Saturday, March 15, 2008

GPG Me

This brief entry should help me remember (and maybe others) how to complete my monthly backup. Every month I backup critical data to DVD and mail it to a secure location. In theory, this means that my data is always safe... even if I might not be! Press mid-2007 I was mailing out completely unencrypted DVDs until I realized that this was probably a very bad idea indeed. Using Linux made this process very easy, as I knew immediately which encryption type to employ... GPG.

But what is GPG and how does it work?

Initially developed by Werner Koch in 1999, GNU Privacy Guard (GnuPG or GPG) is a replacement for the PGP suite of cryptographic software. Where Wikipedia says "replacement" it should probably (for neutrality) so "alternative". GPG is open source, whereas PGP is owned and licensed by Network Associates. That is in a nutshell, the difference. More on PGP vs GnuPG here GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users, it is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange; more on keys and keypairs below.

Keypairs

As mentioned above, GPG uses keypairs to encrypt "messages". Of course PGP/GPG was originally designed primarily with messaging in mind, but has the ability to encrypt any data. The basic idea is that you generate two keys, a private key and a public key. You then distribute your public key either directly or through keyservers, which act as indexes of public keys... kind of like a phonebook.

Once a user has your key and decides to send you a message or data, that user can use GPG to encrypt the message. Once encrypted even the sender cannot decrypt the data. The data then travels across either the Internet or physical media in a highly secure format. Once you receive this data, you use your private key to decrypt it. If you loose your private key, all data encrypted with the public key becomes unusable.

Using GPG to encrypt data

So we've got the basics of GPG, now time to put it to use. Generating keypairs is a fairly straightforward process. Michael Anckaert describes the basic steps at masuran.org under "Generating a keypair". Following this guide you will now have two files, a public and a private key. Remember that you will be using your public key to encrypt. Firstly, find your key ID by running gpg --list-keys. Here is my key list: 

/home/lukeoconnell/.gnupg/pubring.gpg
-------------------------------------
pub   1024D/74B30C1E 2008-02-13 [expires: 2009-02-12]
uid                  Luke O'Connell 
sub   4096g/2167C1ED 2008-02-13 [expires: 2009-02-12]

pub   1024D/B22BEB02 2008-03-04 [expires: 2009-03-04]
uid                  Luke O'Connell 
sub   4096g/F0D92AA2 2008-03-04 [expires: 2009-03-04]

See how it starts with the keyring file? This is there your public keys are stored. The key ID is located on the pub line, so the key ID for luke@emailannex.com is 74B30C1E. Now we have the ID, we can go ahead and encrypt the file by running the following: 

gpg -r 74B30C1E --output encrypted.txt.gpg --encrypt sourcefile.txt

Good practice would suggest that you leave the original extension intact, thus creating .txt.gpg in the above example. And the encryption process is as simple as that. Next lets look at backing up your private key, a very important task indeed.

Backing up your private key

Here we need to run gpg --list-secret-keys to find the ID of our private key. Here you'll find the result on the sub line. Once we have the ID, it's just a case of running the following to output it to a file: 

gpg -ao private.key --export-secret-keys 0637B724
  • -a Denotes that the output should be ASCII armoured output, which is useful when backing up plaintext data (the format of your key).
  • -o Used for specifying the output. If no output is selected then the result will be output to the terminal.

You'll now be ready to store that highly sensitive file on backup media. I would strongly recommend not placing this file on the Internet or transmitting it across the Internet in any capacity.

Some really useful information

I found somacon.com's notes and the OpenSkils OpenPGP page extremely useful when getting to grips with the world of GPG. The two resources cover some topics not discussed here such as restoring keys and managing keyrings.

Posted by at 9:31 AM
Labels: , , ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)