2023 - March
Encrypting Files
You should protect your carefully built system and its files from abuse, tampering, or just plain spying. It's easy to do, so what are you waiting for? Encrypt your data directory now.
Also, e-mailing files is not secure, but you can encrypt a file before sending it and the other party can decrypt it with just a simple passphrase.
Encrypt disk partition using LUKS Format
1 - Create a cryptographic device-mapper device in LUKS encryption mode:
sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdd1
2 - Unlock the partition; here "backup" is the device-mapper name, think of it as a label.
sudo cryptsetup open --type luks /dev/sdd1 backup
3 - Create a filesystem on the mapped device, so that data written through the device-mapper name (label) is encrypted:
sudo mkfs.ext4 /dev/mapper/backup
4 - Mount the device and transfer all of your data:
sudo mount -t ext4 /dev/mapper/backup /backups
5 - Unmount and close the device once you are done:
sudo umount /backups
#
sudo cryptsetup close backup
#
# Last but not least, drop the page, dentry and inode caches so plaintext does not linger in memory (drop_caches only frees clean cache, so run sync first):
#
sudo sysctl --write vm.drop_caches=3
Reference:
- https://www.man7.org/linux/man-pages/man8/cryptsetup.8.html
- https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html?highlight=drop_caches#drop-caches
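A teardown script for the volume above, added here as an example and not part of the original page; it assumes the mapper name backup and the mount point /backups from the steps, and its function names are its own.

```shell
#!/bin/sh
# Added helper, not part of the page: tear down the "backup" volume from the
# steps above in a safe order, checking each state instead of assuming it.
# Assumes the mapper name and mount point used in the steps (backup, /backups).
set -u

MAPPER=${MAPPER:-backup}
MOUNTPOINT=${MOUNTPOINT:-/backups}

# True when the directory is a current mount target according to /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' /proc/mounts
}

# True when the device-mapper node of an opened LUKS volume exists.
mapper_active() {
    [ -e "/dev/mapper/$1" ]
}

# Unmount, close the mapping, then drop caches; stop at the first failure so a
# mounted filesystem is never left sitting on top of a closed mapping.
close_backup() {
    if is_mounted "$MOUNTPOINT"; then
        sync    # flush dirty pages to the encrypted device before unmounting
        sudo umount "$MOUNTPOINT" || return 1
    fi
    if mapper_active "$MAPPER"; then
        sudo cryptsetup close "$MAPPER" || return 1
    fi
    # drop_caches only frees clean cache (kernel vm sysctl docs), so sync first;
    # value 3 drops pagecache, dentries and inodes that may still hold plaintext.
    sync
    sudo sysctl --write vm.drop_caches=3 || return 1
    # Final check: nothing mounted, nothing mapped.
    ! is_mounted "$MOUNTPOINT" && ! mapper_active "$MAPPER"
}
```

Run close_backup after step 5 instead of the separate commands; it returns non-zero if anything is still mounted or mapped.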
Encrypt a file
Create a file to encrypt:
$ echo "Cold!" > mittens
Encrypt it:
You will be prompted for a pass phrase
$ gpg -c mittens
Check the output:
<file name>.gpg is the encrypted version; the original file is left intact.
$ ls mittens*
mittens
mittens.gpg
$ strings mittens*
Cold!
O2#a3
You can now distribute the encrypted file. You must also securely share the passphrase.
Decrypt it
This example uses the keyring directory in this user's home directory:
~/.gnupg
$ gpg -d mittens.gpg
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
Cold!
Files created the first time you run gpg:
$ ls ~/.gnupg/
private-keys-v1.d pubring.kbx random_seed
Reference: https://www.redhat.com/sysadmin/getting-started-gpg
GPG key files
GPG supports private and public key files so passphrases are not required in normal use for encrypting, decrypting and signing files and e-mails.
Here is how that works.
Create a GPG keypair
Use the default (1)
$ gpg --full-generate-key
Please select what kind of key you want:
(1) RSA and RSA (default)
...
Use the default 3072
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Enter 2 years
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
- Fill out your name, email, etc.
GnuPG needs to construct a user ID to identify your key.
Real name: Best User
Email address: bestuser@example.com
Comment: Best Company
You selected this USER-ID:
"Best User (Best Company) <bestuser@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Enter a passphrase in the popup
- Verify your information, then a keystore will be created in your home directory:
...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B...5 marked as ultimately trusted
gpg: directory '/home/bob/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/bob/.gnupg/openpgp-revocs.d/A...3.rev'
public and secret key created and signed.
pub rsa3072 2023-04-20 [SC] [expires: 2025-04-19]
A...3
uid Bob <bob@bob.com>
sub rsa3072 2023-04-20 [E] [expires: 2025-04-19]
- Store your host, username, and passphrase in your password manager.
Files created:
$ tree ~/.gnupg/
/home/bob/.gnupg/
├── openpgp-revocs.d
│ └── B...5.rev
├── private-keys-v1.d
│ ├── C...2.key
│ └── A...3.key
├── pubring.kbx
├── pubring.kbx~
├── random_seed
└── trustdb.gpg
Edit your GPG key
$ gpg --edit-key bestuser@example.com
gpg>
At the gpg> subprompt, typing help or ? lists the available edit commands.
List GPG keys
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-04-19
/home/bob/.gnupg/pubring.kbx
----------------------------
pub rsa3072 2023-04-20 [SC] [expires: 2025-04-19]
A...3
uid [ultimate] Bob <bob@bob.com>
sub rsa3072 2023-04-20 [E] [expires: 2025-04-19]
Export Public GPG key
$ gpg --export --armor --output bob-gpg.pub
$ more bob-gpg.pub
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
The -a or --armor option encodes the output as plain ASCII text. The -o or --output option saves the output to the specified file instead of printing it to standard output.
Sharing public keys
You can share your public key on the OpenPGP key server [1]. This way other people can read your e-mails; they just need to import your key from the keyserver using your email address.
Pros:
- Public key servers allow other people to easily read your encrypted e-mails.
- Signing verifies the email came from you.
- It also guarantees the message was not altered.
Cons:
- It does not assure privacy, because if a third party gets hold of your encrypted email they can still decrypt it using your public key on a public server.
- After your certificate expires or is revoked, encrypted messages become unreadable. Renewed certificates allow old messages to be read.
Fingerprints
To allow other people a method of verifying the public key, also share the fingerprint of the public key in email signatures and even on business cards. The more places it appears, the more likely others will have a copy of the correct fingerprint to use for verification.
$ gpg --fingerprint
/home/bob/.gnupg/pubring.kbx
----------------------------
pub rsa3072 2023-04-20 [SC] [expires: 2025-04-19]
A... 3... 5... 7... D... 9... A... E... 1... 4...
uid [ultimate] Bob <bob@bob.com>
sub rsa3072 2023-04-20 [E] [expires: 2025-04-19]
Reference: https://www.redhat.com/sysadmin/creating-gpg-keypairs
Protonmail
To obtain a correspondent's protonmail public key, use curl. Change user@protonmail.com to the real email.
$ curl https://api.protonmail.ch/pks/lookup?op=get\&search=user@protonmail.com -o user-pubkey.asc
Then import it into gpg
$ gpg --import user-pubkey.asc
Now you can decrypt their files, and they can import your public PGP key from https://keys.openpgp.org using your email address.
Reference: https://proton.me/mail
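Before importing a key fetched as above, check its fingerprint against the one the correspondent shared out of band (see Fingerprints). This helper is an added example, not code from the page; its function names and the placeholder fingerprint are its own, and it assumes user-pubkey.asc is the file curl saved.

```shell
#!/bin/sh
# Added helper, not from the page: import a downloaded public key only after its
# fingerprint matches one obtained out of band (e-mail signature, business card).
# The key is first read into a throwaway keyring so ~/.gnupg stays untouched
# until the check passes. Function names here are this example's own.

# Strip whitespace and upper-case so "a1b2 c3d4" and "A1B2C3D4" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits; reject anything else.
valid_fpr() {
    f=$(normalize_fpr "$1")
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ]
}

# Print the primary-key fingerprint of the first key in an armored key file,
# using a temporary GnuPG home directory instead of the real keyring.
fpr_of_keyfile() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$tmp" --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
    rm -rf "$tmp"
}

# import_verified <keyfile> <expected-fingerprint>
# Imports into the real keyring only when the fingerprints match; returns 1 on
# a mismatch (or when the file holds no key) and 2 on a malformed expectation.
import_verified() {
    keyfile=$1
    expected=$2
    valid_fpr "$expected" || { echo "malformed expected fingerprint" >&2; return 2; }
    actual=$(fpr_of_keyfile "$keyfile")
    if [ "$(normalize_fpr "$actual")" != "$(normalize_fpr "$expected")" ]; then
        echo "fingerprint mismatch: got '${actual:-none}', expected '$expected'" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile"
}

# Usage with the file fetched above; replace the placeholder fingerprint with the
# one your correspondent gave you out of band:
# import_verified user-pubkey.asc "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
```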
Copy keys to e-mail client host
Maybe you have a laptop for e-mail, while the gpg keys were created on a server. Here is how to copy the key(s).
Export public and secret key files
ID=bob@bob.com
gpg --export ${ID} > public.key
gpg --export-secret-key ${ID} > private.key
Copy to new host
scp bob@server:'/home/bob/gpg/bob.com/*.key' .
Import into gpg on new host
gpg --import public.key
gpg --import private.key
Be sure to clean up the key files afterwards (rm only unlinks them; the private key data may remain recoverable on disk until it is overwritten):
rm public.key
rm private.key
You will need to verify the signature in your GUI e-mail client, changing it to 'verified' or 'accepted', to get full functionality.
Now you can send and receive encrypted e-mail on the new host.
Reference:
- https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
- https://www.openpgp.org/software/
Revoke Certificate
If you forget your passphrase or your private key is compromised, revoke the current certificate.
$ gpg --output revoke.asc --gen-revoke user@example.com
$ cp revoke.asc ~/.gnupg/openpgp-revocs.d/revoke.rev
Be sure to update the public key server and your fingerprints.
Encrypt/decrypt a file with a key
- Create a file to be mailed:
File: junk
To Whom it May Concern,
This is addressed to the party that I have contacted.
Regards,
-- Me
- Encrypt your email file
$ gpg --sign --armor --recipient bob@bob.com --encrypt junk
- Mail it
cat junk.asc | mail -s "Hello Bro" bob@bob.com
- The other person can decrypt it (if they imported your public key)
$ gpg --output junk-doc --decrypt junk.asc
This is more secure if you do not share your public key on a public server. You just have to find a secure way to share it, like your own cloud server.
March - Encrypting Files - Linux in the House - https://linux-in-the-house.org