The encrypted file can be decrypted back as example.doc with this command plus the passphrase, when prompted:
$ gpg --output example.doc --decrypt example.doc.gpg
The recipient will
Using Gnu Privacy Guard
Keeping Data Secret, for a Novice GnuPG User
In the lounge, Sam explains that if you're in a hurry to encrypt a file using GnuPG, a straightforward approach is to use single-key encryption with a strong passphrase. He emphasizes that it's simple to do, requiring no additional setup beyond having GnuPG installed.
Gpg4win is a secure solution for file and email encryption, available for Windows. You can download it from the official site at www.gnupg.org/download, with GnuPG for Windows at http://gpg4win.org/ and GPGTools for OS X at https://www.gpgtools.org/. To get started, it's recommended to explore tutorials or the Gpg4win Compendium for a comprehensive understanding of its features and functionalities.
Bob checks the time and the departure board, while Sam explains that symmetric encryption with GnuPG is straightforward, as it doesn't require generating a public key pair or obtaining others' keys; he simply inputs an encryption command and a strong passphrase for his file.
The Simplest Example: GnuPG Symmetric Encrypting Text
Sam likens GnuPG commands to sentences, starting with "gpg" and following specific grammar rules, such as placing options before files and commands. He emphasizes the importance of adhering to these rules while noting that it is generally straightforward. To illustrate, he demonstrates how to encrypt a file named example.txt.
$ gpg -c exampel.txt
gpg: can't open `exampel.txt': No such file or directory
gpg: symmetric encryption of `exampel.txt' failed: No such file or directory
“Oh crud, what the ...” Sam, reading the GnuPG error messages onscreen after he hit <Enter>, realizes he misspelled the filename.
When a filename is missing from the current directory, it can lead to an error, which is a common occurrence and generally not a major issue. If you encounter an unclear error message, searching for it online can often provide helpful insights. Sam then reenters the command and is asked to input a passphrase twice.
2 Files in these examples will always be read from or written to the current working directory in the terminal/console session (unless otherwise specified).
Depending on the operating system, users will encounter a unique prompt, typically displayed in a small GUI window designed for secure passphrase entry. Additionally, when GnuPG generates new files, it appends the .gpg extension to the filenames, as illustrated by the directory listing that includes a file named example.txt.gpg.
Sam continued: “Here’s my thinking when I enter that command. First, gpg = ‘run GnuPG.’ Then, -c, an abbreviation for the command --symmetric. For single-key encryption, symmetric encryption is utilized. The -e option, or --encrypt, is used for public key encryption, which I will explain later if you're interested.
“So that’s my command: ‘GnuPG, encrypt something!’.
In this context, 'something' refers to the file named example.txt located in the current directory. After pressing Enter, you will be prompted to create a secure passphrase, which should be difficult to crack. A strong passphrase typically exceeds 8 to 10 characters and appears random, incorporating a mix of upper and lower case letters, symbols, and numbers. While it may be challenging to remember, a complex passphrase significantly enhances security. Keep in mind that forgetting your passphrase will prevent you from decrypting your file.
Bob asks, “How do I decrypt this file? Do I need GnuPG to decrypt?”
Decrypting a File (Symmetric Key)
Sam explains that decrypting a file is straightforward, but requires GnuPG or compatible software. He demonstrates the process by typing the command and pressing Enter, entering the passphrase when prompted.
$ gpg example.txt.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
4 dir on Windows, ls on Mac OS X or Linux.
5 A directory is the text-only version of a folder; folder is the icon for the directory.
Any program that adheres to the OpenPGP standard for encryption is compatible. OpenPGP will be elaborated on later in the chapter. The default encryption method for GnuPG single-key encryption is the CAST5 algorithm, which utilizes a single passphrase. Additionally, the absence of a digital signature indicates that the file was not signed.
Sam explains that the messages confirm the successful encryption of the file. GnuPG has saved the decrypted file, named example.txt, to the disk, resulting in both files being present in his directory without the need for any explicit commands.
I’m decrypting (though I could have used the --decrypt option for clarity). Often you can just enter gpg <file_name> and GnuPG
To ensure proper handling of files with GnuPG, it is essential to use GnuPG-compatible files, particularly when dealing with encrypted files. Entering a valid passphrase is crucial for decryption. If a file is not compatible, an error will occur, as GnuPG requires explicit instructions for encryption, using the -c option for symmetric encryption or the -e option for public key encryption.
Bob spoke up: “Hang on, Sam, do I have to save it to a file? I’m not sure I want to save my secrets as plaintext on my hard drive.”
Sam emphasizes the importance of using the --decrypt or -d command in GnuPG, as it directs the output straight to the terminal. He demonstrates this by typing a few lines, illustrating that he is simply instructing the computer to execute GnuPG and decrypt a specified file.
The file named foo.bar contains simple text and is encrypted using the CAST5 algorithm with a single passphrase. It consists of three lines, with the third line being a continuation of the content. However, it is important to note that the message lacks integrity protection, as indicated by the warning from GPG.
To decrypt files using GnuPG, simply enter the command `gpg -d filename` and input the passphrase when prompted. The decrypted content will be displayed in the console, as shown in the highlighted 3-line text file.
GnuPG generates files that adhere to the OpenPGP format, allowing any programmer familiar with this format to potentially develop software that can identify and interact with GnuPG files. This capability raises concerns about the security of sensitive information stored on your disk.
When encrypting a plaintext file with GnuPG, a new file containing the ciphertext is created, leaving the original plaintext file intact. To ensure security and prevent unauthorized access, it is crucial to securely erase the plaintext file rather than simply deleting it, as failure to do so could lead to potential risks.
Bob expresses concern about saving a dangerous secret on his disk, fearing that even deleted files can be recovered. Sam acknowledges this possibility but mentions that there are methods to complicate recovery. Bob then inquires if there is a way to encrypt information without ever saving the plaintext to the disk.
As the flight attendant calls for passengers to board Sylvania Air Flight 789, Sam hands Bob his business card, inviting him to discuss encryption further. He mentions he will be in Sylvania for a couple of weeks on business and suggests meeting for another drink to answer all of Bob's questions.
Bob notices a business card belonging to Sam Mallory, which includes contact information and a series of seemingly random letters and numbers. Spotting Sam in line for his flight, Bob rushes to catch up, eager to get an answer to his lingering question before they part ways.
Encrypting Interactively
Bob greets Sam, noticing they are on the same flight, and inquires about Sam's seat. He also requests an explanation of interactive encryption.
Sam, ignoring Bob’s first question, replies, “Sure, interactive encrypting. It’s not hard, just a bit strange for people who are used to working in a GUI all the time.”
The article discusses the importance of secure deletion and references the EFF's "Secure Deletion" project for further information. It highlights that when a filename is provided, GnuPG can determine the appropriate action for OpenPGP-compliant files.
Sam explains that the final segment of the command for GnuPG, which specifies the item to encrypt, decrypt, or digitally sign, is typically optional. If this section is left empty, GnuPG will prompt the user to input the desired content interactively after pressing Enter, rather than executing any action immediately.
Bob thinks about it for a moment as the line inches forward and asks, “How does that work, though? What gets output? How do you enter something to encrypt?”
“Good questions,” says Sam. “This is where it gets a little more complicated, because you have to use an option, in this case the --armor or -a option. ‘Armor’ is short for ‘ASCII-armored’.”
“Huh? What does that mean?” Bob goggles as Sam inches forward in line.
ASCII Armor
Bob learns from Sam that a good ciphertext should appear completely random, resembling chaotic gibberish filled with unusual symbols when printed as text.
It looks like your computer’s barfing at the command line.” Sam opens his laptop to demonstrate. “Like this”:
Sam utilizes the UNIX/Linux/OS X command `cat` to read files sequentially and output them to the standard display, while in Windows, the `more filename.txt` command serves to list the contents of the specified file.
GnuPG can generate encrypted output in a format that is easily readable by humans, allowing for display in terminal windows or inclusion in email messages. This output consists of seemingly random letters and numbers that, while appearing as alphanumeric characters, do not convey any discernible meaning.
ASCII armor provides a method for generating human-readable output by encrypting data while ensuring that only standard alphanumeric characters are used. This approach becomes clearer when visualized, as demonstrated by Sam, who shares an example of an ASCII-armored file:
jA0EAwMCAhOLCBblqDyrye1J/xOQtWF4UDri7fzpeD9xY8TtPVsQDwliwPh4m1Aw
68MCsFNK9chXGncdiZq+fd7f9tIdLAXXb2nLJip3JUp05z/HjjGSvKQ5LnRdD3H7
OmWDxNwpq99dSsxKwB5AoC/zlkW4XFR644/e0yn06PUf1wZnYldx6UivxbEhtKeL
t5ZIvwCfuHma7C+Ye1Y2q3ZkfLGI0IEVfM40YpzmrI5LMCpLISN0E3OCJsyKfveR
[and so on, you get the idea]
As Sam boards the plane with his laptop in hand, he tells Bob, “Maybe I can show you more on the plane. See you later!” Meanwhile, the flight attendant informs Bob that the flight is overbooked and asks him to wait a moment.
Bob, accustomed to long lines and unreliable service in Sylvania, waits calmly at the airport. His patience pays off when a flight attendant offers him a first-class seat, which he gladly accepts. Without hesitation, she escorts him to the front of the plane, where he finds himself seated next to a new friend in the nearly empty first-class section.
Congratulations on your flight! Coach class can feel cramped, but get ready for an engaging experience as Sam opens his laptop to demonstrate interactive encryption and ASCII armoring.
“I’ve just started GnuPG with the option, -a, to generate output in ASCII armor, and a command, -c, to do symmetric encryption.
Notice I don’t have to give each option its own hyphen but I could, if
GnuPG provides an empty line for message input when no file is specified, allowing me to type my message freely. Upon completion, I must enter an 'end-of-file' sequence, after which GnuPG prompts me to enter a passphrase twice.
This is just a silly little message, that's going to be completely secret
-----BEGIN PGP MESSAGE-----
jA0EAwMCKl33JIYA9SOryVxTRYapN5zz0Ug5YnDjlVl5ncEiB2oxmFzCtXiulgm3
Xodix78mScGA0t+GWkugeMbPo5h+ROQ6TvmgIqnTWtS5HdoWH54tAb80LKmqmGdX
Sam explains that the plaintext refers to the text entered after the command, while the ciphertext is displayed below it. He points out the lines marked with hyphens, indicating the start and end of the ciphertext, which are part of the ASCII armor.
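Added example (not from the book or the GnuPG project): the Python sketch below decodes the first armor line of the two sample messages on this page and reads the OpenPGP packet headers, which is where gpg gets "CAST5 encrypted data" and the integrity warning before any passphrase is entered. It goes slightly beyond the page by also accepting a complete armored message with its checksum line; the function names are this example's own.

```python
import base64

# First armor line of each sample message shown on this page. The rest of each
# message is elided on the page, so only these leading 48 bytes are parsed.
SAMPLE_FILE = "jA0EAwMCAhOLCBblqDyrye1J/xOQtWF4UDri7fzpeD9xY8TtPVsQDwliwPh4m1Aw"
SAMPLE_TYPED = "jA0EAwMCKl33JIYA9SOryVxTRYapN5zz0Ug5YnDjlVl5ncEiB2oxmFzCtXiulgm3"

# Subsets of the RFC 4880 registries that matter for passphrase-only messages.
TAGS = {3: "Symmetric-Key Encrypted Session Key",
        9: "Symmetrically Encrypted Data",
        18: "Sym. Encrypted Integrity Protected Data"}
CIPHERS = {2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES", 8: "AES192",
           9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
          10: "SHA512", 11: "SHA224"}


def crc24(data):
    """Armor checksum from RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip the BEGIN/END lines and armor headers, verify the CRC if present."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("missing armor BEGIN/END line")
    body = lines[1:-1]
    if "" in body:  # headers such as "Version:" end at the first blank line
        body = body[body.index("") + 1:]
    checksum = None
    if body and len(body[-1]) == 5 and body[-1][0] == "=":
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    raw = base64.b64decode("".join(body))
    if checksum is not None and crc24(raw) != checksum:
        raise ValueError("armor CRC-24 mismatch (data altered or truncated)")
    return raw


def read_header(buf, pos):
    """Return (tag, body_length, body_start) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("byte %d is not an OpenPGP packet header" % pos)
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, buf[pos + 1]
        if l0 < 192:
            return tag, l0, pos + 2
        if l0 < 224:
            return tag, ((l0 - 192) << 8) + buf[pos + 2] + 192, pos + 3
        if l0 < 255:  # partial body: length of the first chunk only
            return tag, 1 << (l0 & 0x1F), pos + 2
        return tag, int.from_bytes(buf[pos + 2:pos + 6], "big"), pos + 6
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        return tag, None, pos + 1  # indeterminate length
    n = 1 << ltype
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def inspect(raw):
    """Report what a passphrase-encrypted message reveals without the passphrase."""
    tag, length, start = read_header(raw, 0)
    if tag != 3:
        raise ValueError("first packet has tag %d, expected 3 (passphrase key packet)" % tag)
    body = raw[start:start + length]
    s2k_type = body[2]
    report = {"cipher": CIPHERS.get(body[1], "unknown(%d)" % body[1]),
              "s2k_hash": HASHES.get(body[3], "unknown(%d)" % body[3]),
              "salt": body[4:12].hex() if s2k_type in (1, 3) else None,
              "s2k_octets": None}
    if s2k_type == 3:  # iterated and salted: decode the one-byte coded count
        coded = body[12]
        report["s2k_octets"] = (16 + (coded & 15)) << ((coded >> 4) + 6)
    data_tag = read_header(raw, start + length)[0]
    report["data_packet"] = TAGS.get(data_tag, "tag %d" % data_tag)
    # Tag 9 carries no modification detection code; that is what triggers
    # gpg's "message was not integrity protected" warning. Tag 18 does.
    report["integrity_protected"] = data_tag == 18
    return report


if __name__ == "__main__":
    for name, line in (("example file", SAMPLE_FILE), ("typed message", SAMPLE_TYPED)):
        print(name, inspect(base64.b64decode(line)))
```

For a whole .asc file, pass its text through dearmor() first and hand the result to inspect().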
Bob, staring at the lines, asks “What is this ‘PGP’? Is it part of GnuPG?”
PGP, or Pretty Good Privacy, is the first significant end-user encryption software developed by Philip Zimmermann in 1991. Its introduction was groundbreaking, as the U.S. government classified strong encryption as munitions, making it illegal at the time.
Zimmermann faced the risk of federal prison for exporting software, which simply involved downloading it online. His courageous actions have made him a hero to many, and although the situation was eventually resolved, it led to a significant shift in policy. As a result, strong encryption became widely accessible, with most people now able to obtain it.
10 Sometimes is the operative word; other times, you’ve got to keep options separate.
To exit GnuPG without executing any command, use the shortcut Ctrl+C. On Windows, press Enter, then Ctrl+Z, followed by Enter. For OS X/Linux, press Enter and then Ctrl+D.
12 Encryption software can be difficult to come by in some countries where Internet access and access to computers may be limited by the government.
for Zimmermann, we might not be sitting here talking about encryption.”
During the early days of the Internet, PGP captivated pioneers due to its unique accessibility as an encryption program. Its widespread adoption led to the establishment of an Internet standard known as 'OpenPGP.'
Anyone can develop programs that adhere to the OpenPGP standard, allowing for the exchange of encrypted and digitally signed data with any OpenPGP-compliant software. While it is not necessary to use GnuPG to decrypt data encrypted with GnuPG, users have the option to utilize commercial software, such as PGP Software from Zimmermann's former company, or choose an open-source alternative. However, many individuals prefer the open-source project Gnu Privacy Guard, commonly known as GnuPG.
Bob enjoys his drink while pondering why PGP isn't universally adopted. He questions the preference for open-source software like GnuPG over commercial options, expressing concerns about potential back doors and security vulnerabilities. Additionally, he inquires about the necessity of using the command line, wondering if a user-friendly Windows program is available, and seeks clarification on the concept of public key encryption.
“Bob, those are some great questions, but I’ve had a long day.
Command Summary and Review
Command: Description and Notes
gpg --symmetric [filename]: Encrypt using symmetric (secret key) encryption.
GnuPG offers various commands for file encryption and decryption. To encrypt a file, use the command `gpg -c [filename]`, while decryption can be performed with `gpg --decrypt [filename]`, which displays the plaintext in the terminal. For public key encryption, the command `gpg --encrypt [filename]` is utilized. Additionally, symmetric encryption can be achieved with `gpg --armor --symmetric [filename]`, producing an ASCII-armored output saved as filename.asc. The command `gpg -ac [filename]` is also available for symmetric encryption.
Review Questions
1 Why does Sam know so much about encryption?
3 Is there anything about Sam that might be suspicious?
Selected FAQs on Using GnuPG
Bob reads from Sam Mallory’s FAQ on using GnuPG:
GnuPG is a Free software program, allowing users to download, share, and modify both the software and its source code at no cost. This aligns with the principles of free software licenses, which promote freedom in software usage and distribution.
You are free to use, share, modify, and enhance the GnuPG program, including publishing your modifications, as long as you adhere to the original license agreement. This means that any new features you add must also be licensed under the same terms, allowing others to build upon your version of GnuPG and share their enhancements as well.
The original PGP was a freeware program, allowing free downloads without publishing its source code. In 1996, Philip Zimmermann established PGP Inc to offer a commercial version, and by 2010, Symantec was marketing a PGP product line alongside other vendors providing encryption software. Despite the availability of paid options, many users still prefer free programs for their encryption needs.
For effective encryption, open-source solutions are ideal, as they allow for unrestricted access to the source code for review and modification. GnuPG stands out as a secure option, not only because its code is accessible for scrutiny, but also due to the extensive reviews and bug fixes conducted by skilled programmers and security experts over the years since its initial release.
I use software that conforms to the OpenPGP standard because that way I’ll always have access to my data. With proprietary data I am restricted by the vendor that controls the formats of my data, meaning I can only access it as long as I continue to pay for their software.
Closed source programs raise concerns about vendors potentially including back doors that allow law enforcement easy access to encrypted data. While the goal of combating crime is commendable, these back doors can also be exploited by hackers, corrupt officials, or disgruntled employees, posing significant security risks. In contrast, free and open source software is preferable as it prevents any hidden modifications to the code, ensuring greater transparency and security.
Plus, free/open source software doesn’t cost anything!
2.2 WHY START WITH THE COMMAND LINE
I’m not saying graphical user interface (GUI) encryption software is bad, I’m just saying that it’s best to start out doing encryption at the command line for a number of reasons:
It’s the simplest way to get started. Just one thing to download and install (or nothing to install for Linux systems, where GnuPG is already installed).
It works the same, everywhere. If you can use GnuPG at the command line on a Mac, it works almost exactly the same on Linux or Windows.
The GnuPG interface remains stable and familiar, ensuring that users won't need to relearn it with new updates or operating system versions. As a widely recognized standard in command-line encryption, GnuPG is easy to use for anyone knowledgeable about encryption.
After grasping the fundamentals, relying solely on the command line can be counterproductive, particularly for regular encryption users. Utilizing an email reader plug-in for signing and authenticating digital signatures on messages, or a word processor plug-in for frequently encrypted compositions, can significantly enhance efficiency.
2.3 WHY USE THE COMMAND LINE
GUIs are the default for modern end-user operating systems, but I prefer using a command line interface (CLI).
The command line offers precision, eliminating any ambiguity regarding the actions taken, such as the specific icon clicked or the number of clicks. Additionally, it provides an audit trail to track issued commands, and users can effortlessly review the outcomes of each command by scrolling through the terminal session window.
While numerous GUI front-ends for GnuPG exist, relying on them to learn encryption can be just as perplexing as using the command line. Additionally, these front-ends introduce another potential vulnerability, as they represent another layer of software that may contain security flaws or be compromised by attackers.
Utilizing GnuPG via the command line allows users to engage directly with each cryptographic process, enhancing awareness and enabling the avoidance of potential security pitfalls more effectively.
If you struggle with the command line, it's acceptable to use an official GUI program packaged with GnuPG. However, adhering to the principle of simplicity, the command line may be the better choice when utmost caution is required.
2.4 GETTING TO THE COMMAND LINE
To access a command-line interface (CLI) on OS X and Linux systems, utilize the Terminal application, which is the default terminal program for Unix-like systems. Other terminal programs that provide access to a system shell are also acceptable alternatives.
The Command Prompt window lets Microsoft Windows users enter commands directly to the system. Command Prompt works similarly to Terminal on OS X/*nix systems.
You can navigate through previous commands using the up and down arrow keys, and access the entire command history with the "history" command (or doskey/history on Windows). However, this poses a security risk, as anyone who views your command history can see the files you have been encrypting and decrypting unless you manually clear your history. For more details, refer to Chapter 8.
Getting to the command line:
Windows: from the Start icon, choose “All Programs,” then
OS X: the Terminal application is found in the Applications/Utilities folder.
Linux: the Terminal application can be started by pressing the Ctrl-Alt-T key combination, or from the Applications menu.
Windows lacks many shell commands that enhance usability, making OS X or Unix-based systems preferable for cryptography. However, Windows users can achieve similar functionality and enhanced security by utilizing a live-boot version of Linux.
Is GnuPG Even Installed?
To determine if GnuPG is installed, open a terminal or command line window and enter the appropriate command, then press Enter to check the results.
The command prompt, represented by the dollar sign ($), indicates that the computer is ready to accept commands. While the appearance of the prompt may vary, on Windows it typically appears as C:\Users\Sam, whereas on OS X, Linux, and other UNIX-like systems, it usually includes the hostname, the current working directory, and the user ID, concluding with the $ symbol, such as in the example: sams-laptop:myDocs sam$.
This prompt tells me that I’m logged into a *nix/OS X system as “sam,” on “sams-laptop,” in the “myDocs” directory.
To execute a command, type the command and press the Enter key.
The output from the command gpg --version will look something like this:
gpg (GnuPG) 2.0.19 (Gpg4win 2.1.1-34299-beta)
libgcrypt 1.5.0
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/Sam/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
GnuPG provides information about its version, specifically GnuPG version 2.0.19 and Gpg4win version 2.1.1-34299-beta for Windows. In addition to the version number, it also reveals the GnuPG home directory and the supported cryptographic algorithms. The public key algorithms are listed under "Pubkey," while the single key algorithms are found under "Cipher," and secure hashing algorithms are categorized under "Hash."
GnuPG is available in two versions: version 1.4.12, known as the "portable standalone version," and version 2.0.19, referred to as the "enhanced" version. Both versions provide a similar user experience and are actively supported, making either version a suitable choice for users.
To see which is the most current version of GnuPG, check the GnuPG web site, http://www.gnupg.org/.
GnuPG Commands and Options
One enters GnuPG commands at the system command line (Linux or Mac OS X terminal or Windows command prompt). They can be
2 The directory C:\Users\Sam\AppData\Roaming\gnupg is the GnuPG home directory on a Windows system; it would be ~/.gnupg (a hidden directory in the user’s home directory) under
3 By default, GnuPG compresses files before encrypting; according to the specification in RFC 4880, “compression has the added side effect that some types of attacks can be thwarted by the fact that slightly altered, compressed data rarely uncompresses without severe errors.”
Using the command line simplifies the understanding of GnuPG's operations, making it easier to execute tasks effectively.
“right” thing (where “right” = “what I want it to do”).
Checking for the software version is a simple method I can use to check whether GnuPG is installed; the next command I want to know is how to get help:
The command `gpg --help` (or `gpg -h`) provides a summary of frequently used GnuPG commands and options, delivering the same information as `gpg --version`, along with a concise overview of GnuPG commands and options, beginning with essential syntax rules for command line usage.
Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data
To use GnuPG, you can enter various options and specify one or more files as needed. If no command is provided, GnuPG will automatically select a default action based on the specified options and files.
For optimal results with GnuPG, it is recommended to use explicit commands and options, as this enables precise control over the desired actions. Nonetheless, it is important to note that explicit commands are not always required.
When GnuPG commands are executed with a filename but without a specific command, they are processed based on the file's contents. If the file includes GnuPG data, such as being encrypted or digitally signed, GnuPG will automatically perform the appropriate action, either decrypting the file or verifying its signature.
The help file includes a comprehensive list of GnuPG commands, which represent the various actions the program can execute. This list corresponds to the output of the command `gpg --help`, and while it may appear complex, it is essential for understanding the program's functionalities.
I only really use a half dozen or so commands on a regular basis, and a few more less frequently:
-s, --sign make a signature
--clearsign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
The key management commands follow: `--list-sigs` lists keys and signatures, `--check-sigs` checks key signatures, and `--fingerprint` displays fingerprints. `-K` or `--list-secret-keys` lists secret keys, `--gen-key` generates a new key pair, and `--gen-revoke` creates a revocation certificate. `--delete-keys` removes keys from the public keyring, `--delete-secret-keys` removes them from the secret keyring, and `--sign-key` signs a key.
--lsign-key sign a key locally
--edit-key sign or edit a key
--passwd change a passphrase
--export export keys
The commands for managing keys on a key server include `--send-keys` to export keys, `--recv-keys` to import keys, `--search-keys` to find specific keys, `--refresh-keys` to update all keys from the server, and `--import` to merge keys.
--card-status print the card status
--card-edit change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
Each command has a long-form name, such as --encrypt, --verify, or --list-keys, prefixed with a double dash. Many commands also have a corresponding short-form name, like -e for “encrypt,” -s for “sign,” or -k for “list keys.”
I can have GnuPG sign and encrypt at the same time, but all other GnuPG actions are strictly one action at a time (e.g., list keys, decrypt data, export a key, etc.).
After listing the commands themselves, help lists all GnuPG options. As with commands, most users can get away with knowing only three or four of these:
-a, --armor create ascii armored output
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
-z N set compress level to N (0 disables)
--textmode use canonical text mode
-o, --output FILE write output to FILE
-n, --dry-run do not make any changes
--openpgp use strict OpenPGP behavior
Followed by a handful of examples:
-se -r Bob [file] sign and encrypt for user Bob
--clearsign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
It’s easier to understand if you look at examples.
Simple Examples
To encrypt (single key) a file:
GnuPG prompts for a passphrase and then saves the encrypted data as ciphertext in a file named essay.txt.gpg, while the original plaintext file, essay.txt, remains intact on the disk.
To decrypt a symmetric key-encrypted file and save the plaintext to a file:
$ gpg --output example.docx --decrypt example.docx.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
The command entered above can be read as “decrypt file example.docx.gpg and write the plaintext into file example.docx.” When
The plaintext file example.docx is generated once the user successfully inputs the passphrase, but a WARNING message highlights that while the file is encrypted, it lacks a digital signature.
Options: Getting More Information
GnuPG messages can be brief, and the program may not provide feedback on file operations. To obtain more detailed information about the results, enable the verbose option by using -v.
$ gpg -v -c foo.bar
gpg: using cipher CAST5
gpg: writing to `foo.bar.gpg'
This tells me GnuPG encrypted the file with the CAST5 algorithm (the default for symmetric encryption) and wrote an encrypted file as foo.bar.gpg.
Verbose mode does not affect the function of the program, just the amount of information returned by GnuPG when it executes a command.
Doubling the verbose option (-vv) with this command does not yield additional information beyond the standard output, as there is a limit to the data provided. However, for other GnuPG commands, increasing the number of v's can reveal more detailed information.
Options: Text or Binary
When GnuPG creates cryptographic output (e.g., when it encrypts a file, exports a public key, generates a digital signature), the default behavior is to save the output to a binary file with the extension .gpg. As noted above, it is also possible to output to a differently named file relatively easily, but it will still be saved as a binary file.
Producing human-readable output is often preferable to binary files, especially when appending digital signatures to emails or text messages. These signatures must use characters that can be correctly displayed by the application software. To address this, GnuPG offers an option to generate output that encodes all cryptographic data in a readable format.
The --armor (-a) option directs GnuPG to “create ASCII-armored output.” Armored output simplifies matters when sending encrypted data in an e-mail message, or when publishing public keys.4
To encrypt symmetrically to an ASCII-armored file, I use this command:
The default output file is named foo.bar.asc, where the asc extension signifies that it contains ASCII data. This file can be easily viewed using any text editor or by utilizing command line shell commands such as cat, less, or more.
-----BEGIN PGP MESSAGE-----
jA0EAwMC+Y3fEGr12USryUf0TXaBClzPg63rBu6jUm4iwkYClB9xFyKsCSLHY7Ol
GXuIUeCHwMLOs+LbVE7/tClMsDgnE2ZC3ZAlA2thh8xS0y/3jGNN3g==
ASCII-armored results can be saved to a file, copied into a message, or printed for later manual decryption. Additionally, taking a photo of the output can help avoid detection by attackers monitoring for suspicious files.
ASCII armor is particularly useful when experimenting with GnuPG.
4 For more about ASCII armoring, see http://tools.ietf.org/html/rfc4880#section-6.2.
Command Summary and Review
Command | Description and Notes
gpg --version | Get version information about GnuPG.
gpg --help | Get brief summary of commonly used
GnuPG commands provide essential functionalities for encryption and decryption. To decrypt a file, use the command `gpg --output filename1 --decrypt [filename2]`, which writes the plaintext to filename1. For encrypting a file with verbose output, the command is `gpg -v --symmetric [filename]`. To encrypt using ASCII armor, use `gpg --armor --symmetric [filename]`, which outputs the ciphertext to filename.asc or displays it in the terminal if entered interactively. Additionally, the command `gpg -ac [filename]` can be used for symmetric encryption.
Review Questions
1. Practice some of the command line commands introduced in this chapter, including one to get a listing of all files in a directory, and to list a file’s contents on screen. Look up how to copy a file at the command line of your OS, how to delete a file, and how to use wildcards to do things to multiple files with a single command.
2. What is a FAQ? What is a Howto document? Why do you think Sam is compiling a FAQ on how to use GnuPG?
Bob’s eyes fluttered shut reading Sam’s howto, but he twitches into awareness when Sam’s wristwatch emits a tiny beep, just 20 minutes into their flight.
“OK sleepyhead, are you ready for more GnuPG?” Sam asks.
Bob, brushing sleep from his eyes, answers, “Sure. Can you explain how to do public key encryption now?”
Public key encryption is a powerful form of cryptography that raised concerns for the US government in the 1990s due to its strength. By using my public key, anyone can encrypt a message intended for me, and as long as I safeguard my private key, I remain the sole individual capable of decrypting that message.
Bob asks, “But why is that so scary?”
Sam emphasizes that while encrypting a file with a secret key is effective for certain situations, it poses challenges when needing to securely send a confidential file to someone, like 'Alice', located far away, as there is no secure method to share the secret key with her.
“That’s funny, my American friend’s name is Alice,” says Bob. Sam goes on:
In Sylvania, communication methods such as phone calls, emails, and texts are insecure due to government surveillance. It's crucial to avoid sharing sensitive information like passphrases through these channels, as eavesdroppers can intercept them. However, if you possess Alice's public key, you can securely encrypt messages to her, ensuring that only she can read them.
read it, and without risking an eavesdropper intercepting a decryption key.”
Public key cryptography poses a significant challenge to governments because it allows for secure communication. If someone possesses Alice's public key and she safeguards her private key, they can send encrypted messages that only Alice can decrypt. Remarkably, even the sender cannot access the content of the messages they send to her.
In the digital realm, it's crucial to consider the potential threats posed by eavesdroppers, often referred to as 'Eve' in cryptographic discussions. This term is part of a convention, similar to 'Bob' and 'Alice,' who represent individuals seeking secure communication. Meanwhile, Bob reflects on the irony of the name 'Eve,' as it happens to be his wife's name.
Sam explains that despite Eve's access to the public key, she cannot read the plaintext messages unless she obtains Alice's private key, highlighting the security of public key encryption.
“But can she, Eve I mean, figure out who I’m sending messages to?” Bob asks.
Sam reflects on the situation, noting that Eve's level of monitoring is crucial. If she is tracking Internet traffic, she will be aware of any ciphertext being sent and can identify the recipients of emails. This scenario, however, is still preferable to the worst-case situation where Eve has a keylogger installed, allowing her to capture passphrases and all typed information on the computer.
Bob asks, “Then using encryption would be pointless. Is there nothing I can do?”
“It’s not exactly pointless,” Sam crosses his legs as he answers.
“Encryption is only part of being secure. You can communicate
Keystroke logging involves the recording of every keystroke made on a computer for later analysis. This can be achieved through software installed on the system or through covert hardware devices. If you suspect that you are being monitored by a keylogger, it may indicate significant issues, either due to someone intruding on your digital activities or a misunderstanding of your situation.
To ensure secure communication with Alice and protect your secrets from Eve, it is essential to implement additional precautions. However, encrypting your messages remains crucial, as it safeguards your data's privacy in case other security measures fail.
“What kind of measures?” asks Bob.
To enhance your online security, consider using public networks such as those found in libraries, coffee shops, or internet cafes to evade network scanners. Additionally, employing anti-keylogger software can help safeguard against keylogging threats. Overall, there's no need for excessive concern, even in places like Sylvania.
To maintain privacy, it's essential to avoid drawing 'special attention' unless intentionally trying to attract it. Despite efforts to stay discreet, data can still be intercepted on the network, making it wise to keep a low profile.
“Let’s take a look at how to encrypt to someone’s public key. Why don’t you open a terminal window on your laptop, Bob.”
Bob pulls his battered Sylvanian laptop out from under his seat, and says, “But Sam, I don’t have any public key myself. How would that work?”
Public key encryption only requires the recipient's public key, not your own. Sam explains this to Bob while assisting him in connecting to a tethered mobile Wi-Fi hotspot, enabling Bob to encrypt a file and send it securely.
Sam provides Bob with a link to his public key, instructing him to access it using GnuPG. He emphasizes the importance of copying the entire public key block, which starts and ends with specific hyphens. Bob is guided on how to highlight and copy the key depending on his operating system, ensuring he captures the necessary information correctly.
2 To be really safe, consider MAC spoofing. See Reverse Engineering Forensics (http://crypto.loshin.com/2013/01/17/reverse-engineering-forensics/) for more information.
To enhance security against public key forgery, you can download keys from a public keyserver and verify them against the provided URL. For additional information on keyservers, refer to Chapter 6.
when you switch to the terminal window). The public key I’m pointing you to looks like this”:
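Both the ASCII armor option and Sam's instruction to copy the entire public key block depend on the armored block arriving whole, with its five-dash BEGIN and END lines intact. As an added example (not from the original text), the shell function below checks that a pasted file has the layout described in RFC 4880 section 6.2; the name check_armor and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; check_armor and the sample files are constructed for illustration.
# check_armor FILE: print the armor type and return 0 when FILE holds one complete
# ASCII-armored block laid out as in RFC 4880 section 6.2, else print the reason
# and return 1. Structure only: the CRC-24 is not recomputed, nothing is verified.
check_armor() {
    awk '
    { sub(/\r$/, "") }                                   # tolerate CRLF pastes
    st == 0 { if ($0 ~ /^-----BEGIN PGP [A-Z ]+-----$/) {
                  type = substr($0, 12, length($0) - 16); st = 1 }
              next }                                     # text before the block is skipped
    st == 1 { if ($0 ~ /^[A-Za-z]+: /) next              # armor header such as Comment:
              if ($0 == "") { st = 2; next }             # blank line ends the headers
              why = "no blank line after the BEGIN line"; exit }
    $0 ~ /^-----END PGP [A-Z ]+-----$/ {
              if (substr($0, 10, length($0) - 14) != type) why = "END type differs from BEGIN"
              else if (!body) why = "empty body"
              else st = 4
              exit }
    st == 2 && $0 ~ /^[A-Za-z0-9+\/]+=*$/ { body++; next }                      # base64 line
    st == 2 && length($0) == 5 && $0 ~ /^=[A-Za-z0-9+\/]+$/ { st = 3; next }    # CRC-24 line
    { why = "unexpected line " NR " inside the block"; exit }
    END { if (st == 4) { print type; exit 0 }
          if (why == "") why = (st == 0) ? "no BEGIN line" : "no END line (truncated copy?)"
          print "incomplete: " why; exit 1 }
    ' "$1"
}

# Constructed samples (not real keys): a whole block, a copy whose selection
# stopped one line short, and a copy whose dashes were collapsed in transit.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.asc" <<'EOF'
Text around the block is ignored.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed sample, not a real key

Y29uc3RydWN0ZWQgc2FtcGxl
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
EOF
sed '$d' "$sample_dir/good.asc" > "$sample_dir/truncated.asc"
sed 's/^-----\(.*\)-----$/-\1 -/' "$sample_dir/good.asc" > "$sample_dir/mangled.asc"
for f in good truncated mangled; do
    printf '%s: %s\n' "$f" "$(check_armor "$sample_dir/$f.asc")"
done
```

A structural pass only shows that the copy is complete; it says nothing about whose key it is, so the key still has to be checked against a second source such as a keyserver, as the text advises.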