
GPG Hints - GNU Privacy Guard


GPG is an Open Source set of tools for symmetric and asymmetric encryption of data: emails, security keys, key-rings, even mountable secure virtual drives (as loop-devices).

"Hints": Just some reminders, and resources for figuring things out!

cmp.20141021
ed.20141117.01

Organization

  1. References
  2. GPG Symmetric Encryption with ASCII Armor
  3. GPG-ZIP Helper Tool
  4. Creating Public and Private Keys, and Revocation Certificates
  5. Publishing Public Keys
  6. Revoking / Cancelling Keys
  7. Backing up Keys and Revocation Certificates
  8. Recovering / Decrypting Keys and Revocation Certificates

1. References

  1. GPG Website: https://www.gnupg.org/
  2. GPG For Windows Users: http://www.gpg4win.org/
  3. Enigmail for Secure Email: https://www.enigmail.net/home/index.php

2. GPG Symmetric Encryption with ASCII Armor

Encrypt the secure key (a PGP key, BitLocker recovery key, etc.) symmetrically, and use ASCII Armor if you want to email it to yourself or post it in plain text.

Converting the output from binary to Base64 ASCII Armor makes the encrypted key "human readable." However, doing so increases the output size by about 33% (or so), which is not significant when encrypting keys. When encrypting folders, large files, etc., don't use ASCII Armor, or that 33% increase in size will be very noticeable.
cmd:/>gpg -c --cipher-algo=AES256 -a -o 20141018.bitlocker@computername.asc 20141018.bitlocker@computername.key

Decrypting the key is fairly simple; GPG infers from the data in the file which encryption algorithm was used and whether the file is in ASCII Armor.
cmd:/>gpg -o output.txt -d 20141018.bitlocker@computername.asc

3. GPG-ZIP Helper Tool

Encrypts and compresses the folder named "MyFolder", and its subfolders, into one file, "EncryptedZipFile.gz.gpg".

// Specify a cipher, such as AES (--cipher-algo=AES256); otherwise the default, CAST5, is used.
cmd:/>gpg-zip --symmetric --gpg-args --cipher-algo=AES256 --output EncryptedZipFile.gz.gpg MyFolder
cmd:/>gpg-zip --decrypt EncryptedZipFile.gz.gpg

4. Creating Public and Private Keys, and Revocation Certificates

There are GUI Tools, like Kleopatra, available on Linux and Windows that will help: http://www.gpg4win.org/

When creating a PGP public/private key pair--always be certain you specify an expiration date. Otherwise, if your key is compromised and you don't have a revocation certificate, you may find someone misusing your key for an indeterminate period of time.
cmd:/>gpg --gen-key
cmd:/>gpg --list-keys
cmd:/>gpg --export -a 66H049E4 > 20141022.PGP.66H049E4.pub.key

5. Publishing Public Keys

Publish the keys to some key servers, or go to their websites, like MIT's, to upload your PUBLIC key: https://pgp.mit.edu/
cmd:/>gpg --send-keys 66H049E4
cmd:/>gpg --keyserver subkeys.pgp.net --send-key 66H049E4
cmd:/>gpg --keyserver keys.gnupg.net --send-key 66H049E4

6. Revoking / Cancelling Keys

You can generate a Revocation Certificate in advance and back it up some place safe, in case you lose your Private Key or someone else gets hold of it (if you are forgetful, lose keys and passwords, the dog eats your password, etc.).

When you want to "cancel" (revoke) your certificate, publish/upload the revocation certificate to the key servers; they will synchronize and tell everyone your key is no longer valid.
cmd:/>gpg --gen-revoke -a 66H049E4 > 20141022.PGP.66H049E4.rev.asc

7. Backing up Keys and Revocation Certificates

It isn't necessary to encrypt your Public Key before backing it up, but be absolutely certain to encrypt your Private Key and Revocation Certificate before backing them up.

Since these are small files, you can email them to yourself or put them on cloud storage (encrypt them first!).

Be certain to encrypt the Private Key and Revocation Certificate. Otherwise, they will be "importable" by PGP tools like Kleopatra, etc., and possibly subject to brute-force attacks and compromise.

After you create encrypted files for your private key and revocation certificate, don't delete the unencrypted files "normally." Use "shred" utilities to delete those files securely.
  1. Export the Key, or Generate the Revocation Certificate.
  2. Alternatively, you could "pipe/redirect" the output straight into the GPG encryption pipeline.
  3. Shred the original exported Private Key and Revocation Certificate files.
cmd:/>gpg --export-secret-keys -a 66H049E4 > 20141022.PGP.66H049E4.prv.asc
cmd:/>gpg --symmetric --cipher-algo=AES256 -a -o 20141022.PGP.66H049E4.prv.gpg 20141022.PGP.66H049E4.prv.asc
cmd:/>gpg --symmetric --cipher-algo=AES256 -a -o 20141022.PGP.66H049E4.rev.gpg 20141022.PGP.66H049E4.rev.asc
// shred alone only overwrites the file's contents; -u also removes the file afterwards.
cmd:/>shred -u 20141022.PGP.66H049E4.prv.asc
cmd:/>shred -u 20141022.PGP.66H049E4.rev.asc
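Added example, not code from the original post: the radix-64 ASCII armor of RFC 4880 section 6 built by hand in Python, to show where the ~33% overhead of `-a` in section 2 comes from and, for the backup step above, to check that an armored file is an encrypted message rather than a bare private key block before it goes to email or cloud storage. Function names are my own; the CRC-24 constants are the RFC's.

```python
# Added example (not the post's code): hand-built OpenPGP radix-64 armor, RFC 4880 sec. 6.
import base64
import re
from typing import Tuple

CRC24_INIT = 0xB704CE   # RFC 4880 6.1 initial value
CRC24_POLY = 0x1864CFB  # RFC 4880 6.1 generator polynomial

def crc24(data: bytes) -> int:
    """CRC-24 over the binary payload; carried in the '=XXXX' trailer line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "PGP MESSAGE") -> str:
    """Wrap binary OpenPGP data in armor: header, 64-char base64 lines, CRC."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return (f"-----BEGIN {block_type}-----\n\n{lines}\n"
            f"={check}\n-----END {block_type}-----\n")

def dearmor(text: str) -> Tuple[str, bytes]:
    """Return (block type, payload); ValueError if malformed or the CRC-24 fails."""
    m = re.search(r"-----BEGIN ([^-\n]+)-----\n(?:[^\n]+: [^\n]*\n)*\n"
                  r"(.*?)\n=([A-Za-z0-9+/]{4})\n-----END \1-----", text, re.S)
    if not m:
        raise ValueError("not a well-formed armored block")
    block_type, body, check = m.groups()   # optional 'Key: value' headers skipped
    data = base64.b64decode(body.replace("\n", ""))
    if int.from_bytes(base64.b64decode(check), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: armored data is corrupt or truncated")
    return block_type, data

def armor_is_intact(text: str) -> bool:
    """True if the block parses and its checksum matches (a damaged paste fails)."""
    try:
        return dearmor(text) is not None
    except ValueError:
        return False

def safe_to_back_up(text: str) -> bool:
    """Section 7 check: only an encrypted PGP MESSAGE belongs in a backup; a bare
    PRIVATE KEY BLOCK is importable by anyone who obtains the copy."""
    return dearmor(text)[0] == "PGP MESSAGE"
```

Feed it the text of a `.asc` file, e.g. `safe_to_back_up(open(path).read())`, before copying that file anywhere.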

8. Recovering / Decrypting Keys and Revocation Certificates

To recover your keys from backup, decrypt them using GPG (or Kleopatra, etc.).
cmd:/>gpg -d -o 20141022.PGP.66H049E4.prv.asc 20141022.PGP.66H049E4.prv.gpg
cmd:/>gpg -d -o 20141022.PGP.66H049E4.rev.asc 20141022.PGP.66H049E4.rev.gpg
