Total Pageviews

Search: This Blog, Linked From Here, The Web, My fav sites, My Blogroll

25 May 2009

Ubuntu & Encryption

Encrypt Your Email and Important Files

It's good to be paranoid, and the best way to protect your thoughts and data is with powerful encryption. Encryption is a vital tool with which all Ubuntu users should familiarize themselves. One of the best ways to encrypt emails and files is with GPG (GNU Privacy Guard). Like its inspiration PGP,

GPG utilizes public-key cryptography. In essence, each user owns two keys:
  • a our private key used to decrypt messages sent to us and
  • a our public key others use to encrypt messages they send to us.
In order for this system to work, therefore, folks who want to send encrypted messages to each other must exchange public (never private) keys.
Once you have GPG up and running, there are several things you can do with it:
  • Encrypt and decrypt email messages and attachments
  • Encrypt and decrypt files
  • Sign a file with your electronic signature or verify the authenticity of a file by checking its digital signature
  • Verify or sign other users' public keys
You need two keys, but where do they come from? If you've been using GPG for a while, you can move your keys from machine to machine, as needed, or you can create a new key pair from scratch.

There are GUIs for virtually all of the GPG commands. For KDE, KGpg is an excellent tool (from the package kgpg). GNOME users should check out Seahorse (from the package seahorse, and shown in GNOME menus as Encryption Key Manager || Passwords and Encryption keys(ultimately).

Generate a GPG Key Pair
It's a simple matter to create your own GPG key pair (if you already have a key pair on another computer, skip to the next section):

$ gpg --gen-key 

You'll be asked to choose the kind of key to use, so choose from the following items:
  1. DSA and ElGamal (default)
  2. DSA (sign only)
  3. RSA (sign only)
  • Press Enter to choose the default of 1, and next
  • you're asked about your key size. The default of 2048 is excellent, so just press Enter to accept it.
  • Now you're asked about how long you want this key to be valid. The default is 0, meaning that it will never expire, and normally this is just fine, as long as you plan to keep this key and use it going forward. If you instead want it only for a limited time, change it to the number of days, weeks, months, or years you want, and press Enter.
  • After verifying that length of time, type y and press Enter again.
  • Now you need to create a user ID that is linked to the keys. First, you're asked your real name, so type it in and press Enter.
  • Following that, you're asked for an email address, and finally a comment. The comment can be anything at all, such as a URL, a company name, a location, or even nothing at all, but it's a good idea to include this data point to help distinguish between keys. Type in your info, pressing Enter after each item.
  • You'll be asked to confirm or change your user ID when you've answered the three questions name, email, comment so respond accordingly and press Enter.
Now your secret key's passphrase. As you can probably guess, you need something really good here, not just password or scooter or 123456. Notice that you're able to use a passphrase, not just a password, so pick something long with spaces that is still memorable to you. Stuck? Check out an article in SecurityFocus that contains tips for picking good passwords and passphrases: "Pass the Chocolate," .
  • Enter your passphrase, then verify it, and then,
  • GPG begins generating your keys. You can tell because random characters will appear on your screen, and GPG will ask you to move your mouse, type on your keyboard, and generate disk activity to help improve the key by providing random data it can use.
  • Finally, GPG will finish creating your new keys, which you can verify with this command:
    harrykar@harrykar-desktop:~$ gpg --list-keys 
    pub 1024D/CF03D0DD 2009-02-01
    uid Χαραλαμπος Καρυπιδης (δυνατο DSA ElGamal)
    uid [jpeg image of size 3310]
    sub 4096g/C108A1DA 2009-02-01

    pub 1024D/D700AEF5 2009-02-01 [revoked: 2009-02-02]
    uid Charalampos Karypidis (normal DSA ElGamal)
    uid [jpeg image of size 3310]

    pub 1024D/D8887592 2008-06-19 [expires: 2010-12-09]
    uid Florian Thießen
    uid Florian Thießen
    sub 2048g/9C04BED8 2008-06-19 [expires: 2010-12-09]

    pub 1024D/65D0FD58 2003-07-11 [expires: 2033-07-03]
    uid CA Cert Signing Authority (Root CA)
    sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03]

    pub 1024D/13F6AB2B 2009-02-04 [expires: 2009-08-03]
    uid Χαραλαμπος Καρυπιδης (1Kb chat key)
    uid Charalampos Karypidis
    uid [jpeg image of size 3310]
    sub 1024g/FE91FA86 2009-02-04 [expires: 2009-08-03]

    pub 1024R/247D1CFF 2009-01-21
    uid Launchpad PPA for Scribblers

    pub 1024R/365C5CA1 2009-01-22
    uid Launchpad PPA for transmissionbt

    pub 2048R/FF95D333 2009-05-14 [expires: 2010-05-14]
    uid powdarrmonkey Automatic Archive Signing Key


You've created your keys; now it's time to use them. Skip ahead to "Signing a GPG Key," or read the next section if you want to learn how to import GPG keys from another computer.

Importing GPG Keys
If you want to use the exact same public and private keys from another computer, just copy them over from the other machine to your new box. Realize that you'll overwrite anything already on the new computer if you've created any keys at all, but this may be just fine. I've used the same keys for years, simply copying them from machine to machine, and it's worked fine. Here's how to copy keys from an old box named eliot using
scp (secure copy) || WinSCP (Windows Secure CoPy) command:

$ mkdir ~/.gnupg
$ scp eliot :~/.gnupg/* ~/.gnupg

You can also import keys, which will append them onto a computer's currently existing keyring (rather than overwriting existing keys, as in the previous method). To do so, you obviously need access to them. This can be accomplished by copying the keys from another machine to yours or by grabbing the keys from a public keyserver on the Net. If the keys are on another computer, copy them to your Ubuntu box, put them on the Desktop for the time being, and then run this command:

$ gpg --import /home/username/Desktop/pubring.gpg

You'll see the list of keys that are imported, along with totals, indicating success. Don't forget to delete the pubring.gpg file on your Desktop, since you no longer need it.

If the keys aren't directly available to you, but you know that the users whose keys you wish to import have uploaded them to a public keyserver, you can always import them from there. For instance, say you want to import my key.
  1. First, you need to find my key's ID. Using your web browser, go to the MIT PGP Public Key Server at and search for my name.
  2. Take note of the key ID. With it, you can import that specific key using the following command:
    $ gpg --keyserver --recv-keys Mykey
Easy really?

Signing a GPG Key
Before you can send someone a file or message encrypted with GPG, you have to sign the key you're going to use. By signing the key, you verify that it belongs to the correct person. In the best situation, you received it directly from the individual, perhaps face to face or perhaps through email. If you know that the key you just imported belongs to me, you can run this command:

$ gpg --sign-key MyKey

In actuality, you can use any data that uniquely identifies a key after the --sign-key option. To see the data points you can use, just run gpg --list-keys.
  • When you sign a key, you're asked if you want to sign all user IDs associated with it. Type in y and press Enter.
  • Verify your answer by entering y again and press Enter.
  • Now you're asked for your secret passphrase the one protecting your secret keys o that you can prove it's really you who's signing this person's public key. Enter your passphrase, press Enter, and you're finished.
You've signed the key, and you can now start using it for encryption.

Encrypting Files Using GPG
You've signed my key, so now it's time to send me an encrypted file. Open your favorite text editor and enter a message. Save the file on the desktop as test_encryption and close it. In your terminal, enter this command:

$ gpg -r "MyName" --encrypt test_encryption

Now there's a new file on your desktop: text_encryption.gpg. This is a binary file that you could attach to an email and send. You don't have to create binary files that you attach, however; you can instead generate ASCII text messages suitable for pasting into an email. To do so, run this command:

$ gpg -r "MyName" --armor --encrypt test_encryption

Now your desktop contains a file named test_encryption.asc. You can attach the ASCII file to an email message, or you can copy and paste the entire text directly into a message.

For added security, you can digitally sign it so that the recipient knows that the file was in fact from you and you only. To sign and encrypt a file at the same time, use this command:

$ gpg -r "MyName" --armor --sign --encrypt test_encryption

You'll be asked for your passphrase, so go ahead and enter it. You'll still end up with test_encryption.asc, but it will be slightly larger, since it now contains your digital signature as well as your original message.

Although I've been focusing on encrypting files meant for another party, you can always encrypt files for yourself by simply specifying yourself as the recipient. It's a great way to protect files on your own computer that you don't want just anyone viewing.

Decrypting Files Using GPG
Let's say my buddy Jans sends me an encrypted file, and I need to decrypt it. Before proceeding,
  1. I must import Jans' public key into my keyring and
  2. verify his key.
Once that's done, I can decrypt the file. If he sent me a binary file, I'd use this command:

$ gpg --output business_plans.odt --decrypt business_plans.odt.gpg

If he instead sent me an ASCII file, I'd use this:

$ gpg --output business_plans.odt --decrypt business_plans.odt.asc

In either instance, I'd be prompted to enter my secret key's passphrase. Upon doing so, GPG would decrypt the file, leaving me with the filename I'd specified with the --output option. Without that option, GPG instead sends output to STDOUT, which wouldn't work very well with an document.

Of course, most good Linux email programs have integrated GPG encryption directly into their interfaces. KMail, the default for Kubuntu, makes it simple to work with encrypted emails and attachments, and same for Evolution, the default mailer for Ubuntu. Really, there's no excuse for you not to use GPG to encrypt your emails and files. With absolutely no downsides and lots of good reasons privacy and security come immediately to mind you should set up your own keyring and start using GPG today.

For more details on GPG, check out man gpg, or head over to the GnuPG web site.

No comments:

Post a Comment