PGP encryption

Sometimes you come across a situation where in a rather large enterprise they do not understand at all (or do not want to understand) why data encryption, communication channels, mail correspondence are necessary. This situation occurs in my work. The situation with the strange loss of client-bank data helped to cut this Gordian knot.

Now the team is trained in the basics of working with the gpg program in several stages. The decision to use the GnuPG utility to encrypt mail correspondence and files is made because of its availability in various Linux distributions. You ask what Linux is doing in the enterprise. I will answer this way - as a result of persistent 3-month work, the network of about 200 pc was transferred to linux with 90% success, which I will probably tell you a little later.


We will understand for a start with the basics and principles of encryption. We will analyze the system known as public key encryption, which has become the de facto standard for encrypting various kinds of information.
')
This scheme uses two keys: one is the private key, which is kept only by the user, and the second is the public key, which is in the public domain and is transmitted to other users. The public key belonging to the user himself or to whom he wants to send encrypted information is used for encryption. And only the owner of the corresponding private key will be able to decrypt the data. There is also a third key, called a session key. It is automatically generated and used for encryption and decryption. And since all this is done automatically, it is rarely mentioned in the process description.

Widespread are two encryption packets according to the public key scheme. The first is commercial PGP (Pretty Cood Privacy), GPG (GNU Privacy Guard), which is a free implementation of PGP. The second is OpenSSH. Further we will consider only GPG, in view of its openness and prevalence.

The main task of GPG is to perform file encryption. It does not set up secure data channels, as OpenSSH does. It simply encrypts the data and checks its integrity.

The first thing to do before you start working with GPG is to create a pair of keys: public and private. It is best to do this under the account under which you are constantly working. The command for creating keys is:

gpg --gen-key

In the process of generation, you must select the type of key (the first option suits by default), its size, expiration date, user name, e-mail, password. All these points are intuitive and I will not dwell on them.

Generation is complete, a pair of keys is ready for use. Both files — pubring.gpg (a bunch of public keys) and secring.gpg (a bunch of private keys) —are stored in binary code in the $ HOME / .gnupg directory. The public key can be presented in two forms: in the form of a binary code and in text format. The default is binary. To convert the key into text format, you must do:

gpg -a --export user> user.pub.key.asc

The “> user.pub.key.asc” part of the command is used to redirect output not to the screen, but to a file.

In order to see the key identifier, you can run a key check, which will result in a list of keys in the pubring.gpg file:

gpg --list-key

Up to this point we carried out operations with our keys. And what to do with the keys of other users? To do this, you need to insert the public key received from the side into your public keychain:

gpg --import otherkey.pub.key.gpg.asc (where otherkey.pub.key.gpg.asc is the resulting key file)

Encryption is only one way to verify the integrity and reliability of information. Another way is to sign files. In this method, based on the characteristics of the file, a kind of signature is created, in the creation of which the private key data is involved. If the file did not change between the time it was signed and the time it was received, the following message will appear when decrypting or checking it using GPG:

[user @ host] $ gpg --verify foo.txt.asc foo.txt
gpg: Signature made Thu March 18 14:10:50 2009 EST using DSA key ID 12EA888D
gpg: Good signature from "******"

To sign a file with the name “file”, you need to run:

gpg -b file

As a result of this command, a binary file will be created. In order to translate it into an ASCII representation, you need to do this:

gpg -ba file

The “-b” option is used to create a separate signature file. The signature file has the same name as the file being signed, but only with the extension .gpg or .asc, depending on whether it is binary or in ASCII - this file is signed.

And finally, I'll tell you how to actually encrypt files. Suppose a user has a public key for you and wants to send you an encrypted file. For this it needs to execute the following command:

gpg -r user -e file (where "user" is the key identifier in the bundle, the encrypted file is sent to its owner, "file" is the name of the encrypted file)

As a result, a file file.gpg is created that can be sent. It is also possible to immediately get a file in the text view at the output:

gpg -r user -ea file (where "user" is the key identifier in the bundle, the encrypted file is sent to its owner, "file" is the name of the encrypted file)

Having received such a file, you only need to run:

gpg -d file.gpg (or .asc)

You can combine encryption and signing with one command:

gpg -r user -bea file

As a result, we will get an encrypted file, which, when decrypted, will take steps to create a signature for it.

Original blog post .