Is there any reason I shouldn't make a GPG-encrypted file publicly-accessible?

There is always a risk that any given cipher will be broken at some point and data like this will become truly public. So yes, there are some risks, but it doesn't mean you aren't making a reasonable security trade-off.

A few things you may want to consider:

What's your worst-case scenario with the data going public, and are there implications to this data going public that you might not be aware of?

Are there any time-based factors to this data, such as the data only being useful for a year, a week, etc.?

Are there any regulatory, legal, or ethical implications of this data going public?

Can you add additional security controls such that it's not just one control protecting the data?

Do the people you want to share this data with need ALL of the data, or could they satisfy their needs with a smaller subset of data?

Is data masking (replacing sensitive data with known fake data) an option here which would provide additional security?

Where will it be decrypted and where will the decryption keys be stored?

Is the passphrase to decrypt it easy to brute force?

etc... Millions of other questions go here.

Nothing is 100% secure; everything is a trade-off, so you need to look at the decision from a few different angles first.

Generally, my advice when I see a single security control is to tell you that you need additional levels of security controls rather than just one. So I would have to advise you to consider additional controls, but again, even then I don't know what you are protecting, and if it's just a collection of Internet cat photos then hey, maybe just using GPG is good enough... (no offense to GPG of course; that's a great tool, but cat photos are everywhere)


I think one of the biggest risks is that somebody is accidentally going to replace an encrypted file with its unencrypted version. Keeping the files in a private place protects against that. It's part of the concept of multilayered security that others have mentioned: when one layer is bypassed, whether maliciously or accidentally, you still have some protection in place to cover you while you realize what happened.

Never forget, the biggest vulnerability is (pretty much) always the people.

XKCD 538
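
One way to guard against the accidental-plaintext failure described in the answer above is a pre-publish gate that refuses any staged file whose first bytes are not the start of an encrypted OpenPGP message. This is an added example, not code from any of the answers; the function names and the `STAGED` sample files are hypothetical, and only the RFC 4880 packet versions are accepted.

```python
import base64

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# Tags that open an encrypted OpenPGP message, mapped to the version octet RFC 4880
# puts first in the packet body: 1 = public-key ESK, 3 = symmetric-key ESK,
# 18 = integrity-protected data. Other versions fail closed (assumption: extend as needed).
EXPECTED_VERSION = {1: {3}, 3: {4}, 18: {1}}

def first_packet(data):
    """Return (tag, first body octet) of the leading OpenPGP packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:   # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                        # new format: tag in bits 5-0
        tag = data[0] & 0x3F
        len_octets = 2 if 192 <= data[1] < 224 else 5 if data[1] == 255 else 1
    else:                                     # old format: tag in bits 5-2
        tag = (data[0] & 0x3C) >> 2
        len_octets = (1, 2, 4, 0)[data[0] & 0x03]
    body = 1 + len_octets
    return (tag, data[body]) if len(data) > body else None

def dearmor(data):
    """Return the decoded first base64 line of an ASCII-armored message, else data."""
    lines = [line.strip() for line in data.lstrip().splitlines()]
    if not lines or lines[0] != ARMOR_HEADER or b"" not in lines:
        return data
    try:                                      # armor body follows the blank line
        return base64.b64decode(lines[lines.index(b"") + 1], validate=True)
    except (IndexError, ValueError):
        return b""

def looks_encrypted(data):
    """True only if data begins with a packet that opens an encrypted message."""
    packet = first_packet(dearmor(data))
    return packet is not None and packet[1] in EXPECTED_VERSION.get(packet[0], ())

def plaintext_offenders(files):
    """Given {name: bytes} staged for publication, return names that must be blocked."""
    return sorted(name for name, data in files.items() if not looks_encrypted(data))

# Constructed sample inputs (not real ciphertext): packet headers padded with zeros.
STAGED = {
    "config.gpg": bytes([0x8C, 0x0D, 0x04, 0x09, 0x03, 0x02]) + bytes(10),
    "users.gpg": bytes([0x85, 0x01, 0x0C, 0x03]) + bytes(12),
    "notes.gpg": "été: db_password=example\n".encode(),  # plaintext under a .gpg name
}
```

The check only inspects the header, so it catches a swapped-in plaintext file but does not prove the ciphertext is intact or encrypted to the intended recipients.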


If you have confidence in the encryption (which you should), depending on your implementation, you might be leaking some kind of metadata, for example:

  • "user A is using the service", or
  • "user B configuration has not been updated since ...", or
  • "a new user C was recently created", or
  • "80% of users recently moved away from the service".