
Call for action: Please send me an encrypted file

tl;dr: Please encrypt a file and send it to me together with a (short) description of how I can make it readable.

Everyone is talking about encryption and nobody does it. This is a short summary of my initial assumption. Did you ever try to encrypt a file and send it to someone? How did you do it?

This is a fairly simple and basic task which you can present in a beginner’s course:

Assume another person uses a public computer (Internet cafe, library, etc.). You want to send a file to this person and keep the content confidential to other people. Encrypt a file on your computer and send it to the person.

I ask myself how you would do it. That's why I decided to conduct a little experiment: Dear reader, please encrypt a (not so big) file and send it to me (via mail to, you can use my PGP key if you like, comment on this post or use some other means to contact me). Add some information on how to decrypt the file. You have no idea how to do this? I desperately want to know about it. Please write a mail or leave a comment. You tried and failed? I desperately want to know about it. Please write a mail or leave a comment. I would like to know how easy or hard this task is.

I plan to analyse the data on an anonymous basis and will introduce some tools in later posts.


Qbi's Weblog on : Numbers on the encryption experiment

I had asked you to send me an encrypted file. The number and variety of the responses was overwhelming. Many thanks to everyone who took part! But what came of it? Below you will find an evaluation in numbers: Insgesamt erhielt ich k



rozzin on :

This text was sent TLS-encrypted to your webserver. It was automatically decrypted upon receipt.

rozzin on :

Hmm.... Here’s an example that will at least probably not be automatically decrypted:


Decode the above ciphertext by piping it through “openssl base64 -d | sudo openssl pkeyutl -decrypt -inkey /etc/letsencrypt/live/” (substituting the correct path to the private key on the server, if “/etc/letsencrypt/live/” is not the correct path).

Jens Kubieziel on :

Thanks for your effort. However your text is just Base64-encoded, not encrypted. Everyone can “decrypt” it by just Base64-decoding it.

rozzin on :

Well, it should be obvious to everyone reading the text decoded from the base64 that it was actually supposed to be something more like this:


(and it should be clear only to Jens, or to whomever has admin access to the server..., that it was actually supposed to be exactly that)

There’s a lesson here about “quick + clever hacks for security”....

I also just sent you an e-mail with an enigmail-enabled Thunderbird (though not with an enigmail-enabled _identity_, and without having your public key in advance), to see how the process degraded.

That e-mail ended up being sent with no encryption: after having explicitly selected the option to encrypt the message in my default, enigmail-enabled profile, I selected an auxiliary profile (different sending e-mail address) which had not had enigmail enabled, and the decision to encrypt was ‘quasi-silently’ discarded (quietly enough that I managed to not notice).

Jens Kubieziel on :

Now it worked. This is quite an interesting approach. Thanks for your efforts.
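
Added example, not part of the original thread: the round trip discussed in the comments above, encrypting a short message to the RSA public key in a server's TLS certificate and decrypting it with the decode pipeline rozzin gives. A throwaway self-signed key pair stands in for the server's Let's Encrypt key; the function names, file names and sample message are assumptions, and the last function checks for the failure Jens points out (a blob that is only Base64-encoded).

```shell
#!/bin/sh
# Added example: encrypt to the RSA public key of a TLS certificate and
# decrypt with the matching private key. All names here are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG='constructed sample: meet at the library at 5pm'

# Stand-in for the server's key and certificate (assumption: 2048-bit RSA).
make_server_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=blog.example' \
        -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Sender: extract the public key from the certificate, encrypt, Base64-armor.
# Raw RSA with default PKCS#1 v1.5 padding only fits short messages
# (at most 245 bytes for a 2048-bit key); larger files need hybrid encryption.
encrypt_to_cert() {
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
    printf '%s' "$1" |
        openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" |
        openssl base64
}

# Recipient: the pipeline from the comment, pointed at the stand-in key.
decrypt_with_key() {
    printf '%s\n' "$1" | openssl base64 -d |
        openssl pkeyutl -decrypt -inkey "$WORK/privkey.pem"
}

# Pre-send sanity check: a blob that Base64-decodes to printable text
# was only encoded, not encrypted.
classify_blob() {
    if printf '%s\n' "$1" | openssl base64 -d |
        LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo ciphertext
    else
        echo encoded-only
    fi
}

make_server_key
CT=$(encrypt_to_cert "$MSG")
PT=$(decrypt_with_key "$CT")
B64_ONLY=$(printf '%s' "$MSG" | openssl base64)
echo "encrypted blob:   $(classify_blob "$CT")"
echo "base64-only blob: $(classify_blob "$B64_ONLY")"
echo "decrypted text:   $PT"
```
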

rozzin on :

Interestingly, _someone_ has published an OpenPGP key marked for

$ gpg --verbose --search
gpg: data source:
2048 bit RSA key 92D4F7628F0E7F25, created: 2018-02-01
Keys 1-1 of 1 for “”. Enter number(s), N)ext, or Q)uit >

It has no signatures on it.

If someone other than you generated that, it seems like a bit of an odd thing to have done--since an actual attacker hoping to decrypt and read e-mail destined for that address would have to be in a position to even receive/intercept the encrypted e-mail.

Maybe someone was hoping to read secrets posted to your blog comments, though.

Jens Kubieziel on :

This is really strange. I put out a warning in German (and also a request to send me the private part :-))

Atari-Frosch on :

I sent you a text file attached to an e-mail, sent and encrypted with Thunderbird/Enigmail to the given email address, using your well known public key. :-)

rugk on :

here is a link:
(using PrivateBin, see

Password sent via mail.
Attention: You can only open it once, afterwards it destroys itself.

Sky on :

Yes to Atari-Frosch who used enigmail - I’ve used it and it’s easy. I sent you an actual encrypted file just now using GPGTools/OpenPGP on OSX to encrypt the file. On OSX the encryption process is a single right-click (context-sensitive menu) to encrypt, plus type a password. Same for decryption if you install GPGTools. You can install it on a public computer, create no key (or a garbage key if required), decrypt my message (password encrypted only - no PGP key required) and throw away the GPGTools install afterward if you wish.

Typically I would not separately encrypt a file - I would attach it within an encrypted message. GPGTools on OSX makes this so easy you don’t even notice it’s happening.
