GNU Privacy Guard

To protect messages that you send by e-mail, most Linux distributions provide GNU Privacy Guard (GnuPG) encryption and authentication (www.gnupg.org). GnuPG is GNU open source software that works much like Pretty Good Privacy (PGP) encryption. It is the OpenPGP encryption and signing tool, and OpenPGP is the open source version of PGP. With GnuPG, you can both encrypt your messages and digitally sign them—protecting the message and authenticating that it is from you. Currently, Evolution and KMail both support GnuPG encryption and authentication, as does Thunderbird with the added use of GPG extensions. On Evolution, you can select PGP encryption and signatures from the Security menu to use GnuPG (the PGP options use GnuPG on Fedora and Red Hat Linux). On KMail, you can select the encryption to use on the Security panel in the Options window. For Thunderbird you can use the enigmail extension to support OpenGPG and PGP encryption (enigmail.mozdev.org).

GNU Privacy Guard (GnuPG) operations are carried out with the gpg command, which uses both commands and options to perform tasks. Commonly used commands and options are listed in Table 16-2. Some commands and options have a short form that uses only one hyphen. Normally, two hyphens are used. If you just want to verify the validity of a digital signature, you can use gpgv instead. This is a stripped-down version of gpg used just for signature verification.

The first time you use gpg, a .gnugpg directory is created in your home directory with a file named options. The .gnugpg/gpg.conf file contains commented default options for GPG operations. You can edit this file and uncomment or change any default options you want implemented for GPG. You can use a different options file by specifying it with the --options parameter when invoking gpg. Helpful options include keyserver entries. The .gnugpg directory will also hold encryption files such as secring.gpg for your secret keys (secret keyring), pubring.gpg for your public keys (public keyring), and trustdb.gpg, which is a database for trusted keys.

TIP You can use GNOME Keyring Manager (gnome-keyring) to manage your PGP secret keys.

GnuPG Setup: gpg

Before you can use GnuPG, you will have to generate your private and public keys. On the command line (terminal window), enter the gpg command with the - -gen-key command. The gpg program will then prompt with different options for creating your private and public keys. You can check the gpg Man page for information on using the gpg program.

Creating Your Key

You are first asked to select the kind of key you want. Normally, you would just select the default entry, which you can do by pressing the enter key. Then you choose the key size, usually the default 1024. You then specify how long the key is to be valid—usually, there is no expiration. You will be asked to enter a user ID, a comment, and an e-mail address. Press enter to be prompted for each in turn. These elements, any of which can be used as the key's name, identify the key. You use the key name when performing certain GPG tasks such as signing a key or creating a revocation certificate. For example, the following

GPG Commands	Description
-s, --sign	Signs a document, creating a signature. May be combined with - -encrypt.
--clearsign	Creates a clear-text signature.
-b, --detach-sign	Creates a detached signature.
-e, --encrypt	Encrypts data. May be combined with - -sign.
--decrypt [file]	Decrypts file (or stdin if no file is specified) and writes it to stdout (or the file specified with --output). If the decrypted file is signed, the signature is verified.
--verify [[ sigfile ] [signed-files]]	Verifies a signed file. The signature can either be contained with the file or be a separate detached signature file.
--list-keys [names]	Lists all keys from the keyrings or those specified.
--list-public-keys [names]	Lists all keys from the public keyrings or those specified.
--list-secret-keys [names]	Lists your private (secret) keys.
--list-sigs [names]	Lists your keys along with any signatures they have.
--check-sigs [names]	Lists keys and their signatures and verify the signatures.
--fingerprint [names]	Lists fingerprints for specified keys.
--gen-key	Generates a new set of private and public keys.
--edit-key name	Edits your keys. Use commands to perform most key operations such as sign to sign a key or passwd to change your passphrase.
--sign-key name	Signs a public key with your private key. Same as sign in --edit-key.
--delete-key name	Removes a public key from the public keyring.
--delete-secret-key name	Removes private and public keys from both the secret and public keyrings.
--gen-revoke	Generates a revocation certificate for your own key.
--export [names]	Exports a specified key from your keyring. With no arguments, exports all keys.
--send-keys [names]	Exports and sends specified keys to a keyserver. The option -keyserver must be used to give the name of this keyserver.
--import [files]	Imports keys contained in files into your public keyring.
GPG Options	Description
-a, --armor	Creates ASCII armored output, ASCII version of encrypted data.
-o, --output file	Writes output to a specified file.

Table 16-2 GPG Commands and Options (continued)

GPG Options	Description
--default-key name	Specifies the default private key to use for signatures.
--keyserver site	The keyserver to look up public keys not on your keyring. Can also specify the site to send your public key to. host -l pgp.net | grep www.keys will list the keyservers.
-r, --recipient names	Encrypts data for the specified user, using that user's public key.
--default-recipient names	Specifies the default recipient to use for encrypting data.

Table 16-2 GPG Commands and Options

Table 16-2 GPG Commands and Options elements create a key for the user richlp with the comment "author" and the e-mail address [email protected]:

Richard Petersen (author) <[email protected]>

You can use any unique part of a key's identity to reference that key. For example, the string "Richard" would reference the preceding key, provided there are no other keys that have the string "Richard" in them. The string "richlp" would also reference the key, as would "author". Where a string matches more than one key, all the matched ones would be referenced.

Protecting Your Key

The gpg program will then ask you to enter a passphrase, which is used to protect your private key. Be sure to use a real phrase, including spaces, not just a password. gpg then generates your public and private keys and places them in the .gnupg directory. The private keys are kept in a file called secring.gpg in your .gnupg directory. The public key is placed in the pubring.gpg file, to which you can add the public keys of other users. You can list these keys with the - -list-keys command.

In case you later need to change your keys, you can create a revocation certificate to notify others that the public key is no longer valid. For example, if you forget your password or someone else discovers it, you can use the revocation certificate to tell others that your public key should no longer be used. In the next example, the user creates a revocation certificate for the key richlp and places it in the file myrevoke.asc:

$ gpg --output myrevoke.asc --gen-revoke richlp

Making Your Public Key Available

For other users to decrypt your messages, you have to make your public key available to them. They, in turn, have to send you their public keys so that you can decrypt any messages you receive from them. In effect, enabling encrypted communications between users involves all of them exchanging their public keys. The public keys then have to be verified and signed by each user that receives them. The public keys can then be trusted to safely decrypt messages.

If you are sending messages to just a few users, you can manually e-mail them your public key. For general public use, you can post your public key on a keyserver, which anyone can then download and use to decrypt any message they receive from you. A keyserver can be accessed using e-mail, LDAP, or the HTTP Horwitz Keyserver Protocol (HKP). The OpenPGP Public Keyserver project is located at pks.sourceforge.net. Several public keyservers are available. hkp://subkeys.pgp.net is listed in your .gnupg/gpg.conf file, though commented out. You can send directly to the keyserver with the -keyserver option and --send-key command. The - -send-key command takes as its argument your e-mail address. You need to send to only one keyserver, as it will share your key with other keyservers automatically.

gpg --keyserver search.keyserver.net --send-key [email protected]

If you want to send your key directly to another user, you should generate an armored text version of the key that you can then e-mail. You do this with the - -armor and - -export options, using the - -output option to specify a file to place the key in. The - -armor option will generate an ASCII text version of the encrypted file so that it can be e-mailed directly, instead of as an attached binary. Files that hold an ASCII-encoded version of the encryption normally have the extension .asc, by convention. Binary encrypted files normally use the extension .gpg. You can then e-mail the file to users to whom you want to send encrypted messages.

# gpg --armor --export [email protected] --output richlp.asc

# mail -s 'mypubkey' [email protected] < richlp.asc

gpg --import georgekey.asc

All Linux distribution sites have their own public keys available for download. You should, for example, download the Red Hat public key, which can be accessed from the Red Hat site on its security resources page (www.redhat.com). Click the Public Encryption Key link. From there, you can access a page that displays just the public key. You can save this page as a file and use that file to import the Red Hat public key to your keyring. (Your Red Hat distribution also places the Red Hat public key in the /usr/share/doc/rpm4-1 directory with versions for both GPG and PGP encryption, RPM-GPG-KEY and RPM-PGP-KEY

Many companies and institutions post their public key files on their Web sites, where they can be downloaded and used to verify encrypted software downloads or official announcements.

NOTE Some commands and options for GPG have both long and short forms. For example, the

--armor command can be written as -a, - -output as -o, - -sign as -s, and - -encrypt as -e. Most others, like - -export, have no short form.

Obtaining Public Keys

To decode messages from other users, you will need to have their public keys. Either they can send them to you or you can download them from a keyserver. Save the message or Web page containing the public key to a file. You will then need to import, verify, and sign the key. Use the file you received to import the public key to your pubring file. In the following example, the user imports George's public key, which he has received as the file georgekey.asc.

files.) In the following example, the user saved the page showing just the Red Hat public key as myredhat.asc, and then imported that file:

gpg --import myredhat.asc

NOTE You can remove any key, including your own private key, with the --delete-key and --delete-secret-key commands.

Validating Keys

To manually check that a public key file was not modified in transit, you can check its fingerprint. This is a hash value generated from the contents of the key, much like a modification digest. Using the - -fingerprint option, you can generate a hash value from the key you installed, and then contact the sender and ask them what the hash value should really be. If they are not the same, you know the key was tampered with in transit.

gpg --fingerprint [email protected]

You do not have to check the fingerprint to have gpg operate. This is just an advisable precaution you can perform on your own. The point is that you need to be confident that the key you received is valid. Normally you can accept most keys from public servers or known sites as valid, though it is easy to check their posted fingerprints. Once assured of the key's validity, you can then sign it with your private key. Signing a key notifies gpg that you officially accept the key.

To sign a key, you use the gpg command with the - -sign-key command and the key's name.

gpg --sign-key [email protected]

Alternatively, you can edit the key with the --edit-key command to start an interactive session in which you can enter the command sign to sign the key and save to save the change. Signing a key involves accessing your private key, so you will be prompted for your passphrase. When you are finished, leave the interactive session with the quit command.

Normally, you would want to post a version of your public key that has been signed by one or more users. You can do the same for other users. Signing a public key provides a way to vouch for the validity of a key. It indicates that someone has already checked it out. Many different users could sign the same public key. For a key that you have received from another user, and that you have verified, you can sign the key, generate a file containing the signed public version, and return the signed version to that user. This process builds a Web of Trust, where many users vouch for the validity of public keys.

gpg -a --export [email protected] --output georgesig.asc

The user would then import the signed key and export it to a keyserver.

TIP If you want to start over from scratch, you can just erase your .gnupg directory, though this is a drastic measure, as you will lose any keys you have collected.

Using GnuPG

GnuPG encryption is currently supported by most mail clients, including Kmail, Thunderbird, and Evolution. You can also use the GNU Privacy Assistant (GPA), a GUI front end, to manage GPG tasks, or you can use the gpg command to manually encode and decode messages, including digital signatures, if you wish. As you perform GPG tasks, you will need to reference the keys you have using their key names. Bear in mind that you only need a unique identifying substring to select the key you want. GPG performs a pattern search on the string you specify as the key name in any given command. If the string matches more than one key, all those matching values will be selected. In the following example, the "Sendmail" string selects matches on the identities of two keys.

# gpg --list-keys "Sendmail" pub 1024R/CC374F2D 2000-12-14

Sendmail Signing Key/2001 <[email protected]> pub 1024R/E35C5635 1999-12-13

Sendmail Signing Key/2000 <[email protected]>

NOTE You can use gpgsplit to split a GPG message into its components in order to examine them separately.

Decrypting Messages

When the other user receives the file, they can save it to a file named something like myfile.asc and then decode the file with the -d option. The -o option will specify a file to save the decoded version in. GPG will automatically determine if it is a binary file or an ASCII armored version.

Encrypting Messages

The gpg command provides several options for managing secure messages. The e option encrypts messages, the a option generates an armored text version, and the s option adds a digital signature. You will need to specify the recipient's public key, which you should already have imported into your pubring file. It is this key that is used to encrypt the message. The recipient will then be able to decode the message with their private key. Use the - -recipient or -r option to specify the name of the recipient key. You can use any unique substring in the user's public key name. The e-mail address usually suffices. You use the d option to decode received messages. In the following example, the user encrypts (e) and signs (s) a file generated in armored text format (a). The -r option indicates the recipient for the message (whose public key is used to encrypt the message).

gpg e -s -a -o myfile.asc -r [email protected] myfile # mail [email protected] < myrile.asc

You can leave out the ASCII armor option if you want to send or transfer the file as a binary attachment. Without the - -armor or - a option, gpg generates an encoded binary file, not an encoded text file. A binary file can be transmitted through e-mail only as an attachment. As noted previously, ASCII armored versions usually have an extension of .asc, whereas binary versions use .gpg.

gpg -d -o myfile.txt myfile.asc

To check the digital signature of the file, you use the gpg command with the - -verify option. This assumes that the sender has signed the file.

$ gpg --verify myfile.asc

Decrypting a Digital Signature

You will need to have the signer's public key to decode and check the digital signature. If you do not, you will receive a message saying that the public key was not found. In this case, you will first have to obtain the signer's public key. You could access a keyserver that you think may have the public key, or request the public key directly from a Web site or from the signer. Then import the key as described previously.

Signing Messages

You do not have to encrypt a file to sign it. A digital signature is a separate component. You can either combine the signature with a given file or generate one separately. To combine a signature with a file, you generate a new version that incorporates both. Use the - -sign or -s option to generate a version of the document that includes the digital signature. In the following example, the mydoc file is digitally signed with the mydoc.gpg file containing both the original file and the signature.

If, instead, you want to just generate a separate signature file, you use the --detach-sig command. This has the advantage of not having to generate a complete copy of the original file. That file remains untouched. The signature file usually has an extension like .sig. In the following example, the user creates a signature file called mydoc2.sig for the mydoc2 file.

$ gpg -o mydoc2.sig --detach-sig mydoc2

To verify the file using a detached signature, the recipient user specifies both the signature file and the original file.

$ gpg --verify mydoc2.sig mydoc2

To verify a trusted signature you can use gpgv.

You could also generate a clear sign signature to be used in text files. A clear sign signature is a text version of the signature that can be attached to a text file. The text file can be further edited by any text editor. Use the --clearsign option to create a clear sign signature. The following example creates a clear signed version of a text file called mynotice.txt.

$ gpg -o mysignotice.txt --clearsign mynotice.txt

NOTE Numerous GUI front ends and filters are available for GnuPG at www.gnupg.org. GPA (GNU Privacy Assistant) provides a GNOME-based front end to easily encrypt and decrypt files. You can select files to encode, choose the recipients (public keys to use), and add a digital signature if you wish. You can also use GPA to decode encoded files you receive. You can also manage your collection of public keys—the keys in your keyring file.

TIP Steganography is a form of encryption that hides data in other kinds of objects, such as images. You can use JPEG Hide and Seek software (JPHS) to encode and retrieve data in a JPEG image (jphide and jpseek). See linux01.gwdg.de/~alatham/stego.html for more details.

Continue reading here: SELinux Management Tools

Was this article helpful?

0 0