Dr. Todd A. Jacobs<p><a href="https://infosec.exchange/tags/TIL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TIL</span></a> that <span class="h-card" translate="no"><a href="https://mstdn.social/@GnuPG" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GnuPG</span></a></span> appears to use the <a href="https://infosec.exchange/tags/ustar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ustar</span></a> tar archive format, likely the version from POSIX.1-1988, for <a href="https://infosec.exchange/tags/gpgtar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gpgtar</span></a> rather than either the <a href="https://infosec.exchange/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> or Star formats from POSIX.1-2001. Since ustar has serious limitations on filename and pathname lengths, can't store certain file types or metadata, and has a 2GB file size limit, it seems unsuitable for most modern use cases.</p><p>If gpgtar is actually using star, pax, or the GNU tar POSIX mode, it's not in the <a href="https://infosec.exchange/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> user documentation which explicitly says it uses ustar. I have a lot of respect for the <a href="https://infosec.exchange/tags/GPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPG</span></a> devs, so I hope this is either just a documentary oversight or something that they can easily fix by linking with newer libraries. In either case, ustar is totally unsuitable for writing large archives to tape, and doesn't even offer the options GNU tar does for creating a separate index file, encrypted or not.</p><p>The gnutar command line doesn't offer the option to write a separate index, and requires a separate pass to list out the index. For example if you wanted to encrypt a 20TiB archive with a separate, encrypted index to make finding files easier, you'd either have to pipe tar through gpg (which can cause shoe-shining or buffering issues on <a href="https://infosec.exchange/tags/LTFS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTFS</span></a>) and then encrypt GNU/BSD tar's index, or have <em>triple</em> the online HDD/SDD capacity of your archived data so you can tar up your files, run another pass with GnuPG to extract the index, and then encrypt both the tarball and index separately before writing them out to tape.</p><p>That seems...unreasonable. <a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> doesn't support the AES-256-GCM mode built into current <a href="https://infosec.exchange/tags/LTO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LTO</span></a> drives, so gpgtar needs to keep up with the massive growth of data storage capacity rather than remaining an afterthought utility. Especially for <a href="https://infosec.exchange/tags/SOHO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOHO</span></a> LTO drives, the ability to write encrypted gpgtar archives and indexes directly to LTFS could be a real game-changer!</p>