
#TIL that @GnuPG appears to use the #ustar tar archive format, likely the version from POSIX.1-1988, for #gpgtar rather than either the #POSIX or Star formats from POSIX.1-2001. Since ustar has serious limitations on filename and pathname lengths, can't store certain file types or metadata, and has a 2GB file size limit, it seems unsuitable for most modern use cases.

If gpgtar is actually using star, pax, or the GNU tar POSIX mode, it's not in the #GnuPG user documentation which explicitly says it uses ustar. I have a lot of respect for the #GPG devs, so I hope this is either just a documentary oversight or something that they can easily fix by linking with newer libraries. In either case, ustar is totally unsuitable for writing large archives to tape, and doesn't even offer the options GNU tar does for creating a separate index file, encrypted or not.

The gnutar command line doesn't offer the option to write a separate index, and requires a separate pass to list out the index. For example if you wanted to encrypt a 20TiB archive with a separate, encrypted index to make finding files easier, you'd either have to pipe tar through gpg (which can cause shoe-shining or buffering issues on #LTFS) and then encrypt GNU/BSD tar's index, or have triple the online HDD/SDD capacity of your archived data so you can tar up your files, run another pass with GnuPG to extract the index, and then encrypt both the tarball and index separately before writing them out to tape.

That seems...unreasonable. #OpenPGP doesn't support the AES-256-GCM mode built into current #LTO drives, so gpgtar needs to keep up with the massive growth of data storage capacity rather than remaining an afterthought utility. Especially for #SOHO LTO drives, the ability to write encrypted gpgtar archives and indexes directly to LTFS could be a real game-changer!
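The ustar field limits discussed in the post above, as an added illustration that is not part of the thread and not GnuPG's or gpgtar's code: a Python pre-check, cross-checked against the standard library's tarfile in USTAR_FORMAT, that flags paths and sizes a POSIX.1-1988 ustar header cannot represent before an archive is written out. The field widths are those of the ustar header; the helper names are my own.

```python
import io
import tarfile

# ustar (POSIX.1-1988) header field widths.
USTAR_NAME_LEN = 100            # "name" field
USTAR_PREFIX_LEN = 155          # "prefix" field, joined to name with '/'
USTAR_MAX_SIZE = 0o77777777777  # "size" field: 11 octal digits


def ustar_split(path):
    """Return (prefix, name) if `path` fits a ustar header, else None.

    A long path is stored as prefix + '/' + name; the split must fall on
    an existing '/' so that name <= 100 bytes and prefix <= 155 bytes.
    """
    raw = path.encode("utf-8")
    if len(raw) <= USTAR_NAME_LEN:
        return ("", path)
    # Try every '/' as the split point, longest prefix first.
    for i in range(min(len(raw) - 1, USTAR_PREFIX_LEN), 0, -1):
        if raw[i:i + 1] == b"/":
            prefix, name = raw[:i], raw[i + 1:]
            if 0 < len(name) <= USTAR_NAME_LEN:
                return (prefix.decode("utf-8"), name.decode("utf-8"))
    return None


def check_ustar_compat(entries):
    """entries: list of (path, size_in_bytes) tuples (constructed input).

    Returns a list of (path, reason) for entries ustar cannot store.
    """
    problems = []
    for path, size in entries:
        if ustar_split(path) is None:
            problems.append((path, "path does not fit ustar prefix/name fields"))
        if size > USTAR_MAX_SIZE:
            problems.append((path, "size exceeds the 11-digit octal size field"))
    return problems


def tarfile_accepts_ustar_name(path):
    """Cross-check: does the stdlib accept this name when forced to ustar?"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(path)
        info.size = 0
        try:
            tf.addfile(info, io.BytesIO(b""))
        except ValueError:  # tarfile raises "name is too long"
            return False
    return True
```

Running the check over a manifest before piping an archive to gpg avoids discovering a rejected path or oversized file only after a long write to tape has started.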

GnuPG

Hi @todd_a_jacobs

> If gpgtar is actually using star, pax, or the GNU tar POSIX mode, it's not in the user documentation which explicitly says it uses ustar.

That is a documentary oversight, I've created dev.gnupg.org/T7271

As for the separate index capability or other things, this sounds like a feature request to me. Feel free to suggest it. Traditionally, GnuPG has been about encrypting single files and emails (and thus do one task well and leave another task to another tool).

dev.gnupg.org: T7271 clarify tar format of gpgtar in documentation

@GnuPG @todd_a_jacobs Using #LTFS to store #encrypteddata outside of hyperscaler environments without the dedicated #KMS components expensive tape libraries use to enable #LTO9 drives' built-in, hardware #AES256GCM support is an area the institute is evaluating, and thinking about how #GPG might fit in has been a facet of our research process.

All recent generations of #LTO drives support strong, on-the-fly, hardware-accelerated encryption on the drives themselves. Sadly, it's essentially useless in the standalone drives sold to individuals, the #SOHO market, or to other non-enterprise customers because of the high cost of the tape library hardware required to activate it.

In some ways, the situation is much like the early Intel 386 computers that shipped with missing or disabled math coprocessors even when it stopped being a cost issue. In part, that was a strategic market segmentation decision, and the institute currently believes the lack of accessible LTFS encryption for all encryption-capable drives is no different.

Even though #GnuPG is usually thought of as primarily an email tool, it's actually an important "Swiss Army knife" for a variety of #infosec use cases. It's also on a tragically short list of #OpenPGP and related #cryptography tools that remains fully #opensource.

We're putting this topic on our agenda for further exploration and discussion. Meanwhile, these community conversations and the viewpoints of respected tool developers are an invaluable resource to everyone.