Saturday, March 27, 2010

Misc 13

From now on, all Debian related articles will use the topology found in Misc 3 unless otherwise specified. This will save me a few bytes in the future!
Now I'm going to go into using GnuPG with a mail client such as Alpine. GnuPG (referred to as GPG for the rest of the article) stands for GNU Privacy Guard. It is a free replacement for Pretty Good Privacy (PGP). GPG lets you generate keypairs which you can then distribute freely (of course, you distribute your public keys only). These keypairs can be used to encrypt mail or files.

Since we're going to use Alpine with GPG, install them both:
apt-get install alpine gnupg

I will not go into the configuration of Alpine and your MTA. Refer to Misc 5 for setting up a basic MTA and getting Alpine to work with it (It's easy! Trust me!).

Now that both are set up, you'll need to generate your own keypair. To do this, use the command:
gpg --gen-key

Follow through with the process. Any of the offered key settings will work. Just make sure that you enter your email address correctly; this is vital, because the address is how the key will be looked up later. In this exercise, I will mail myself an encrypted message and see if I can read it again.

During the key generation process, you may encounter a message saying that there is not enough random data available. To fix this, mash your keyboard (literally). I usually have to do this for a minute or two before it works, so be patient. (You may end up with a whole screen of gibberish. Just hit Enter to clear it if you want.)

Now at this point you should have a public and a private key for yourself. To see the keys, type:
gpg --list-keys
gpg --list-secret-keys

To encrypt a file, type:
gpg --encrypt -r kelvin@syraxius.ath.cx File.txt

Now you'll get a file with the extension .gpg. Such a file can only be decrypted by whoever holds the matching private key (which, in this case, is you). To decrypt the .gpg file, type:
gpg --decrypt File.txt.gpg

Notice that if you cat the .gpg file, you'll see a whole bunch of gibberish, and there is a chance that the binary output corrupts your terminal. To prevent this, you can have GPG wrap the output in a text-safe encoding with a header at the top and a trailer at the bottom of the file. This text form is also important for your mail later. It is called armouring, and you enable it with the -a parameter:
gpg --encrypt -r kelvin@syraxius.ath.cx -a File.txt

If you did it correctly, you'll have a .asc file. If you cat the .asc file, you'll notice that it looks quite clean: it has a -----BEGIN PGP MESSAGE----- header and a -----END PGP MESSAGE----- trailer, and the body in between is plain printable text. Notice that there's no longer any terminal corruption.
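To show what armouring actually does (the page calls it padding, but it is an encoding), here is an added example, not part of the original article, that implements the OpenPGP ASCII armour format from RFC 4880 section 6: a base64 body wrapped at 64 columns, a CRC24 checksum line, and the BEGIN/END frame. The input blob is a constructed stand-in for gpg's binary output, not real ciphertext.

```python
import base64

# OpenPGP ASCII armour (RFC 4880 section 6): base64 body plus a CRC24 line,
# framed by "-----BEGIN PGP ...-----" and "-----END PGP ...-----".
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Radix-64 CRC from RFC 4880. Detects transit corruption, not tampering."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw OpenPGP bytes (e.g. the contents of File.txt.gpg) as .asc text."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # gpg wraps at 64 columns
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines, crc_line,
                      f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Reverse of armor(); raises ValueError on a missing frame or a bad checksum."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("missing armour header or trailer")
    body = lines[1:-1]
    if "" in body:                      # skip "Version: ..." style armour headers
        body = body[body.index("") + 1:]
    data = "".join(l for l in body if not l.startswith("="))
    crc_lines = [l for l in body if l.startswith("=")]
    payload = base64.b64decode(data, validate=True)
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        if crc24(payload) != expected:
            raise ValueError("CRC24 mismatch: armoured text was corrupted in transit")
    return payload


def is_terminal_safe(text: str) -> bool:
    """True when every character is printable ASCII or a newline, i.e. safe to cat."""
    return all(c == "\n" or 32 <= ord(c) < 127 for c in text)
```

Running armor(bytes(range(256))) gives a block you can cat safely, dearmor() recovers the identical bytes, and a single changed character in the body is caught by the CRC24 line (which is an integrity hint for transport only; authenticity comes from signing, covered below).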

A recap on theory. When you encrypt a file with your public key, only your corresponding private key can decrypt it. When I want to send you a file and no one else is supposed to read it, I will encrypt it with your public key and send it to you. You will then decrypt it with your private key. This satisfies the confidentiality part of the equation.

However, you can also use the keys the other way round. Your private key can produce a signature over the file, and anyone holding your public key can verify it. This is known as signing. It provides little confidentiality (a signed file is not encrypted), but it assures the recipient that the message source (you) is genuine, unless someone else has your private key.

To sign a file, simply use:
gpg --sign File.txt

You will get a .gpg file. Recall that a .gpg file has a chance of corrupting your terminal when you cat it. Also recall that the -a parameter performs armouring, which adds a header and trailer to the output. The armouring equivalent of signing is the clearsign, which keeps the original text readable and appends the signature to it. It is activated through:
gpg --clearsign File.txt

Now you'll have a .asc file. To verify the signature and recover the original contents of either the signed or the clearsigned file, use:
gpg --decrypt File.txt.gpg
gpg --decrypt File.txt.asc

Now it's time to set up Alpine to work with it. Boot up Alpine and press S (Setup) then C (Config) to get into the configuration mode. Now, hit "End" to get to the bottom, then hit "Page Up" twice. You should see two parameters: Display Filters and Sending Filters.

A Display Filter matches a pattern against the start of an incoming message. If the pattern matches, the message is piped through the specified program and the program's output is what gets displayed. Add an entry as follows:
_LEADING("-----BEGIN PGP")_ /usr/bin/gpg --decrypt

This will pipe any message that begins with the specified pattern into the /usr/bin/gpg --decrypt process, which covers both encrypted messages and clearsigned ones.

Now it's time to set up the sending filters. To do this, add in these two entries:
/usr/bin/gpg --encrypt -r _RECIPIENTS_ -a
/usr/bin/gpg --clearsign

The _RECIPIENTS_ token is replaced by Alpine automatically with the addresses of the mail's recipients. Now send a mail to yourself. When you send it, Alpine prompts you to choose a sending filter; use CTRL+N or CTRL+P to cycle through them.

Note that because the same program is used both to encrypt and to sign, both filters show up in the prompt as just "gpg". To fix this, make symbolic links to /usr/bin/gpg named "encrypt" and "sign", then use those in the filter entries instead. When you receive the mail, Alpine should automatically decrypt it upon opening. It will prompt for your private-key passphrase if the message is encrypted (as opposed to only signed).

In the next article, I will talk about utilizing GPG in Windows and Hotmail.
