Hack 71. Encrypt Your Email and Important Files
It's good to be paranoid, and the best way to protect your thoughts and data is with powerful encryption.
Encryption is a vital tool with which all Ubuntu users should familiarize themselves. One of the best ways to encrypt emails and files is with GPG, the GNU Privacy Guard. Like its inspiration PGP, GPG utilizes
public-key cryptography. In essence, each user owns two keys: a private key used to decrypt messages sent to the user and a public key others use to encrypt messages they send to that user. In order for this system to work, therefore, folks who want to send encrypted messages to each other must exchange publicnever private!keys.
Once you have GPG up and running, there are several things you can do with it:
Encrypt and decrypt email messages and attachments Encrypt and decrypt files Sign a file with your electronic signature or verify the authenticity of a file by checking its digital signature Verify or sign other users' public keys
As I said in the first paragraph, you need two keys, but where do they come from? If you've been using GPG for a while, you can move your keys from machine to machine, as needed, or you can create a new key pair from scratch.
 |
There are GUIs for virtually all of the commands I'm going to show you in this hack. For KDE, KGpg is an excellent tool (from the package kgpg). GNOME users should check out Seahorse (from the package seahorse, and shown in GNOME menus as Encryption Key Manager).
|
|
Generate a GPG Key Pair
It's a simple matter to create your own GPG key pair (if you already have a key pair on another computer, skip to the next section):
$ gpg --gen-key
You'll be asked to choose the kind of key to use, so choose from the following items...and no, I don't know why the third and fourth options are left out:
1. DSA and ElGamal (default)
2. DSA (sign only)
5. RSA (sign only)
Press Enter to choose the default of 1, and next you're asked about your key size. The default of 2048 is excellent, so just press Enter to accept it. Now you're asked about how long you want this key to be valid. The default is 0, meaning that it will never expire, and normally this is just fine, as long as you plan to keep this key and use it going forward. If you instead want it only for a limited time, change it to the number of days, weeks, months, or years you want, and press Enter. After verifying that length of time, type y and press Enter again.
Now you need to create a user ID that is linked to the keys. First, you're asked your real name, so type it in and press Enter. Following that, you're asked for an email address, and finally a comment. The comment can be anything at all, such as a URL, a company name, a location, or even nothing at all, but it's a good idea to include this data point to help distinguish between keys. Type in your info, pressing Enter after each item. You'll be asked to confirm or change your user ID when you've answered the three questionsname, email, commentso respond accordingly and press Enter.
Now for the biggie: your secret key's passphrase. As you can probably guess, you need something really good here, not just password or scooter or 123456. Notice that you're able to use a passphrase, not just a password, so pick something long with spaces that is still memorable to you. Stuck? Check out an article I wrote for SecurityFocus that contains tips for picking good passwords and passphrases: "Pass the Chocolate," at http://www.securityfocus.com/columnists/245. Enter your passphrase, then verify it, and then, boom! GPG begins generating your keys. You can tell because random characters will appear on your screen, and GPG will ask you to move your mouse, type on your keyboard, and generate disk activity to help improve the key by providing random data it can use. Finally, GPG will finish creating your new keys, which you can verify with this command:
$ gpg --list-keys
/home/scott/.gnupg/pubring.gpg
---------------------------------
pub 1024D/73CA5DE6 2006-03-20
uid Scott Granneman (St. Louis, MO) <scott@granneman.com>
sub 2048g/675B19A0 2006-03-20
You've created your keys; now it's time to use them. Skip ahead to "Signing a GPG Key," or read the next section if you want to learn how to import GPG keys from another computer.
Importing GPG Keys
If you want to use the exact same public and private keys from another computer, just copy them over from the other machine to your new box. Realize that you'll overwrite anything already on the new computer if you've created any keys at all, but this may be just fine. I've used the same keys for years, simply copying them from machine to machine, and it's worked fine. Here's how to copy keys from an old box named eliot using scp.
$ mkdir ~/.gnupg
$ scp
eliot
:~/.gnupg/* ~/.gnupg
You can also import keys, which will append them onto a computer's currently existing keyring (rather than overwriting existing keys, as in the previous method). To do so, you obviously need access to them. This can be accomplished by copying the keys from another machine to yours or by grabbing the keys from a public keyserver on the Net. If the keys are on another computer, copy them to your Ubuntu box, put them on the Desktop for the time being, and then run this command:
$ gpg --import /home/
username
/Desktop/pubring.gpg
You'll see the list of keys that are imported, along with totals, indicating success. Don't forget to delete the pubring.gpg file on your Desktop, since you no longer need it.
If the keys aren't directly available to you, but you know that the users whose keys you wish to import have uploaded them to a public keyserver, you can always import them from there. For instance, say you want to import my key. First, you need to find my key's ID. Using your web browser, go to the MIT PGP Public Key Server at http://pgp.mit.edu and search for scott granneman. You'll get back three results, but pay attention only to the one dated 2004/08/08, which looks like this:
Type bits /keyID Date User ID
pub 1024D/6503F88C 2004/08/08 Scott Granneman <scott@granneman.com>
Scott Granneman (www.granneman.com) <scott@granneman.com>
Take note of the key ID, which is 6503F88C. With it, you can import that specific key using the following command:
$ gpg --keyserver pgp.mit.edu --recv-keys 6503F88C
gpg: requesting key 6503F88C from hkp server pgp.mit.edu
gpg: key 6503F88C: public key "Scott Granneman <scott@granneman.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Was that easy or what?
Signing a GPG Key
Before you can send someone a file or message encrypted with GPG, you have to sign the key you're going to use. By signing the key, you verify that it belongs to the correct person. In the best situation, you received it directly from the individual, perhaps face to face or perhaps through email. If you know that the key you just imported belongs to Scott Granneman, you can run this command:
$ gpg --sign-key www.granneman.com
In actuality, you can use any data that uniquely identifies a key after the --sign-key option. I used www.granneman.com because it was unique to the key you imported previously. To see the data points you can use, just run gpg --list-keys. For instance, the key ID6503F88Cwould have been a great choice, since it's obviously unique to that exact key.
When you sign a key, you're asked if you want to sign all user IDs associated with it. Type in y and press Enter. Verify your answer by entering y again and press Enter. Now you're asked for your secret passphrasethe one protecting your secret keyso that you can prove it's really you who's signing this person's public key. Enter your passphrase, press Enter, and you're finished. You've signed the key, and you can now start using it for encryption.
Encrypting Files Using GPG
You've signed my key, so now it's time to send me an encrypted file. Open your favorite text editor and enter a message like "Can't sleep...clowns will eat me." Save the file on the desktop as test_encryption and close it. In your terminal, enter this command:
$ gpg -r "Scott Granneman" --encrypt test_encryption
|
Please don't actually send me the files you're encrypting. This book is going to have a worldwide audience of billions of readers, and I can't possibly answer all of the test messages all of those readers are going to create, as well as respond to the thousands of fan mails I get every day. Thank you!
|
|
Now there's a new file on your desktop: text_encryption.gpg. This is a binary file that you could attach to an email and send. You don't have to create binary files that you attach, however; you can instead generate ASCII text messages suitable for pasting into an email. To do so, run this command:
$ gpg -r "Scott Granneman" --armor --encrypt test_encryption
Now your desktop contains a file named test_encryption.asc. If you open the file, you'll see something like this:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
hQIOAwcs+U2/zd/NEAf+IR5zIX/ggNxemqkoa4HhCDeEm5hiu1rJivzd7fi504Di
MfeE11Do7p6WMWBi+fzH5FtowwMXi/+OFt6erO65Cb3sVsBDyH01W1NrDLRNPTgN
HC88OJOiWpB16/w65rQXQC9Lgczc8kNsqMCMWUo3tHLBxFNg7d+SW62zgicX2qza
fqHq1Y5ekRPWhmmqkItbYhsXMwz8YE7jq38TP17RBcStiNEKlSAyRrFKMC2L5OI9
VCj2GV6gaKK8nDKFD87hw3V8TN29JHAcPZ5R11wJJNVRv+muDgX+bY8z/9RpTsMs
ALn3ET5J8kzquJg5tctrpXvSN4vBKpvjCH1Y30gDDQgAxRHuNLRo8muBh63N7twc
Gx5VJZlx9AfBYTTWqXPC0VA7O2DSbfgwUdDQS9mL+8ckR1XI921q9ih05IqHG40x
cibPCyg8kXRSK1PUxk4IXiOjbUs62OxMtqMvZtfSzbuOxoNRezrWXO79Q5N2KZVs
HtexYLKm9Wf4RhCQylSwosMojeg4eoTsz+R3MArG8XR/MbI/sLZKGhi3nuwpO3oK
YqaWUhob+U0ZLfCf1l3WPhO7nkJ+6xgcVKIXiycTBYeH6xfN5Gq+WHx546XKJbkB
fTutzRsqUdAr3TED77Pr6zPi8PBZL0f76KXE5KX05zClkwd97vCkIVaQkm4etsGc
4dJwAQ5fhUGqRlmMScO3UbtS3Hh43ZQ8Ndnn+Jpid7D4thZEub9lcpkGw3PLeOco
jRu9smNJHUd8J5ODapAOunqGt0whmpcePbrxEkbL1upigAxqFc9DV7g7pDgJsSLr
i+Bm7tUbhQq2vLpINDeVnzchNQ==
=yBG6
-----END PGP MESSAGE-----
You can attach the ASCII file to an email message, or you can copy and paste the entire text directly into a message.
For added security, you can digitally sign it so that the recipient knows that the file was in fact from you and you only. To sign and encrypt a file at the same time, use this command:
$ gpg -r "Scott Granneman" --armor --sign --encrypt test_encryption
You'll be asked for your passphrase, so go ahead and enter it. You'll still end up with test_encryption.asc, but it will be slightly larger, since it now contains your digital signature as well as your original message.
|
Although I've been focusing on encrypting files meant for another party, you can always encrypt files for yourself by simply specifying yourself as the recipient. It's a great way to protect files on your own computer that you don't want just anyone viewing.
|
|
Decrypting Files Using GPG
Let's say my buddy Jans sends me an encrypted file, and I need to decrypt it. Before proceeding, I must import Jans' public key into my keyring and verify his key. Once that's done, I can decrypt the file. If he sent me a binary file, I'd use this command:
$ gpg --output
business_plans.odt
--decrypt
business_plans.odt.gpg
If he instead sent me an ASCII file, I'd use this:
$ gpg --output
business_plans.odt
--decrypt
business_plans.odt.asc
In either instance, I'd be prompted to enter my secret key's passphrase. Upon doing so, GPG would decrypt the file, leaving me with the filename I'd specified with the --output option. Without that option, GPG instead sends output to STDOUT, which wouldn't work very well with an OpenOffice.org document.
Of course, most good Linux email programs have integrated GPG encryption directly into their interfaces. KMail, the default for Kubuntu, makes it simple to work with encrypted emails and attachments, and while Evolution, the default for Ubuntu, isn't quite as easy, it's certainly doable. Really, there's no excuse for you not to use GPG to encrypt your emails and files. With absolutely no downsides and lots of good reasonsprivacy and security come immediately to mindyou should set up your own keyring and start using GPG today.
|
For more details on GPG, check out man
gpg, or head over to the GnuPG web site, at http://www.gnupg.org.
|
|
Scott Granneman
 | 
