Differences

This shows you the differences between two versions of the page.

--- wiki:procedures:encrypt:linux [2010/02/03 09:55]
127.0.0.1 external edit
+++ wiki:procedures:encrypt:linux [2010/02/08 14:58] (current)
Keith A McDermott Alter title
@@ Line 1: / Line 1: @@
+====== File Encryption with GPG on *nix ======
+GNU Privacy Guard is Open Source encryption software.  It is
+an implementation of the OpenPGP standard.  GnuPG enables you to
+encrypt and sign your data and communication, features a versatile
+key managment system as well as access modules for all kind of
+public key directories.
+[[http://www.gnupg.org/documentation/howtos.en.html|GnuPG HOWTOs]]
+===== GnuPG Basics =====
+=== Passphrase File Encryption ===
+The simplest encryption is with a symmetric cipher. A file can be encrypted with a passphrase and anyone who knows the passphrase can decrypt it, thus keys are not needed. You will note, after encrypting sensitivefile the original file remains untouched.  A new, encrypted file is created with a '.gpg' suffix.
+<code>
+> gpg -c sensitivefile               # Encrypt a sensitivefile with password
+> gpg sensitivefile.gpg              # Decrypt sensitivefile
+</code>
+=== Using Keys ===
+Public and private keys are the heart of asymmetric cryptography. Key points to remember:
+    * Your public key is used by others to encrypt files that only you as the receiver can decrypt.  The sender cannot even decrypt the file unless they are also a receiver. The public key is thus meant to be distributed.
+    * Your private key is encrypted with your passphrase and is used to decrypt files which were encrypted with your public key. The private key must be kept secure. **If the key or passphrase is lost, so are all the files encrypted with your public key.**
+The first step is to generate a key pair. You will be asked a series of questions.  The defaults are reasonable, however you will have to enter at least your full name and email and optionally a comment. Depending on your need, you may also want to select a more appropriate key lifetime than non expiring.  The comment is useful to create more than one key with the same name and email. Also you should use a "passphrase", not a simple password.
+<code>$ gpg --gen-key
+gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Please select what kind of key you want:
+   (1) DSA and Elgamal (default)
+   (2) DSA (sign only)
+   (5) RSA (sign only)
+Your selection?
+DSA keypair will have 1024 bits.
+ELG-E keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048)
+Requested keysize is 2048 bits
+Please specify how long the key should be valid.
+= key does not expire
+      <n>  = key expires in n days
+      <n>w = key expires in n weeks
+      <n>m = key expires in n months
+      <n>y = key expires in n years
+Key is valid for? (0) 1
+Key expires at Thu 04 Feb 2010 08:37:34 AM EST
+Is this correct? (y/N) y
+You need a user ID to identify your key; the software constructs the user ID
+from the Real Name, Comment and Email Address in this form:
+    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
+Real name: Physics Computer Network
+Email address: staff@physics.purdue.edu
+Comment: Example key, 1 day life.
+You selected this USER-ID:
+    "Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>"
+Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+You need a Passphrase to protect your secret key.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
++++++.+++++....+++++.+++++++++++++++.+++++.+++++.+++++.+++++.+++++++++++++++.++++++++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++++++++++++>+++++........................................>.+++++...<..+++++.............................>+++++..........+++++
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+++++++++++++++++++++..++++++++++++++++++++.++++++++++.+++++...+++++...+++++++++++++++++++++++++.+++++++++++++++.++++++++++.....+++++..+++++++++++++++++++++++++.+++++>..+++++.+++++>+++++................>+++++...<.+++++.......+++++^^^
+gpg: key F520101A marked as ultimately trusted
+public and secret key created and signed.
+gpg: checking the trustdb
+gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
+gpg: depth: 0  valid:   4  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 4u
+gpg: depth: 1  valid:   3  signed:   0  trust: 0-, 0q, 1n, 0m, 2f, 0u
+gpg: next trustdb check due at 2010-02-04
+pub   1024D/F520101A 2010-02-03 [expires: 2010-02-04]
+      Key fingerprint = FDB8 0538 9E5E DDD9 4E9F  F0CB B3BE 3FA7 F520 101A
+uid                  Physics Computer Network (Example key, 1 day life.) <staff@physics.purdue.edu>
+sub   2048g/F14E2C72 2010-02-03 [expires: 2010-02-04]
+</code>
+==== Encryption/Decryption ====
+Summary of commonly used options:
+    *   -s sign data
+    *   -e encrypt data
+    *   -d decrypt data
+    *   -r NAME encrypt for recipient NAME (or 'Full Name' or 'email@domain')
+    *   -a create ascii armored output of a key
+    *   -o use as output file
+The examples use 'Your Name' and 'Alice' as the keys are referred to by the email or full name or partial name.
+== Encrypt for personal use only ==
+No need to import or export any key for this. You have the necessary keys already if you have run gpg --gen-key.
+<code>
+> gpg -s -e -r 'Your Name' file               # Sign and encrypt with your public key
+> gpg -o file -d file.gpg                     # Decrypt. Use -o or it goes to stdout
+</code>
+== Encrypt - Decrypt with keys ==
+First you need to export your public key for someone else to use it. And you need to import the public key from Alice to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server.
+For example, Alice exports her public key and you import it, you can then encrypt a file for her. Only Alice will be able to decrypt it.
+<code>
+> gpg -a -o alicekey.asc --export 'Alice'     # Alice exports her key in ascii format
+> gpg --send-keys --keyserver cryptonomicon.mit.edu KEYID   # She then puts her key on a  key server.
+> gpg --import alicekey.asc                   # You import her key into your key ring, from the alicekey.asc file.
+> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Alice' # or get her key from a server.
+</code>
+Once the keys are imported it is trivial to encrypt or decrypt a file:
+<code>
+> gpg -s -e -r 'Alice' file                      # Sign and encrypt a file for Alice.
+> gpg -d file.gpg -o file                     # Decrypt a file encrypted by Alice for you.
+</code>
+== Key administration ==
+<code>
+> gpg --list-keys                             # list public keys and see the KEYIDS
+    The KEYID follows the '/' e.g. for: pub   1024D/F520101A  the KEYID is F520101A
+> gpg --fingerprint KEYID                     # Show the fingerprint of a key
+> gpg --gen-revoke 'Your Name'                # generate revocation certificate
+> gpg --list-secret-keys                      # list private keys
+> gpg --delete-keys NAME                      # delete a public key from local key ring
+> gpg --edit-key KEYID                        # Edit key (e.g sign, trust, etc.)
+</code>