Difference between revisions of "GnuPG"

From Hack Sphere Labs Wiki
Jump to: navigation, search
(Uploading Your Key to Key Servers)
(Archlinux)
 
(24 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Info==
+
=Info=
  
 
PGP encryption of email and files.  Since PGP is not free GnuPG comes to the rescue.
 
PGP encryption of email and files.  Since PGP is not free GnuPG comes to the rescue.
Line 9: Line 9:
 
More information:  http://www.gnupg.org/
 
More information:  http://www.gnupg.org/
  
==Installation==
+
=Installation=
 
 
===Archlinux===
 
  
 +
==Archlinux==
  
 
  pacman -Sv gnupg gnupg2 pinentry
 
  pacman -Sv gnupg gnupg2 pinentry
Line 23: Line 22:
 
This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:
 
This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:
  
{{File|name=/etc/profile.d/gpg-agent.sh|content=<nowiki>
+
{{File|/etc/profile.d/gpg-agent.sh|<nowiki>
 
#!/bin/sh
 
#!/bin/sh
  
Line 38: Line 37:
 
  sh /etc/profile.d/gpg-agent.sh
 
  sh /etc/profile.d/gpg-agent.sh
  
====Generate a Key====
+
===Generate a Key===
  
 
  gpg --gen-key
 
  gpg --gen-key
Line 100: Line 99:
 
  source ~/.bashrc
 
  source ~/.bashrc
  
====Creating Revocation Certificate====
+
===Creating Revocation Certificate===
  
 
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.  It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.  
 
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.  It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.  
Line 108: Line 107:
 
{{Note|Anybody having access to your revocation certificate can revoke your key, rendering it useless.}}
 
{{Note|Anybody having access to your revocation certificate can revoke your key, rendering it useless.}}
  
====Making an ASCII Armored Version of Your Public Key====
+
===Making an ASCII Armored Version of Your Public Key===
  
 
  gpg --output mykey.asc --export -a $GPGKEY
 
  gpg --output mykey.asc --export -a $GPGKEY
  
====Uploading Your Key to Key Servers====
+
===Uploading Your Key to Key Servers===
  
Some servers seem to accept http sends and ldap sends.  The pgp seems to only work with ldap.  You can submit the armoured version of your key via most of these sites http interfaces.
+
Some servers seem to accept hkp sends and ldap sends.  The pgp server seems to only work with ldap.  You can submit the armoured version of your key via most of these sites http interfaces.  I am going to submit my key to a decent amount of key servers to test.  I will also post the results here.
  
http:
+
I am going to try hkp first, then ldap, and post the results that way.
 +
 
 +
hkp:
  
 
gpg --send-keys --keyserver the.server.name $GPGKEY
 
gpg --send-keys --keyserver the.server.name $GPGKEY
Line 122: Line 123:
 
  keyserver.ubuntu.com
 
  keyserver.ubuntu.com
 
  pgp.mit.edu
 
  pgp.mit.edu
 +
keys.kfwebs.net
  
 
ldap:
 
ldap:
Line 128: Line 130:
  
 
  keyserver.pgp.com
 
  keyserver.pgp.com
 +
 +
{{Note| stinkfoot.org, wwwkeys.stinkfoot.us.pgp.net, subkeys.pgp.net same - submitting via ldap://keyserver.pgp.com listed me @ them}}
  
 
So far through my submissions pgp.mit.edu updates fast.  The others I am still waiting on.
 
So far through my submissions pgp.mit.edu updates fast.  The others I am still waiting on.
 +
 +
===Searching a Server For Your Key===
 +
 +
gpg --keyserver pgp.mit.edu --search-keys webdawg
 +
gpg --keyserver pgp.mit.edu --search-keys webdawg@gmail.com
 +
gpg --keyserver pgp.mit.edu --search-keys K3Y1D01
 +
 +
=Usage For Encrypted Email=
 +
 +
I used Thunderbird and enigmail because I wanted a GUI when sending and recieving emails.  I already have gpg installed as such above and gpg-agent is managing my keys.
 +
 +
==Installation==
 +
==New-Way==
 +
enigmail is out of date on the aur...
 +
The archlinux wiki now points to nightly builds that are compatible with the version of thunderbird installed and the 64 bit platform.  The one I downloaded 07.25.12 works fine.
 +
 +
*Via enigmail.mozdev.org
 +
 +
EnigMail addons that works for x86_64 can be downloaded from
 +
*http://enigmail.mozdev.org/download/download-static.php.html
 +
page. Select the Arch build of the addon and follow the instructions in the previous section to install.
 +
 +
If you are having problems with the nightly build you may want to wait until they fix the problem, contact the enigmail people about it, or download the one that I got on 07.25.12.
 +
 +
The one that I got @ 07.25.12:  http://files.hackspherelabs.com/?download=enigmail-nightly-comm-release-win-lin.xpi
 +
 +
==Old-Way==
 +
enigmail is available from the aur for 64 bit.  You should be able to pull the plug-in strait from https://addons.mozilla.org/en-US/thunderbird/addon/71 if you run 32 bit.
 +
 +
It looks like two versions are available:
 +
*One you can compile:  enigmail
 +
*One compiled:  enigmail-bin
 +
 +
I chose to have yaourt compile mine.  It took '''hours''' but works fine.
 +
 +
pacman -Sv thunderbird
 +
yaourt enigmail
 +
 +
After everything was installed it was easy from there.  I did disable in the enigmail preferences the option that inserts the 'encrypted by enigmail' comment.
 +
 +
I also wondered about the functionality of the software and did some tests.  I wanted to know what it would do if I tried to send an encrypted email to someone not in my gpg keyring.  When I do it prompted me to search a keyserver for the email address.
 +
 +
{{Note| The software should prompt you but it is advised that you send plain text emails vs html.  Using the combination Shift + Click Write will bring up plain txt emails.}}
 +
 +
==Testing Your Encrypted Email Setup==
 +
 +
Adele, the "Friendly OpenPGP Email Robot". Adele accepts OpenPGP messages and replies in an explanatory way to any kind of OpenPGP messages.
 +
 +
The bots email is:  adele-en@gnupp.de
 +
 +
I started a plain text email (Shift + Click Write) typed some random message in and went to OpenPGP->Attach My Public Key.  I also tested the attach public key prompt and manually selected my key and it still attached and I got a response fine.
 +
 +
It will ask you if you want to encrypt the attachment (public key).  You do not or the bot will not be able to read it as it does not pull keys from servers.  I did not choose the pgp/mime format either.  I do not know if it matters.
 +
 +
It took 15-30 mins to get the response.
 +
 +
===Notes===
 +
*Documentation on enigmail:  http://enigmail.mozdev.org/documentation/quickstart-ch3.php.html
 +
 +
=Backing Up and Restoring Your Private and Public Keys=
 +
 +
==How To Backup==
 +
List your keys first.
 +
 +
# gpg --list-keys
 +
 +
    /root/.gnupg/pubring.gpg
 +
    ————————
 +
    pub  1024D/EE6E8046 2009-02-20
 +
    uid                Bill Till (My GPG key) <test@abc.com>
 +
    sub  2048g/AE3B1BD4 2009-02-20
 +
 +
    pub  1024D/E4635BBE 2009-03-16
 +
    uid                  John Doe (My first key) <gpg@abc.com>
 +
    sub  2048g/0AC353C2 2009-03-16
 +
 +
Select the KeyID which belogs to you. In this case it is EE6E8046.
 +
 +
To backup your Public key give the following command:
 +
 +
#  gpg -ao mypub.key --export EE6E8046
 +
 +
This will create a file called “mypub.key”
 +
 +
To backup your Private key give the following command:
 +
 +
#  gpg -ao myprivate.key--export-secret-keys EE6E8046
 +
 +
This will create a file called “mypub.key”
 +
 +
Now store these two files (mypub.key and mypub.key) on a floppy disk, CD or USB drive and put it away to some secure and safe place.  Or gpg encrypt them some more :p and them store them.
 +
 +
==How To Restore==
 +
 +
# gpg --import myprivate.key
 +
 +
    gpg: key EE6E8046: secret key imported
 +
    gpg: key EE6E8046: public key “Bill Till (My GPG key) <test@abc.com>” imported
 +
    gpg: Total number processed: 1
 +
    gpg:              imported: 1
 +
    gpg:      secret keys read: 1
 +
    gpg:  secret keys imported: 1
 +
 +
# gpg --import mypub.key
 +
 +
    gpg: key EE6E8046: “Bill Till (My GPG key) <test@abc.com>” not changed
 +
    gpg: Total number processed: 1
 +
    gpg:              unchanged: 1
 +
 +
# gpg --list-keys
 +
 +
    /root/.gnupg/pubring.gpg
 +
    ————————
 +
    pub  1024D/EE6E8046 2009-02-20
 +
    uid                  Bill Till (My GPG key) <test@abc.com>
 +
    sub  2048g/AE3B1BD4 2009-02-20
 +
 +
=Encrypting and Decrypting a File=
 +
 +
When I backup my keys I encrypt them too.
 +
 +
For example, this is how you can encrypt a zip file called backup.zip and output the result to a new file called backup.zip.gpg.
 +
 +
    gpg --symmetric --cipher-algo aes256 -o backup.zip.gpg backup.zip
 +
    Enter passphrase: *******
 +
    Repeat passphrase: *******
 +
 +
To decrypt the file, the following will work.
 +
 +
    gpg -d -o backup.zip backup.zip.gpg
 +
    gpg: AES256 encrypted data
 +
    Enter passphrase: *******
 +
    gpg: encrypted with 1 passphrase
 +
 +
For fun, here’s how to create a Gzip Tar archive (tar.gz) and encrypt it on the fly.
 +
 +
    tar czvpf - SomeFiles/ | gpg --symmetric --cipher-algo aes256 -o backup.tar.gz.gpg
 +
    Enter passphrase: *******
 +
    Repeat passphrase: *******
 +
 +
To decrypt and extract in a single command, the following also works.
 +
 +
    gpg -d backup.tar.gz.gpg | tar xzvf -
 +
    gpg: AES256 encrypted data
 +
    Enter passphrase: *******
 +
    gpg: encrypted with 1 passphrase
 +
 +
If you’re curious to know what other ciphers are available to you, simple use the gpg --version command.
 +
 +
    gpg --version | grep Cipher
 +
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
 +
 +
=Password Entry and pinentry via commandline vs GUI=
 +
 +
One of the problems that I have on my system is the fact that pinentry-gtk-2 does not allow a user to paste a password into it.  This sucks espically if you are a user of keepassx.
 +
 +
I actually used the --passphrase and --batch options to enter my password as a switch then erased my bashrc.  On a multiuser system this is bad though.
 +
 +
gpg -d --batch --passphrase YourReallyLongPassword -o Inputfile.tar OutputFile.tar.gpg
 +
 +
I still like the gtk pinentry for some situations but until they fix the copy and paste bs I just created two aliases in my bashrc
 +
 +
alias gpgswitchgtk='echo "pinentry-program /usr/bin/pinentry-gtk-2" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent'
 +
alias gpgswitchcurses='echo "pinentry-program /usr/bin/pinentry-curses" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent'
 +
 +
Just change username to your username as that is where your gpg config is held.  You can then use those commands to switch back and fourth.
 +
 +
 +
=Restarting GPG Agent=
 +
I have had to restart GPG agent to clear some cached passwords and also after I change the gpg-agent.conf.
 +
 +
This command reloads it:
 +
 +
gpgconf --reload gpg-agent
 +
=Notes=
 +
*http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036556.html
 +
*http://lists.gnupg.org/pipermail/gnupg-users/2012-June/044581.html
 +
*http://savvyadmin.com/symmetric-key-encryption-with-gnupg/
 +
*http://linux.koolsolutions.com/2009/04/01/gpgpgp-part-5-backing-up-restoring-revoking-and-deleting-your-gpgpgp-keys-in-debian/
 +
*https://wiki.archlinux.org/index.php/GnuPG

Latest revision as of 07:57, 16 June 2015

Info

PGP encryption of email and files. Since PGP is not free GnuPG comes to the rescue.

Quote:

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.

More information: http://www.gnupg.org/

Installation

Archlinux

pacman -Sv gnupg gnupg2 pinentry

You should use gpg-agent to manage the interactions between your software:

gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. It can be activated by adding following line in ~/.gnupg/gpg.conf:

use-agent

This tells GnuPG to use the agent whenever it needs the password. However, the agent needs to run already. To autostart it, create the following file and make it executable:

/etc/profile.d/gpg-agent.sh
#!/bin/sh

envfile="${HOME}/.gnupg/gpg-agent.env"
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --daemon --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO  # the env file does not contain the export statement
sudo chmod 0755 /etc/profile.d/gpg-agent.sh
sh /etc/profile.d/gpg-agent.sh

Generate a Key

gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Select (1) to both sign and encrypt

What keysize do you want? (2048)

I select 4096 because why not? If it had 1 million. You should select it too :p

Key is valid for? (0)

I put forever because I will revoke when I need to. If you want forward secrecy (only physical) then you may want to define a time limit so however many years from now people are not sending you emails or whatever with old keys. It will expire and you will have to create a new one with a better key size. I just like the control. You can figure out the other reasons to make them expire.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Dennis Kaarsemaker
Email address: dennis@kaarsemaker.net
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"
You need a Passphrase to protect your secret key.

You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. Make it something you can remember and long. The first letter of each word in a sentence, etc. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.

Note: Forgetting your passphrase will result in your key being useless. Carefully memorize your passphrase.

After you are done:


gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08

The key in this example is D8FC66D2.

For keysigning parties you will need the key fingerprint. Although PGP keys are generally used with personal computers for Internet-related applications, key signing parties themselves generally do not involve computers, since that would give adversaries increased opportunities for subterfuge. Rather, participants write down a string of letters and numbers, called a public key fingerprint, which represents their key.

You should set your key as the default key by editing ./bashrc and adding

export GPGKEY=D8FC66D2
killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Creating Revocation Certificate

A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.

gpg --output revoke.asc --gen-revoke $GPGKEY
Note: Anybody having access to your revocation certificate can revoke your key, rendering it useless.

Making an ASCII Armored Version of Your Public Key

gpg --output mykey.asc --export -a $GPGKEY

Uploading Your Key to Key Servers

Some servers seem to accept hkp sends and ldap sends. The pgp server seems to only work with ldap. You can submit the armoured version of your key via most of these sites http interfaces. I am going to submit my key to a decent amount of key servers to test. I will also post the results here.

I am going to try hkp first, then ldap, and post the results that way.

hkp:

gpg --send-keys --keyserver the.server.name $GPGKEY

keyserver.ubuntu.com
pgp.mit.edu
keys.kfwebs.net

ldap:

gpg --send-keys --keyserver ldap://keyserver.pgp.com $GPGKEY

keyserver.pgp.com
Note: stinkfoot.org, wwwkeys.stinkfoot.us.pgp.net, subkeys.pgp.net same - submitting via ldap://keyserver.pgp.com listed me @ them

So far through my submissions pgp.mit.edu updates fast. The others I am still waiting on.

Searching a Server For Your Key

gpg --keyserver pgp.mit.edu --search-keys webdawg
gpg --keyserver pgp.mit.edu --search-keys webdawg@gmail.com
gpg --keyserver pgp.mit.edu --search-keys K3Y1D01

Usage For Encrypted Email

I used Thunderbird and enigmail because I wanted a GUI when sending and recieving emails. I already have gpg installed as such above and gpg-agent is managing my keys.

Installation

New-Way

enigmail is out of date on the aur... The archlinux wiki now points to nightly builds that are compatible with the version of thunderbird installed and the 64 bit platform. The one I downloaded 07.25.12 works fine.

  • Via enigmail.mozdev.org

EnigMail addons that works for x86_64 can be downloaded from

page. Select the Arch build of the addon and follow the instructions in the previous section to install.

If you are having problems with the nightly build you may want to wait until they fix the problem, contact the enigmail people about it, or download the one that I got on 07.25.12.

The one that I got @ 07.25.12: http://files.hackspherelabs.com/?download=enigmail-nightly-comm-release-win-lin.xpi

Old-Way

enigmail is available from the aur for 64 bit. You should be able to pull the plug-in strait from https://addons.mozilla.org/en-US/thunderbird/addon/71 if you run 32 bit.

It looks like two versions are available:

  • One you can compile: enigmail
  • One compiled: enigmail-bin

I chose to have yaourt compile mine. It took hours but works fine.

pacman -Sv thunderbird
yaourt enigmail

After everything was installed it was easy from there. I did disable in the enigmail preferences the option that inserts the 'encrypted by enigmail' comment.

I also wondered about the functionality of the software and did some tests. I wanted to know what it would do if I tried to send an encrypted email to someone not in my gpg keyring. When I do it prompted me to search a keyserver for the email address.

Note: The software should prompt you but it is advised that you send plain text emails vs html. Using the combination Shift + Click Write will bring up plain txt emails.

Testing Your Encrypted Email Setup

Adele, the "Friendly OpenPGP Email Robot". Adele accepts OpenPGP messages and replies in an explanatory way to any kind of OpenPGP messages.

The bots email is: adele-en@gnupp.de

I started a plain text email (Shift + Click Write) typed some random message in and went to OpenPGP->Attach My Public Key. I also tested the attach public key prompt and manually selected my key and it still attached and I got a response fine.

It will ask you if you want to encrypt the attachment (public key). You do not or the bot will not be able to read it as it does not pull keys from servers. I did not choose the pgp/mime format either. I do not know if it matters.

It took 15-30 mins to get the response.

Notes

Backing Up and Restoring Your Private and Public Keys

How To Backup

List your keys first.

# gpg --list-keys
    /root/.gnupg/pubring.gpg
    ————————
    pub   1024D/EE6E8046 2009-02-20
    uid                 Bill Till (My GPG key) <test@abc.com>
    sub   2048g/AE3B1BD4 2009-02-20

    pub   1024D/E4635BBE 2009-03-16
    uid                  John Doe (My first key) <gpg@abc.com>
    sub   2048g/0AC353C2 2009-03-16

Select the KeyID which belogs to you. In this case it is EE6E8046.

To backup your Public key give the following command:

#  gpg -ao mypub.key --export EE6E8046

This will create a file called “mypub.key”

To backup your Private key give the following command:

#  gpg -ao myprivate.key--export-secret-keys EE6E8046

This will create a file called “mypub.key”

Now store these two files (mypub.key and mypub.key) on a floppy disk, CD or USB drive and put it away to some secure and safe place. Or gpg encrypt them some more :p and them store them.

How To Restore

# gpg --import myprivate.key
    gpg: key EE6E8046: secret key imported
    gpg: key EE6E8046: public key “Bill Till (My GPG key) <test@abc.com>” imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg:       secret keys read: 1
    gpg:   secret keys imported: 1
# gpg --import mypub.key

    gpg: key EE6E8046: “Bill Till (My GPG key) <test@abc.com>” not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
# gpg --list-keys

    /root/.gnupg/pubring.gpg
    ————————
    pub   1024D/EE6E8046 2009-02-20
    uid                  Bill Till (My GPG key) <test@abc.com>
    sub   2048g/AE3B1BD4 2009-02-20

Encrypting and Decrypting a File

When I backup my keys I encrypt them too.

For example, this is how you can encrypt a zip file called backup.zip and output the result to a new file called backup.zip.gpg.

   gpg --symmetric --cipher-algo aes256 -o backup.zip.gpg backup.zip
   Enter passphrase: *******
   Repeat passphrase: *******

To decrypt the file, the following will work.

   gpg -d -o backup.zip backup.zip.gpg
   gpg: AES256 encrypted data
   Enter passphrase: *******
   gpg: encrypted with 1 passphrase

For fun, here’s how to create a Gzip Tar archive (tar.gz) and encrypt it on the fly.

   tar czvpf - SomeFiles/ | gpg --symmetric --cipher-algo aes256 -o backup.tar.gz.gpg
   Enter passphrase: *******
   Repeat passphrase: *******

To decrypt and extract in a single command, the following also works.

   gpg -d backup.tar.gz.gpg | tar xzvf -
   gpg: AES256 encrypted data
   Enter passphrase: *******
   gpg: encrypted with 1 passphrase

If you’re curious to know what other ciphers are available to you, simple use the gpg --version command.

   gpg --version | grep Cipher
   Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH

Password Entry and pinentry via commandline vs GUI

One of the problems that I have on my system is the fact that pinentry-gtk-2 does not allow a user to paste a password into it. This sucks espically if you are a user of keepassx.

I actually used the --passphrase and --batch options to enter my password as a switch then erased my bashrc. On a multiuser system this is bad though.

gpg -d --batch --passphrase YourReallyLongPassword -o Inputfile.tar OutputFile.tar.gpg

I still like the gtk pinentry for some situations but until they fix the copy and paste bs I just created two aliases in my bashrc

alias gpgswitchgtk='echo "pinentry-program /usr/bin/pinentry-gtk-2" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent'
alias gpgswitchcurses='echo "pinentry-program /usr/bin/pinentry-curses" > /home/username/.gnupg/gpg-agent.conf ; gpgconf --reload gpg-agent'

Just change username to your username as that is where your gpg config is held. You can then use those commands to switch back and fourth.


Restarting GPG Agent

I have had to restart GPG agent to clear some cached passwords and also after I change the gpg-agent.conf.

This command reloads it:

gpgconf --reload gpg-agent

Notes