GnuPG front-end to safely en/de-crypt files using symmetric cipher

From: Dusan Chromy (dusan.chromy_at_tiscali.cz)
Date: 05/27/03


Date: 27 May 2003 06:27:16 -0700

Hi,

I am using Steganos Security Suite v4 to encrypt some files on my
computer. However, every time I open them using Steganos, they get
saved decrypted on the disk.

I was thinking about writing a Java application to avoid that. The
idea is to use GnuPG as the encryption engine for symmetrical
encryption. The Java application would invoke gpg (--decrypt) via
Runtime.exec, capture its output (the decrypted file) and let the user
modify it. When done, it would again invoke gpg (--symmetric) to
encrypt the file.

Now I have several questions about this approach:

1) How secure is it at all? Runtime.exec probably uses the pipe
mechanism of the underlying OS to communicate with the process, so the
encrypted data would definitely get written somewhere in memory. How
vulnerable is it?

2) The passphrase is needed for both encryption and decryption. For
convenience, the Java application should ask the user for the password
and send it to gpg (run gpg with --passphrase-fd 0). I guess it's
equally bad as item 1), but then again it's not nice to have the user
type the passphrase in a console window...

3) Is there a freeware product doing this or alike? I don't care so
much about commercial products because I'd like to make mine freeware.
However I wouldn't mind a little inspiration from the commercial arena
too :-)

4) Given all the drawbacks of items 1)-2) and compared to the
improvement over a scenario with temporary files, does it make sense
to create such an application?

Thanks,

Dusan
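
Added example, not part of the original post: a sketch of the decrypt half of the design described above, with the passphrase sent on gpg's stdin (--passphrase-fd 0) and the plaintext captured from stdout into memory only. It uses ProcessBuilder in place of Runtime.exec and assumes GnuPG 2.1+ (for --pinentry-mode loopback) and Java 9+; the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class GpgPipeDecrypt {  // hypothetical name, added example
    // Decrypts a symmetrically encrypted file; plaintext is returned in memory, never written to disk.
    static byte[] decrypt(String path, char[] passphrase) throws Exception {
        ProcessBuilder pb = new ProcessBuilder(
            "gpg", "--batch", "--quiet",
            "--pinentry-mode", "loopback",   // assumption: GnuPG 2.1+; omit for GnuPG 1.x
            "--passphrase-fd", "0", "--decrypt", path);
        pb.redirectError(ProcessBuilder.Redirect.INHERIT); // gpg diagnostics go to our stderr
        Process gpg = pb.start();

        // Encode the passphrase without creating an immutable String, then wipe the copies.
        ByteBuffer enc = StandardCharsets.UTF_8.encode(CharBuffer.wrap(passphrase));
        byte[] pw = new byte[enc.remaining()];
        enc.get(pw);
        try (OutputStream stdin = gpg.getOutputStream()) {
            stdin.write(pw);
            stdin.write('\n');               // gpg reads the passphrase up to the newline
        } finally {
            Arrays.fill(pw, (byte) 0);
            if (enc.hasArray()) Arrays.fill(enc.array(), (byte) 0);
        }

        // Drain stdout fully before waitFor() so gpg cannot block on a full pipe.
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (InputStream stdout = gpg.getInputStream()) {
            stdout.transferTo(plain);        // Java 9+
        }
        if (gpg.waitFor() != 0) throw new IllegalStateException("gpg exited with an error");
        return plain.toByteArray();          // caller should zero this array when done
    }

    public static void main(String[] args) throws Exception {
        // System.console() is null when no terminal is attached; readPassword() does not echo.
        char[] passphrase = System.console().readPassword("Passphrase: ");
        byte[] plaintext = null;
        try {
            plaintext = decrypt(args[0], passphrase);
            System.out.println("Decrypted " + plaintext.length + " bytes in memory");
        } finally {
            Arrays.fill(passphrase, '\0');   // best-effort wipe
            if (plaintext != null) Arrays.fill(plaintext, (byte) 0);
        }
    }
}
```

The pipes between the JVM and gpg are kernel buffers in memory rather than files, but the standard Java API cannot lock pages, so the passphrase and plaintext may still reach swap. The wipes are best effort: ByteArrayOutputStream keeps its own internal copy that this code cannot clear.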