Today I am going to be looking GnuPG as a continuation of my delve into Practical Linux Topics. As described on https://www.gnupg.org/, GnuPG is a free implementation of OpenPGP which is used to encrypt and sign data and communications using a public/private key infrastructure. It can be used to encrypt and digitally sign emails, encrypt files, and to secure SSH tunnels. In this post I am going to look at some fundamental configuration and usage of GnuPG for encryption.
Note: Due to the CSS of my WordPress Theme some of the syntax of the code is being altered post publish. Many commands have double hyphens (- -), but are appearing as a single hyphen. For clarity I have provided a PDF with proper syntax. I apologize for this inconvenience. I will be looking into fixing this for future posts.
To start off, I used the following command to see if it was installed:
# grep install /var/log/dpkg.log | grep gpg
For my test, I am running Debian-based Linux Mint. The grep search may look different for Red Hat based systems. In my case, it was not installed so I ran the following command to install it:
# sudo apt install gnupg
Once installed I used the following command to verify all the available options:
# gpg –dump-options
This will likely be a hardy list, but it can be piped into grep to only show the options desired. The first thing I did was choose an RFC, this determines what files and directories are generated for the storage of the private/public keys as well as some compatibility settings. I ran the following command to begin this process:
# gpg –rfc4880
This generated the .gnupg directory in my home directory. The configuration files and key ring directories are located in this directory. Now that gnupg has been prestaged, it is time to generate keys by using the following command:
# gpg –gen-key
For my test, I selected the default options of RSA for my key type, 2048 for my key length, and a 0 expiration date. The most important thing is the passphrase, this will be used to decrypt things using the private key. It is imperative to ensure that this key has a very strong password and that it can always remain a secret. Anyone can read the encrypted data if the passphrase compromised. Also, it is a best practice to give the keys expiration dates to make it unusable after a certain time. After entering the passphrase a lot of random data will need to be generated to help with key creation. I achieved this by typing random characters. A separate terminal window can also be opened to do other tasks to generate greater entropy on the key. Lastly, in a graphical UI the mouse can be moved to generate random bytes. When enough data has been generated, a message will appear saying the key has been created. After key creation, a public key needs to be generated using the following command:
# gpg –armour –export uid > pubkey.asc
This creates an ASCII public key. In this example, the uid is the email address designated when creating the key. This public key can be freely distributed. With this, all the necessary pieces have been created to begin encrypting data. The individual sending the data will need import the recipients public key using the following command:
# gpg –import pubkey.asc
Next, a command similar to the following will need to be ran:
# gpg –encrypt –r recipient_pubkey –armour < in.txt –o out.txt
In this example, -r specifies which public key to use. in.txt is the file that is being encrypted. out.txt is the encrypted file and is denounced with the –o switch. To decrypt the message the following would be ran:
# gpg –decrypt out.txt
The passphrase for the secret key will be prompted and upon entering the message will be decrypted.
Digital signing is another thing that can be achieved using gnupg to enforce nonrepudiation. To sign a document, the following command can be ran:
# gpg –sign in.txt
The secret passphrase is prompted and upon entering, a new file is created called in.txt.gpg that is digitally signed. Another option is clearsign:
# gpg –clearsign in.txt
This creates a signature message inside of the file, but also increases the size. Lastly there is detacted signatures that create a separate signature file that is required to read the signed file. The syntax for this would look similar to the following:
# gpg –output outputfile.sig –detach-sig inputfile
In this example, the output file is the separate signature file created to match inputfile. To read the message would need to reference both files like so:
# gpg –verify outputfile.sig inputfile
Ultimately, all the digital signature methods achieve the same goal with slight differences.
The last commands I will show are ones to remove old keys from the key ring:
# gpg –delete-key uid
This command will delete a public key from the public key ring. The following command should be used to delete a secret key:
# gpg –delete-secret-keys uid
This will remove the secret key from the key ring. However, if this key is deleted, any messages that were encrypted with its public key pair will be lost. This should be done with caution.
To end I will provide some best practices that I have found to be solid advice when it comes to encryption. When deciding what data needs to be encrypted, a good rule of thumb is to answer the following question. Would I rather this data be compromised or lost? It is easy to think that encrypting an entire drive is the most secure way to protect data, and to an extent it is. However, not all data needs to be encrypted as this can lead to unnecessary data loss. If a data leak would cause harm to competitiveness, wellbeing, or cause legal ramifications then it should be encrypted. Otherwise, it may not be worth encrypting non-sensitive data as it can lead to greater risk of data loss if the encryption keys are ever lost.
References:
Binnie, C. (2016). Practical Linux topics. Berkeley, CA: Apress.
The GNU Privacy Guard. (2018, December 14). Retrieved January 15, 2019, from https://www.gnupg.org/
