GnuPG : A wonderful security tool

Talking about security is a fad and I don’t like those fellows who hyped it.A system is as secure as one made it.It require constant vigilance to maintain that level.In this article I am going to share my own experience with GnuPG in very precise and compact manner. I will not be able to reveal all the information about it, as you can understand it is not desirable regarding this matter.

What is GnuPG?? In one term it is a GNU version of OpenPGP written by Phil Zimmerman way back in 1991.You might have encounter it everyday if you are working with some corporate.Because the device (laptops specifically) they provide to work are PGP encrypted.And every time you need to work on those device you got to enter the passphrase to unlock it,because data is valuable to business corporates.Now if you are not statisfied the information I gave just now then you might look in here for more details information.

I shall show you the impelementation of GnuPG on Gentoo,but it can be used on any distribution.If the native os repositories doesn’t have it,then get the tarball and install it as you do for many software.

Ok,here we go..first we need to install the software into the system.On Gentoo it is in the repositories,so I will emerge it first:

bhaskar@bhaskar-laptop_06:55:03_Fri Sep 03:~> sudo emerge -av gnupg
Password:

These are the packages that would be merged, in order:

Calculating dependencies… done!
[ebuild   R   ] app-crypt/gnupg-2.0.16-r1  USE=”bzip2 ldap nls -adns -caps -doc -openct -pcsc-lite (-selinux) -smartcard -static” 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No]

See I have it already ..so what’s the point to get once more.I choose N or no to this prompt.If you don’t have you might say yes.

A little bit more info when did get it into my system..lets check out:

bhaskar@bhaskar-laptop_07:15:24_Fri Sep 03:~> sudo genlop -t gnupg
* app-crypt/gnupg

Mon Jan  4 17:04:45 2010 >>> app-crypt/gnupg-2.0.11
merge time: 1 minute and 57 seconds.

Thu Feb  4 21:40:53 2010 >>> app-crypt/gnupg-2.0.14
merge time: 7 minutes and 14 seconds.

Wed Jun 30 13:15:26 2010 >>> app-crypt/gnupg-2.0.15
merge time: 2 minutes and 12 seconds.

Thu Aug 19 08:08:52 2010 >>> app-crypt/gnupg-2.0.16-r1
merge time: 2 minutes and 9 seconds.

So many entries because of updates.Now move on. Lets find files deflated into the system because of this software installation.

bhaskar@bhaskar-laptop_07:18:16_Fri Sep 03:~> sudo qlist -a gnupg
/usr/share/doc/gnupg-2.0.16-r1/DETAILS.bz2
/usr/share/doc/gnupg-2.0.16-r1/FAQ.bz2
/usr/share/doc/gnupg-2.0.16-r1/THANKS.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.id.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.el.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/TODO.bz2
/usr/share/doc/gnupg-2.0.16-r1/README.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.es.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.gl.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.zh_TW.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.fr.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.pt_BR.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.et.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.be.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.tr.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.de.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.sv.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.da.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/NEWS.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.hu.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.cs.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.zh_CN.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.pt.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/TRANSLATE.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.pl.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.ro.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.ru.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.nb.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/HACKING.bz2
/usr/share/doc/gnupg-2.0.16-r1/VERSION.bz2
/usr/share/doc/gnupg-2.0.16-r1/examples/gpgconf.conf.bz2
/usr/share/doc/gnupg-2.0.16-r1/examples/trustlist.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/examples/scd-event.bz2
/usr/share/doc/gnupg-2.0.16-r1/examples/README.bz2
/usr/share/doc/gnupg-2.0.16-r1/examples/pwpattern.list.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.it.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/faq.html
/usr/share/doc/gnupg-2.0.16-r1/help.fi.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/KEYSERVER.bz2
/usr/share/doc/gnupg-2.0.16-r1/OpenPGP.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.sk.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/ChangeLog.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.ja.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.ca.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.eo.txt.bz2
/usr/share/doc/gnupg-2.0.16-r1/help.txt.bz2
/usr/share/man/man1/gpg-connect-agent.1.bz2
/usr/share/man/man1/gpgsm.1.bz2
/usr/share/man/man1/gpg.1.bz2
/usr/share/man/man1/watchgnupg.1.bz2
/usr/share/man/man1/gpgv.1.bz2
/usr/share/man/man1/gpg-preset-passphrase.1.bz2
/usr/share/man/man1/gpg2.1.bz2
/usr/share/man/man1/gpg-zip.1.bz2
/usr/share/man/man1/gpgparsemail.1.bz2
/usr/share/man/man1/gpg-agent.1.bz2
/usr/share/man/man1/scdaemon.1.bz2
/usr/share/man/man1/gpgv2.1.bz2
/usr/share/man/man1/gpgsm-gencert.sh.1.bz2
/usr/share/man/man1/symcryptrun.1.bz2
/usr/share/man/man1/gpgconf.1.bz2
/usr/share/man/man8/addgnupghome.8.bz2
/usr/share/man/man8/applygnupgdefaults.8.bz2
/usr/share/locale/zh_CN/LC_MESSAGES/gnupg2.mo
/usr/share/locale/ja/LC_MESSAGES/gnupg2.mo
/usr/share/locale/sv/LC_MESSAGES/gnupg2.mo
/usr/share/locale/ro/LC_MESSAGES/gnupg2.mo
/usr/share/locale/id/LC_MESSAGES/gnupg2.mo
/usr/share/locale/fi/LC_MESSAGES/gnupg2.mo
/usr/share/locale/ca/LC_MESSAGES/gnupg2.mo
/usr/share/locale/zh_TW/LC_MESSAGES/gnupg2.mo
/usr/share/locale/de/LC_MESSAGES/gnupg2.mo
/usr/share/locale/pt/LC_MESSAGES/gnupg2.mo
/usr/share/locale/es/LC_MESSAGES/gnupg2.mo
/usr/share/locale/cs/LC_MESSAGES/gnupg2.mo
/usr/share/locale/eo/LC_MESSAGES/gnupg2.mo
/usr/share/locale/el/LC_MESSAGES/gnupg2.mo
/usr/share/locale/sk/LC_MESSAGES/gnupg2.mo
/usr/share/locale/nb/LC_MESSAGES/gnupg2.mo
/usr/share/locale/hu/LC_MESSAGES/gnupg2.mo
/usr/share/locale/en@boldquot/LC_MESSAGES/gnupg2.mo
/usr/share/locale/it/LC_MESSAGES/gnupg2.mo
/usr/share/locale/be/LC_MESSAGES/gnupg2.mo
/usr/share/locale/gl/LC_MESSAGES/gnupg2.mo
/usr/share/locale/pt_BR/LC_MESSAGES/gnupg2.mo
/usr/share/locale/da/LC_MESSAGES/gnupg2.mo
/usr/share/locale/fr/LC_MESSAGES/gnupg2.mo
/usr/share/locale/tr/LC_MESSAGES/gnupg2.mo
/usr/share/locale/et/LC_MESSAGES/gnupg2.mo
/usr/share/locale/ru/LC_MESSAGES/gnupg2.mo
/usr/share/locale/en@quot/LC_MESSAGES/gnupg2.mo
/usr/share/locale/pl/LC_MESSAGES/gnupg2.mo
/usr/share/gnupg/com-certs.pem
/usr/share/gnupg/qualified.txt
/usr/share/gnupg/gpg-conf.skel
/usr/share/info/gnupg.info-1.bz2
/usr/share/info/gnupg.info-2.bz2
/usr/share/info/gnupg.info.bz2
/usr/bin/gpg
/usr/bin/gpgparsemail
/usr/bin/kbxutil
/usr/bin/gpgv
/usr/bin/gpg-connect-agent
/usr/bin/gpgconf
/usr/bin/symcryptrun
/usr/bin/gpg2
/usr/bin/gpg-agent
/usr/bin/watchgnupg
/usr/bin/gpgsm-gencert.sh
/usr/bin/gpgv2
/usr/bin/gpgkey2ssh
/usr/bin/gpgsm
/usr/libexec/gpgkeys_hkp
/usr/libexec/gpgkeys_curl
/usr/libexec/gpg2keys_hkp
/usr/libexec/gpg2keys_finger
/usr/libexec/gpg-protect-tool
/usr/libexec/gpgkeys_finger
/usr/libexec/gpg2keys_curl
/usr/libexec/gpg-check-pattern
/usr/libexec/gpg-preset-passphrase
/usr/libexec/gpg2keys_ldap
/usr/libexec/gpgkeys_ldap
/usr/sbin/applygnupgdefaults
/usr/sbin/addgnupghome

We need to generate the keys to operate on..so create it..

bhaskar@bhaskar-laptop_07:18:29_Fri Sep 03:~> gpg -gen-key

The above command will generate the keys and it will ask you for the passphrase ,which will be glue with it.A new key-pair is created (key pair: secret and public key). The first question is which algorithm can be used. The next question is key length. This is something that is very user dependent. You need to choose between security and calculating time. If a key is longer the risk for cracking the message when intercepted decreases. But with a larger key calculation time also increases. If computing time is an issue you still should consider that you want to use the key for sometime. We all know that arithmetic performance increases very quickly, since new processors are getting quicker and quicker. So keep this in mind. The minimal key length GnuPG demands is 768 bits. However some people say you should have at a key-size of 2048 bits (which is also really a maximum with GnuPG at this moment). For DSA 1024 is a standard size. When security is a top priority and performance is less an issue you ought to pick the largest key-size available.

The system now asks to enter names, comment and e-mail address. Based upon the entries here the code is calculated. You can change these settings later.

Finally you have to enter a password (actually passphrase would be more appropriate, since blanks are allowed). This password is used to be able to use the functionality which belongs to your secret key. A good passphrase contains the following elements:

· it is long,

· it has special (non alphanumeric) characters,

· it is something special (not a name),

· it is very hard to guess (so NOT names, birth dates, phone numbers, number of a credit card/checking account, names and number of children, …)

During the period of generation of keys you should some disk activity or keep the system busy with some activity to generate more randomness in the key.But you SHOULD NOT FORGET YOUR KEYS,if you do all will be meaningless.

So I have my public key and I am going to reveal it,but you must not disclose the private key it generate publically.Here we go:

bhaskar@bhaskar-laptop_07:18:29_Fri Sep 03:~> gpg –list-keys
/home/bhaskar/.gnupg/pubring.gpg
——————————–
pub   1024D/BC367BF7 2009-11-29
uid                  Bhaskar Chowdhury <unixbhaskar@gmail.com>
sub   1024g/489147E2 2009-11-29

So you can see where it resides too..I mean which directory it store the public key. Right.

Exporting keys

Now the time has comes to broaden your horizon by exporting it to a public key server.How do you do that? Follow this:

bhaskar@bhaskar-laptop_07:28:00_Fri Sep 03:~> gpg –export Bhaskar Chowdhury

that’s all you need to do distribute your public key. Now I will show you my credential of public key in one of key server like below:

Please insert your user id you created earlier,as I going to enter mine now on this site where I have uploded my public key. Look below for my public key:

Now if you click on the download button you can get my public id.So If I encrypt something with my private id and you have my public id you can view it.

Lets go back to some basic by showing some tricks:

bhaskar@bhaskar-laptop_07:59:18_Fri Sep 03:~> gpg –list-public-keys
/home/bhaskar/.gnupg/pubring.gpg
——————————–
pub   1024D/BC367BF7 2009-11-29
uid                  Bhaskar Chowdhury <unixbhaskar@gmail.com>
sub   1024g/489147E2 2009-11-29

Importing keys

When you received someone’s public key (or several public keys) you have to add them to your key database in order to be able to use them. To import into the database the command looks like this:

bhaskar@bhaskar-laptop_08:21:23_Fri Sep 03:~> ggp –import othersPublicKeys

If you don’t mention the file name then it will take from the stdin.

Revoke a key

bhaskar@bhaskar-laptop_08:21:23_Fri Sep 03:~> gpg –gen-revoke

For several reasons you may want to revoke an existing key. For instance: the secret key has been stolen or became available to the wrong people, the UID has been changed, the key is not large enough anymore, etc. This has one disadvantage. If I do not know the passphrase the key has become useless. But I cannot revoke the key! To overcome this problem it is wise to create a revoke license when you create a key pair. And if you do so, keep it safe! This can be on disk, paper, etc. Make sure that this certificate will not fall into wrong hands!!!! If you don’t someone else can issue the revoke certificate for your key and make it useless.

Key signing

This is the authenticity of public keys. If you have a wrong public key you can say bye bye to the value of your encryption. To overcome such risks there is a possibility of signing keys. In that case you place your signature over the key, so that you are absolutely positive that this key is valid. This leads to the situation where the signature acknowledges that the user ID mentioned in the key is actually the owner of that key. With that reassurance you can start encrypting.

Using the gpg –edit-key UID command for the key that needs to be signed you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic !!!. So if you are positive you got the key yourself (like on a key signing party) or you got the key through other means and checked it (for instance by phone) using the fingerprint-mechanism. You should never sign a key based on any assumption.

Based on the available signatures and “ownertrusts” GnuPG determines the validity of keys. Ownertrust is a value that the owner of a key uses to determine the level of trust for a certain key. The values are

– 1 = Don’t know – 2 = I do NOT trust – 3 = I trust marginally – 4 = I trust fully

If the user does not trust a signature it can say so and thus disregard the signature. Trust information is not stored in the same file as the keys, but in a separate file.

How to see the signature of the created key? One should sign the key when they create it to keep the sanity with it.Here is my key sign:

bhaskar@bhaskar-laptop_08:21:23_Fri Sep 03:~> gpg –list-sigs
/home/bhaskar/.gnupg/pubring.gpg
——————————–
pub   1024D/BC367BF7 2009-11-29
uid                  Bhaskar Chowdhury <unixbhaskar@gmail.com>
sig 3        BC367BF7 2009-11-29  Bhaskar Chowdhury <unixbhaskar@gmail.com>
sub   1024g/489147E2 2009-11-29
sig          BC367BF7 2009-11-29  Bhaskar Chowdhury <unixbhaskar@gmail.com>

Encryption and Decryption through GnuPG:

Say you want to encrypt a file then how do you do that? Here is way to do it:

let me create a file called testpg…

bhaskar@bhaskar-laptop_08:37:12_Fri Sep 03:~> echo “This a test for GnuPG” >> testpg

Encrypt it by gpg:
bhaskar@bhaskar-laptop_08:38:06_Fri Sep 03:~> gpg –encrypt testpg
You did not specify a user ID. (you may use “-r”)

Current recipients:

Enter the user ID.  End with an empty line: Bhaskar Chowdhury

Current recipients:
1024g/489147E2 2009-11-29 “Bhaskar Chowdhury <unixbhaskar@gmail.com>”

Enter the user ID.  End with an empty line:

So I did it with the “–encrypt” option. And created file saved with “.gpg” extension ..look below
bhaskar@bhaskar-laptop_08:38:28_Fri Sep 03:~> ls
303706970325_7.pdf  Documents  RealPlayer  febe googleearth libflashplayer.so  lsap_tux2.png  sys_info    thunderbird-error A_Ducks_Claw  Downloads  SiteDelta   ff_database_optimize  gtop-www.jpg    ls   puppet-dashboard  testpg      Desktop  Gmail  calibre google-earth  kernel_map_files  lsap_tux.png  start-here.jpg    testpg.gpg

So that file is encrypted. Now how do you decrypt it? Here is ordinary way of doing it:

bhaskar@bhaskar-laptop_08:38:30_Fri Sep 03:~> gpg –decrypt testpg.gpg

You need a passphrase to unlock the secret key for
user: “Bhaskar Chowdhury <unixbhaskar@gmail.com>”
1024-bit ELG key, ID 489147E2, created 2009-11-29 (main key ID BC367BF7)

gpg: encrypted with 1024-bit ELG key, ID 489147E2, created 2009-11-29
“Bhaskar Chowdhury <unixbhaskar@gmail.com>”
This a test for GnuPG

It will ask me to enter my passphrase to decrypt it..so I did and file content is displayed!!! Cool right!!

GnuPG with Thunderbird:

I have been using GnuPG with Thunderbird for quite some time now.What you have to do is get a add-on called Enigmail from the Mozilla site to install with it,which essentially provide the way to integrate with this mail client.As I have it from OS repository of Gentoo:

bhaskar@bhaskar-laptop_09:02:51_Fri Sep 03:~> sudo genlop -t enigmail
* x11-plugins/enigmail

Sat Nov 28 14:04:46 2009 >>> x11-plugins/enigmail-0.95.7-r5
merge time: 12 minutes and 16 seconds.

Sat Nov 28 17:00:14 2009 >>> x11-plugins/enigmail-0.95.7-r5
merge time: 3 minutes and 53 seconds.

Mon Mar  8 11:31:41 2010 >>> x11-plugins/enigmail-1.0.1-r1
merge time: 26 minutes and 57 seconds.

Fri Apr 16 14:08:07 2010 >>> x11-plugins/enigmail-1.0.1-r3
merge time: 6 minutes and 7 seconds.

Tue Aug  3 17:36:32 2010 >>> x11-plugins/enigmail-1.1.2-r1
merge time: 18 minutes and 41 seconds.

Sun Aug  8 08:33:28 2010 >>> x11-plugins/enigmail-1.1.2-r1
merge time: 6 minutes and 31 seconds.

Tue Aug 10 09:29:38 2010 >>> x11-plugins/enigmail-1.1.2-r1
merge time: 6 minutes and 49 seconds.

Once that is installed and the key in place it just a matter of selection in the thunderbird security tab of account setting.

GnuPG come with hell lot of options,yes quite intimidating one for the man page.But please glean over the man page of it to learn more.

In this article I have asuumed many thing about the reader that,they are well versed with the encryption technique or rather know how they work. Whatever the distro the basic underlying fact is the same.So embrace yourself with the knowledge that matters.

Hope this will help.

Cheers!

Bhaskar

About unixbhaskar
GNU/Linux Consultant

One Response to GnuPG : A wonderful security tool

  1. Pingback: Links 4/9/2010: ‘Amnesia: The Dark Descent’ as GNU/Linux Demo, WeTab Runs MeeGo | Techrights

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: