GnuPG
Contents
Info
PGP encryption of email and files. Since PGP is not free GnuPG comes to the rescue.
Quote:
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
More information: http://www.gnupg.org/
Installation
Archlinux
pacman -Sv gnupg gnupg2 pinentry
You should use gpg-agent to manage the interactions between your software:
gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding following line in ~/.gnupg/gpg.conf:
use-agent
This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:
/etc/profile.d/gpg-agent.sh
#!/bin/sh envfile="${HOME}/.gnupg/gpg-agent.env" if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then eval "$(cat "$envfile")" else eval "$(gpg-agent --daemon --write-env-file "$envfile")" fi export GPG_AGENT_INFO # the env file does not contain the export statement
sudo chmod 0755 /etc/profile.d/gpg-agent.sh sh /etc/profile.d/gpg-agent.sh
Generate a Key
gpg --gen-key
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only)
Select (1) to both sign and encrypt
What keysize do you want? (2048)
I select 4096 because why not? If it had 1 million. You should select it too :p
Key is valid for? (0)
I put forever because I will revoke when I need to. If you want forward secrecy (only physical) then you may want to define a time limit so however many years from now people are not sending you emails or whatever with old keys. It will expire and you will have to create a new one with a better key size. I just like the control. You can figure out the other reasons to make them expire.
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Dennis Kaarsemaker Email address: dennis@kaarsemaker.net Comment: Tutorial key You selected this USER-ID: "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"
You need a Passphrase to protect your secret key.
You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. Make it something you can remember and long. The first letter of each word in a sentence, etc. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.
After you are done:
gpg: key D8FC66D2 marked as ultimately trusted public and secret key created and signed. pub 1024D/D8FC66D2 2005-09-08 Key fingerprint = 95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2 uid Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net> sub 2048g/389AA63E 2005-09-08
The key in this example is D8FC66D2.
For keysigning parties you will need the key fingerprint. Although PGP keys are generally used with personal computers for Internet-related applications, key signing parties themselves generally do not involve computers, since that would give adversaries increased opportunities for subterfuge. Rather, participants write down a string of letters and numbers, called a public key fingerprint, which represents their key.
You should set your key as the default key by editing ./bashrc and adding
export GPGKEY=D8FC66D2
killall -q gpg-agent eval $(gpg-agent --daemon) source ~/.bashrc
Creating Revocation Certificate
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
gpg --output revoke.asc --gen-revoke $GPGKEY
Making an ASCII Armored Version of Your Public Key
gpg --output mykey.asc --export -a $GPGKEY
Uploading Your Key to Key Servers
Some servers seem to accept hkp sends and ldap sends. The pgp server seems to only work with ldap. You can submit the armoured version of your key via most of these sites http interfaces. I am going to submit my key to a decent amount of key servers to test. I will also post the results here.
I am going to try hkp first, then ldap, and post the results that way.
hkp:
gpg --send-keys --keyserver the.server.name $GPGKEY
keyserver.ubuntu.com pgp.mit.edu keys.kfwebs.net
ldap:
gpg --send-keys --keyserver ldap://keyserver.pgp.com $GPGKEY
keyserver.pgp.com
So far through my submissions pgp.mit.edu updates fast. The others I am still waiting on.
Searching a Server For Your Key
gpg --keyserver pgp.mit.edu --search-keys webdawg gpg --keyserver pgp.mit.edu --search-keys webdawg@gmail.com gpg --keyserver pgp.mit.edu --search-keys K3Y1D01
Usage For Encrypted Email
I used Thunderbird and enigmail because I wanted a GUI when sending and recieving emails. I already have gpg installed as such above and gpg-agent is managing my keys.
Installation
New-Way
enigmail is out of date on the aur... The archlinux wiki now points to nightly builds that are compatible with the version of thunderbird installed and the 64 bit platform. The one I downloaded 07.25.12 works fine.
- Via enigmail.mozdev.org
EnigMail addons that works for x86_64 can be downloaded from
page. Select the Arch build of the addon and follow the instructions in the previous section to install.
If you are having problems with the nightly build you may want to wait until they fix the problem, contact the enigmail people about it, or download the one that I got on 07.25.12.
The one that I got @ 07.25.12: http://files.hackspherelabs.com/?download=enigmail-nightly-comm-release-win-lin.xpi
Old-Way
enigmail is available from the aur for 64 bit. You should be able to pull the plug-in strait from https://addons.mozilla.org/en-US/thunderbird/addon/71 if you run 32 bit.
It looks like two versions are available:
- One you can compile: enigmail
- One compiled: enigmail-bin
I chose to have yaourt compile mine. It took hours but works fine.
pacman -Sv thunderbird yaourt enigmail
After everything was installed it was easy from there. I did disable in the enigmail preferences the option that inserts the 'encrypted by enigmail' comment.
I also wondered about the functionality of the software and did some tests. I wanted to know what it would do if I tried to send an encrypted email to someone not in my gpg keyring. When I do it prompted me to search a keyserver for the email address.
Testing Your Encrypted Email Setup
Adele, the "Friendly OpenPGP Email Robot". Adele accepts OpenPGP messages and replies in an explanatory way to any kind of OpenPGP messages.
The bots email is: adele-en@gnupp.de
I started a plain text email (Shift + Click Write) typed some random message in and went to OpenPGP->Attach My Public Key. I also tested the attach public key prompt and manually selected my key and it still attached and I got a response fine.
It will ask you if you want to encrypt the attachment (public key). You do not or the bot will not be able to read it as it does not pull keys from servers. I did not choose the pgp/mime format either. I do not know if it matters.
It took 15-30 mins to get the response.
Notes
- Documentation on enigmail: http://enigmail.mozdev.org/documentation/quickstart-ch3.php.html
Backing Up and Restoring Your Private and Public Keys
How To Backup
List your keys first.
# gpg --list-keys
/root/.gnupg/pubring.gpg ———————— pub 1024D/EE6E8046 2009-02-20 uid Bill Till (My GPG key) <test@abc.com> sub 2048g/AE3B1BD4 2009-02-20 pub 1024D/E4635BBE 2009-03-16 uid John Doe (My first key) <gpg@abc.com> sub 2048g/0AC353C2 2009-03-16
Select the KeyID which belogs to you. In this case it is EE6E8046.
To backup your Public key give the following command:
# gpg -ao mypub.key --export EE6E8046
This will create a file called “mypub.key”
To backup your Private key give the following command:
# gpg -ao myprivate.key--export-secret-keys EE6E8046
This will create a file called “mypub.key”
Now store these two files (mypub.key and mypub.key) on a floppy disk, CD or USB drive and put it away to some secure and safe place. Or gpg encrypt them some more :p and them store them.
How To Restore
# gpg --import myprivate.key
gpg: key EE6E8046: secret key imported gpg: key EE6E8046: public key “Bill Till (My GPG key) <test@abc.com>” imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1
# gpg --import mypub.key gpg: key EE6E8046: “Bill Till (My GPG key) <test@abc.com>” not changed gpg: Total number processed: 1 gpg: unchanged: 1
# gpg --list-keys /root/.gnupg/pubring.gpg ———————— pub 1024D/EE6E8046 2009-02-20 uid Bill Till (My GPG key) <test@abc.com> sub 2048g/AE3B1BD4 2009-02-20
Encrypting and Decrypting a File
When I backup my keys I encrypt them too.
For example, this is how you can encrypt a zip file called backup.zip and output the result to a new file called backup.zip.gpg.
gpg --symmetric --cipher-algo aes256 -o backup.zip.gpg backup.zip Enter passphrase: ******* Repeat passphrase: *******
To decrypt the file, the following will work.
gpg -d -o backup.zip backup.zip.gpg gpg: AES256 encrypted data Enter passphrase: ******* gpg: encrypted with 1 passphrase
For fun, here’s how to create a Gzip Tar archive (tar.gz) and encrypt it on the fly.
tar czvpf - SomeFiles/ | gpg --symmetric --cipher-algo aes256 -o backup.tar.gz.gpg Enter passphrase: ******* Repeat passphrase: *******
To decrypt and extract in a single command, the following also works.
gpg -d backup.tar.gz.gpg | tar xzvf - gpg: AES256 encrypted data Enter passphrase: ******* gpg: encrypted with 1 passphrase
If you’re curious to know what other ciphers are available to you, simple use the gpg --version command.
gpg --version | grep Cipher Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Password Entry and pinentry via commandline vs GUI
One of the problems that I have on my system is the fact that pinentry-gtk-2 does not allow a user to paste a password into it. This sucks espically if you are a user of keepassx.
I actually used the --passphrase and --batch options to enter my password as a switch then erased my bashrc. On a multiuser system this is bad though.
gpg -d --batch --passphrase YourReallyLongPassword -o Inputfile.tar OutputFile.tar.gpg
I still like the gtk pinentry for some situations but until they fix the copy and paste bs I just created two aliases in my bashrc
alias gpgswitchgtk='echo "pinentry-program /usr/bin/pinentry-gtk-2" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent' alias gpgswitchcurses='echo "pinentry-program /usr/bin/pinentry-curses" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent'
Just change username to your username as that is where your gpg config is held. You can then use those commands to switch back and fourth.
Restarting GPG Agent
I have had to restart GPG agent to clear some cached passwords and also after I change the gpg-agent.conf.
This command reloads it:
gpgconf --reload gpg-agent
Notes
- http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036556.html
- http://lists.gnupg.org/pipermail/gnupg-users/2012-June/044581.html
- http://savvyadmin.com/symmetric-key-encryption-with-gnupg/
- http://linux.koolsolutions.com/2009/04/01/gpgpgp-part-5-backing-up-restoring-revoking-and-deleting-your-gpgpgp-keys-in-debian/
- https://wiki.archlinux.org/index.php/GnuPG