Using GPG: GNU Privacy Guard.
Creation of public and private keys
To create the GPG keys we can use **gpg --generate-key** or **gpg --full-generate-key**. The first command creates the keys without asking for anything beyond the required options. If we want more control over options such as key size or validity period, we use **gpg --full-generate-key**.
The size of the key is related to its security but also to performance, since a larger key means operating on larger numbers.
root@kali:~# gpg --full-generate-key
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: creado el directorio '/root/.gnupg'
gpg: caja de claves '/root/.gnupg/pubring.kbx' creada
Por favor seleccione tipo de clave deseado:
(1) RSA y RSA (por defecto)
(2) DSA y ElGamal
(3) DSA (sólo firmar)
(4) RSA (sólo firmar)
Su elección: 1
las claves RSA pueden tener entre 1024 y 4096 bits de longitud.
¿De qué tamaño quiere la clave? (3072) 4096
El tamaño requerido es de 4096 bits
Por favor, especifique el período de validez de la clave.
0 = la clave nunca caduca
<n> = la clave caduca en n días
<n>w = la clave caduca en n semanas
<n>m = la clave caduca en n meses
<n>y = la clave caduca en n años
¿Validez de la clave (0)? 0
La clave nunca caduca
¿Es correcto? (s/n) s
GnuPG debe construir un ID de usuario para identificar su clave.
Nombre y apellidos: Viel Losero
Dirección de correo electrónico: viel.losero@gmail.com
Comentario:
Ha seleccionado este ID de usuario:
"Viel Losero <viel.losero@gmail.com>"
¿Cambia (N)ombre, (C)omentario, (D)irección o (V)ale/(S)alir? V
Es necesario generar muchos bytes aleatorios. Es una buena idea realizar
alguna otra tarea (trabajar en otra ventana/consola, mover el ratón, usar
la red y los discos) durante la generación de números primos. Esto da al
generador de números aleatorios mayor oportunidad de recoger suficiente
entropía.
Es necesario generar muchos bytes aleatorios. Es una buena idea realizar
alguna otra tarea (trabajar en otra ventana/consola, mover el ratón, usar
la red y los discos) durante la generación de números primos. Esto da al
generador de números aleatorios mayor oportunidad de recoger suficiente
entropía.
gpg: /root/.gnupg/trustdb.gpg: se ha creado base de datos de confianza
gpg: clave F87816F5B769CD83 marcada como de confianza absoluta
gpg: creado el directorio '/root/.gnupg/openpgp-revocs.d'
sgpg: certificado de revocación guardado como '/root/.gnupg/openpgp-revocs.d/141839E8065C95F48E8DC329F87816F5B769CD83.rev'
claves pública y secreta creadas y firmadas.
pub rsa4096 2019-10-17 [SC]
141839E8065C95F48E8DC329F87816F5B769CD83
uid Viel Losero <viel.losero@gmail.com>
sub rsa4096 2019-10-17 [E]
root@kali:~#
Key Management
Listing the keys gives us the UID **Viel Losero <viel.losero@gmail.com>** and the fingerprint of the key (that long number), **141839E8065C95F48E8DC329F87816F5B769CD83**.
To use a GPG key in signing, encryption or verification commands we need the UID or the fingerprint of that key.
List of Public keys
We can see that we only have our own public key; later we will see how to import public keys from other people in order to send them messages.
root@kali:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2019-10-17 [SC]
141839E8065C95F48E8DC329F87816F5B769CD83
uid [ absoluta ] Viel Losero <viel.losero@gmail.com>
sub rsa4096 2019-10-17 [E]
List of Private keys
The ID and fingerprint of the private key are the same as those of the public key, obviously. This list is simply a way to present the key information to the user. The actual keys and configuration files are in the hidden .gnupg directory, as explained in [gnupg file configuration](https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html#GPG-Configuration).
root@kali:~# gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2019-10-17 [SC]
141839E8065C95F48E8DC329F87816F5B769CD83
uid [ absoluta ] Viel Losero <viel.losero@gmail.com>
ssb rsa4096 2019-10-17 [E]
Creating an armored public key file
If we want to send our public key to another person we can export the key and add the **--armor** option to get it in a human-readable form: this simply encodes the binary public key file as base64 so that it displays properly on screen. If we tried to view a binary file on screen without a hexadecimal editor we would only see strange characters.
root@kali:~# gpg --armor --output viel.losero@gmail.com-public-key.gpg --export viel.losero@gmail.com
root@kali:~# cat viel.losero@gmail.com-public-key.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
--- skipped ---
-----END PGP PUBLIC KEY BLOCK-----
root@kali:~#
We can do a test with the following commands to obtain the public key in binary and then pass it to base64.
- gpg --output file.gpg --export ID
- cat file.gpg
- cat file.gpg | base64
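The armor layer described above, as an added example that is not part of the original page: an armored file is the base64 of the binary export plus BEGIN/END framing, optional header lines and a final `=` line holding a CRC-24 of the binary data. The function names and the sample block are constructed for illustration; the sample wraps the nine bytes `123456789`, not a real OpenPGP packet.

```shell
#!/bin/sh
# CRC-24 as defined for OpenPGP armor (RFC 4880, section 6.1) over stdin,
# printed as six lowercase hex digits.
crc24_hex() {
    crc=$((0xB704CE))
    for byte in $(od -An -v -tu1); do
        crc=$(( $crc ^ ($byte << 16) ))
        i=0
        while [ "$i" -lt 8 ]; do
            crc=$(( $crc << 1 ))
            if [ $(( $crc & 0x1000000 )) -ne 0 ]; then crc=$(( $crc ^ 0x1864CFB )); fi
            i=$(( $i + 1 ))
        done
    done
    printf '%06x\n' $(( $crc & 0xFFFFFF ))
}

# Base64 payload of FILE: the lines after the blank line that ends the armor
# headers, up to (not including) the "=XXXX" checksum line.
armor_body() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN PGP / { inblk = 1; hdr = 1; next }
        /^-----END PGP /   { inblk = 0 }
        inblk && hdr       { if ($0 ~ /^[ \t]*$/) hdr = 0; next }
        inblk && !/^=/     { print }'
}

# The checksum line of FILE without its leading "=".
armor_crc() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN PGP / { inblk = 1; next }
        /^-----END PGP /   { inblk = 0 }
        inblk && /^=/      { print substr($0, 2) }'
}

# armor_check FILE: recompute the CRC-24 of the decoded payload and compare
# it with the checksum line. Prints ok or crc-mismatch; returns 0 only for ok.
armor_check() {
    want=$(armor_crc "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    got=$(armor_body "$1" | base64 -d | crc24_hex)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo ok
    else
        echo crc-mismatch
        return 1
    fi
}

# Constructed sample: a well-formed armor container around "123456789".
sample_armor() {
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' 'Comment: constructed sample' '' \
        'MTIzNDU2Nzg5' '=Ic8C' '-----END PGP MESSAGE-----'
}

# Stand-alone run on the sample. With a real key the equivalent would be:
#   gpg --armor --output key.asc --export ID && armor_check key.asc
tmp=$(mktemp) && sample_armor > "$tmp" && armor_check "$tmp"
rm -f "$tmp"
```

gpg performs this check itself when it reads armored input; the script only makes the contents of the armor layer visible.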
Upload our public key
We can send an armored public key to a third party over a secure channel, or send the key to public PGP servers. The receiver has to be sure that the key he receives really belongs to the right person.
Once the key is published on the public PGP servers, we can publish its fingerprint, as the nice people from the [purism team](https://puri.sm/about/team/) do.
root@kali:~# gpg --send-keys 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: enviando clave F87816F5B769CD83 a hkps://keys.openpgp.org
root@kali:~#
We can use other public servers such as:
[mit public pgp-key server](https://pgp.mit.edu/)
root@kali:~# gpg --send-keys --keyserver https://pgp.key-server.io/ 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: enviando clave F87816F5B769CD83 a https://pgp.key-server.io/
root@kali:~#
Searching our public key
Other people who get the fingerprint of our key can find it now. But we need to add a UID to the key data so that third parties can import it.
root@kali:~# gpg --search 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: data source: https://keys.openpgp.org:443
(1) 4096 bit RSA key F87816F5B769CD83
Keys 1-1 of 1 for "141839E8065C95F48E8DC329F87816F5B769CD83". Introduzca número(s), O)tro, o F)in > f
root@kali:~#
Add the email UID to our key
Associating our key with our email is done by the key server, which sends an email to the account listed in the key.
Key search without UID
If we search our key, without the email being verified, we will only see the fingerprint of the key. If a key has no associated UID, it cannot be imported by other users.
root@kali:~# gpg --search 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: data source: https://keys.openpgp.org:443
(1) 4096 bit RSA key F87816F5B769CD83
Keys 1-1 of 1 for "141839E8065C95F48E8DC329F87816F5B769CD83". Introduzca número(s), O)tro, o F)in > f
Email verification
Received mail from openpgp.org
Your key upload on keys.openpgp.org
keyserver@keys.openpgp.org
Hi,
this is an automated message from keys.openpgp.org. If you didn't upload your key there, please ignore this message.
OpenPGP key: 141839E8065C95F48E8DC329F87816F5B769CD83
This key was just uploaded for the first time, and is now published without identity information. If you want to allow others to find this key by e-mail address, please follow this link:
--- skipped ---
Key search with UID
Once the key server has verified the email, it will be associated with the key and we can also search for the key by the associated email. In electronic signature environments, apart from the fact that the keys are created by a certificate authority, the user is identified in person from their ID document to certify that the keys are given to the right person.
root@kali:~# gpg --search 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: data source: https://keys.openpgp.org:443
(1) Viel Losero <viel.losero@gmail.com>
4096 bit RSA key F87816F5B769CD83, creado: 2019-10-17
Keys 1-1 of 1 for "141839E8065C95F48E8DC329F87816F5B769CD83". Introduzca número(s), O)tro, o F)in >
root@kali:~#
root@kali:~# gpg --search viel.losero@gmail.com
gpg: data source: https://keys.openpgp.org:443
(1) Viel Losero <viel.losero@gmail.com>
4096 bit RSA key F87816F5B769CD83, creado: 2019-10-17
Keys 1-1 of 1 for "viel.losero@gmail.com". Introduzca número(s), O)tro, o F)in >
Working with files
Once the keys are done, we can encrypt our own files to save them securely, decrypt files sent to us by third parties or sign files, as we will see below.
File encryption
Encrypting files with asymmetric encryption is not the main function of GPG. The best way to save encrypted files is with symmetric encryption, which is faster. If we use asymmetric encryption to encrypt a message for ourselves, our public key is used as if we were a third party. Then only our private key can decrypt and read it.
root@kali:~# echo "mensaje de prueba" > test.txt
root@kali:~# gpg --encrypt --sign --armor -r viel.losero@gmail.com test.txt
-- prompted for passphrase
root@kali:~# cat test.txt.asc
-----BEGIN PGP MESSAGE-----
hQIMAymOXBWhtoQCAQ/+NY9q6IU0NTaLAboT3l3q9CCrKgdLw8ayWiPY9MFNSTa3
4LTV3sYK1tHlmV8R4yBxPze72nSR0veBPbb5f+CKUbZAAyjbnDZnr9PpMrCsPgPm
--- skipped for security reasons ---
eM0sta/1VdsCO5yHm694EIgihp0Alpo/MVj0JxhxH0PSxnZs5i6kau1e9b/ViGDO
y5CY55rdnFCmQb+xJbjdjoqxlC/gySk1I5n2EB6rBe+pY5WBXk1E+tNxZtFHfwMV
R9p5g9t19Vi7D0bT1M6Oj9a8gDs4g8t00R1kHpk1VEYDYZyJHnJkx9p74Qde
=AIh5
-----END PGP MESSAGE-----
root@kali:~#
File decryption
File decryption is one of the main functions of asymmetric encryption. Third parties with our public key will be able to encrypt messages for us. These messages can only be decrypted and read with our private key.
root@kali:~# gpg --output test.txt.dec --decrypt test.txt.asc
gpg: cifrado con clave de 4096 bits RSA, ID 298E5C15A1B68402, creada el 2019-10-17
"Viel Losero <viel.losero@gmail.com>"
gpg: Firmado el jue 17 oct 2019 17:50:32 CEST
gpg: usando RSA clave 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: Firma correcta de "Viel Losero <viel.losero@gmail.com>" [absoluta]
root@kali:~# ls -la test.txt*
-rw-r--r-- 1 root root 18 oct 17 17:49 test.txt
-rw-r--r-- 1 root root 1686 oct 17 17:50 test.txt.asc
-rw-r--r-- 1 root root 18 oct 17 17:51 test.txt.dec
root@kali:~#
root@kali:~# cat test.txt.dec
mensaje de prueba
root@kali:~#
File signing
File signing is also one of the main functions of asymmetric encryption. In electronic signature environments, when the keys are created by a certified authority and a user signs a document, the signature provides authentication, integrity and non-repudiation.
In our case, as we will see later, when we associate the email with the public key, our key can only prove that the person who signs or decrypts the files is the owner of the associated email account.
root@kali:~# gpg --clear-sign -o test.txt.clear test.txt
root@kali:~# ls -la test.txt*
-rw-r--r-- 1 root root 18 oct 17 18:09 test.txt
-rw-r--r-- 1 root root 900 oct 17 18:10 test.txt.asc
-rw-r--r-- 1 root root 900 oct 17 18:13 test.txt.clear
-rw-r--r-- 1 root root 18 oct 17 17:51 test.txt.dec
root@kali:~#
Signature verification
Verifying a signed message is relatively simple. The message comes in clear text and with a simple **cat** we can see it.
root@kali:~# gpg --verify test.txt.clear
gpg: Firmado el jue 17 oct 2019 18:13:08 CEST
gpg: usando RSA clave 141839E8065C95F48E8DC329F87816F5B769CD83
gpg: Firma correcta de "Viel Losero <viel.losero@gmail.com>" [absoluta]
root@kali:~#
root@kali:~# cat test.txt.clear
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
mensaje de prueba
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEFBg56AZclfSOjcMp+HgW9bdpzYMFAl2q6rEACgkQ+HgW9bdp
zYPnShAAlh9MX5EZHyXZ3oxLntIthfmJ7dTMnYzNxnaMT5FTvUKjyq0joXuoKnYx
--- skipped for security reasons ---
jbcm0Iz4Vb1WicAo2ARTYKfRXroSZQlqQVZONzbYBEtypEJ6qKmk82/FUifuhTXK
mUfdrdAoRTBL6QDYHPfR3bjXYHcgwyEPxrruIsNhpHk8Uiqeoaw=
=mhz2
-----END PGP SIGNATURE-----
Third parties
Sending encrypted emails to third parties securely is relatively easy with GPG. In this section we will use the purism CEO’s public key only to perform a test but we will not send the file by email.
Importing third-party’s public keys
If a key does not have an associated UID we cannot import it correctly. Luckily, we can check other servers to see if the key has an associated email UID.
root@kali:~# gpg --search B8CAACEAD94930F123C4642C23CF2E3D254514F7
gpg: data source: https://keys.openpgp.org:443
(1) 4096 bit RSA key 23CF2E3D254514F7
Keys 1-1 of 1 for "B8CAACEAD94930F123C4642C23CF2E3D254514F7". Introduzca número(s), O)tro, o F)in > f
root@kali:~#
root@kali:~# gpg --recv-keys B8CAACEAD94930F123C4642C23CF2E3D254514F7
gpg: key 23CF2E3D254514F7: new key but contains no user ID - skipped
gpg: Cantidad total procesada: 1
gpg: sin identificador: 1
root@kali:~#
root@kali:~# gpg --search --keyserver hkps://keyserver.ubuntu.com B8CAACEAD94930F123C4642C23CF2E3D254514F7
gpg: data source: https://162.213.33.8:443
(1) Todd Weaver <todd@puri.sm>
Todd Weaver <ceo@puri.sm>
4096 bit RSA key 23CF2E3D254514F7, creado: 2014-12-05
Keys 1-1 of 1 for "B8CAACEAD94930F123C4642C23CF2E3D254514F7". Introduzca número(s), O)tro, o F)in > f
root@kali:~#
root@kali:~# gpg --recv-keys --keyserver hkps://keyserver.ubuntu.com B8CAACEAD94930F123C4642C23CF2E3D254514F7
gpg: clave 23CF2E3D254514F7: clave pública "Todd Weaver <todd@puri.sm>" importada
gpg: Cantidad total procesada: 1
gpg: importadas: 1
root@kali:~#
Sending encrypted message
Once we have the public key of the person with whom we want to communicate safely, we can encrypt a message for that person, which can only be read with his private key.
The warning message appears because we have not yet signed the recipient’s public key.
root@kali:~# gpg -r B8CAACEAD94930F123C4642C23CF2E3D254514F7 --encrypt test.txt
gpg: 7F609032678C8047: No hay seguridad de que esta clave pertenezca realmente
al usuario que se nombra
sub rsa4096/7F609032678C8047 2014-12-05 Todd Weaver <todd@puri.sm>
Huella clave primaria: B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7
Huella de subclave: 4D32 522D BE68 B6B5 31B9 26A2 7F60 9032 678C 8047
No es seguro que la clave pertenezca a la persona que se nombra en el
identificador de usuario. Si *realmente* sabe lo que está haciendo,
puede contestar sí a la siguiente pregunta.
¿Usar esta clave de todas formas? (s/N) s
Testing decryption
No comments here xd.
root@kali:~# gpg test.txt.gpg
gpg: ADVERTENCIA: no se ha proporcionado ninguna orden. Intentando adivinar lo que quieres...
gpg: cifrado con clave de 4096 bits RSA, ID 7F609032678C8047, creada el 2014-12-05
"Todd Weaver <todd@puri.sm>"
gpg: descifrado fallido: No secret key
root@kali:~#
Signing third party keys
When we trust that a public key really belongs to the indicated person, we can sign that key to mark it as trusted. Before signing, the public key shows up as unknown in the list of public keys.
Key List
root@kali:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2019-10-17 [SC]
141839E8065C95F48E8DC329F87816F5B769CD83
uid [ absoluta ] Viel Losero <viel.losero@gmail.com>
sub rsa4096 2019-10-17 [E]
pub rsa4096 2014-12-05 [SC]
B8CAACEAD94930F123C4642C23CF2E3D254514F7
uid [desconocida] Todd Weaver <todd@puri.sm>
uid [desconocida] Todd Weaver <ceo@puri.sm>
uid [desconocida] [jpeg image of size 3931]
sub rsa4096 2014-12-05 [E]
Signing public key
We have to be sure that the fingerprint of the key is correct and belongs to the right person. Once we are sure, we can sign the public key so that it is trusted and gpg no longer warns us about it.
root@kali:~# gpg --sign-key B8CAACEAD94930F123C4642C23CF2E3D254514F7
pub rsa4096/23CF2E3D254514F7
creado: 2014-12-05 caduca: nunca uso: SC
confianza: desconocido validez: desconocido
sub rsa4096/7F609032678C8047
creado: 2014-12-05 caduca: nunca uso: E
[desconocida] (1). Todd Weaver <todd@puri.sm>
[desconocida] (2) Todd Weaver <ceo@puri.sm>
[desconocida] (3) [jpeg image of size 3931]
¿Firmar realmente todos los IDs de usuario? (s/N) s
pub rsa4096/23CF2E3D254514F7
creado: 2014-12-05 caduca: nunca uso: SC
confianza: desconocido validez: desconocido
Huella clave primaria: B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7
Todd Weaver <todd@puri.sm>
Todd Weaver <ceo@puri.sm>
[jpeg image of size 3931]
¿Está realmente seguro de querer firmar esta clave
con su clave: "Viel Losero <viel.losero@gmail.com>" (F87816F5B769CD83)?
¿Firmar de verdad? (s/N) s
Trust in third-party’s public keys
We can see that once another person's public key is signed and added to our keyring, it is listed with total confidence.
root@kali:~# gpg --list-keys
gpg: comprobando base de datos de confianza
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: nivel: 0 validez: 1 firmada: 1 confianza: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nivel: 1 validez: 1 firmada: 0 confianza: 1-, 0q, 0n, 0m, 0f, 0u
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2019-10-17 [SC]
141839E8065C95F48E8DC329F87816F5B769CD83
uid [ absoluta ] Viel Losero <viel.losero@gmail.com>
sub rsa4096 2019-10-17 [E]
pub rsa4096 2014-12-05 [SC]
B8CAACEAD94930F123C4642C23CF2E3D254514F7
uid [ total ] Todd Weaver <todd@puri.sm>
uid [ total ] Todd Weaver <ceo@puri.sm>
uid [ total ] [jpeg image of size 3931]
sub rsa4096 2014-12-05 [E]
root@kali:~#
Message signing and encryption using the mail UID
To work more comfortably with keys and not have to copy and paste fingerprints, we can encrypt messages using the UID of the key.
We can also sign our message and encrypt it before sending it to the destination. The person who receives it will be able to verify the signature.
IMPORTANT! Before sending or receiving a message, we have to verify that the third party’s key is not revoked.
root@kali:~# gpg -r ceo@puri.sm -u viel.losero@gmail.com --sign --encrypt test.txt
El fichero 'test.txt.gpg' ya existe. ¿Sobreescribir? (s/N) s
root@kali:~# ls -la test.txt*
-rw-r--r-- 1 root root 18 oct 17 18:09 test.txt
-rw-r--r-- 1 root root 900 oct 17 18:10 test.txt.asc
-rw-r--r-- 1 root root 900 oct 19 12:51 test.txt.clear
-rw-r--r-- 1 root root 18 oct 17 17:51 test.txt.dec
-rw-r--r-- 1 root root 566 oct 17 18:16 test.txt.dtc
-rw-r--r-- 1 root root 614 oct 19 19:05 test.txt.gpg
root@kali:~#
Management GPG Keys
One of the most important parts of gpg is the management of our private keys, revocation certificates and updating the key ring.
Update and verification third party’s keys
Before sending a message or verifying a third party's signature, it is good to regularly update our keyring so that we can check for revoked certificates. We can do the update manually or schedule it with cron.
root@kali:~# gpg --refresh-keys
gpg: renovando 2 claves desde hkps://keys.openpgp.org
gpg: clave 23CF2E3D254514F7: "Todd Weaver <todd@puri.sm>" sin cambios
gpg: clave F87816F5B769CD83: "Viel Losero <viel.losero@gmail.com>" sin cambios
gpg: Cantidad total procesada: 2
gpg: sin cambios: 2
root@kali:~#
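One way to script the two checks this page asks for, the fingerprint comparison before signing a third party's key and the revocation check before using it, on the machine-readable listing from `gpg --with-colons` (added example, not from the original page). `vet_key` and `sample_listing` are hypothetical helper names; the sample listing is constructed, with only the fingerprints, key IDs and UID taken from the page.

```shell
#!/bin/sh
# vet_key EXPECTED_FPR [NOW]: read one key's `gpg --with-colons` listing on stdin.
# Prints ok / mismatch / revoked / expired / no-key; returns 0 only for ok.
# Assumes the GnuPG 2.x colon format: field 2 = validity, field 7 = expiry in
# epoch seconds (empty = never), field 10 of an fpr record = fingerprint.
vet_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    now=${2:-$(date +%s)}
    awk -F: -v want="$expected" -v now="$now" '
        $1 == "pub" && !seen_pub { validity = $2; expires = $7; seen_pub = 1; next }
        # The first fpr record after pub belongs to the primary key;
        # later fpr records are subkey fingerprints and are ignored.
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (!seen_pub)       { print "no-key";   exit 2 }
            if (fpr != want)     { print "mismatch"; exit 1 }
            if (validity == "r") { print "revoked";  exit 1 }
            if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) {
                print "expired"; exit 1
            }
            print "ok"
        }'
}

# Constructed sample listing. Fingerprints and key IDs are the ones shown on
# this page; timestamps and the remaining fields are made up.
# $1 = validity flag of the key, $2 = expiry (epoch seconds, or empty)
sample_listing() {
    printf 'pub:%s:4096:1:23CF2E3D254514F7:1417737600:%s::-:::scESC:\n' "$1" "$2"
    printf 'fpr:::::::::B8CAACEAD94930F123C4642C23CF2E3D254514F7:\n'
    printf 'uid:%s::::1417737600::::Todd Weaver <todd@puri.sm>:\n' "$1"
    printf 'sub:%s:4096:1:7F609032678C8047:1417737600::::::e:\n' "$1"
    printf 'fpr:::::::::4D32522DBE68B6B531B926A27F609032678C8047:\n'
}

# Stand-alone run on the sample, with the fingerprint typed in the spaced form
# a key owner would publish. Against a real keyring the equivalent would be:
#   gpg --with-colons --fingerprint KEYID | vet_key "FINGERPRINT FROM THE OWNER"
sample_listing - '' | vet_key 'B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7'
```

A revocation only shows up in the listing after the keyring has been refreshed, so run `gpg --refresh-keys` before the check.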
Create the revocation file
Good practice suggests storing the revocation certificate of the public key and a backup copy of the private key on a write-protected USB or external device, in a safe place. If the certificate is compromised or we lose it, we can revoke from the backup.
root@kali:~# gpg --output viel.losero@gmail.com-revocation.crt --gen-revoke viel.losero@gmail.com
sec rsa4096/F87816F5B769CD83 2019-10-17 Viel Losero <viel.losero@gmail.com>
¿Crear un certificado de revocación para esta clave? (s/N) s
Por favor elija una razón para la revocación:
0 = No se dio ninguna razón
1 = La clave ha sido comprometida
2 = La clave ha sido reemplazada
3 = La clave ya no está en uso
Q = Cancelar
(Probablemente quería seleccionar 1 aquí)
¿Su decisión? 0
Introduzca una descripción opcional; acábela con una línea vacía:
> Initial Rebocation Backup
>
Razón para la revocación: No se dio ninguna razón
Initial Rebocation Backup
¿Es correcto? (s/N) s
se fuerza salida con armadura ASCII.
Certificado de revocación creado.
Por favor consérvelo en un medio que pueda esconder; si alguien consigue
acceso a este certificado puede usarlo para inutilizar su clave.
Es inteligente imprimir este certificado y guardarlo en otro lugar, por
si acaso su medio resulta imposible de leer. Pero precaución: ¡el sistema
de impresión de su máquina podría almacenar los datos y hacerlos accesibles
a otras personas!
root@kali:~#
Encrypt the certificate revocation file
We will use gpg itself with symmetric encryption to encrypt the revocation certificate.
root@kali:~/data/.gnupg# gpg -c viel.losero@gmail.com-revocation.crt
root@kali:~/data/.gnupg# ls -la
total 28
drwx------ 4 root root 249 oct 19 19:49 .
drwxr-xr-x 29 root root 4096 oct 17 16:21 ..
drwx------ 2 root root 58 oct 17 16:21 openpgp-revocs.d
drwx------ 2 root root 110 oct 17 16:21 private-keys-v1.d
-rw-r--r-- 1 root root 2477 oct 17 16:21 pubring.kbx
-rw------- 1 root root 32 oct 17 16:21 pubring.kbx~
-rw------- 1 root root 1280 oct 17 16:21 trustdb.gpg
-rw-r--r-- 1 root root 3134 oct 17 16:27 viel.losero@gmail.com-public-key.gpg
-rw------- 1 root root 926 oct 19 19:39 viel.losero@gmail.com-revocation.crt
-rw-r--r-- 1 root root 829 oct 19 19:49 viel.losero@gmail.com-revocation.crt.gpg
Now we can delete the certificate revocation file with [wipe](https://linux.die.net/man/1/wipe).
root@kali:~/data/.gnupg# wipe viel.losero@gmail.com-revocation.crt
Okay to WIPE 1 regular file ? (Yes/No) yes
Wiping viel.losero@gmail.com-revocation, pass 34 (34)
Operation finished.
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occurred.
root@kali:~/data/.gnupg#
And change the new encrypted certificate revocation file permissions to read only.
root@kali:~/data/.gnupg# chmod 400 viel.losero@gmail.com-revocation.crt.gpg
root@kali:~/data/.gnupg# ls -la
total 24
drwx------ 4 root root 205 oct 19 19:51 .
drwxr-xr-x 29 root root 4096 oct 17 16:21 ..
drwx------ 2 root root 58 oct 17 16:21 openpgp-revocs.d
drwx------ 2 root root 110 oct 17 16:21 private-keys-v1.d
-rw-r--r-- 1 root root 2477 oct 17 16:21 pubring.kbx
-rw------- 1 root root 32 oct 17 16:21 pubring.kbx~
-rw------- 1 root root 1280 oct 17 16:21 trustdb.gpg
-rw-r--r-- 1 root root 3134 oct 17 16:27 viel.losero@gmail.com-public-key.gpg
-r-------- 1 root root 829 oct 19 19:49 viel.losero@gmail.com-revocation.crt.gpg
root@kali:~/data/.gnupg#
Now it only remains to copy the files on an external device.
License: CC-BY-SA