View Full Version : Basic gpg help



Ullrich
6th April 2007, 10:21 AM
I know some of you are good at gpg. I have some basic questions. I am going to make a new pair of keys because my existing public key is not working. I didn't make a revocation certificate. I did a rotten job when creating public and private keys. The reason was I was not aware of all the pros and cons of gpg and PKI.

I had a crash in my previous computer. I didn't make any backup of pgp folder or keys. Thus, I lost everything.

Do you know the best way of backing up your gpg folder and the keys?

I know the following will copy your public key and private key.

[root@c83-251-139-53 Nissanka]# gpg --export > pubkeys
[root@c83-251-139-53 Nissanka]# gpg --export-secret-keys > privkeys

How do I put them on a USB stick?
-----------------------------------------------------------

Finally, I know the following command will encrypt a file on my computer

[root@c83-251-139-53 Nissanka]# gpg -e -r Nissanka foo.txt
[ Here I am assuming that I have file named 'foo.txt'.]

The above will create a file named 'foo.txt.gpg'.

The file command will decrypt it and give me back the original file.
[root@c83-251-139-53 Nissanka]# gpg --output foo.txt --decrypt foo.txt.gpg

Please tell me if my presumptions are incorrect.

How do I encrypt folders using the gpg system?
Now I have learnt some people had gone into my computer and read some files. So I must encrypt some folders which contain sensitive information; this will make life difficult for people to open the encrypted folders.

Ullrich
6th April 2007, 08:36 PM
I urge someone who works with, or rather has some knowledge of, gpg to look at this.

markkuk
6th April 2007, 10:24 PM
Do you know the best way of backing up your gpg folder and the keys?

Just copy the ~/.gpg directory to a suitable backup medium. There's nothing special about it.



How do I encrypt folders using the gpg system?

You don't use gpg for that. Use cryptsetup-luks (http://luks.endorphin.org/dm-crypt) instead.
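
The backup question above, worked through as an added example that is not part of any post in this thread: it writes the two exports from the first post plus the ownertrust database into a backup directory (for instance the mount point of a USB stick), then imports them into a throwaway keyring to confirm the secret keys really restore. The function names and the backup directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example: export a GnuPG keyring to a backup directory (for instance a
# mounted USB stick) and prove the copy restores. Paths are assumptions.

# secret_fprs: sorted fingerprints of the secret primary keys in $GNUPGHOME
secret_fprs() {
    gpg --batch --with-colons --fingerprint --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" { want = 1 }
                 $1 == "fpr" && want { print $10; want = 0 }' | sort
}

# backup_keys DEST: write public keys, secret keys and ownertrust into DEST
backup_keys() {
    local dest=$1
    mkdir -p "$dest" || return 1
    (   umask 077    # exported secret keys must not be readable by others
        gpg --export --armor > "$dest/pubkeys.asc" &&
        gpg --export-secret-keys --armor > "$dest/privkeys.asc" &&
        gpg --export-ownertrust > "$dest/ownertrust.txt" )
}

# verify_backup DEST: import the backup into a throwaway keyring and check
# that it yields the same secret-key fingerprints as the live keyring
verify_backup() {
    local dest=$1 scratch rc
    scratch=$(mktemp -d) || return 1
    chmod 700 "$scratch"
    (   export GNUPGHOME=$scratch
        # import status is ignored; the fingerprint comparison is the verdict
        gpg --batch --quiet --import "$dest/pubkeys.asc" "$dest/privkeys.asc" \
            >/dev/null 2>&1 || true
        secret_fprs ) > "$scratch/restored.txt"
    if [ -s "$scratch/restored.txt" ] &&
       secret_fprs | diff -q - "$scratch/restored.txt" >/dev/null; then
        rc=0
    else
        rc=1    # empty, truncated or mismatching backup
    fi
    gpgconf --homedir "$scratch" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$scratch"
    return $rc
}
```

A revocation certificate, which the first post mentions was never made, can be stored alongside these files with `gpg --output revoke.asc --gen-revoke KEYID`, which prompts interactively.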

Ullrich
7th April 2007, 08:35 AM
Thanks markkuk for the comments. I have never ever heard about cryptsetup-luks. It seems the best solution. This must be some recent work. It may be possible to download and install using the 'yum' command.
Because yum installations make life easy. Those tarball expansions have some additional work.

Could you please tell me if it is possible to use yum to install cryptsetup-luks? If so, what is the command?

RobertoVanto
7th April 2007, 10:35 AM
% yum install cryptsetup-luks

Ullrich
7th April 2007, 12:59 PM
Roberto
It didn't work. What is the problem?
----------------------------------------------------------------

[Nissanka@c83-251-139-53 ~]$ su root
Password:
[root@c83-251-139-53 Nissanka]# yum install cryptsetup-luks
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
livna [1/4]
livna 100% |=========================| 951 B 00:00
core [2/4]
http://ftp1.skynet.cz/pub/linux/fedora/5/x86_64/os/repodata/repomd.xml: [Errno 14] HTTP Error 404: Date: Sat, 07 Apr 2007 11:57:19 GMT
Server: Apache/2.2.2 (Fedora)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
Trying other mirror.
core 100% |=========================| 1.1 kB 00:00
updates [3/4]
updates 100% |=========================| 1.2 kB 00:00
extras [4/4]
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 136 kB 00:01
livna : ################################################## 354/354
Added 0 new packages, deleted 37 old in 0.68 seconds
primary.xml.gz 100% |=========================| 420 kB 00:03
updates : ################################################## 1181/1181
Added 273 new packages, deleted 308 old in 3.56 seconds
primary.xml.gz 100% |=========================| 1.4 MB 00:05
extras : ################################################## 4373/4373
Added 49 new packages, deleted 6 old in 6.09 seconds
Parsing package install arguments
Nothing to do
[root@c83-251-139-53 Nissanka]#

markkuk
7th April 2007, 01:07 PM
"Nothing to do" means that the latest version of the package was already installed. Apparently cryptsetup-luks is installed by default in FC6. Check with "rpm -q cryptsetup-luks".

Ullrich
7th April 2007, 01:18 PM
[Nissanka@c83-251-139-53 ~]$ su root
Password:
[root@c83-251-139-53 Nissanka]# rpm -q cryptsetup-luks
cryptsetup-luks-1.0.3-0.rc2
[root@c83-251-139-53 Nissanka]#
------------------------------------------------------
Does the above mean it is installed? If it is installed, how do I configure it?

RobertoVanto
7th April 2007, 01:26 PM
% man -k cryptsetup
cryptsetup (8) - setup cryptographic volumes for dm-crypt (including LUKS extension)
cryptsetup-luks (rpm) - Una utility per l'impostazione di filesystem criptati

% man 8 cryptsetup

Ullrich
7th April 2007, 01:33 PM
Roberto
It didn't work.
------------------------
[root@c83-251-139-53 Nissanka]# cryptsetup
bash: cryptsetup: command not found
[root@c83-251-139-53 Nissanka]# cryptsetup-luks
bash: cryptsetup-luks: command not found
[root@c83-251-139-53 Nissanka]# cryptsetup (8)
bash: syntax error near unexpected token `8'
[root@c83-251-139-53 Nissanka]#

Ullrich
7th April 2007, 01:49 PM
Now I found out; the following command is fine
man 8 cryptsetup
------------------------
LUKS EXTENSION
LUKS, Linux Unified Key Setup, is a standard for hard disk encryption. It standardizes a partition
header, as well as the format of the bulk data. LUKS can manage multiple passwords, that can be revoked
effectively and that are protected against dictionary attacks with PBKDF2.

These are valid LUKS actions:

luksFormat <device> [<key file>]

initializes a LUKS partition and set the initial key, either via prompting or via <key file>.
<options> can be [--cipher, --verify-passphrase, --key-size]

luksOpen <device> <name>

opens the LUKS partition <device> and sets up a mapping <name> after successful verification of
the supplied key material (either via key file by --key-file, or via prompting). <options> can be
[--key-file].

[ I think the following command is the correct one.
luksFormat <device> [<key file>]
What is the device? What shall I write there? What is 'key file' ?
I just want to encrypt two or three folders on my system. Those folders contain private letters.
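
An added example, not from any post in this thread, of how the `luksFormat` and `luksOpen` actions quoted from the man page fit together for a handful of folders: `<device>` can be a regular file used as a container, and with no `<key file>` given cryptsetup prompts for a passphrase. It assumes a current cryptsetup that attaches a loop device for a regular file by itself; the function names, the `DRY_RUN` switch and the paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: a file-backed LUKS container for a few private folders.
# Run as root. With DRY_RUN=1 the commands are printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vault_create IMAGE SIZE_MB NAME: the image file plays the role of <device>
vault_create() {
    local img=$1 mb=$2 name=$3
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    run dd if=/dev/urandom of="$img" bs=1M count="$mb" &&
    run chmod 600 "$img" &&
    # luksFormat destroys whatever is in IMAGE and prompts for a passphrase
    run cryptsetup luksFormat "$img" &&
    # luksOpen verifies the passphrase and creates /dev/mapper/NAME
    run cryptsetup luksOpen "$img" "$name" &&
    run mkfs.ext4 "/dev/mapper/$name" &&
    run cryptsetup luksClose "$name"
}

# vault_open IMAGE NAME MOUNTPOINT: unlock and mount; files copied into
# MOUNTPOINT are stored encrypted inside IMAGE
vault_open() {
    run cryptsetup luksOpen "$1" "$2" &&
    run mkdir -p "$3" &&
    run mount "/dev/mapper/$2" "$3"
}

# vault_close NAME MOUNTPOINT: unmount and drop the mapping, so the data is
# unreadable again until the passphrase is supplied
vault_close() {
    run umount "$2" && run cryptsetup luksClose "$1"
}
```

Folders moved into the mounted container are only protected while it is closed, and the unencrypted originals still have to be deleted from their old location.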

Ullrich
7th April 2007, 08:56 PM
This seems to be a very sensitive business. I must back up my data to be on the safe side. Things could go to hell. I read the following:
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptHomeDirUsingLUKS
Have you backed up your data before installing this?

I am working with FC5.
The following command doesn't work on my computer though I have a file named 'badblocks' in 'sbin' folder.
# /sbin/badblocks -c 10240 -s -w -t random -v /dev/vg0/home

Is it possible to do quicker? I mean some other method to execute this procedure.

Please tell me. A friend of mine who works with Windows suggested 'truecrypt'. He said truecrypt was easy to use and reliable.

I am a bit scared to go ahead with this. Things could go to hell. I need your advice.

RobertoVanto
8th April 2007, 09:31 AM
Making a backup is always a good idea. But I'm not an expert in the security/encryption field. However, try to follow this link: http://liquidat.wordpress.com/2007/02/11/howto-graphical-login-and-encrypted-directories-on-fc6/

Ullrich
8th April 2007, 01:46 PM
Roberto
This EncFs seems another variety for encryption. However, it is not straightforward. There are so many other things. There is no 100% support for Fedora users. I don't know what to do. I am using FC5.

Some friends, who use only Windows, told me that this is tantamount to playing with fire. If things go wrong, I will lose everything.
I don't know what to do. I need simple straightforward method to encrypt some folders on my system. Because people have gone into my computer and gathered some information.

Please read the following:
http://liquidat.wordpress.com/2007/02/11/howto-graphical-login-and-encrypted-directories-on-fc6/

As already mentioned, we will use PAM to bind the GDM login to the EncFS-encrypted directories. The module needed is called pam_encfs and is unfortunately not available as a package for Fedora. Get it from the homepage, unpack it and run make && make install as root. There is also an example configuration file which we will use. Copy pam_encfs.conf to /etc/security/.

Ullrich
10th April 2007, 07:25 PM
Could you advise me whether the following site is helpful for me?
It has Truecrypt for FC5.

How do I download using 'yum install' command?

http://rpmfarm.free.fr/5/i386/RPMS.farm/repodata/index.html

RobertoVanto
10th April 2007, 07:47 PM
First you must configure the repo: http://rpmfarm.free.fr/configuration.html. Then install whatever you want with yum:

% yum --enablerepo=rpmfarm install foo

Ullrich
10th April 2007, 08:07 PM
Roberto
What do you mean?
How can I configure some other repository?

RobertoVanto
10th April 2007, 08:27 PM
Following the previous link:


Yum

To start using the rpmfarm.free.fr repository in yum simply install the farm.repo file in /etc/yum.repos.d:



As root:

% cd /etc/yum.repos.d
% wget http://rpmfarm.free.fr/farm.repo

Ullrich
10th April 2007, 08:48 PM
In any case, I must do some backup of data. I must do some backup now. This will take time. Probably I will go ahead with this tomorrow or the day after tomorrow.
I know the risk is great. I must back up all data before embarking on this.

RobertoVanto
10th April 2007, 08:59 PM
yah

Anyway, I suggest you read some books like: "Fedora Linux: A Complete Guide to Red Hat's Community Distribution"
http://www.amazon.com/Fedora-Linux-Complete-Community-Distribution/dp/0596526822/ref=pd_bbs_sr_3/002-0003174-2445630?ie=UTF8&s=books&qid=1176235028&sr=1-3

...or something similar. Just to start ...

virus
10th April 2007, 09:39 PM
ciao Roberto

RobertoVanto
11th April 2007, 11:41 AM
ciao Roberto


Do I know you?