Compression before encryption is best
Henry Hertz Hobbit
hhhobbit at securemecca.net
Sat Jun 23 07:40:16 CEST 2007
Ryan:
That was a bad example to give you, and I DID use public encryption
given what was in the file to give it a little greater protection.
But because it contains all binary files, you don't get much from
compression anyway. I must hasten to add for the files that are
in the Quarantine folder that I always add a ".ck" extension for
files I THINK are bad (after analysis), and a ".BAD" extension
if my decision has been confirmed by at least one AntiVirus
company. By extension changes I mean:
PotentiallyBad.cab -> PotentiallyBad.cab.ck
ReallyBad.exe -> ReallyBad.exe.BAD
But since I had to change the order of compression on my key
to put bzip2 first, to me it was manual. Frequently I use
just symmetric encryption with the "-a" flag in a script. I
had some problems doing it without the flag (can't remember
what it was) so I left the script that way. I should probably
modify the script to give a choice. Depending on how big the
file is, I may or may not use the script. Usually I am in such
a hurry I end up using the script. I did a short test using
symmetric encryption (AES), and my key set to do NO compression
(my default, and it should have nothing to do with symmetric
encryption). Here are the results of the test (you should be
able to deduce what the other files are from the comments):
1154945  Hosts.tar.bz2.gpg   bzipped, then encrypted
1157556  Hosts.tar.bz2
1390758  Hosts.tar.gz.gpg
1390807  Hosts.tar.gz
1390856  Hosts.tar.zip.gpg
1390929  Hosts.tar.zip
1407485  Hosts.tar.gpg       encrypted ONLY
1407732  Hosts.tar.gpg.gz
1407858  Hosts.tar.gpg.zip
1414045  Hosts.tar.gpg.bz2   encrypted, then bzipped
6400000  Hosts.tar
--------------------------
(using "-a" option)
1906066  Hosts.tar.asc
1446067  Hosts.tar.asc.bz2
If you aren't using the "-a" option, you should NOT attempt to
compress it after you have encrypted it because it just makes
the file size LARGER! This is altered if you do an --armor
as you noted, and my scripts are set to do "-a" encryption
right now. Since the size difference was only marginally
larger for the *.asc file I figured I would just bzip2 the
file after it was encrypted. When I am in a hurry it is easier
to use the script and then bzip2, but it is NOT the smallest file.
That file is the one that was bzipped, and then encrypted without
the "-a" option.
Encryption does some compression. It reduced the size of all the
compressed files, and the size of the TAR file considerably whether
you use the "-a" option or not.
HHH
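
The ordering comparison in the post above, as an added example that is not part of the original message: it measures compress-then-encrypt against encrypt-then-compress, with and without an ASCII encoding step. Assumptions: a SHA-256 counter-mode keystream stands in for GnuPG's symmetric encryption, base64 stands in for "-a" armor, and the hosts-style input is constructed, so absolute sizes differ from the post's.

```python
import base64
import bz2
import hashlib


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); NOT GnuPG's OpenPGP format.
    XOR with the same keystream also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def sample_hosts(n_lines: int = 20000) -> bytes:
    """Constructed, highly repetitive hosts-style file (hypothetical names)."""
    return "".join(
        f"127.0.0.1  ads{i % 977}.tracker{i % 31}.example.com\n"
        for i in range(n_lines)
    ).encode()


def measure(plain: bytes, key: bytes = b"constructed demo key") -> dict:
    """Return the byte size of each processing order for the same input."""
    encrypted = keystream_encrypt(plain, key)
    armored = base64.encodebytes(encrypted)  # stand-in for "-a" output
    return {
        "plain": len(plain),
        "bz2_then_encrypt": len(keystream_encrypt(bz2.compress(plain), key)),
        "encrypt_only": len(encrypted),
        "encrypt_then_bz2": len(bz2.compress(encrypted)),
        "armor": len(armored),
        "armor_then_bz2": len(bz2.compress(armored)),
    }


if __name__ == "__main__":
    for name, size in sorted(measure(sample_hosts()).items(), key=lambda kv: kv[1]):
        print(f"{size:>9}  {name}")
```

Ciphertext bytes look uniformly random, so bzip2 finds nothing to remove and only adds its own framing; the armored form compresses because each output character carries 6 bits of data in an 8-bit byte.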