Understanding Basic Encryption Software

All data can be scrambled and modified in a way that makes it difficult to understand to keep the content secret to anyone who doesn’t know how to read it or reverse the process. This is especially true of data stored on a computer as the processor can perform mathematical operations on the data quickly.

For example a simple encryption scheme would involve say shifting all letter “a”s in a message to letter “b” and letter “b”s to “c”s and so forth.

Linux is particularly good at encryption because installing software to do it is easy.

A simple program that does encryption that can be accessed from the linux terminal command line is gpg which stands for GNU [a type of free software licensing scheme] Privacy Guard.

The software can be installed with the terminal command…

sudo apt-get install gpg

From the command line you can issue commands like

gpg -c filename.txt

which will prompt you for a password. Enter that and you’ll have a new encrypted file called filname.txt.gpg. The -c means to encrypt with asymmetric encryption.

If you want to decrypt the file issue the command…

gpg filename.txt.gpg

and enter the password again when promoted to do so (it won’t if you recently encrypted the file). And there you have it. Simple file encryption.

Now gpg is a pretty useful program that can encrypt data for a particular recipient. The command line for that is…

gpg –encrypt [or just -e] recipientname myfile.txt

and to decrypt

gpg –decrypt [or just -d] recipientname myfile.txt.gpg [or whatever]

but that will just display the data so to direct the output to a file use…

gpg -d recipientname myfile.txt.gpg -o decryptedfile.txt

And that would work, but to do either of those things you’ll need encoded keys installed onto the computer that the program will use for the mathematics involved.

To encrypt a message to a particular person you’ll need their public key which they can give you (or you can use your own public key to encrypt a message to yourself) and to decrypt a message sent to you you’ll need to use your private key or they will need theirs obviously. So how do you make a key set? With the command…

gpg –gen-key

And that will make a set of keys, both a private and public one. You keep the private one safe on your computer or backup device and you give your public one to the person you want to send you messages.

Now when you run that command it’ll ask for your real name. Obviously you could use a fakename. And a real email address. Again this could be fake. But you just have to remember them if they are fake and if you want people to send you messages it helps if they are real obviously, but for encrypting your own files it makes no difference.

Then a window will pop up that prompts you for a passphrase. Let’s talk about how PGP works a bit before I explain that…

Basic explanation of PGP Encryption: Because it’s mathematically arduous for even a computer to decrypt a message of which the correct private key is unavailable it is considered fairly safe to send a public key to another person in the open which is the main advantage of using PGP [pretty good privacy] encryption. This means that in hostile environments when communication lines are under surveillance as they are when you use the internet or radio or telephones and cell phones something like PGP encryption works pretty well however not perfectly. For most purposes of security it’s fine especially if you change keys regularly so that any information sent may be of no use by the time they are decrypted and only a small amount of everything that will be sent or has been sent can be decrypted with one formula. Also by simply using multiple keys to send different portions of one particular message or a few different ones you limit your exposure to all  of the data being compromised simultaneously. And so PGP is as it is called, “Pretty Good Privacy” for sending messages in hostile operating theaters while under surveillance.

So back to the point. In order to use PGP encryption you need a private key and a public key and you send the public key to the person you want to be able to send you messages. You can also post it on the internet if you want anybody to be able to send you messages obviously. So you need to generate those keys obviously and the command gpg –gen-key will do it.

But that command will ask for a passphrase, not a password. That’s because the phrase can contain spaces and can be really long, but it’s just a password. The longer and harder to guess the better. Using numbers and symbols and mixing capitals and lower cased letters will give you the best security. Avoiding your own name, birthday, address, pet’s name, etc. is important because that kind of data can be obtained through research and social engineering (con artistry). So pick a good passphrase. And then it’ll ask you to move your mouse around, use the hard disks of your computer, or type a lot of random characters until it gets a lot of random data to use for generating the key set. After a while it will be satisfied and it will say it’s generated keys of probably an rsa2048 type. RSA is a type of encryption and 2048 is the amount of bits. That’s fine. And it will also tell you what the uid [user id] is for your keyset which the computer has now stored. That’ll be the name you entered of course.

Now once you do that you’ll have a keypair in the computer but how to use it? The command line…

gpg –export -0 exportedkeys.txt

will export all the public keys stored on your computer into a file called exportedkeys.txt or you can specify to only export one user’s name like…

gpg –export myusername -o exportedkeys.txt

And either of those will give you a file you can open and you can see the public and private keys you’ll need but that’s not always the best way to do it because it’s not readable in ascii format so you can’t just paste it to a website or whatever, so it’s best to use the command…

gpg –export myusername [if you want to specify just one] -a -o exportedkeys.txt

And now you’ll have a simple file you can open and copy and paste the text from in email or post online or whatever.

TIP: At some point you might want to revoke a key which basically just means forcing it to expire so the computer knows it’s no good. Like, “For instance: the secret key has been stolen or became available to the wrong people, the UID has been changed, the key is not large enough anymore, etc.” And so you can use the command…

gpg –gen-revoke

And using the secret key the computer will create a revoking certificate. “This creates a revocation certificate. To be able to do this, you need a secret key, else anyone could revoke your certificate. This has one disadvantage. If I do not know the passphrase the key has become useless. But I cannot revoke the key! To overcome this problem it is wise to create a revoke license when you create a key pair. And if you do so, keep it safe! This can be on disk, paper, etc. Make sure that this certificate will not fall into wrong hands!!!! If you don’t someone else can issue the revoke certificate for your key and make it useless.”

Now also you might want to see what keys your computer has stored on it. Use the command..

gpg –list-keys

and you have…

gpg –list-secret-keys

to list secret (private) keys.

and you also have ” gpg –list-sig” for signatures and “gpg –fingerprint” for finger prints if you need those commands as well.

To delete a public key from your collection on your computer use…

gpg –delete-key theusersid [whatever the user id may be which you can get from the gpg –list-keys command right?]

and to delete private keys use…

gpg –delete-secret-key

and you can use…

gpg –edit-key theusersid

to do things like changing the key’s expiration date, adding a fingerprint and signing your key.

Understanding key signing: When a public key is exchanged confidence in it’s authenticity can vary. For example if a public key is exchanged in person you can be fairly certain the key belongs to person who gave it to you. However if you download it from a website you may have less confidence as that website may not be under the control of the proper owner at the time the key is posted or since then. And so we can assign a level of confidence by four numbers being :

1 = I don’t know or won’t say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately

So once you get a public key an import it into gpg you can assign any of those values to it or simply “sign” it if you know for certain it is authentic.

This is done through the command…

gpg –edit-key username

Now once that command is issued another prompt appears like “gpg>” and you can enter various commands. You can type “help” and press enter to see a list of commands.

The first word in this list is the command and thereafter is the explanation. They are…

quit quit this menu
save save and quit
help show this help
fpr show key fingerprint
grip show the keygrip
list list key and user IDs
uid select user ID N
key select subkey N
check check signatures
sign sign selected user IDs [* see below for related commands]
lsign sign selected user IDs locally
tsign sign selected user IDs with a trust signature
nrsign sign selected user IDs with a non-revocable signature
adduid add a user ID
addphoto add a photo ID
deluid delete selected user IDs
addkey add a subkey
addcardkey add a key to a smartcard
keytocard move a key to a smartcard
bkuptocard move a backup key to a smartcard
delkey delete selected subkeys
addrevoker add a revocation key
delsig delete signatures from the selected user IDs
expire change the expiration date for the key or selected subkeys
primary flag the selected user ID as primary
pref list preferences (expert)
showpref list preferences (verbose)
setpref set preference list for the selected user IDs
keyserver set the preferred keyserver URL for the selected user IDs
notation set a notation for the selected user IDs
passwd change the passphrase
trust change the ownertrust
revsig revoke signatures on the selected user IDs
revuid revoke selected user IDs
revkey revoke key or selected subkeys
enable enable key
disable disable key
showphoto show selected photo IDs
clean compact unusable user IDs and remove unusable signatures from key
minimize compact unusable user IDs and remove all signatures from key

We’ll deal with “trust” for now.

By typing “trust” we can enter another number for our level of trust in the key or type “m” to return to the previous part of the program.

Also if you are certain a key is authentic you can “sign” it. Keys generated on your own computer are already signed. But imported keys would need to be signed if so desired if you are certain they are authentic.

Typing “sign” at the prompt will do that for you.

Now you can type “quit” and press return or use ctrl+c and then enter to exit.

This is the end of part 1. I’ll add to this later to talk about how key servers work and how the linux program gpa works and how to use thunderbird email with pgp.

SOURCES: http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html