HELP: OpenPGP encryption TYPE: OBJECT SYNTAX: PGP(PROTECT=DATA/LIST/ALL,METHOD=SEIP-AES256-SHA512,DATA/USER/RECEIVER[()...],MEMBER/SEARCH/INDEX/MBR[()...],DIRECTORY/CONTENT[()...],SIGNID/SIGNER/SIGID='str',FKM5())
Archives can be protected using PGP encryption and signing. One or more PGP user IDs can be specified to protect data, member and directory segments of the archive against unauthorized access. Authorship can be proven via a PGP signature. These cryptographic processes can be executed using various cryptographic infrastructures via the FKM5 object.
There are three basic access levels: DATA, MEMBER, DIRECTORY. Each of these has a set of up to three randomly generated keys that protect the respective types of archive segments. Assigning PGP user IDs to one of these access levels determines which of the keysets gets PGP-encrypted to grant the desired access.
The three access levels are defined as follows, ordered from highest to lowest level:
Each of these access levels can be restricted further to only allow certain actions. For details, see the documentation of the RIGHTS object.
On archive creation, you need to specify at least one keyset with DATA access. Otherwise, no one would be able to read the data written to the archive.
Do not assign the same PGP key to more than one access level as the access levels are cumulative. DATA access includes everything on the MEMBER access level which includes everything on the DIRECTORY level. To grant different access levels depending on which PGP key is used, you can assign different PGP keys to two or more access levels.
The PROTECT parameter can be used to limit which of the three keys (data, member, directory) gets encrypted with the specified PGP key(s). If the PROTECT parameter is not specified (or set to ALL), all of the (up to) three keys are protected. With PROTECT=DATA, only the data key is protected using the specified PGP key(s), but the member and directory keys are not. This means that anyone can view the directory contents and compile search results without authentication, but not decrypt data segments. With PROTECT=LIST, everyone can list the members in the archive, but not perform search on encrypted members or access member data.
Use the PROTECT parameter with care. If the archive contains one valid keyset with a protection level other than ALL, access to the respective parts of the archive is granted without authentication.
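The following Python is an added illustration, not FLAM's own code: it models the cumulative access levels and the effect of PROTECT as described above, and checks a proposed keyset assignment against the three rules the text states (at least one DATA keyset, no PGP key on more than one level, and a warning for any PROTECT value other than ALL). The function names and the (level, PROTECT, user IDs) tuple layout are assumptions made for the example.

```python
# Added example, not FLAM's own code: a model of the PGP access-level rules in
# this help text. Function names and the (level, PROTECT, users) layout are assumed.
from typing import Dict, List, Set, Tuple

# Access levels from highest to lowest; a higher level includes the lower ones.
LEVELS = ("DATA", "MEMBER", "DIRECTORY")

# Keys that a keyset with the given PROTECT value encrypts with PGP. Keys not
# in the set stay reachable via the default key, i.e. without authentication.
PROTECT_KEYS = {
    "ALL": {"DATA", "MEMBER", "DIRECTORY"},
    "LIST": {"DATA", "MEMBER"},
    "DATA": {"DATA"},
}

def implied(level: str) -> Set[str]:
    """Cumulative access: DATA includes MEMBER, which includes DIRECTORY."""
    return set(LEVELS[LEVELS.index(level):])

def effective_access(keysets: List[Tuple[str, str, List[str]]]) -> Dict[str, Set[str]]:
    """Segment types each PGP user ID can reach; '<anonymous>' collects what
    the keysets leave readable without any PGP key at all."""
    access: Dict[str, Set[str]] = {"<anonymous>": set()}
    for level, protect, users in keysets:
        granted = implied(level)
        access["<anonymous>"] |= granted - PROTECT_KEYS[protect]
        for user in users:
            access.setdefault(user, set()).update(granted)
    return access

def lint(keysets: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Check an assignment against the three rules stated in the help text."""
    problems = []
    if not any(level == "DATA" for level, _, _ in keysets):
        problems.append("no keyset with DATA access: nobody could read the data")
    seen: Dict[str, str] = {}
    for level, _, users in keysets:
        for user in users:
            if user in seen and seen[user] != level:
                problems.append(f"{user} on both {seen[user]} and {level}: "
                                "levels are cumulative, assign one level only")
            seen.setdefault(user, level)
    for level, protect, _ in keysets:
        exposed = sorted(implied(level) - PROTECT_KEYS[protect])
        if exposed:
            problems.append(f"{level} keyset with PROTECT={protect}: "
                            f"{exposed} readable without authentication")
    return problems
```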
NUMBER: PROTECT=DATA/LIST/ALL - Select protection for the FLAM archive [ALL (data, member and directory segments)]
DATA - Protect only data segments with secret keys and ensure access to member index (search) and directory (list) by default key
LIST - Protect data segments and member segments with secret keys and ensure access to directory (list) by default key
ALL - Protect data, member and directory segments (any) with secret keys (no directory listing without a secret key)
NUMBER: METHOD=SEIP-AES256-SHA512 - Select method for PGP data key encryption and signing [SEIP_AES256_SHA512]
SEIP-AES256-SHA512 - Integrity protected with AES256 and SHA512 for signing
STRING: SIGNID/SIGNER/SIGID='str' - Owner user ID for signing