Gpg
From charlesreid1
GPG (GNU Privacy Guard) is a security program that can be used to do many different things: sign files, hash files, encrypt and decrypt files, etc.
Installation
Configuring
To configure GPG:
# configure
# make
# make install
./configure \
--prefix=$HOME/pkg/gpg/x.x.x
Some Security Theory
Public/Private Keys
Public and private keys are used to encrypt and decrypt information in a protected way, so that only the intended recipient can decrypt the file.
Let's consider the scenario where Alice is sending a file to Bob, with a middleman eavesdropper Eve.
Alice must combine her private key with Bob's public key to obtain a special combo-key. She then uses this combo-key to encrypt the file, and then she sends it to Bob.
Bob can then decrypt the file by combining his private key with Alice's public key, which creates a complementary combo-key, and allows Bob to decrypt the file. In this way, Alice never knows Bob's private key, and Bob never knows Alice's private key, but they can still create complementary combo-keys to encrypt/decrypt the file.
Eve can also download the file sent from Alice to Bob, but because she does not have either Alice's private key, or Bob's private key, she cannot reconstruct the same combo-key to decrypt the file.
Performing Tasks
Generating a Public/Private Key Pair
To generate a private key,
$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA is stronger than DSA, so the default is highly recommended.
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
This is like asking, "How long would you like it to take to crack your private key: 100,000 years, or 15,000 eons?"
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Then it will ask for some identifying information. This is used to generate a public key, and it is important you give a unique name, email address, and comment, so that other people can identify your public key and distinguish it from others'.
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real Name:
Email:
Comment:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter passphrase:
Then it will generate your public and private keys:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
..........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
..+++++
gpg: key BB63D9F1 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
Then it will spit out a summary of your public key information.
List Keys in Your Keyring
Once you've created your public key, it will be added to your GPG key ring. You can see all the public keys on your GPG key ring using:
gpg --list-keys
Sharing Public Keys
Because someone can potentially decrypt things intended only for you by sharing their public key with someone and claiming it is yours, the transfer method for public keys should be trusted. That means NOT EMAIL! Email is not secure and can easily be read and tampered with by other people.
For this reason, public keys should either be shared in person via jumpdrive or local network transfer, via a trusted intermediate (who can sign a public key to confirm it is trusted by that person), or via a public key server.
Remember that GPG is all about trust. When you receive a public key, whoever owns the corresponding private key can decrypt everything you encrypt, so you should be absolutely sure that you trust any public key that you receive and use to encrypt something.
Export ASCII Public Key
If you want to share your public key with others, you can output your public key in ASCII format, and share it:
gpg --armor --output my_pubkey.txt --export 'Your Name'
gpg -a -o my_pubkey.txt --export 'Your Name'
Import ASCII Public Key
You can import others' ASCII public keys into your GPG key ring using the --import option:
gpg --import friend_pubkey.txt
Now when you list your public keys using gpg --list-keys, the new key will show up.
Putting Public Key on Public Key Server
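You can send any of the public keys in your GPG key ring by using the --send-keys option. It takes the key ID (for example, the one printed when the key was generated above), and options such as --keyserver must come before it:
gpg --keyserver hkp://subkeys.pgp.net --send-keys BB63D9F1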
Alternatively, some public key servers (like the PGP Key Server) have convenient web interfaces where you can copy and paste your ASCII public key.
Networks of public key servers often share keys, so your key will probably be propagated to other key servers.
Obtaining Public Keys from Public Key Server
You can obtain public keys from a public key server by using the --search-keys option:
gpg --keyserver hkp://subkeys.pgp.net --search-keys 'name@email.com'
Alternatively, some public key servers will have web interfaces for searches.
Encrypting/Decrypting Files
This is a method for encrypting and decrypting files using GPG. This is a handy trick if you want to store all of your usernames and passwords in a file, and want to protect it via encryption.
Encrypting With Keys
If you are paranoid, or want very strong security, you can encrypt a file so that only someone else can open it. To do this, you must create a GPG private key and a GPG public key (see #References, and GPG Quick Start).
You can also encrypt a file for yourself, so that only your public/private keys can open it.
1. Make sure you have the public key of the individual you want to send the file to, by running
$ gpg --list-keys
2. Encrypt the file using the -e or --encrypt flag, and specify a recipient by putting their name (the one that shows up from their public key) after the -r or --recipient flag:
$ gpg --encrypt --recipient 'Name of Person' secret.txt
$ gpg -e -r 'Name of Person' secret.txt
This will output a file secret.txt.gpg; alternatively, specify the name of the output file using -o or --output flag:
$ gpg --encrypt --recipient 'Name of Person' --output encrypted_secret.txt secret.txt
$ gpg -e -r 'Name of Person' -o encrypted_secret.txt secret.txt
The encrypted file will look like nonsensical garbage if opened in a text editor.
3. Decrypt the file using the -d or --decrypt flag:
$ gpg --decrypt --output decrypted_secret.txt secret.txt.gpg
$ gpg -d -o decrypted_secret.txt secret.txt.gpg
If you don't specify an output file, then it will output to stdout - probably not the best idea for information that is sensitive enough to be encrypted.
Encrypting Without Keys
Sometimes dealing with public and private keys to encrypt a file is just a big hassle. Perhaps the other person has not created a public key; or perhaps they shared it with you, but you can't entirely trust their public key because a man in the middle could have changed it to their own key (thus allowing them to decrypt files that you think can only be decrypted by the intended recipient).
It may be advantageous, in these cases, to have a method of encrypting files that does not use public keys. This is where a handy feature called "symmetric encryption" can be used.
Symmetric encryption uses a strong cipher, called CAST5 (see #References), to encrypt a file using a passphrase, rather than a public/private key pair. As with any passphrase-protected encryption, the passphrase is the weakest link in the process, and only a very strong passphrase can give you the confidence of a strongly-encrypted file.
Keep in mind that this is not as ideal as encryption using keys, but is more convenient (security and convenience are on opposite sides of the same scale).
This can be done in gpg using the -c or --symmetric command line options:
$ gpg -c filename
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
The result of this command is a binary file, filename.gpg.
To make an armored ascii output file, use the --armor option:
$ gpg --symmetric --armor filename
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
The result of this command is an ascii file filename.asc.
To decrypt the gpg file:
$ gpg filename.gpg
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
WARNING: This will print the contents of your file to standard output. You definitely don't want that to happen. Instead, use the -o or --output flags to dump the decrypted contents to a file:
$ gpg --output decrypted_filename.txt filename.gpg
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
Similarly, for the armored ascii file, use the -d or --decrypt command-line option:
$ gpg -d --output decrypted_filename.txt filename.asc
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
GPG Signatures of Files
Sometimes it is desirable to create a signature for a particular file that is made publicly available for download. This is the case if, say, you're worried that a software project's "latest version" was actually maliciously tampered with by a third party, or that somebody might have hacked a site and injected malware into all the downloads.
An individual can use their private key to sign a file, and create a "detached signature" - i.e. a signature in an external file. Anyone with their public key can then verify the file using its signature.
Creating a Detached Signature
To sign a tarball file.tar.gz:
gpg --armor --detach-sign file.tar.gz
This creates a signature file, file.tar.gz.asc. Note that while anyone tampering with file.tar.gz may also tamper with file.tar.gz.asc, they cannot create a valid signature file unless they have the original creator's private key.
Verifying Using a Signature
To verify file.tar.gz using file.tar.gz.asc:
gpg --verify file.tar.gz.asc file.tar.gz
In order to do this, you must have the original creator's public key in your GPG key ring. See above for how to obtain their public key: the recommended method is to use a key server, NOT to download the public key from the website. If someone can tamper with a file provided for download, they can also tamper with a public key provided for download; and if they provide you with a malicious public key, a malicious download, and a malicious file signature, the file will still be verified.
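The caveat above, as an added shell example that is not part of the original page: gpg --verify succeeds for any key already in your key ring, so this script also requires the signer's fingerprint to equal one you pinned. The function names, the sample status lines and the fingerprint are constructed for illustration; --status-fd, GOODSIG and VALIDSIG are GnuPG's own.

```shell
#!/bin/sh
# Added example (not from the original page): accept a download only when its
# detached signature is good AND was made by one pinned key fingerprint.
# Assumption: the fingerprint was obtained out-of-band from the author.

# Normalise a fingerprint as people paste it: drop spaces, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` lines on stdin. Print the primary-key fingerprint
# (last field of VALIDSIG) only if GOODSIG was also reported; expired or
# revoked keys produce EXPKEYSIG/REVKEYSIG instead of GOODSIG and are refused.
good_signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = toupper($NF) }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# verify_pinned FILE SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only when the signer's fingerprint equals the pinned one.
verify_pinned() {
    want=$(norm_fpr "$3")
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | good_signer_fpr) || return 1
    [ "$got" = "$want" ]
}

# Constructed status output for a good signature (fingerprint is made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Command-line use: sh verify_pinned.sh file.tar.gz file.tar.gz.asc 'FINGERPRINT'
if [ "$#" -eq 3 ]; then
    if verify_pinned "$1" "$2" "$3"; then echo "OK: signed by pinned key"
    else echo "REFUSED: bad signature or unexpected signer" >&2; exit 1; fi
fi
```

A malicious key that was imported alongside a malicious download still yields a "good" signature, but its fingerprint will not match the pinned one, so the script refuses the file.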
References
GPG Quick Start:
GPG Documentation:
CAST5 (used in symmetric encryption):
GPG at the "Security Viewpoints" blog: