GNU Privacy Guard (https://www.gnupg.org/) is an implementation of OpenPGP. It can be used to:
sign files, so that a recipient can check that they come from the holder of a known key and were not modified on the way
encrypt/decrypt files to exchange information between users
The program gpg (from the package gnupg) is used for this, see man gpg.
The keys need to be identified, and the documentation about this is a bit confusing.
In the following, the Key ID is a short form of the 40 hex digit long (primary) key fingerprint: the last 16 hex digits are the long Key ID, the last 8 hex digits the short Key ID, which is handier than dealing with 40 hex digits. The 8 digit short ID can however be collided on purpose (anybody can generate a key with the same short ID), so when a key is fetched or checked, compare its full fingerprint (gpg --fingerprint) with one obtained from the owner.
Keys have creation, expiration and revocation dates.
Keys contain a user ID made of Real name, e-mail address and Comment; these elements can also be used to find the Key ID. The key can hold lots of other things as well, such as a preferred key server, a photo and more.
To work with gpg, the public keys need to be exchanged and imported on the local PC. This can be done using files; another way is using key servers.
Once keys are uploaded to a key server they stay there forever (also when expired or revoked): a revocation only marks the key as revoked, it does not remove it.
The key server can be passed to a command with the option --keyserver, as in --keyserver subkeys.pgp.net, but the default key server can be configured in the file ~/.gnupg/gpg.conf with a line such as keyserver hkps://keys.openpgp.org (the old SKS pool that names like subkeys.pgp.net pointed to is no longer in service; GnuPG 2.2.17 and later default to keys.openpgp.org).
Keys can be found on the key server when an e-mail address or the user name (= Real name) is known, because the user ID is composed of Real name, e-mail and comment and is stored inside the key:
gpg --search-keys <e-mail address>
gpg --search-keys "Urs Lindegger"
The Key ID must be published somewhere, or it can be found with the same --search-keys command. When a key is found, entering the corresponding number imports it.
Alternatively a key can be imported directly by its Key ID:
gpg --keyserver subkeys.pgp.net --recv-keys <Key ID>
Both ways import the public key (or keys); the result can be checked with gpg --list-keys. A key server only delivers what somebody uploaded under that name or address, so compare the full fingerprint with one obtained from the owner before trusting the key.
Gnupg creates the directory ~/.gnupg where all keys reside. The file ~/.gnupg/gpg.conf holds the configuration.
gpg --gen-key produces the key pair belonging to you (a public and a secret key). Newer gpg versions ask only for name and e-mail with --gen-key and use default settings; gpg --full-gen-key additionally asks for the algorithm, key size and validity period. You should limit the time the key is valid (it can be extended later with expire in --edit-key).
Select the default encryption settings. Important is the passphrase to be entered: it protects the secret key and is asked for all later actions that use the secret key (signing, decrypting).
You need to enter Real name, e-mail address and comment. This forms the USER_ID: "<Real name> (<Comment>) <<e-mail address>>"
gpg --list-keys to see the keys you have got.
gpg --list-secret-keys lists the secret keys you have.
When the keys are created it is wise to think about what happens when you lose your keys or somebody gets hold of them. Therefore create a revocation certificate (for normal speaking people this means: create a file that you need to make the key invalid):
gpg --output revoke.asc --gen-revoke <Key ID>
It wants to know the reason why such a certificate is created; select 1 = Key has been compromised as the reason for the revocation.
You have to enter the passphrase from above.
Newer gpg versions (2.1 and later) also create such a certificate automatically at key generation, under ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev; its armor header is commented out with a leading colon, which has to be removed before the file can be imported.
Backup the contents of ~/.gnupg on a memory medium. Also move the revocation file revoke.asc to this medium, delete it from the computer (or move it into an encrypted place) and store it in a safe place: whoever gets hold of the revocation certificate can revoke your key without knowing the passphrase.
The keys can be sent to a key server: gpg --send-keys <Key ID>
Getting a key out of the key server is not possible; what you can do is revoke it, which usually goes in two steps:
gpg --import revoke.asc
gpg --keyserver certserver.pgp.com --send-keys <Key ID>
The first step marks the key as revoked in the local keyring, the second uploads the revoked key so that the key server and everybody refreshing from it see the revocation.
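The key creation and revocation procedure above, run end to end in a throw-away GNUPGHOME, as an added example that is not part of the original page. It writes a small gpg.conf (long Key IDs, fingerprints, key server), generates a key pair non-interactively with a one year expiry, arms the revocation certificate that gpg 2.1 and later create automatically, imports it and checks in the machine-readable --with-colons output that the key is now revoked. The identity "Test User <test@example.com>" and the empty passphrase are assumptions for the demo only; a real key gets a passphrase.

```shell
#!/bin/sh
# Added example (not from the original page): key pair, gpg.conf and
# revocation in a temporary GNUPGHOME.  Requires gpg 2.1 or later.
set -eu

gpg_keygen_revoke_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # kill the agent started for this home and remove it when done
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Configuration as the page describes, but showing the 16 digit long
    # Key ID and the full fingerprint instead of the collidable short ID.
    cat > "$GNUPGHOME/gpg.conf" <<'EOF'
keyid-format 0xlong
with-fingerprint
keyserver hkps://keys.openpgp.org
EOF

    # Key pair with default algorithm, default usage (sign + encrypt
    # subkey) and a one year expiry.  Demo identity, empty passphrase.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Test User <test@example.com>' default default 1y 2>/dev/null

    # fpr record, field 10 = fingerprint (see doc/DETAILS in GnuPG)
    fpr=$(gpg --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    # gpg 2.1+ writes a revocation certificate at key generation time.  Its
    # armor header starts with ':' so it cannot be imported by accident;
    # removing the colon arms it (equivalent to --gen-revoke output).
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    [ -f "$rev" ] || { echo "no auto-generated revocation certificate"; return 1; }
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$GNUPGHOME/revoke.asc"

    # Step one of the two-step revocation: import into the local keyring.
    # (Step two, --send-keys, is skipped here to stay offline.)
    gpg --batch --import "$GNUPGHOME/revoke.asc" 2>/dev/null

    # pub record, field 2 = validity; 'r' means revoked
    validity=$(gpg --with-colons --list-keys | awk -F: '$1=="pub"{print $2; exit}')
    if [ "$validity" = "r" ]; then
        echo ok
    else
        echo "key not revoked, validity is '$validity'"
        return 1
    fi
}

gpg_keygen_revoke_demo
```

Run it as a script; it prints ok when the imported certificate revoked the key. The same --with-colons fields (validity in field 2, expiry timestamp in field 7 of the pub record) are what scripts should parse instead of the human-readable --list-keys output.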
Keys can be exported with gpg --export; the output goes to the screen in binary format, so better use gpg --armor --export to get ASCII, or put it into a file: gpg --armor --export --output <filename>
or just one user: gpg --armor --output <filename> --export <users e-mail>
They can also be imported: gpg --import <filename>
gpg --delete-key <Key ID>
deletes them from the local PC but not from the key server, since you are probably not the owner (and even the owner cannot delete a key there, it stays on the server forever).
Typing gpg --edit-key <Key ID>
brings you into an interactive loop where you can type commands such as help. As you can see, all kinds of modifications can be done. Changes are only written to the keyring when you leave with save (quit discards them).
To see what you have: showpref
The expiry date can be modified with expire
A key server can be added with keyserver, so when signed e-mails arrive the receiver knows where to get the public key; however the major key servers exchange the public keys among each other. keyserver none deletes it.
Add a photo with addphoto
Refresh the keys from the key server, which picks up new expiry dates, signatures and revocations of keys you already have: gpg --refresh-keys
List the keys showing the fingerprint: gpg --fingerprint
Text files (but also binary files) can be signed. There are different options.
gpg --sign <filename>
writes a compressed binary file <filename>.gpg containing the data together with the signature; it is not readable as such
gpg --clearsign <filename>
writes <filename>.asc containing the readable text with the signature appended
gpg --detach-sign <filename>
creates a separate binary file <filename>.sig containing only the signature; the original stays untouched
gpg --armor --detach-sign <filename>
creates a separate readable (ASCII) file <filename>.asc containing only the signature
After importing the key of the author (e.g. using its Key ID), the file can be verified using gpg --verify <filename> for signed and clearsigned files, or gpg --verify <filename>.sig <filename> for a detached signature (signature file first, then the data). "Good signature" only means the file matches the named key; whether that key really belongs to the author is a separate question, which is why gpg warns when the key is not certified by a trusted signature.
gpg --encrypt <filename>
encrypts to a public key; the destination user must be specified:
gpg --recipient "Urs Lindegger" --encrypt <filename>
encrypts it for that destination user (output <filename>.gpg; add --armor for ASCII output, add --sign to sign it at the same time so the receiver knows who sent it)
gpg --decrypt <filename>
decrypts with your secret key (passphrase is required); the plaintext goes to the screen unless --output is given
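The signing and encryption commands above, exercised against a throw-away key as an added example that is not part of the original page: a detached ASCII signature is created and verified, the file is then modified by one byte to show the same signature is rejected, and a second file is encrypted to the recipient and decrypted again. The identity "Test User <test@example.com>", the file contents and the empty passphrase are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): detach-sign, verify, tamper,
# encrypt and decrypt with a temporary key.  Requires gpg 2.1 or later.
set -eu

gpg_sign_encrypt_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Demo key (made-up identity, no passphrase); signs and encrypts.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Test User <test@example.com>' default default 1y 2>/dev/null

    # Constructed sample file standing in for e.g. a release tarball
    f="$GNUPGHOME/release.txt"
    printf 'release 1.0 contents (constructed sample)\n' > "$f"

    # --armor --detach-sign writes the signature to release.txt.asc
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$f"

    # Verify a detached signature: signature file first, then the data
    gpg --batch --verify "$f.asc" "$f" 2>/dev/null \
        || { echo "verification of untouched file failed"; return 1; }

    # Append one byte; the old signature must now be rejected
    printf 'X' >> "$f"
    if gpg --batch --verify "$f.asc" "$f" 2>/dev/null; then
        echo "tampered file still verified"
        return 1
    fi

    # Encrypt to the recipient's public key (output note.txt.gpg), then
    # decrypt with the matching secret key; plaintext goes to stdout.
    n="$GNUPGHOME/note.txt"
    printf 'meet at noon\n' > "$n"
    gpg --batch --yes --recipient test@example.com --encrypt "$n" 2>/dev/null
    plain=$(gpg --batch --pinentry-mode loopback --passphrase '' \
        --decrypt "$n.gpg" 2>/dev/null)
    if [ "$plain" = "meet at noon" ]; then
        echo ok
    else
        echo "decrypted text differs: '$plain'"
        return 1
    fi
}

gpg_sign_encrypt_demo
```

It prints ok when the good signature verifies, the tampered file is rejected and the round trip through --encrypt/--decrypt returns the original text. Encrypting works here without any trust prompt only because the key is your own and therefore ultimately trusted; for somebody else's key gpg asks whether you really want to use it until you have verified and signed it.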
Evolution can sign the e-mails it sends; all it needs is adding the Key ID into the mail account configuration under security and enabling it. The first time it asks for the passphrase, but then it can use its internal authentication methods to avoid continuously asking for it.
When working with gpg encryption and decryption you often have to type in the passphrase. gpg-agent caches it to reduce this; with gpg 2.1 and later the agent is started automatically and always used, and how long a passphrase stays cached is set in ~/.gnupg/gpg-agent.conf with default-cache-ttl and max-cache-ttl (in seconds).