This is a fairly comprehensive post detailing how to set up and use PGP encryption on a Linux machine using the most widely used implementation, GnuPG (GPG), which, as the GNU in its name suggests, is free and open-source software. I will describe and explain the following core concepts:
- Why encryption, and the core concepts of OpenPGP
- Generating a keypair
- Revocation certificates
- Backing up configuration and data
Generally there are two types of encryption: symmetric and asymmetric. In symmetric encryption a single shared key is used both to encrypt a document from clear text to cipher text and to decrypt it again; examples of symmetric tools are the widely used 7zip archive encryption and hard disk drive (HDD) encryption products such as BitLocker and Becrypt. Clearly symmetric encryption is only worth anything if both sender and receiver already know the secret.
Asymmetric encryption is much more secure. In total two keys are used throughout the encryption process: a document encrypted with one key can only be decrypted with the other key, a.k.a. the public and private keys. This form of encryption is also known as a trapdoor algorithm: "Consider a padlock and its key. It is trivial to change the padlock from open to closed without using the key, by pushing the shackle into the lock mechanism. Opening the padlock easily, however, requires the key to be used. Here the key is the trapdoor and the padlock is the trapdoor function."
So what does encryption provide?
Asymmetric encryption is used to maintain confidentiality, i.e. the privacy of your data and documents. This form of encryption involves generating a "keypair": if a document is encrypted with one key it can only be decrypted by the other (public, private). You share your public key with others and keep your private key to yourself. People who want to communicate with you via encrypted e-mail use your public key to turn the clear text into cipher text, and only your private key can turn it back into clear text so that you can read it.
Asymmetric encryption has security advantages, with a few drawbacks. It is computationally intensive; in actual fact OpenPGP uses hybrid encryption rather than public keys alone: the document itself is encrypted with a random symmetric session key, and only that session key is encrypted with the recipient's public key. https://en.wikipedia.org/wiki/Public-key_cryptography
Installing and using OpenPGP
This is just a basic guide to get started with installing and running OpenPGP on CentOS 7. I'm not running Windows or other GNU/Linux flavours, but you can probably find some good guides for installing PGP on those online elsewhere.
Almost all Linux operating systems ship GnuPG already, but if for some reason yours does not, it should be pretty easy to install:
sudo yum install gnupg2 pinentry-gtk
Figure 1 – installing gnupg2 locally
Run gpg --version to check that the installation succeeded:
Figure 2 – gpg version output after a successful installation
Generate A Keypair
Launch your favourite terminal app and type gpg2 --gen-key. You will see this:
Figure 3 – just choose the default option 1 to select RSA
Next we select the key size. I like to have 4096, but that is a decision you need to make: remember that the longer the key, the more security, but longer keys can also take a very long time to generate on older hardware, especially old legacy embedded systems.
RSA selected and the key size set to 4096
Figure 4 – the key size and how long the key should be valid are your decision. If somehow your private key becomes compromised you will be able to revoke it using the revocation certificate. Just hit y and Enter again.
0 means the key does not expire
Figure 5 – the e-mail address must be your valid e-mail
Your user ID is constructed from the details you entered
Figure 6 – just type O to confirm. A dialog box will appear asking for a passphrase. This is crucial, to make sure that even if an attacker gains access to your private key they cannot use it without also knowing the passphrase. Make sure this is a strong passphrase: a complex one at least 18 characters long, i.e. a mixture of upper and lower case letters, numbers and special characters.
Figure 7 – the initial 8-character key ID F6ACBB42 on the line beginning with pub is the ID of your public master key, which is used for identity and signing. The line beginning with sub is your public subkey (the key used for encryption), and your primary user ID is on the line beginning with uid. Read more in man gpg2.
How do you publish your public key, or let people know about it? That's where key servers come in: a key server is a computer that receives and then serves existing cryptographic keys to users of other programs.
To publish your public key to a keyserver, run: gpg2 --send-keys Public_ID (replacing Public_ID with your key ID, F6ACBB42 in Figure 7)
Figure 8 – sending keys to the key server http://pgp.mit.edu/
Public key export
To be able to receive encrypted files you need to export your public key and share it with others, via e-mail attachment or on a USB memory stick.
List the existing keys with gpg2 --list-keys
Figure 9 – listing the keys; note the user name demo that was used when generating the key
Export the public key named demo to "key.txt" with gpg2 --armor --export demo > key.txt
Figure 10 – export of the demo public key
key.txt contains the public key
Figure 10 – key.txt contains the public demo key
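As an added example (not part of the original post): the 8-character key ID on the pub line in Figure 7 is just the tail of the key's fingerprint, which is a SHA-1 hash over the public key packet stored in a file such as key.txt. The Python script below, using only the standard library, dearmors an exported public key block, reads its first packet and computes the v4 fingerprint and short key ID; the embedded key is a constructed toy key, not a real one, and the function names are my own. Because the short ID is only 32 bits, compare the full fingerprint out of band before signing someone's key.

```python
import base64, hashlib

def dearmor(text: str) -> bytes:
    # Take the base64 body between the BEGIN/END lines, skipping "Version:" style
    # armor headers and the trailing "=XXXX" CRC-24 line (RFC 4880 section 6.2)
    body = text.split("-----BEGIN PGP PUBLIC KEY BLOCK-----", 1)[1].split("-----END", 1)[0]
    lines = [l.strip() for l in body.strip().splitlines()]
    while lines and ":" in lines[0]:
        lines.pop(0)
    if lines[-1].startswith("="):
        lines.pop()
    return base64.b64decode("".join(lines))

def public_key_body(raw: bytes) -> bytes:
    # An export begins with an old-format tag-6 (public key) packet: header byte
    # 0x99 means "old format, tag 6, two-byte length" (RFC 4880 section 4.2)
    if raw[0] != 0x99:
        raise ValueError("expected old-format public-key packet with 2-byte length")
    length = int.from_bytes(raw[1:3], "big")
    return raw[3:3 + length]

def fingerprint(body: bytes) -> str:
    # v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99 || 2-byte length || body
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def short_key_id(fp: str) -> str:
    # The 8 hex digits gpg2 2.0 prints on its pub line are the low 32 bits of the
    # fingerprint; far too short to be unique, so compare full fingerprints before signing
    return fp[-8:]

def mpi(n: int) -> bytes:
    # OpenPGP multi-precision integer: 2-byte bit length followed by the big-endian value
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def build_sample_key() -> str:
    # CONSTRUCTED demo key: a toy 64-bit RSA modulus, far too small for any real use,
    # armored like gpg2 --armor --export output (minus the CRC line, which dearmor tolerates)
    body = b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01" + mpi(0xC4F8E9E15DCADF2B) + mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + b64 + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    fp = fingerprint(public_key_body(dearmor(build_sample_key())))
    print("fingerprint:", fp, "short key ID:", short_key_id(fp))
```

To run it against a real export, replace build_sample_key() with open("key.txt").read() and compare the printed fingerprint with what gpg2 --fingerprint shows.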
If the key somehow becomes compromised you should revoke it, i.e. declare that the key is no longer safe. You still need to type in the passphrase.
gpg2 --gen-revoke Public_ID creates a revocation certificate in ASCII-armored .asc format
Figure 11 – revocation certificate
Just follow the instructions and press 1 to revoke the key
Figure 12 – press 1 for "key has been compromised"
Next, import the revocation certificate locally to revoke the key
Figure 13 – key locally revoked
To let the key server know, just send the key ID to it again with gpg2 --send-keys Public_ID
Figure 14 – sending the revoked key to the keyserver
Web of Trust / Key signing
The web of trust is a very interesting security concept in GnuPG. Let's say an attacker decides to generate a keypair using your identity, i.e. your name and e-mail. How are people to know which key belongs to whom? This is where the web of trust comes in, which is basically key signing: the more people who sign a key, the more likely it becomes trusted.
Fortunately key signing is a very simple task. You need the user's key; if it is stored on a key server simply run gpg2 --recv-keys with their key ID
Figure 15 – receiving the key from the keyserver
Figure 16 – we sign the key we imported from the key server with gpg2 --sign-key
It will ask you to confirm the signature operation and then ask you to input your passphrase. Once this is done you have added your signature to the key, which is now modified, so you need to send it back to the keyserver
Figure 17 – sending the signed key back to the key server (web of trust created)
To encrypt a document for yourself, run: gpg --encrypt --recipient ambientcrypto secret.txt
Figure 18 – encrypting a document locally produces secret.txt.gpg
Decrypt secret.txt.gpg with gpg --decrypt secret.txt.gpg
Figure 19 – decrypting secret.txt.gpg; you need the passphrase to unlock the private key
What if you want to encrypt files for others? That's the cool thing about GnuPG: you use their publicly available keys.
gpg --import key.asc
Figure 20 – importing a key to encrypt a document for someone else
Alternatively, you will be able to find the key on a public keyserver. Here's what it looks like when someone searches for a key:
Figure 21 – searching for a key with the name 'security' on the keyserver pool