If you were going to send a file, encrypted with a passphrase, to three users: one on a Mac, one on Linux and one on Windows... what would you use?

(For sake of argument, do not say PGP.)

ยท Web ยท 10 ยท 2 ยท 2

How tragic is it that the LibreOffice and OpenDocument folks invented their own scheme for encrypting the contents of ZIP archives... instead of fixing the ZIP toolchain itself to support proper encryption.



Show thread

Oh good, my brief manic obsession with encryption file formats has passed.

I was totally reaching for the editor to teach both Python's zip module and the Info-zip code how to do AES encryption properly.

Which would like, totally be worth doing. But really I don't need another project.

Do you? It'd be awesome...

Show thread

@HerraBRE Do they have Signal on their desktops? Otherwise Firefox send.

@HerraBRE link to download from my Nextcloud instance, password shared via some other channel (email link, password via chat or similar)

@pl This would officially be the Best Answer, if only the encryption didn't suck.

AFAICT, the AES encryption extension hasn't been implemented in the zip/unzip available on Linux.

The man pages all warn that the encryption is crap and we should ... use PGP.

@HerraBRE add that it's a file over 12GB and now you also end up in filesystem support nightmare

@HerraBRE Tutanota (e2e encrypted mail with nice javascript client). And they need not to have e-mail there, you can send them passwords via SMS.

@HerraBRE symmetric encryption is mostly easy in Python. There is lovely 'cryptography' module, with API that takes keys, some bytes ans encrypts them properly (works on bytes objects so in RAM I think)

Doing more complicated stuff is also more or less straightforward.

I tried doing this in C and C++, and it was awful (for different reasons though).

@jacek Yeah, I suspect the Python implementation would be pretty easy.

C is always trickier.

@Keltounet Keybase was at least paying lip service to being PGP... and mostly I'm fishing for tools people to install (or have already), not services people can sign up for.

But I didn't specify that clearly, so thank you for your input. ๐Ÿ˜„

@HerraBRE not sure there is a simple answer to your question. There are tools floating around, either proprietary or open source that will do that, even cross-platform but things like key distribution & secure encryption are still hard things to tackle in all cases.

Interested in seeing a summary of your answers BTW (as we used to say on Usenet) :)

@HerraBRE BTW the real answer (or question) should probably more in the lines of "what is your threat model (aka who is it you want to protect that information from?" before asking what you want to do.

@Keltounet My tl;dr takeaway so far, is "centralized cloud services or 7zip, depending on which is a better fit."

Turns out 7zip LGPL'ed their core library, so they're widely supported and there are many implementations on all platforms.

And their crypto is, modulo implementation bugs, quite acceptable.

@HerraBRE @Keltounet bear in mind that they *had* nasty security bugs, that were fixed but not released for some time. Some antivirus software were vulnerable so this was kinda big news.

@jacek Thank you! I realized after posting that I should have just Googled... and did so.

@jacek @Keltounet One follow-up here.

According to this blog post, the time between discovery, report and a fix being released was IMO quite reasonable: landave.io/2018/05/7-zip-from-

This does not seem like a huge red flag against the software, although for certain threat models the attack surface is probably unacceptably large. It's a complex tool.

@HerraBRE @Keltounet maybe I mixed things up a bit. Anyways it was something like they either fixed it but did not update executables, or didn't enable some mitigations in the release builds. (both could have some proper technical reasons).

@jacek @Keltounet The post I linked actually discusses exactly that; it took a couple of rounds of communication with the researcher before the dev got all the mitigations right. But they got there in the end.

@HerraBRE @Keltounet good to hear! Thanks! It's too late for me to read dense technical posts on things I'm not super familiar.


That depends on what the file is, and how secure it needs to be at rest, I think.

In transit, I'd use onionshare, and I'd share the onionshare link over deltachat/autocrypt email (this is a thing I do regularly.)

I don't really do at rest encryption of individual files often, but if I do, I'll use GPG (which is disqualified here) or 7zip.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!