I’m new to this encryption ‘game’ and am finding Kleopatra educational as well as of practical use.
I assume that the methods used by K are ‘best practice’ and if I disagree it means I do not properly understand the process.
There seem to be two options: for K to decrypt into the user’s work folder or, by the setting of this option, to put the decrypted file into the source file folder.
My concern is that surely both these locations open up the possibility of exposing the decrypted file unnecessarily.
In particular, putting the temp decrypted file in the same folder as the encrypted file seems a particularly bad choice. That folder is likely to be totally unsecured.
Surely the best option would be to place the work file in the same folder as the output location - or rather not to create a temp file at all.
I have seen some posts from end 2017/beginning 2018 where it seems what I am suggesting was in fact the original method.
It looks to me that security has been overlooked in the interests of a potential speed increase.
If my understanding is right, then really we at least need an option to only decrypt directly into the target folder - allowing the user to decide how to deal with security on his own PC.
My suggestion would be to:
- Allow selection from three options on the settings page
- Add a screen before the pin-entry with the three options shown and default selected
Overall the recommendation is to only work with crypto in directories and on filesystems which you can trust (up to the level you need it).
A temporary file is needed technically because files can be really big and may not fit into the memory. Too many options may confuse users. Maybe an improvement is possible if we can describe the use case in greater detail.
I take the point about the need for a temporary file.
The suggestion ‘to only work with crypto in directories and on filesystems which you can trust’ is not always possible - the best one can do is mitigate the exposure.
In my case, we are sending an encrypted file to a printing company to print special labels.
The file has to be decrypted and passed to the PC that actually controls the physical printer.
That PC will clearly be a risk and needs to be dealt with appropriately - a not too difficult task as it is not a general office PC and is dedicated to running just printing-related software.
However, for the PC that is doing the decryption to also contain a copy of the decrypted file is to my mind an unnecessary risk.
To secure what is effectively a workshop ‘printer’ would be much easier than a general office PC used for all sorts of things unrelated to security.
Giving users multiple choices can be confusing and is best avoided by providing well thought out default values, but I would suggest that having an advanced option where the experienced user can improve his own security is a desirable aim.
From a technical point of view, I would accept that having a work file that is not local could significantly slow down the process, but that would be up to the user to decide - whether he wants speed or improved security.
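The two points made in this thread (a temporary file is unavoidable for large files, and the plaintext should never land in the untrusted folder that holds the ciphertext) can be reconciled by creating the temporary file inside the destination directory and streaming into it. The script below is an added illustration of that file-handling pattern; it is not Kleopatra or GnuPG code. The cipher in it is a constructed placeholder (a keyed XOR keystream derived from SHA-256) standing in for real OpenPGP decryption so that the script runs offline, and all file names, the key and the helper names are assumptions.

```python
"""Added example (not Kleopatra/GnuPG code): stream a large ciphertext file
into the destination directory, so the only working copy of the plaintext is a
restricted-permission temp file in that directory, never a file in the folder
that holds the ciphertext.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in 64 KiB pieces so the file need not fit in memory


def _keystream_block(key: bytes, block_no: int) -> bytes:
    # Placeholder keystream: assumption, NOT a real cipher, stands in for OpenPGP.
    return hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()


def _transform(key: bytes, data: bytes, start: int) -> bytes:
    """XOR data with keystream bytes chosen by absolute file offset, so the
    same function works whether the file is processed whole or in chunks."""
    out = bytearray()
    pos, end = start, start + len(data)
    while pos < end:
        block_no, off = divmod(pos, 32)
        ks = _keystream_block(key, block_no)[off:]
        piece = data[pos - start:pos - start + len(ks)]
        out.extend(b ^ k for b, k in zip(piece, ks))
        pos += len(piece)
    return bytes(out)


def decrypt_to_directory(src_path: str, dest_dir: str, key: bytes, final_name: str) -> str:
    """Decrypt src_path into dest_dir without writing plaintext anywhere else.

    - mkstemp(dir=dest_dir) creates the work file in the target folder with
      mode 0o600, so nothing is written next to the ciphertext.
    - Output is streamed chunk by chunk (bounded memory for big files).
    - On failure the partial plaintext is deleted; on success it is renamed
      atomically to its final name, so readers never see a half-written file.
    """
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".decrypt-", suffix=".part")
    try:
        with os.fdopen(fd, "wb") as out, open(src_path, "rb") as inp:
            offset = 0
            while True:
                chunk = inp.read(CHUNK)
                if not chunk:
                    break
                out.write(_transform(key, chunk, offset))
                offset += len(chunk)
            out.flush()
            os.fsync(out.fileno())
        final_path = os.path.join(dest_dir, final_name)
        os.replace(tmp_path, final_path)
        return final_path
    except BaseException:
        # Remove the partial plaintext rather than leave it behind on error.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def demo() -> dict:
    """Constructed end-to-end run: the ciphertext sits in an 'untrusted inbox'
    folder; plaintext is produced only in a separate destination folder."""
    key = b"demo-key-not-secret"                    # constructed sample key
    plaintext = bytes(range(256)) * 1500 + b"tail"  # ~384 KB, spans six chunks
    with tempfile.TemporaryDirectory() as root:
        src_dir = os.path.join(root, "untrusted_inbox")
        dst_dir = os.path.join(root, "secure_output")
        os.mkdir(src_dir)
        os.mkdir(dst_dir, 0o700)
        enc_path = os.path.join(src_dir, "labels.bin.enc")
        with open(enc_path, "wb") as f:
            f.write(_transform(key, plaintext, 0))   # XOR stream: encrypt == decrypt
        out_path = decrypt_to_directory(enc_path, dst_dir, key, "labels.bin")
        with open(out_path, "rb") as f:
            recovered = f.read()
        return {
            "recovered_ok": recovered == plaintext,
            "source_dir_files": sorted(os.listdir(src_dir)),
            "dest_dir_files": sorted(os.listdir(dst_dir)),
            "output_mode": os.stat(out_path).st_mode & 0o777,
        }


if __name__ == "__main__":
    print(demo())
```

The check that matters for the concern raised in the thread is the `source_dir_files` entry: after the run the inbox still holds only the ciphertext, while the plaintext exists solely in the destination directory with owner-only permissions. Swapping the placeholder transform for a real streaming decrypt (for example piping `gpg --decrypt` output into the same temp file) keeps the rest of the pattern unchanged.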