt the document to your public key. You can then use your private key to decrypt. In the asymmetric mode, the passphrase you so often hear about is a key used to encrypt the private key data, so it's not kept unprotected when stored on disk. So the passphrase unlocks the private key, and the private key is what unlocks the encrypted document you've received. That's why, in this mode, you need to keep key data around. You actually don't even have to have a passphrase; but this means your private key is kept on disk unencrypted, which is just considered a bad idea, since anyone who gets access to it could then use it to decrypt.

Your confusion stems from using the asymmetric mode to store documents for yourself: you are, in effect, sending the document to yourself. You can do this, and it's secure (so long as your private key is protected), but it's not the intended purpose of this mode.

But in symmetric mode, you're not using a passphrase to unlock the real key. The passphrase itself is the real key. And so there's no baggage you need to carry around. And more full disclosure: this means the strength of the encryption on your document is related to the security of your chosen key. Again, it sounds as though this modest security is acceptable to you.

Edited at 2010-04-02 09:46 pm (UTC)

You totally get the cookie. I was hoping someone could explain how to make one flavor or another of PGP do what I wanted it to do.

And, yeah—I grok enough about the principles behind encryption to know that Security ∝ Key Length.

My stated parameters were "at least as secure as ROT-13", after all, and I'm well aware that's pretty lame.

I'm also not certain about Gnome, but in KDE I can encrypt/decrypt files with a right-click on the icon. I'm assuming Gnome has something similar.

Oh, lookie there! GNOME has that, too -- but it still tells me it can't find encryption keys and fires up the same app as gedit, so I'm gonna have to spend some time with the Help Manual to see how to go all symmetric an' stuff.

Ah, so close but so far.

What I'm wondering is maybe that is an oversight from the folks that made the GUI widget for encrypting. They might've assumed that if you were using a function of GPG you'd need a key.

Because I have a key already I get a display that shows my keys and then below it is a check-box to use symmetric encryption. As soon as I check that it disables the keys and other options and just asks for the pass-phrase.

Maybe you just need to generate a "throw-away" key that'll let you get to the rest of the GUI?

Hey, thanks for that reply!

I've been dabbling in very basic GPG for a while with a couple clients, but I wasn't aware of the symmetric mode, which is something I had been looking for as well. This is great!

*goes to encrypt everything on his HD*

You must get to know me better to realise exactly how bad an idea this is!

I'd never be able to access my data again.

Which my wife would probably applaud, come to think of it.

Oh, yeah, there's always been a trade-off between usability and convenience. This is probably the single biggest security problem, period. I don't just mean for you and me, but also for huge corporations and governments and armies. It's just something that we have to accept. I accept it by not worrying about it too much. Cyber-security doesn't bother me so much because I feel it's pretty superficial. I don't think the revolution will be webcast. ;)