SUSE Conversations


GnuPG (GNU Privacy Guard)



By: DamianMyerscough

April 9, 2008 3:03 am

Reads:326

Comments:0

Rating:0

In this article we are going to look at setting up GnuPG and how to encrypt sensitive data. The GnuPG application is a free implementation of the OpenPGP application with features such as: “Decrypts and verifies PGP 5, 6 and 7 messages”, “Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER”, “English, Danish, Dutch, Esperanto, Estonian, French, German, Japanese, Italian, Polish, Portuguese (Brazilian), Portuguese (Portuguese), Russian, Spanish, Swedish and Turkish language support” and many other features.

In this article we will be using SUSE Linux Enterprise Desktop 10 SP1. If you are using SUSE Linux Enterprise Server 10 SP1 you will need to compile the GunPG software.

Installation

The installation of GnuPG on SUSE Linux Enterprise Desktop 10 SP1 is very simple. SLED 10 SP1 ships the GnuPG RPM (Red Hat Package Management) package. To install the GnuPG package you can issue the following command to start YaST “yast sw_single” or “yast2 sw_single“. Once the YaST tool has loaded you can search for the GnuPG program simply by searching for the keyword “gnupg“.

Generating keys

Once you have installed GnuPG you can issue the command “gpg” from the command line with the “–help” qualifier as shown in Figure 1.

damian@linux-7q52:~> gpg --help
gpg (GnuPG) 1.4.2
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data

Commands:

 -s, --sign [file]             make a signature
     --clearsign [file]        make a clear text signature
 -b, --detach-sign             make a detached signature
 -e, --encrypt                 encrypt data
 -c, --symmetric               encryption only with symmetric cipher
 -d, --decrypt                 decrypt data (default)
     --verify                  verify a signature
     --list-keys               list keys
     --list-sigs               list keys and signatures
     --check-sigs              list and check key signatures
     --fingerprint             list keys and fingerprints
 -K, --list-secret-keys        list secret keys
     --gen-key                 generate a new key pair
     --delete-keys             remove keys from the public keyring
     --delete-secret-keys      remove keys from the secret keyring
     --sign-key                sign a key
     --lsign-key               sign a key locally
     --edit-key                sign or edit a key
     --gen-revoke              generate a revocation certificate
     --export                  export keys
     --send-keys               export keys to a key server
     --recv-keys               import keys from a key server
     --search-keys             search for keys on a key server
     --refresh-keys            update all keys from a keyserver
     --import                  import/merge keys
     --card-status             print the card status
     --card-edit               change data on a card
     --change-pin              change a card's PIN
     --update-trustdb          update the trust database
     --print-md algo [files]   print message digests

Options:

 -a, --armor                   create ascii armored output
 -r, --recipient NAME          encrypt for NAME
 -u, --local-user              use this user-id to sign or decrypt
 -z N                          set compress level N (0 disables)
     --textmode                use canonical text mode
 -o, --output                  use as output file
 -v, --verbose                 verbose
 -n, --dry-run                 do not make any changes
 -i, --interactive             prompt before overwriting
     --openpgp                 use strict OpenPGP behavior
     --pgp2                    generate PGP 2.x compatible messages

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to .

Figure 1: Checking GnuPG supported qualifiers.

Before we begin to generate a public and a private key you can check to see if there are any keys already in your GnuPG keyring using the “gpg” command with the “–list-keys” qualifier as shown in Figure 1.1.

damian@linux-7q52:~> gpg --list-keys
gpg: /home/damian/.gnupg/trustdb.gpg: trustdb created

Figure 1.1: Displaying the current list of keys.

If no keys are return you can begin generating a key pair using the “gpg” command with the “–gen-key” qualifier as shown in Figure 1.2.

damian@linux-7q52:~> gpg --gen-key
gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Damian Myerscough
Email address: Damian@example.com
Comment: Damian Myerscough's Keys
You selected this USER-ID:
    "Damian Myerscough (Damian Myerscough's Keys) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++.++++++++++..++++++++++.+++++++++++++++...+++++++++++++++..+++++......>+++++........................................................................................+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 277 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.+++++++++++++++++++++++++.+++++...+++++.++++++++++.+++++.++++++++++++++++++++..+++++.++++++++++..++++++++++....+++++++++++++++..+++++.++++++++++..+++++++++++++++++++++++++.+++++>....+++++.++++++++++++++++++++.+++++...++++++++++.++++++++++>+++++>+++++>+++++...>......+++++...........< ..+++++...................................................................................................................................................+++++^^^
gpg: key 25C422DB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/25C422DB 2008-03-28
      Key fingerprint = C6CF 8D5E 5EA2 B4BD 58FA  9B13 7D54 2E11 25C4 22DB
uid                  Damian Myerscough (Damian Myerscough's Keys) 
sub   4096g/16790907 2008-03-28

Figure 1.2: Generating a new key.

As you can see in Figure 1.2 you will be asked multiple questions regarding you’re key, fill in the details that suite your needs. I would strongly recommend using “DSA and Elgamal” as this allows you to perform encryption of files whereas the other two options are used for signing data to provide data integrity.

Managing keys

Once you have successfully generate a key pair you can manage your key with the “gpg” command, some of the qualifier you might want to use for managing your key(s) are listed in Table 1.

Qualifier Description
–list-keys List keys.
–delete-keys Remove keys from the public keyring.
–edit-key Sign or edit a key.
–send-keys Export keys to a key server.
–search-keys Search for keys on a key server.

Table 1: GnuPG management qualifiers.

If you are uncomfortable working from the command line it is possible to install a utility called: “Seahorse” which is available at [1] and provides a nice GUI (Graphical User Interface) for managing GnuPG keys. In a later article I will cover installing Seahorse for anyone who is interested in this.

Encrypting and Decrypting Data

In this section of the article we are going to look at encrypting a sensitive text file using GnuPG and the key that was just generated. The first step we will do is create a simple text file with some fictitious data and will encrypt the file making it useless to other users. Figure 2 shows the text file we will be encrypting.

Username                        Password
----------------------------------------
Damian                          p4ssw0rd
Jason                           cl1ck
Chisa                           cl1ckcl1ck24

Figure 2: Fictitious data.

Once you have created a fictitious data file you can begin encrypting it using the “gpg” command as shown in Figure 2.1. In Figure 2.1 you may be wondering where the “25C422DB” was retrieved, this can be retrieved using the “gpg –list-key” command as shown in Figure 1.1.

damian@linux-7q52:~> gpg -r 25C422DB -e secret_data.txt
damian@linux-7q52:~> ls
bin  Desktop  Documents  public_html  secret_data.txt  secret_data.txt.gpg

Figure 2.1: Encrypting the sensitive data.

As you can see from Figure 2.1 a new file has been created called: “secret_data.txt.gpg”, if you use the “cat” command against this file or open it with your favorite text editor you will notice that all the data has been scrambled.

The “secure_data.txt.gpg” file can now be sent transmitted across the Internet or via an insecure media and still be guaranteed secure. If you need to decrypt this file you can simple use the “-d” qualifier as shown in Figure 2.2.

damian@linux-7q52:~> gpg -r 25C422DB -d secret_data.txt.gpg

You need a passphrase to unlock the secret key for
user: "Damian Myerscough (Damian Myerscough's Keys) "
4096-bit ELG-E key, ID 16790907, created 2008-03-28 (main key ID 25C422DB)

gpg: encrypted with 4096-bit ELG-E key, ID 16790907, created 2008-03-28
      "Damian Myerscough (Damian Myerscough's Keys) "
Username                        Password
----------------------------------------
Damian                          p4ssw0rd
Jason                           cl1ck
Chisa                           cl1ckcl1ck24

Figure 2.2: Decrypting the “secure_data.txt.gpg” file.

As you can see from Figure 2.2 the data from the “secure_data.txt.gpg” file was printed onto the screen, to have the contents goto a file you can use simple redirection as shown in Figure 2.3.

damian@linux-7q52:~> gpg -r 25C422DB -d secret_data.txt.gpg > secure_data.txt

Figure 2.3: Writing the decrypted contents to a file.

Final Thoughts

In this article we only touched on the basics of GnuPG. I would recommend you visit the GnuPG website to find out even more about GnuPG [2] and its latest features. Now that you have GnuPG setup and configured you can now protect your sensitive data and also provide authenticity by signing files using GnuPG.

Reference

[1] http://www.gnome.org/projects/seahorse/
[2] http://gnupg.org/

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: , ,
Categories: Enterprise Linux, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

Comment

RSS