|[Home] [Credit Search] [Category Browser] [Staff Roll Call]||The LINUX.COM Article Archive|
|Originally Published: Friday, 15 December 2000||Author: Kapil Sharma|
|Published to: enhance_articles_sysadmin/Sysadmin||Page: 1/1 - [Printable]|
Secure Communication with GnuPG on Linux
Have you ever thought about how secure your connection is? Maybe you use ssh when ever you're connecting to a remote shell, but have you ever stopped to think about your mail? Click the more link to learn about setting up GnuPG, a free replacement for PGP.
|Page 1 of 1|
GnuPG is a tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.
You can find all the software related to GnuPG at http://www.gnupg.org/download.html
Copy the gnupg source file to ./usr/local/ directory or wherever you want to install it and then cd to that directory.
[root@dragon local] tar xvzf gnupg-1.0.4.tar.gzThis will compile all source files into executable binaries.
[root@dragon gnupg-1.0.4]# make checkIt will run any self-tests that come with the package.
[root@dragon gnupg-1.0.4]# make installIt will install the binaries and any supporting files into appropriate locations.
[root@dragon gnupg-1.0.4]# strip /usr/bin/gpgThe "strip" command will reduce the size of the "gpg" binary for better performance.
1: Generating a new keypair
We must create a new key-pair (public and private) for the first time. The command line option --gen-key is used to create a new primary keypair.
[root@dragon /]# gpg --gen-key
Start GnuPG again with the following command:
[root@dragon /]# gpg --gen-key
Now I will explain about the various inputs asked during the generation of the keypairs.
A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4 creates a single ElGamal keypair usable for both making signatures and performing encryption. For most users the default option is fine.
Minimum keysize is 768 bits
Default keysize is 1024 bits
Highest suggested keysize is 2048 bits
What keysize do you want? (1024)
There are advantages and disadvantages of choosing a longer key. The
advantages are: 1) The longer the key the more secure it is against brute-force
The default keysize is adequate for almost all purposes and
the keysize can never be changed after selection.
from Real Name, Comment and Email Address in this form:
"Kapil Sharma (Linux consultant) <firstname.lastname@example.org>"
name: Enter you name here
There is no limit on the length of a passphrase, and it should be carefully
chosen. From the perspective of security, the passphrase to unlock the private
key is one of the weakest points in GnuPG (and other public-key encryption
systems as well) since it is the only protection you have if another individual
gets your private key. Ideally, the passphrase should not use words from a
dictionary and should mix the case of alphabetic characters as well as use
non-alphabetic characters. A good passphrase is crucial to the secure use of
2: Generating a revocation certificate
After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.
[root@dragon /]# gpg --output revoke.asc --gen-revoke mykeyHere mykey must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair. The generated certificate will be left in the file revoke.asc. The certificate should not be stored where others can access it since anybody can publish the revocation certificate and render the corresponding public key useless.
3: Listing Keys
To list the keys on your public keyring use the command-line option --list-keys.
[root@dragon /]# gpg --list-keys
4: Exporting a public key
You can export your public key to use it on your homepage or on a available key server on the Internet or any other method. To send your public key to a correspondent you must first export it. The command-line option --export is used to do this. It takes an additional argument identifying the public key to export.
To export your public key in binary format, use the following command:
[root@dragon /]# gpg --output kapil.gpg --export email@example.comTo export your public key in ASCII armored output, use the following command:
[root@dragon /]# gpg --export-armor> kapil-key.ascHere "--export" is for extracting your Public-key from your pubring encrypted file , "-armor" is to create ASCII armored output that you can mail, publish it on a web page and ">kapil-key.asc" is to put the result in a file.
To export your public key in ASCII armored output and to view it , use the following command:
[root@dragon /]# gpg --export-armor5: Importing a public key
Once your own keypair is created, you can put it into your public keyring database of all keys from trusted third party in order to be able to use the keys for future encryption and authentication communication. A public key may be added to your public keyring with the --import option.
[root@dragon /]# gpg --import <filename>Here "filename" is the name of the exported public key.
[root@dragon /]# gpg --import mandrake.ascIn the above example we imported the Public key file "mandrake.asc" from the company Mandrake Linux, downloadable from Mandrake Internet site, into our keyring.
6: Validating the key
Once a key is imported it should be validated. A key is validated by verifying the key's fingerprint and then signing the key to certify it as a valid key. A key's fingerprint can be quickly viewed with the --fingerprint command-line option.
[root@dragon /]# gpg --fingerprint <UID>As an example:
In the above example we verified the fingerprint of mandrake. A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner. If the fingerprint you get is the same as the fingerprint the key's owner gets, then you can be sure that you have a correct copy of the key.
7: Key Signing
After importing and verifying the keys that you have imported into your public database, you can start signing them. Signing a key certifies that you know the owner of the keys. You should only sign the keys when you are 100% sure of the authentication of the key.
To sign a key for the company Mandrake that we have added on our keyring above, use the following command:
[root@dragon /]# gpg --sign-key <UID>
As an example:
[root@dragon /]# gpg --sign-key <UID>8: Checking Signatures
Once signed, you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key. We can check the signatures of the keys by the gpg option "--check-sigs:
As an example:
[root@dragon /]# gpg --check-sigs mandrake
9: Encrypting and decrypting
The procedure for encrypting and decrypting documents is very simple. If you want to encrypt a message to mandrake, you encrypt it using mandrake public key, and then only mandrake can decrypt that file with his private key. If Mandrake wants to send you a message, it encrypts it using your public key, and you decrypt it with your private key.
To encrypt and sign data for the user Mandrake that we have added on our keyring use the following command (You must have a public key of the recipient):
[root@dragon /]# gpg -sear <UID of the public key> <file>
As an example:
Here "s" is for signing , "e" for encrypting, "a" to create ASCII armored output (".asc" is ready for sending by mail), "r" to encrypt the user id name and <file> is the data you want to encrypt
To decrypt data ,use the following command:
[root@dragon /]# gpg -d <file>As an example:
[root@dragon /]# gpg -d documentforkapil.ascHere the parameter "d" is for decrypting the data and <file> is a data you want to decrypt.
[Note: you must have the public key of the sender of the message/data that you want to decrypt in your public keyring database.]
10: Checking the signature
Once you have extracted your public key and exported it then by using the --verify option of GnuPG anybody can check whether encrypted data from you is also signed by you. To check the signature of encrypted data, use the following command:
[root@dragon /]# gpg --verify <Data>
Here "--verify" option is to check the signature and "<Data>" is the encrypted data/file you want to verify.
1: Send encrypted mail messages.
Here is a list of some of the Frontend and software for GnuPG
GPA aims to be the standard GnuPG
graphical frontend. This has a very nice GUI interface.
Anybody who is cautious about security must use GnuPG. It is one of the best open source software which has all the functions for encryption and decryption for all your secure data and can be used without any restrictions as it is under GNU General Public License. It can be used to send encrypted mail messages, files and documents for security. It can also be used to transmit files and important documents through network securely.
|Page 1 of 1|