The goal of this lab exercise is to introduce you to GNU Privacy Guard (GPG), which can be used to identify yourself and encrypt your communications.
There are various tools that you can use to manage GPG on your system, graphical as well as command line. We will use the command line tools for the steps in this exercise.
This exercise will demonstrate a simple use case in which you encrypt personal documents. You can build on what you have learned by using your key to sign documents, encrypt email communications. sign RPM packages, or simply share documents with a colleague.
All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat Enterprise Linux does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
GNU Privacy Guard (GPG) is a cryptographic software package that is included in your Red Hat Enterprise Linux subscription. GPG is used to identify yourself and encrypt and authenticate your communications, including those with people you do not know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows someone to be reasonably certain that communications signed by you actually are from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering the message.
GPG can also be used to encrypt files at rest, which will be the focus of this lab exercise.
This lab exercise will allow you to become comfortable with some the basics of GPG, after which point, you can delve further into the documentation to use more advanced features. These include signing RPM packages, encrypting email communications, and more.
More information can be found on the Red Hat Enterprise Linux 7 Security Guide and on the GNU Privacy Guard webpage.
Once you have created a new key pair, you can export these keys to identify yourself to the rest of the world, or simply use it locally to encrypt your files at rest.
-
If not already there, log into to the workstation bastion host as lab-user from your desktop system replacing GUID with your lab’s GUID. Use the password r3dh4t1!
[localhost ~]$ ssh [email protected]
-
Log into the servera.example.com host as root.
[lab-user@workstation-GUID ~]$ ssh [email protected]
-
Now let’s generate your new key pair as root on servera.example.com.
[root@servera ~]# gpg2 --gen-key
-
You will be asked to provide the following information:
-
Key Type - RSA is the default. Type (1) to pick this.
-
Key Size - Type 2048.
-
Expiration - Type 0 for no expiration. This is generally fine for local encryption
-
User ID: Type labuser. This can be anything.
-
Email address: [email protected]. This can be any email address.
-
Type (O) for Okay/Quit.
-
For Comment, just press enter to have a blank comment.
-
Passphrase: Type anything you want and can remember. Make this hard enough to protect against attacks.
-
-
At this point you system will start generating the key pair. You will be asked to assist in helping generate entropy by moving your mouse or typing random keystrokes. Eventually it will complete and you will have your new key pair that you can now use. The output will list your key and your fingerprint. If you wish to view them at a later time, run the following commands:
[root@servera ~]# gpg2 --list-keys [root@servera ~]# gpg2 --fingerprint
The contents of your key is stored in your home directory at .gnupg. Even if someone were to compromise your computer, this would be of no use to them as long as your passphrase is sufficiently hard to crack. That said, always maintain a backup.
In this step we will show you how to encrypt and un-encrypt a document for private use. We will start by creating a document with sensitive information.
-
Please type the following:
[root@servera ~]# echo “I love Red Hat” > sensitive.txt
-
To verify that you can read the document in it’s un-encrypted format, type the following:
[root@servera ~]# cat sensitive.txt
-
Now we can encrypt the file by typing the following command. You will be asked to enter the ID (the email address) you used when creating your key, followed by a carriage return to complete the task.
[root@servera ~]# gpg2 -e sensitive.txt
-
You now have a new file entitled sensitive.txt.gpg. The .gpg extension indicates that it is a file that has been encrypted with a GPG key. Verify the encryption by typing the following:
[root@servera ~]# cat sensitive.txt.gpg
-
You will see that the output is encrypted and cannot be read. You can read this file by typing the following command, which will prompt you for the passphrase you created earlier:
[root@servera ~]# gpg2 -d sensitive.txt.gpg
-
Next, we will delete the original file and then recreate it in its un-encrypted format from the encrypted file:
[root@servera ~]# rm sensitive.txt [root@servera ~]# gpg2 sensitive.txt.gpg [root@servera ~]# ls -l sensitive*
-
You now have a new copy of your original file. Also, note that during an active session, you may not be asked to provide a passphrase within a period of time. You can modify the duration of the cache. View the GPG documentation at the link provided earlier for more information.