Skip to content

Latest commit

 

History

History
130 lines (100 loc) · 5.92 KB

lab9_GPG.adoc

File metadata and controls

130 lines (100 loc) · 5.92 KB
Raw

Lab 9: GNU Privacy Guard (GPG)

Table of Contents
Lab Length

  • Short (~10 mins)

Goal

  • Become familiar with GNU Privacy Guard (GPG), which can be used to identify yourself and encrypt your communications.

  • There are various tools you can use to manage GPG on your system—​graphical as well as command line. You use the command line tools for the steps in this lab.

  • This lab demonstrates a simple use case where you encrypt personal documents. You can build on what you have learned by using your GPG key to sign documents, encrypt email communications, sign RPM packages, or simply share documents with a colleague.

9.1: Introduction

All Red Hat® Enterprise Linux® (RHEL) packages are signed with the Red Hat GPG key. GPG is also known as GnuPG, a free software package used for verifying the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat Enterprise Linux does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.

GPG is a cryptographic software package that is included in your Red Hat Enterprise Linux subscription. GPG is used to identify yourself and to encrypt and authenticate your communications, including those with people you do not know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows the recipient to be reasonably certain that communications signed by you are actually from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering messages.

GPG can also be used to encrypt files at rest, which is the focus of this lab.

This lab allows you to become comfortable with some the basics of GPG, after which you can delve further into the documentation to use more advanced features. These include signing RPM packages, encrypting email communications, and more.

More information can be found on the Red Hat Enterprise Linux 7 Security Guide and on the GNU Privacy Guard webpage.

9.2: Generating a New Key Pair

In this section, you generate a new GPG key pair. After you create a new key pair, you can export this keys to identify yourself to the rest of the world, or simply use it locally to encrypt your files at rest.

  1. If you are not already there, log in to the workstation bastion host as lab-user from your desktop system (replacing GUID with your lab-provided GUID and using r3dh4t1! as the password):

    [localhost ~]$ ssh [email protected]

  2. Log in to the servera.example.com host as root:

    [lab-user@workstation-GUID ~]$ ssh [email protected]

  3. Generate your new key pair as root on servera.example.com:

    [root@servera ~]# gpg2 --full-generate-key

  4. When asked, enter or provide this information:

    • Key Type: (1) to select the default, RSA is the default

    • Key Size: 2048

    • Expiration: 0 for no expiration, this is generally fine for local encryption

    • Real Name: labuser, but this can be anything

    • Email address: [email protected], but this can be any email address

    • Comment, press Enter to leave the comment empty

    • Okay/Quit: (O)

    • Passphrase: A sufficiently difficult passphrase that can protect against attack and that you can remember

      After providing these details, your system starts generating the key pair.

  5. When asked, move your mouse or type random keystrokes to assist in generating entropy.

    Eventually, the process completes and the new key pair is ready for you to use. The output lists your key and your fingerprint.

  6. Run these commands, which may be useful at a later time when you want to view your keys and fingerprints:

    [root@servera ~]# gpg2 --list-keys
[root@servera ~]# gpg2 --fingerprint

    The contents of your key is stored in your home directory in the file .gnupg. Even if someone were to compromise your computer, this would be of no use to them as long as your passphrase is sufficiently hard to crack. That said, always maintain a backup.

9.3: Encrypting Documents

In this section, you encrypt and decrypt a document for private use. You begin by creating a document with sensitive information.

  1. Type the following to create a document with sensitive information:

    [root@servera ~]# echo “I love Red Hat” > sensitive.txt

  2. Verify that you can read the document in its unencrypted format:

    [root@servera ~]# cat sensitive.txt

  3. Encrypt the file by typing the following command and, when asked, enter the user ID you used when creating your key, followed by a carriage return to complete the task:

    [root@servera ~]# gpg2 -e sensitive.txt

    You now have a new file entitled sensitive.txt.gpg. The .gpg extension indicates that it is a file that was encrypted with a GPG key.

  4. Verify the encryption:

    [root@servera ~]# cat sensitive.txt.gpg

    Note that the output is encrypted and cannot be read.

  5. Invoke the following command, which prompts you for the passphrase you created earlier to read the file:

    [root@servera ~]# gpg2 -d sensitive.txt.gpg

  6. Delete the original file and then recreate it in its unencrypted format from the encrypted file:

    [root@servera ~]# rm sensitive.txt
[root@servera ~]# gpg2 sensitive.txt.gpg
[root@servera ~]# ls -l sensitive*

    You now have a new copy of your original file.

    Note

    During an active session, you may not be asked to provide a passphrase within a period of time. You can modify the duration of the cache. View the GPG documentation at the link provided earlier for more information.