Disposal of decrypted files/folder

dhmanesh

04 Aug, 2016 09:49 AM

When GPG decrypts a file or folder, it dumps the resulting files on the hard drive which you then need to “safely” delete. I miss TrueCrypt which was the only tool that handled the work in its own safe environment and everything disappeared when you logged out.

GPG can of course decrypt highlighted text inline with no debris left behind on the hard disk (à la Mailvelope). But not when you have encrypted files or folders. miniLock behaves the same way and dumps your decrypted files into the DOWNLOADS folder — disastrous as it may be synced and transferred into the cloud depending on your settings. For this very reason I consider miniLock unsafe, especially with devices like Chromebook where syncing to cloud is often automatic. There is no point in having a powerful software when your decrypted files can be leaked so carelessly.

GPG can help us by rectifying this problem so we wouldn’t have to worry about leftover files every time we use GPG.

  1. Support Staff 1 Posted by Steve on 07 Aug, 2016 01:18 PM

    Hey dhmanesh,

    thank you for your suggestion!

    We already have a feature request to delete unencrypted files after encryption is done and I've added your comments and vote to it. The number of votes is one factor that helps us to determine what feature to add next.

    Unfortunately there's no workaround for this problem at the time being. We're very sorry for that. This discussion will be updated however, when the requested feature is available.

    Comparing TrueCrypt with OpenPGP decryption is a bit odd since you would be comparing unmounting a sparsebundle file with deleting a file from your system. So far we have not tapped into the space of file deletion, because it would add a lot of overhead and to really ensure the files are safely removed, the space where they resided would have to be overwritten (probably several times). So this is not a trivial task and we think it's better to leave this to the user. Also the case you describe is unclear. At which point in time should the decrypted files be deleted? After a minute? Or ten? And if you have to take a manual action since we would not know when to remove the file, you can as well just use some file shredder tool at your desire.

    If you are working in highly sensitive environments you may not want to be using any cloud services in the first place. Especially not any cloud services that sync your desktop or download folders to some company server which you are not certain if you can trust them and under which jurisdiction they are.

    All the best,
    steve

  2. 2 Posted by dhmanesh on 07 Aug, 2016 10:58 PM

    Hi Steve,
    Thank you very much for your reply. I do remember us having this very conversation a few years ago, though I cannot find my original post in your forum archive. What piqued my interest in the same subject again was an old Chromebook that my son gave me. I soon realised that as you cannot install programs on it, any file that lands in the limited storage space will remain recoverable. As such a Chromebook is a leaky machine that should never be used for handling encrypted materials.
    It is odd that this feature of Chromebook (i.e. inherent data insecurity) is never highlighted by providers of encryption tools such as miniLock. They say how easy it is to pick up your decrypted files in the downloads folder. But they make no mention of the fact that the file cannot be shredded securely after use.
    I have always been fascinated by the idea of encryption and the methods and the mathematics involved. However I am equally fascinated (and shocked) by the sloppiness in using these tools that renders all the good work that goes into creating them pointless.

    Thanks again Steve for your reply and your thoughts. It is always a pleasure talking to you.
    Kind regards,
    Davood

  3. Support Staff 3 Posted by Steve on 08 Aug, 2016 09:44 AM

    Hey Davood,

    this request comes up occasionally. But it's not trivial to solve. Regarding encryption: oftentimes it's not the encryption that is the weak point in the setup but human error or something that is forgotten in the processing chain.

    Re: Chromebooks: I am not too familiar with Chromebooks, so I can't add anything useful to that.

    If you have further questions, just let us know. (You can always re-open your discussion.)

  4. Steve closed this discussion on 08 Aug, 2016 09:44 AM.