Encryption with gpg

From blag.wiki.aktivix.org

INTRO

GnuPG (gpg) is a free, robust and highly configurable encryption system for documents and email. Use it to encrypt, decrypt and sign data, including email. It comes as a standard package with all of the BLAG distros. Here follows a brief guide to setting up GnuPG on your box and configuring Thunderbird to work with it.

BACKGROUND AND PREPARATION

GnuPG should already be installed on your machine as it comes with BLAG. It is recommended to update all packages and the system first. Go GUI with synaptic or go command line.

step 1. Update all packages on the system (update only refreshes the package index; upgrade installs the newer versions)

apt-get update && apt-get upgrade

step 2. Check the package version

gpg --version

CONFIGURATION

step 3. Create a directory for gpg. gpg normally creates ~/.gnupg itself on first run, but some package versions have been reported not to (others have highlighted this; google it if you need to). Creating the directory yourself, readable only by you, overcomes the bug and avoids gpg's "unsafe permissions" warning:

mkdir -m 700 ~/.gnupg

This next step is only needed if the directory was created as root (for example by running the above through sudo): give your regular user ownership of the new directory and make sure nobody else can read it.

sudo chown -vR [regular user]:[regular user] /home/[regular user]/.gnupg
chmod 700 /home/[regular user]/.gnupg

GENERATE A 2048 BIT GPG KEY

gpg --gen-key

step 4. Select what kind of key you want. With the GnuPG 1.2 release used here the default is 1, "DSA and ElGamal", which gives a 1024-bit DSA signing key plus an ElGamal encryption subkey; go for that if you are following along with this version. Current GnuPG releases default to "RSA and RSA" instead, and 1024-bit DSA is no longer considered adequate, so on a newer install take the RSA default.

step 5. Select the keypair size. The default is 1024 bits; go for 2048. With the DSA and ElGamal choice this size applies to the ElGamal encryption subkey (the DSA signing key stays at 1024 bits), which is why the listings below show 1024D and 2048g.

step 6. Select the validity of the key. This specifies the shelf life of the key. Best go for a few years: the expiry date can be extended later with gpg --edit-key, so it is a safer choice than 0 (a key that never expires), which lingers on keyservers forever if you ever lose both the secret key and the revocation certificate.

step 7. Specify a user ID. Enter your real name and email address when asked. A comment field is optional.

step 8. Confirmation of key creation. The key generation can be cancelled or okayed to continue.

step 9. Passphrase creation. Use a sensible passphrase: it is the only thing protecting the secret key file on disk. If you can't think of one quickly, the package apg generates random passwords; just run apg at the command line and use one of the words it prints as the new passphrase.

step 10. ENTROPY, make some chaos! The key is built from a large number of random bytes. The kernel gathers randomness from the state of the machine: the timing of hard disk activity, keyboard and mouse input, and so on. In short, the pool fills faster with hard disk and user activity, so get the machine busy while gpg waits. Moving the mouse is recommended but tedious. Activate the hard disk while the random numbers are being generated with:

ls -lR /

or

du -h /

The former lists every file on the machine and the latter shows disk space usage per directory. Both walk the entire disk in use and should keep the machine busy enough to make the random bits for the new key that you are generating. If gpg prints "Not enough random bytes available" it is simply waiting for the pool to fill; on a modern kernel this is rarely a problem.

KEY CREATION

The key creation takes under 2 minutes on a 700MHz Pentium III laptop. Expect to see output like this

gpg: /home/jayeola/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/4AA7335C 2005-05-01 John Julius Maclean <info@jayeola.org>
     Key fingerprint = A4B0 01C4 7839 0ED1 E86E  6F92 80E6 0CD5 4AA7 335C
sub  2048g/A1255057 2005-05-01

The format of the pub line is

pub  keysize+algorithm/keyID date-key-created your name <email address>

where the letter after the size is the algorithm (D for DSA, g for ElGamal, R for RSA) and the eight hex digits after the slash are the short key ID, which is just the last 32 bits of the fingerprint printed on the next line. Give people the full fingerprint, not the short ID, when you want them to verify your key: 32 bits is short enough that a different key with the same short ID can be manufactured.


KEY REVOCATION

What happens if you lose your key, or it gets compromised? Revocation involves creating a certificate which tells those who know you and your existing key not to use it in future. Note what revocation does not do: messages and emails already encrypted to the lost or compromised key can still be read by anyone who holds the secret key, and revoking cannot take them back.

step 11. Create a revocation certificate

gpg --output revoke.asc --gen-revoke -a 'John Maclean'

You will then be asked why you are creating the certificate. Choose 0 (no reason specified) as the key has just been created and has not been lost or compromised. An additional comment field is optional and is used for a description of the certificate. Confirm the certificate to continue and enter your newly created passphrase.

step 12. Hide the certificate! Anyone who gets hold of revoke.asc can revoke your key simply by importing it and sending it to a keyserver, so keep it away from your secret keyring. GnuPG recommends that it is printed and stored in a safe place.

step 13. List the new key. The new key and revocation certificate have been created. But where is the key on the disk?

gpg --list-keys

Expect to see output like

/home/jayeola/.gnupg/pubring.gpg
--------------------------------
pub  1024D/A4889F62 2005-05-01 John Maclean <info@jayeola.org>
sub  2048g/F771D443 2005-05-01
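The whole of steps 3 to 13 done without the interactive prompts, as an added example that is not part of the original page: it uses GnuPG's own batch parameter file (documented in the GnuPG manual under unattended key generation), and the name, email, passphrase and script name are placeholders. It also includes a check that the short key ID in a listing like the one above really is the last eight hex digits of the fingerprint, which is why correspondents should compare full fingerprints rather than short IDs. The sample listing in the script is constructed from the KEY CREATION output above plus one deliberately wrong entry:

```shell
#!/bin/sh
# Added example (not from the BLAG wiki page): steps 3 to 13 driven
# non-interactively, plus a fingerprint/key-ID consistency check.
# Name, email, passphrase and file names below are placeholders.
set -eu

# Equivalent of answering the gpg --gen-key prompts (steps 4 to 9) from a
# batch parameter file. Assumed choices: RSA primary key plus RSA encryption
# subkey of $3 bits (default 2048) and two-year validity (extendable later).
write_gen_params() {
    name=$1; email=$2; bits=${3:-2048}; passphrase=$4
    cat <<EOF
%echo Generating key for $email
Key-Type: RSA
Key-Length: $bits
Subkey-Type: RSA
Subkey-Length: $bits
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
Passphrase: $passphrase
%commit
%echo done
EOF
}

# The eight hex digits after the slash in "pub  1024D/4AA7335C ..." are the
# short key ID: the last 32 bits of the fingerprint. That is small enough
# for collisions to be manufactured, so always verify the full fingerprint.
keyid_from_fingerprint() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8
}

# Check a GnuPG 1.x style "gpg --fingerprint" listing: for each pub line,
# compare its key ID with the tail of the "Key fingerprint =" line that
# follows it. Prints "ok <keyid>" or "MISMATCH <keyid>" per key.
check_listing() {
    awk '
        /^pub / { split($2, a, "/"); keyid = a[2] }
        /Key fingerprint =/ {
            fpr = ""
            for (i = 4; i <= NF; i++) fpr = fpr $i
            short = substr(fpr, length(fpr) - 7)
            status = (short == keyid) ? "ok" : "MISMATCH"
            print status " " keyid
        }'
}

# Constructed sample: the listing from the KEY CREATION section, followed by
# an entry whose key ID was altered on purpose to show what a mismatch looks like.
SAMPLE_LISTING='pub  1024D/4AA7335C 2005-05-01 John Julius Maclean <info@jayeola.org>
     Key fingerprint = A4B0 01C4 7839 0ED1 E86E  6F92 80E6 0CD5 4AA7 335C
sub  2048g/A1255057 2005-05-01
pub  1024D/DEADBEEF 2005-05-01 Bogus Entry <bogus@example.org>
     Key fingerprint = A4B0 01C4 7839 0ED1 E86E  6F92 80E6 0CD5 4AA7 335C'

printf '%s\n' "$SAMPLE_LISTING" | check_listing

# Live run, opt-in via RUN_GPG_DEMO=1 and only if gpg is installed: a
# throwaway GNUPGHOME with the 0700 permissions gpg wants (step 3),
# unattended generation, then the listing of step 13. Needs GnuPG 2.2 or
# later for Passphrase: to be honoured in batch mode.
if [ "${RUN_GPG_DEMO:-0}" = 1 ] && command -v gpg >/dev/null 2>&1; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    write_gen_params "Example User" "user@example.org" 2048 "use a real passphrase" \
        > "$GNUPGHOME/params"
    if gpg --batch --gen-key "$GNUPGHOME/params" 2>/dev/null; then
        gpg --list-keys --keyid-format long --fingerprint
        # GnuPG 2.1+ also writes a revocation certificate here automatically;
        # older versions need the interactive --gen-revoke of step 11.
        ls "$GNUPGHOME/openpgp-revocs.d" 2>/dev/null || true
    else
        echo "unattended key generation failed (old GnuPG or no entropy?)"
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
fi
```

Without RUN_GPG_DEMO set the script only runs the listing check, printing "ok 4AA7335C" for the genuine entry and "MISMATCH DEADBEEF" for the doctored one; with RUN_GPG_DEMO=1 it creates a key in a temporary GNUPGHOME that is deleted afterwards, so nothing touches your real ~/.gnupg.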

EXPORTING THE KEY

gpg --armor --export info@jayeola.org

PUBLISH KEYS TO A KEYSERVER

How do you tell people that you have created a key and it is ready for use? Publish it to a keyserver. The keyserver used below, wwwkeys.pgp.net, may no longer be operating; keys.openpgp.org is a currently maintained alternative, and any keyserver will do as long as the people you correspond with use it too. Remember that a key published to a keyserver cannot be deleted, only revoked, so check the user ID and email address before sending.

jayeola@19:21:26$ gpg --send-keys --keyserver wwwkeys.pgp.net 8FB109FF

You should be greeted with

gpg: success sending to `wwwkeys.pgp.net' (status=200)

The ASCII-armoured public key produced by the export command above (and now held by the keyserver) looks like this; the middle of the block has been cut out here:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)

mQGiBEJ0yc0RBAD/AFXsRFRJwD4ENiqCQQzGVgBi6Z+HZ6N/K5WpnCeb4z5OlZAf
8YdZVEgwooZ5UnDCq3JDZoKMoKG2yqAxLYiqt0COua0OHHmMLOWLbNGdCxazcGAu
egQHwOXJYLv7xSRAbWE81X8o3dSHVKh7QhO7g63ibgyJ/sZc4gGUsvSaqwCg9qNd
...
...
...
Xxsadc8ckqiwip5noc8evfRrp7pG3CWXJOKlkkBLPQiPQBauwf2ScHyCPkU1gEie
nhBi4nfUgJSE8qnJRIyb7oCkZhdNK4hJBBgRAgAJBQJCdMoXAhsMAAoJEDAAVs6k
iJ9iuKYAniNXCLVIvAN2s3zpZ96xCywLYTcMAKCSBt8rSc4LSrE54yRh3jlZCcCb
Yg==
=qqDa
-----END PGP PUBLIC KEY BLOCK-----

The block is gibberish - it's supposed to be! It is the binary key material in base64, and the =qqDa on the last line is a checksum over the block.

You could also put your new key on your web page, in your vCard, or just email people the output from the command above as you need to, along with the fingerprint so they can check what they received:

jayeola@13:37:21$ gpg --fingerprint 'John Maclean'
pub  1024D/F9C133BC 2005-05-07 John Maclean <info@jayeola.org>
     Key fingerprint = 1D2C E593 B2A7 95F1 C6ED  9C90 9859 31E9 F9C1 33BC
sub  2048g/4126901C 2005-05-07

Enigmail

If your primary use of encryption is for email it is recommended to use Thunderbird and the Enigmail plugin. Enigmail is a GUI extension that manages and generates keys and revocation certificates, identities and much more. Thunderbird is in the BLAG repo so install it if you need to, and get the plugin from the URL listed under References below.

REFERENCES

Evolution help page, section 2.6.1
gnu.org
Fedora news
Enigmail for Thunderbird