Deploying GNU Privacy Guard

by Greg Pregovia.


Although many GUI interfaces are in the planning stage for GPG, the following steps focus on using GPG from the command line. The steps assume that you already have GPG installed on your system. Verify this with the whereis command:

whereis gpg
gpg: /usr/bin/gpg

If you do not have GPG installed, you can download it from www.rpmfind.net or from www.gnupg.org/download.html (gnupg-1.0.4-11.i386.rpm or the equivalent gnupg-1.0.5.tar.gz).

Now that you know the program is installed, your first step is to secure how it allocates memory for nonroot users. On most Linux systems GPG needs to run SUID root for this. Any application allocates pages of memory from the system, and GPG wants this memory to be secure. Otherwise, an illicit user could capture this memory and gain access to the information you are about to encrypt. To secure these pages, GPG locks the memory before using it, and it needs root privilege to lock memory. As soon as the lock is in place, GPG drops that privilege and runs with the permissions of the user who invoked it.

By default, however, GPG is not installed SUID root. To make it setuid root, do the following:

1. Find the application (in Red Hat Linux, GPG is at /usr/bin/gpg).

2. If you are not already root, become root with the command su.

3. Issue the command chmod u+s /usr/bin/gpg.

If you cannot do this on your own system for some reason, or do not wish to, you can enter the following line into the ~/.gnupg/options file of any nonroot user:

/usr/bin/gpg --gen-key

This command creates the directories and files that GPG needs in order to work. Once these exist, generate a key pair for the user you are logged in as by issuing the gpg --gen-key command again. GPG then asks you to select a key type: DSA and ElGamal (the default), DSA, or ElGamal (sign and encrypt). Each option defines a different combination of signature and encryption algorithms. The first uses the standard ElGamal key distribution method together with DSA, which is used to sign and encrypt data. DSA is a nonproprietary algorithm, unlike the RSA algorithm that was used previously. If you only wish to sign and encrypt documents, you can just use DSA. Most people use the first option, which both signs and encrypts information; traditionally, the first choice (the default) is the best.

You are then given the choice of key size. The default key size of 1024 bits is sufficient for most purposes; selecting anything higher can significantly slow the application. So, select 1, and then press ENTER.

Enter 1y to make your key expire one year from now, and then press ENTER.

Press y to confirm this choice.

Enter your name in the Real name: field.

Next, enter your e-mail address. In the Comment: field, enter GPG signature, or any text you wish, and then press ENTER.

You will then be asked to confirm your settings. If you are happy with what you entered, press O (that’s the letter O, not the digit 0), and then press ENTER.

Enter a passphrase for your private key. This passphrase should be sufficiently long (at least six passwords), but should also be something you will remember. Press ENTER, confirm the passphrase, and press ENTER again. GPG then generates a new key. Move your mouse and/or type on the keyboard so that the machine gathers enough entropy to generate a good private key. Once GPG is finished, you will receive a message that your key has been created and signed.

Now, verify that GPG correctly created and signed keys for your account with the following commands:

gpg --list-secret-key
gpg --list-public-key
gpg --list-sig

These commands list your secret key, your public key, and your signatures, respectively. Once you have done this, create a revocation certificate so that, if you ever need to, you can publish the fact that your private key is no longer valid. You do this with the sequence outlined here:

gpg --output revoke.asc --gen-revoke james@root.test.com
sec 1024D/3B386145 2000-07-01 jamesroot (root) <james@root.test.com>
Create a revocation certificate for this key? y
Please select the reason for the revocation:
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
0 = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> For my keats system root account
>
Reason for revocation: Key has been compromised
For my keats system root account
Is this okay? y
You need a passphrase to unlock the secret key for user: "jamesroot
(root) <james@root.test.com>"
1024-bit DSA key, ID 3B386145, created 2000-07-01
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!

After verifying that you have keys and a revocation certificate, you are able to import and export keys. To export your key, use the following command:

gpg --export --armor > yourname.asc

This command creates a file that contains your public key. You can distribute this file to anyone with whom you wish to establish a trust relationship.

With this capability, you can now use the RPM command to check signatures made with public keys generated by others. For example, suppose you wish to update your version of Red Hat Linux because of a security alert. To help you verify that the package has not been tampered with and has truly originated from Red Hat, you can obtain Red Hat's public key. Go to www.redhat.com and obtain the public key for the site and the RPM-based download you want. Figure 1.8 shows Red Hat's public key. As of this writing, the key is located at www.redhat.com/about/contact/redhat2.asc.

Now that you have created your own key ring, which is where you will store the public keys of the people with whom you wish to communicate, you can now import the Red Hat public key into GPG using the following GPG command:

gpg --import redhat2.asc

The public key you wish to import may have a different extension. Make sure that you have made absolutely no changes to the key file. Once the key is imported, you need to sign it; an unsigned key causes error messages when you try to use it. Remember, you just downloaded it from a trusted source and are reasonably sure that you can trust this key. You can sign it with the gpg --sign-key command, or you can use GPG's interactive mode, shown in the following sequence:

gpg --edit-key security@redhat.com
gpg (GnuPG) 1.0.2; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/DB42A60E created: 1999-09-23 expires: never trust: -/f
sub 2048g/961630A2 created: 1999-09-23 expires: never
(1) Red Hat, Inc <security@redhat.com>
Command> sign
Are you really sure that you want to sign this key
with your key: "yourkey (key) <yourkey@yoursystem.domain.com>"
Really sign? y
You need a passphrase to unlock the secret key for
user: "jamesroot (root) <james@root.test.com>"
1024-bit DSA key, ID 3B386145, created 2000-07-01
Command> q
Save changes y

Now, you can issue the following command to check the latest GNU GPG RPM file:

rpm -Kv your_rpm.i386.rpm

You will receive a message that both the MD5 signature and the PGP signature are acceptable:

rpm -Kv your_rpm.i386.rpm
your_rpm.i386.rpm:
MD5 sum OK: fc28444c7c7dee7d59671ac5e27b2ad0
gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"

If instead of a message like this you find one that reads public key not found, then the public key you imported is not the one that signed this RPM. You will either have to find the right public key or find another RPM. You can, of course, use GPG to verify any public key you wish. You have now configured and used GPG to help ensure that the file you are installing is safe.

Installing PGP

Although GPG has become a standard, you can also use the PGP program, which behaves rather differently. You can download PGP from the Massachusetts Institute of Technology Web site at http://web.mit.edu/network/pgp-form.html. You will then have to repeat many of the earlier steps to create a public and private key, and then import the site's key. Because PGP (and GPG, for that matter) enables powerful encryption, MIT will ask you questions concerning your intentions for PGP. Answer these according to your intentions. If you enter the right answers, you will be able to download PGP. Choose the correct file for your distribution.

1. MIT uses gzip to compress the RPM files. If you are using Red Hat Linux, the RPM package works best. Use tar to unzip and un-tar the RPM package: tar -zxvf pgprpmfile.tar.gz.

2. This process will deposit an RPM file. Run RPM to install it: rpm -ivh pgprpmfile.

3. Once you have installed PGP, issue the following command to create a key pair: pgp -kg.

4. Choose the DSS/DH option, which is the default.

5. Choose 1 to generate a new signing key.

6. You will be asked to choose the size of your key. Enter 1024, and then press ENTER.

7. Enter a user ID for your public key. Enter your name and e-mail address. This will become your PGP username. This is important, as you will see later when it comes time to edit the RPM configuration file.

8. Enter 0 to keep the key forever. Don’t worry, you can revoke it and generate a new key pair later.

9. Enter a passphrase. Make sure this is a solid passphrase (over eight characters, containing at least one capital letter and one nonstandard character), but also one that you can remember. Confirm your password by entering it again.

10. You will be asked if you need an encryption key. Press y, and then press ENTER.

11. The choice of key size is up to you. Just remember that the larger the key size, the slower information will be processed. Most people choose either 1024 or 2048.

12. Enter 0 as the “validity period.” As before, this value means that the key is valid forever.

13. PGP will ask you to press random keys on the keyboard so that it can generate enough entropy.

14. When PGP is finished, it will ask you if you want to make this key the default signing key. Press y to indicate yes.

15. Now, you need to add the public key of the GNU GPG RPM to your PGP key ring. You do this with the following command: pgp -ka gnugpg.publickey.

16. You will see a list of keys. Indicate that you wish to add these keys to your key ring by pressing y.

17. You will see that several new keys and signatures have been added.

18. Now, you must edit the macros file for your version of RPM. In Red Hat 7.0, this file is /usr/lib/rpm/macros. Find the following values and change them according to your own information:

%_pgp_name    your PGP user name
%_pgp_path    the path to your public key, for example /root/.pgp/

Instead of taking this second step (setting %_pgp_path), you can set the PGPPATH variable in your ~/.bash_profile file.

19. You can now use RPM to verify your RPM:

rpm -Kv your_rpm.i386.rpm
your_rpm.i386.rpm:
MD5 sum OK: fc28444c7c7dee7d59671ac5e27b2ad0
gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <security@redhat.com>"
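Both rpm -Kv transcripts above (the GPG one and the PGP one) are meant to be read by eye. As an added example that is not part of the original article, the POSIX shell function below classifies saved rpm -Kv output so that an install script can refuse a package on its own: it assumes the output was redirected to a file and that you know the expected signer's key ID (DB42A60E in the transcripts), and the sample outputs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: classify saved `rpm -Kv` output
# (assumed capture: rpm -Kv your_rpm.i386.rpm > out.txt 2>&1) before installing.
# Returns 0 = MD5 OK and good signature from the expected key ID (safe to install),
#         1 = signer's public key not on your key ring (import the right key first),
#         2 = MD5 mismatch, bad signature, or unexpected signer (do not install).
check_rpm_output() {
    expected_id=$1; outfile=$2
    # The MD5 line must say OK; anything else means the file was altered or truncated.
    grep -q '^MD5 sum OK:' "$outfile" || return 2
    # Without the signer's key, rpm cannot vouch for the package at all.
    grep -qi 'public key not found' "$outfile" && return 1
    # Pull the key ID out of "... using DSA key ID XXXXXXXX".
    signer_id=$(sed -n 's/.*using [A-Za-z]* key ID *\([0-9A-Fa-f]*\).*/\1/p' "$outfile" | head -n 1)
    # A good signature from a key other than the one you expected is still a failure.
    grep -q '^gpg: Good signature from' "$outfile" && [ "$signer_id" = "$expected_id" ] && return 0
    return 2
}

# Constructed sample outputs, modelled on the transcripts above (not real rpm runs).
write_sample() {
    {
        echo 'your_rpm.i386.rpm:'
        case $1 in
        good|nokey|wrongkey) echo 'MD5 sum OK: fc28444c7c7dee7d59671ac5e27b2ad0' ;;
        badmd5)              echo 'MD5 sum BAD: 00000000000000000000000000000000' ;;
        esac
        case $1 in
        good)  echo 'gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E'
               echo 'gpg: Good signature from "Red Hat, Inc <security@redhat.com>"' ;;
        nokey) echo 'gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E'
               echo "gpg: Can't check signature: public key not found" ;;
        wrongkey) echo 'gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID 3B386145'
               echo 'gpg: Good signature from "jamesroot (root) <james@root.test.com>"' ;;
        esac
    } > "$2"
}

# Stand-alone demo: run each constructed case and print the verdict.
tmpd=$(mktemp -d)
for c in good nokey badmd5 wrongkey; do
    write_sample "$c" "$tmpd/$c"
    rc=0; check_rpm_output DB42A60E "$tmpd/$c" || rc=$?
    echo "$c -> exit $rc"
done
rm -rf "$tmpd"
```

The wrongkey case is the one worth noticing: a perfectly good signature from a key you did not expect must still be treated as a failed check.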

If you want to learn more about PGP, read the man pages, or issue the following commands:

pgp -h
pgp -k

Thus far, you have learned how to use GPG with the RPM package. Of course, GPG has many other uses. Once you have established a trust relationship with a recipient, you can encrypt files to that person. The following command encrypts a file named managerreport.txt: gpg --encrypt -r public_keyname_of_recipient managerreport.txt. You will have to enter the passphrase of your private key. Hopefully, you can remember it; otherwise, you will have to generate a new private/public key pair. After you enter your passphrase, GPG creates a file named managerreport.txt.gpg.

You can then send this file to the intended recipient, who can decrypt it with the following command: gpg --decrypt managerreport.txt.gpg > managerreport.txt.

The recipient will, of course, have to enter his or her passphrase to decrypt the message and read it.

To create a signature file, you can create an empty file named yourname, and then enter the following command: host# gpg --clearsign yourname.

You will then be asked to enter your password. After this sequence is completed, you will see a new file named yourname.asc, which has your signature in it.
