Hacklog Volume 1 Anonymity: IT Security & Ethical Hacking Handbook



Figure 26: details of a GPG key on seahorse
which translates into the command line as follows:
$ gpg --output revoke.key --gen-revoke [ID]
To generate a revocation certificate, answer the prompts (reason, optional description, confirmation), then import the certificate into your keyring, which marks the key as revoked locally:
$ gpg --import revoke.key
If you have ever uploaded your key to a PGP keyserver, you must push the revoked key there too, otherwise other people will keep using the old, unrevoked copy:
$ gpg --send-keys --keyserver hkp://subkeys.pgp.net [ID]
(The subkeys.pgp.net pool used here has since been retired along with the SKS keyserver network; use the keyserver your correspondents actually use.) Finally, refresh your keyring, so that revocations published by others are picked up as well:
$ gpg --refresh-keys --keyserver hkp://subkeys.pgp.net
You will probably also want a list of all your keys. Use the command:
$ gpg --list-keys
If you prefer the graphical route, right-click the key in seahorse and select Delete. Keep in mind, though, that deleting a key from your keyring only removes your local copy and does not revoke it: anyone who already has the public key can still use it. Generate the revocation certificate while you still have the private key, and keep a copy of it somewhere safe.
7.2.2.4 PGP/GPG to encrypt and decrypt a file
The terminal command to encrypt a file is:
$ gpg --output secret.gpg --encrypt --recipient [your recipient] [file]
The resulting secret.gpg is binary, and you can send it as an attachment. If that is not possible, you may want to generate an ASCII-armored output, which can be sent as plain text, using the --armor (-a) parameter:
$ gpg --armor --encrypt --recipient [your recipient] [file]
The generated file will be [file].asc, containing the ciphertext encoded as printable Radix-64 (base64) text, not the text you wrote. It will look like this:


-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org
hQIOAwfq5Jrby+ZxEAf+N/ozNDVnsURxXb/lcKyPB/V4QuIGG5nQVAIZ5KO8W4/+
[...]
pVhvtqu+q2yiE4khriBkpZD709uaf1kxfTaRosmRMl74duShAEQUuwjnyA1aOcT0
-----END PGP MESSAGE-----
This way, you can send the content of an encrypted file without attaching it, simply by pasting it into a mail (keep the file size in mind, though: armoring adds about a third, and you may end up pasting dozens of MBs of text!). Note that --encrypt is the command that tells gpg what to do ("encrypt now!"), while --recipient, --output and --armor are options that shape how it does it. And what about decrypting? --decrypt, of course:
$ gpg --output [file] --decrypt secret.gpg
gpg needs the private key of one of the recipients in its keyring; the same command works for a .asc file, since gpg detects the armor automatically.
7.2.2.5 PGP/GPG for data signature
Besides encrypting messages, OpenPGP allows you to sign them: a signature acts as a sort of certificate, proving that the message was produced by the holder of a given private key and was not altered afterwards. What is it for? Imagine you are exchanging messages with an acquaintance on a forum: if the latter is attacked and their account compromised, you wouldn't know who is actually messaging you.
The fact that a message is encrypted with your public key does not prove the sender is who they claim to be: your public key is public, and anyone may have gotten it from the web, from your unencrypted message history or from other sources. To demonstrate they are who you think they are, the other person has to sign the message with their private key, and you verify it with their public key. Let's see what to do in this case.
The command to sign with your key makes use of the parameter -s (or --sign):
$ gpg -s [file]
This leaves [file] untouched and writes a new file with the .gpg extension. By default, the command also compresses the content and stores it in binary form together with the signature, so if you want the signed text to stay legible, use:
$ gpg --clearsign [file]
It will then be saved as [file].asc, with the original text in the clear and the signature appended. To verify either form, use the command:
$ gpg --verify [file]
If you want to ship the signature separately from the file (as Debian does for its checksum lists, below), use --detach-sign (-b), which produces [file].sig and leaves the original untouched.
--clearsign cannot be combined with encryption, but -s can, so if you want to sign and encrypt a document in one pass, you can use the command:
$ gpg -s --encrypt --recipient [your recipient] [file]
The recipient then runs --decrypt, which both decrypts the data and verifies the signature.
I know, it's quite a bunch of commands to remember, but I suggest you practise (perhaps with the gpg man page) instead of using the GUI; you will become familiar with them shortly and be more productive than with the graphical interface.
7.2.2.6 PGP/GPG for data integrity
In the data integrity chapter, we mentioned a problem that we haven't solved yet: how can you be 100% sure that a file is intact and coming from a reliable source? The doubt is that a comparison between checksums (that is, between the results of hash algorithms) proves nothing if the checksum list itself was altered on the hosting server or on its way to you: whoever replaced the file could just as easily replace the checksum next to it.
With asymmetric encryption and, especially, the OpenPGP model, we can finally answer the above question: the distributor signs the checksum list with its private key, and we verify that signature with its public key, so that a trusted source vouches for the checksums and the checksums vouch for the download. Let's get back to Debian. First of all, download the SHA512 checksum list:
$ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
and the related .sign file containing the detached signature:
$ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign


To verify it, import the Debian CD signing key with ID 6294BE9B (you got it from https://www.debian.org/CD/verify) from the Debian GPG keyring:
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
A short 8-hex-digit ID like this is only a convenience: different keys can share it, so before trusting the imported key compare its full fingerprint (gpg --fingerprint 6294BE9B) with the one published on the verify page. Now you can verify the .sign file (it must be named like the original file plus .sign, in this case SHA512SUMS and SHA512SUMS.sign, so that gpg finds the signed file by itself):
$ gpg --verify SHA512SUMS.sign
If everything is fine, gpg reports a good signature:
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
Now you have confirmed that the checksum list is authentic, so the SHA512 values in it can be trusted as the reference for the ISO. If you want to see how GPG verification reacts to tampering, edit the checksum file:
$ nano SHA512SUMS
perhaps adding a character at the end of the file. Save it and verify it again:
$ gpg --verify SHA512SUMS.sign
this time, you will get an error:
gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
Now you are ready to check the .ISO file against the list (visit the checksum page to learn more); with GNU coreutils, from the directory holding both files:
$ sha512sum -c --ignore-missing SHA512SUMS
Note that the signature covers the checksum list, not the ISO: a corrupted or swapped ISO is caught only by this last step, so both checks are needed.
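The following script is an added example, not code from the book: it runs the revocation, encrypt/decrypt, sign/verify and signed-checksum steps of sections 7.2.2.3 to 7.2.2.6 end to end inside a throwaway keyring, so nothing in ~/.gnupg is touched and it can be re-run at will. It assumes gpg 2.1 or later, GNU coreutils (sha512sum), awk and sed in PATH. The key owners (Alice and Bob at example.invalid), the message, and the "ISO" (64 KiB of random bytes) are all constructed for the demo, and both keys live in one keyring only to keep it self-contained; in practice each side holds its own secret key. Revocation uses the certificate gpg 2.1+ writes to openpgp-revocs.d at key creation rather than an interactive --gen-revoke session, which is the same artefact the book's command produces.

```shell
#!/bin/sh
# Added example (not from the book): OpenPGP encrypt/decrypt, sign/verify,
# signed checksum list and key revocation in a throwaway keyring.
# Assumptions: gpg >= 2.1, GNU coreutils (sha512sum), awk, sed. All names,
# files and the "ISO" below are constructed for the demo.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: no pinentry prompts, overwrite outputs silently.
g() { gpg --batch --quiet --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Unattended key generation (%no-protection = no passphrase, demo only).
# Prints the new key's 40-hex fingerprint, the only unambiguous identifier.
make_key() {   # $1 = real name, $2 = e-mail
  cat > "$GNUPGHOME/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$GNUPGHOME/params" 2>/dev/null
  g --list-keys --with-colons "$2" | awk -F: '/^fpr/ { print $10; exit }'
}

# Classify a verification via gpg's machine-readable status lines instead of
# grepping the translatable "Good signature" text.
sigstatus() {   # e.g. sigstatus --verify SHA512SUMS.sign SHA512SUMS
  out=$(g --status-fd 1 "$@" 2>/dev/null || true)
  case "$out" in
    *'[GNUPG:] GOODSIG'*) echo GOODSIG ;;
    *'[GNUPG:] BADSIG'*)  echo BADSIG ;;
    *)                    echo NOSIG ;;
  esac
}

run_demo() {
  cd "$GNUPGHOME"
  ALICE=$(make_key 'Alice Demo' 'alice@example.invalid')
  BOB=$(make_key 'Bob Demo' 'bob@example.invalid')
  printf 'meet at the usual place\n' > msg.txt

  # 7.2.2.4: armored encryption to Bob, decryption with Bob's secret key.
  g --armor --encrypt --recipient "$BOB" --output msg.asc msg.txt
  g --decrypt --output msg.dec msg.asc
  if cmp -s msg.txt msg.dec; then dec=ok; else dec=mismatch; fi

  # 7.2.2.5: binary signature, clear-signed text, and sign+encrypt in one pass.
  g --local-user "$ALICE" --sign --output msg.gpg msg.txt
  g --local-user "$ALICE" --clearsign --output msg.txt.asc msg.txt
  g --local-user "$ALICE" --sign --encrypt --recipient "$BOB" --output both.gpg msg.txt
  sig=$(sigstatus --verify msg.gpg)
  clr=$(sigstatus --verify msg.txt.asc)
  both=$(sigstatus --decrypt --output both.dec both.gpg)   # decrypt also verifies

  # 7.2.2.6: a stand-in ISO, its SHA512SUMS list and a detached signature on it.
  head -c 65536 /dev/urandom > debian-live.iso
  sha512sum debian-live.iso > SHA512SUMS
  g --local-user "$ALICE" --detach-sign --output SHA512SUMS.sign SHA512SUMS
  sums=$(sigstatus --verify SHA512SUMS.sign SHA512SUMS)
  if sha512sum -c --status SHA512SUMS; then iso=ok; else iso=bad; fi
  # The signature covers the list, not the ISO: a corrupted ISO still leaves the
  # list verifying, only the checksum step catches it.
  printf 'x' >> debian-live.iso
  if sha512sum -c --status SHA512SUMS; then iso2=ok; else iso2=bad; fi
  sums2=$(sigstatus --verify SHA512SUMS.sign SHA512SUMS)
  # Corrupt the list itself, as the book suggests: now the signature breaks.
  printf 'x' >> SHA512SUMS
  sums3=$(sigstatus --verify SHA512SUMS.sign SHA512SUMS)

  # 7.2.2.3: revocation. gpg >= 2.1 stored a revocation certificate for Bob at key
  # creation; its first armor line is guarded with a ':' that must be removed before
  # import. Once imported, the key is marked revoked ('r') and refused for encryption.
  sed 's/^:-----BEGIN/-----BEGIN/' "openpgp-revocs.d/$BOB.rev" > revoke.asc
  g --import revoke.asc
  state=$(g --list-keys --with-colons "$BOB" | awk -F: '/^pub/ { print $2; exit }')
  if g --encrypt --recipient "$BOB" --output never.gpg msg.txt 2>/dev/null; then enc=accepted; else enc=refused; fi

  echo "decrypt=$dec sign=$sig clearsign=$clr signenc=$both sums=$sums iso=$iso iso_tampered=$iso2 sums_after_iso_tamper=$sums2 sums_tampered=$sums3 revoked=$state encrypt_to_revoked=$enc"
}

# Cache the result so the (slow) key generation runs once per invocation.
demo_result() {
  if [ -z "${DEMO_RESULT:-}" ]; then DEMO_RESULT=$(run_demo); fi
  printf '%s\n' "$DEMO_RESULT"
}

if command -v gpg >/dev/null 2>&1; then
  demo_result
else
  echo 'gpg not found: install GnuPG 2.1 or later to run this demo' >&2
fi
```

Running it prints one summary line; the expected values are a good signature everywhere except sums_tampered (BADSIG), iso_tampered=bad while the signature on the untouched list is still good, revoked=r, and encryption to the revoked key refused. Reading GOODSIG/BADSIG from --status-fd rather than from the human-readable output is the habit worth keeping in any script that wraps gpg.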
7.2.2.7 PGP/GPG for email encryption
Email encryption defeats connection monitoring (someone reading your mail as it crosses the network with no protection in place), and it also protects you from people who break into your mailbox, since what they find there is encrypted. Bear in mind that OpenPGP encrypts only the body and the attachments: sender, recipients and subject line still travel in the clear. Obviously, if you don't want to be located, you have to stay away from mailing services allowing only the


