Monday 8 June 2009

GPG - Public private key encryption

GPG is a good tool for encrypting with public private key cryptography. I tend to create a signing key with no expiry and then add encryption keys which expire after one year. Adding additional encryption keys is done using the addkey command.  Many people either create a whole key pair that never expires (not quite as secure) or create a whole new key pair every year (paranoid?).  As ever the less often you change things the less secure but unless you are encrypting military secrets or similar GPG is probably more than adequate.


Generate new key
# gpg --gen-key
To list keys
# gpg --list-keys
Using keyserversTo find a key on a keyserver use the following command. A list of all matching keys will be displayed along with the ability to select which you wish to import
# gpg --search-keys ''
To update keys on your keyring to the latest version on the keyservers run the following command:
# gpg --refresh-keys'
Edit a GPG key
# gpg --edit-key 01234567
->Trust (sets the trust level on a key)
->lsign (signs locally - will not export to key serveers)

To encrypt a file
# gpg -e -r [email protected] [file]
--batch - batch mode, will not prompt for anything, will just work or fail
--armor - ASCI armour the file (use only "normal" chars, less likely to be corrupted by a system which tries to interpret, makes resultant file bigger)
--always-trust - automatically trust recipients for this encryption. Useful for eg scripts where you do not want to have to create a private key and sign the recipient keys, and don't want to hit "y" to override this check each time.

To decrypt a file
# gpg -d [file]
To setup GPG for automatic encryption of a file with cron first install GPG and import the keys we need from keyservers:
$sudo yum install gpg
$sudo -H gpg --keyserver --search-keys <name_of_person_or_company>

The -H is required for sudo to use the root $home otherwise it tries to use the current user $home and fails with bad permissions. Import any keys you need and repeat for all required keys.
Now you can run the following in root's crontab inside a script to encrypt a file using GPG:
gpg --batch --always-trust -e -r email.of@recieipent <file to encrypt>

No comments:

Post a Comment