I’m writing a program in vb.net that I want to automate encryption/decryption of files with PGP. There seem to be a lot of third party libraries out there on Google.
Has anyone done this? What would you recommend?
Thanks so much.
I have not done it. I hope to have a chance to do it some day (month, year) soon for a program I have in mind but which may never get off the ground.
I would recommend caution and lots of study before you rush off to do the implementation. PGP is (from all reports) very good. There are, however, details to using it that can cause problems.
There have been PGP implementations that have failed for reasons other than the actual encryption. Insecure management of the private key springs to mind. Ideally, there should be no copy of the key on any computer - you should have to enter it manually each time, or else have it stored on something you can remove from the computer and lock away when you aren’t using it. Since you want to automate encryption/decryption, you’ll need to find a way to keep the key available for your use but not available to anyone/anything else. This is usually done by encrypting the key files with a passphrase that the user must enter when the program is started. One thing to keep in mind is that computers these days generally have access to the internet - so any file can potentially be read by someone wanting to break your system. You’ll want to pad the key file up to some large size and “randomly” distribute the keys within it and then encrypt the whole mess with a symmetrical encryption algorithm with the passphrase as the key. Do not store the passphrase anywhere. If the user forgets it, tough.
Another consideration is the multi-user environment - and, of course, file access via the network. Be careful that the memory you use to hold the key while encrypting/decrypting data cannot be swapped out to the system page file. That could conceivably leave a copy of the key in clear in the page file to be read by anyone with the time and capability to look.
Here’s some info on the PGP library I was thinking about using:
http://www.gnupg.org/
That probably doesn’t square real well with your wanting/needing to use vb.net. I tend towards GPL software if I can get what I need that way. Not so much because of the free (money wise) factor, but because of the free (freedom) factor. The software is there and can be used, so why go and reinvent it?
Wow. A lot of security issues.
Most people in the company seem to encrypt/decrypt using the PGP client, where keys are loaded on their local machines to use. The dll I downloaded makes use of an already-installed PGP client, so I suppose whatever app I run will not be any less secure than what’s the standard operating procedure right now, but I guess I’ll need to look over the company method before I make any decisions with this.
Thanks so much for your input.
If you are using the PGP client, then it should be well thought out as far as keeping the PGP keys safe (enough.)
The passphrase could be the part that is tough. If this is an automated process, then I don’t know how you’ll be able to keep it safe. Maybe you could have it ask the administrator for the passphrase on startup, and then store it in a safe (non-swappable) place in RAM. This would require the admin to do something on every reboot, but it’s all I can come up with.
Nah, it’s pretty good.