Security: Introduction to GNUPG
Posted on Tuesday, December 14 @ 03:36:52 CST by maysvill
ewiget writes "GNUPG is software used to encrypt data, create digital signatures, verify the integrity of program sources, and sign individual sensitive files. Most Linux users are either concerned about security or couldn't care less about it. Those who are concerned with security probably already know how to use GNUPG; for example, they might already know how to send digitally signed email. Either way, this article will cover the very basics of GNUPG and how to use it on your computer system. Once you see how easy it is, it will likely improve everyone's security.
As with all the articles I write for the MLUG, my desktop of choice is a bash shell, and I generally write the articles as if you are using the bash shell. I do this for a reason: everything you can do from a graphical desktop can be done from a shell, terminal, or whatever you want to call it. More often than not, knowing how to do something from a shell has saved me, whether in the field on a service call or at home fixing some rogue program that has messed up X, KDE, Gnome, or whatever. There are GUI tools available to do most, if not all, of the things this article will discuss.
First you need to make sure you have GNUPG installed on your system. The easiest way to do that is to simply type:
which gpg
If it gives you a path, then it is already installed. If it is not, you can install it by RPM, using apt, or from a tar file before continuing. (I won't cover installation here, as most people will have it installed already.)
The first thing we are going to cover is creating your own gpg key. This is very easy to accomplish with the following command:
mlug@tsp mlug $ gpg --gen-key

You need a Passphrase to protect your secret key.
Enter passphrase: mypassphrase
Repeat passphrase: mypassphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++
gpg: /home/mlug/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/A3258E4E 2004-12-13 Your Name
Key fingerprint = A6A5 CB1E 6FCE 0032 CBAD ED3A 5FAD 49DD A325 8E4E
sub 2048g/FEF01CF9 2004-12-13
The .gnupg directory should now exist in your home directory. Below I check that it was created:
mlug@tsp mlug $ ls -la
total 16
drwxr-xr-x 3 mlug users 4096 Dec 13 14:56 .
drwxr-xr-x 7 root root 4096 Dec 13 14:46 ..
drwx------ 2 mlug users 4096 Dec 13 14:48 .gnupg
Within that directory there should be several files. Below I list them:
mlug@tsp mlug $ ls -la .gnupg
total 32
drwx------ 2 mlug users 4096 Dec 13 14:48 .
drwxr-xr-x 3 mlug users 4096 Dec 13 14:56 ..
-rw------- 1 mlug users 8075 Dec 13 14:47 gpg.conf
-rw------- 1 mlug users 1167 Dec 13 14:48 pubring.gpg
-rw------- 1 mlug users 0 Dec 13 14:47 pubring.gpg~
-rw------- 1 mlug users 600 Dec 13 14:48 random_seed
-rw------- 1 mlug users 1240 Dec 13 14:48 secring.gpg
-rw------- 1 mlug users 1240 Dec 13 14:48 trustdb.gpg
Now that you have a gpg key, you could start signing email messages with it using most Linux email programs (I know kmail and evolution both support digitally signing email).
If you want to be able to share your public key with others, you first need to export your key. This is done like so:
mlug@tsp mlug $ gpg --export -ao UID
Here --export extracts the public key from your key file, -a creates ASCII-armored output that you can mail, publish, or put on a web page, -o puts the result in a file, and UID is the user ID of the key you want to export. I am not sure why, but whenever you output a key by the user's name, it will only output the first name if there is a space between the first and last name. To make this a little more meaningful for this article and the key I created above, the actual command would look like this (and it should be different for your gpg key):
mlug@tsp mlug $ gpg --export -ao Your Name
Next I check to make sure the file was created:
mlug@tsp mlug $ ls -la
-rw-r--r-- 1 mlug users 1686 Dec 13 14:56 Your
Next I view the content of the file created:

You could now use this file for various purposes: you could include it in your email signature, upload it to a gpg key server, put it on your homepage for download as your gpg key, or send it to a friend, who could then send you theirs; once you have each other's keys, you can send encrypted messages between you.
So, assuming your friend sends you a key, you may be wondering how to use it or add it to your keyring. This is accomplished like this:
mlug@tsp mlug $ gpg --import filename
For this example, I am going to import my real gpg key into the fake user I created for this article. The file I exported is called Ed. My real key looks like this:

Next, I will import this file, Ed, into the fake user's (mlug) keyring. This is the command I used to import it:
mlug@tsp mlug $ gpg --import Ed
gpg: key C3855F59: public key "Ed Wiget (RHP Studios Security Consultant) " imported
gpg: Total number processed: 1
gpg: imported: 1
To make sure that it imported, I can run this command:
mlug@tsp mlug $ gpg --list-key
/home/mlug/.gnupg/pubring.gpg
-----------------------------
pub 1024D/A3258E4E 2004-12-13 Your Name
sub 2048g/FEF01CF9 2004-12-13
pub 1024D/C3855F59 2001-07-08 Ed Wiget (RHP Studios Security Consultant)
sub 2048g/4CFFC4EB 2001-07-08
Notice that it shows the fake user's (mlug) key, with the name "Your Name", and also the key I imported, belonging to Ed Wiget (RHP Studios Security Consultant). It also shows some details about these keys: the public and sub keys, the strength of the key (1024 or 2048 bits), the type of key (D or g), the key ID, which some email programs use to identify your key when digitally signing email (A3258E4E), the date the keys were created, and who owns them.
Now, even though I have imported the key, there is one more step I can take to further secure the key I just imported: I can digitally sign it with my own key. This should only be done if you are absolutely 300% sure the key belongs to the person it claims. Signing a key certifies that you know the owner of the key and acknowledge that the user ID in the key really belongs to the owner of that key. Another key is signed using the command:
mlug@tsp mlug $ gpg --sign-key UID
So, for the same examples used throughout this article, the user mlug is going to sign Ed Wiget's key. This is how it is done (notice that I left off the last name, because of the space between the first and last name):
mlug@tsp mlug $ gpg --sign-key Ed
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
pub 1024D/C3855F59 created: 2001-07-08 expires: never trust: -/-
sub 2048g/4CFFC4EB created: 2001-07-08 expires: never
(1). Ed Wiget (RHP Studios Security Consultant)
pub 1024D/C3855F59 created: 2001-07-08 expires: never trust: -/-
Primary key fingerprint: E0A1 B2C9 7478 E69F 04AB B9A3 A66C 3AA4 C385 5F59
Ed Wiget (RHP Studios Security Consultant)
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? (enter '?' for more information): 3
Are you really sure that you want to sign this key
with your key: "Your Name " (A3258E4E)
I have checked this key very carefully.
Really sign? y
So, now that we have made it this far, let's see how we can encrypt and decrypt files between each other and also verify the signature of the encrypted file.
First, I create a text file to encrypt using the nano text editor (but you can use an existing file too) with the command:
mlug@tsp mlug $ nano -w testfile.txt
Inside this file I created some simple text:
this is a test file for encryption to Ed Wiget
To encrypt it, I will use the following command:
mlug@tsp mlug $ gpg -sear Ed testfile.txt
where -s is for signing, -e is for encrypting, -a creates ASCII-armored output ready for sending by email, -r names the user ID of the recipient to encrypt to, and testfile.txt is the file I want to encrypt.
Once I press the enter key, I see:
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0
I then check the directory listing using ls -la and find a new file called testfile.txt.asc:
mlug@tsp mlug $ ls -la
total 28
drwxr-xr-x 3 mlug users 4096 Dec 13 15:39 .
drwxr-xr-x 7 root root 4096 Dec 13 14:46 ..
drwx------ 2 mlug users 4096 Dec 13 15:39 .gnupg
-rw-r--r-- 1 mlug users 1710 Dec 13 15:14 Ed
-rw-r--r-- 1 mlug users 1686 Dec 13 14:56 Your
-rw-r--r-- 1 mlug users 47 Dec 13 15:37 testfile.txt
-rw-r--r-- 1 mlug users 1070 Dec 13 15:39 testfile.txt.asc
To check that the file's contents were in fact encrypted, I view them:

The above looks good to me, so now I send my secret message to Ed Wiget via email. Once he receives the file, he can decrypt it using the following command:
bash-2.05b$ gpg -d testfile.txt.asc
You need a passphrase to unlock the secret key for
user: "Ed Wiget (RHP Studios Security Consultant) "
2048-bit ELG-E key, ID 4CFFC4EB, created 2001-07-08 (main key ID C3855F59)
gpg: encrypted with 2048-bit ELG-E key, ID 4CFFC4EB, created 2001-07-08
"Ed Wiget (RHP Studios Security Consultant) "
this is a test file for encryption to Ed Wiget
gpg: Signature made Mon Dec 13 15:39:31 2004 EST using DSA key ID A3258E4E
gpg: Good signature from "Your Name "
gpg: checking the trustdb
Notice that it shows the actual unencrypted text above.
I think I have covered pretty much all of the basics of using gpg. If you have any more questions, you can post a comment and I will answer them; or remember, man is your friend, so you can also try man gpg."
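The procedure the article walks through (key generation, export, signing and encrypting with -sear, decrypting with -d), run end to end without prompts. This is an added example, not the article's own commands; it assumes GnuPG 2.1 or newer on PATH and creates a throwaway, unprotected test key in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the original article: the article's key-generation,
# export, sign+encrypt and decrypt steps run unattended in a throwaway
# GNUPGHOME. Assumes GnuPG 2.1 or newer; the key is test-only and unprotected.

gpg_roundtrip() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 0; }
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" || return 1
  # Unattended form of "gpg --gen-key": a signing primary key plus an
  # encryption subkey, the same pub/sub layout the article's listing shows.
  cat >"$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Your Name
Name-Email: yourname@example.com
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$work/params" || return 1
  # Export the public key. Quoting "Your Name" keeps the whole user ID as one
  # argument; unquoted, the shell passes "Your" as the -o file and "Name" as
  # the user ID, which is why the article ended up with a file called "Your".
  gpg --batch --export -ao "$work/yourname.asc" "Your Name" || return 1
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/yourname.asc" || return 1
  # "gpg -sear": sign, encrypt, ASCII-armor, to the named recipient (ourselves
  # here, since only our own key is on this test keyring).
  printf '%s\n' 'this is a test file for encryption to Ed Wiget' >"$work/testfile.txt"
  gpg --batch --yes -sear "Your Name" "$work/testfile.txt" || return 1
  # Decrypt with "gpg -d", but judge the result by gpg's machine-readable
  # status lines, not by eyeballing the "Good signature" text.
  gpg --batch --yes --status-file "$work/status" \
      -o "$work/decrypted.txt" -d "$work/testfile.txt.asc" || return 1
  grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/status" || return 1
  grep -q '^\[GNUPG:\] GOODSIG ' "$work/status" || return 1
  cmp -s "$work/testfile.txt" "$work/decrypted.txt" || return 1
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
}

gpg_roundtrip && echo "sign/encrypt/decrypt round trip ok"
```

When scripting this, keep the status-file checks: gpg's exit code and the GOODSIG and DECRYPTION_OKAY lines are what tell you the message really decrypted and verified, not the mere presence of readable output.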