PGP

Personal Security – PGP Keys

As we continue our series of articles on security, today we are going to cover personal security in the form of using PGP keys. Let’s talk about what PGP is, why it is important and how we can use it to generate the public and private keys needed to increase our personal security profile for transaction authentication.

What is PGP Exactly?

In short, it is a data encryption and decryption program. It is used to provide you with cryptographic privacy and authentication for data communication and transaction authentication. You can use it to sign, encrypt and decrypt text messages, emails, files and directories, online transactions or entire disk partitions. It was created in 1991 by Phil Zimmerman and follows the OpenPGP standard RFC 4880 for the encryption and decryption of data. PGP can protect your transactions and data by using a combination of data compression, hashes, public-key and symmetric-key cryptography in multiple steps. Each public key is then bound to a username (or email address), which is provided to other services or individuals to authenticate the transaction or message as being from whom it is claimed to be.

PGP Keys

Today, we are going to concentrate on installing what is needed to generate our PGP keys. We are using an Ubuntu 16.04 LTS system to do so, but other than the package manager being used (apt-get vs. yum, for example), the packages, libraries, and process of generating the keys are the same across all modern distributions. So first, we need to install what we need. We are going to use the ‘GnuPG’ package and then the ‘Gnu Privacy Assistant’ (GPA) GUI to generate and work with our keys. Installation is very straightforward and can be accomplished like so:

user@ubuntu:~$ sudo apt-get install gpa gnupg2
 [sudo] password for user: 
 Reading package lists... Done
 Building dependency tree 
 Reading state information... Done
 gnupg2 is already the newest version (2.1.11-6ubuntu2).
 gnupg2 set to manually installed.
 The following NEW packages will be installed:
  gpa
 0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
 Need to get 266 kB of archives.
 After this operation, 1,175 kB of additional disk space will be used.
 Do you want to continue? [Y/n] y
 Get:1 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 gpa amd64 0.9.9-3 [266 kB]
 Fetched 266 kB in 0s (960 kB/s)
 Selecting previously unselected package gpa.
 (Reading database ... 383404 files and directories currently installed.)
 Preparing to unpack .../archives/gpa_0.9.9-3_amd64.deb ...
 Unpacking gpa (0.9.9-3) ...
 Processing triggers for man-db (2.7.5-1) ...
 Processing triggers for gnome-menus (3.13.3-6ubuntu3) ...
 Processing triggers for desktop-file-utils (0.22-1ubuntu5) ...
 Processing triggers for bamfdaemon (0.5.3~bzr0+16.04.20160415-0ubuntu1) ...
 Rebuilding /usr/share/applications/bamf-2.index...
 Processing triggers for mime-support (3.59ubuntu1) ...
 Setting up gpa (0.9.9-3) ...

We now have what we need to create our PGP key pair. Remember, we need both a public key and a private key. We use the gpg application to generate our private key and associate it with our identity. Although generating it is easy, since it depends on entropy, we have to help it along. First thing’s first, let’s start this process:

user@ubuntu:~$ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
 0 = key does not expire
 <n> = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
 "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Linux Academy
Email address: user@linuxacademy.com
Comment: 
You selected this USER-ID:
 "Linux Academy <user@linuxacademy.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

What we did here was generate a private key using the default key type and the maximum RSA key bit size of 4096, and assigned to the user ‘Linux Academy’ with an email address of ‘user@linuxacademy.com’; we then, most importantly, protected it with a nice, random passphrase. A quick word on passphrases is probably a good idea here. We have spent some years in Information Technology teaching our users how to create “complex” passwords and have largely failed. We end up with passwords that are weak and hard to remember and, with today’s computing power available to us, easy to crack. The best passwords/passphrases are those that are the longest and most random while being easy to remember. You are better off picking a list of random words (three to five words) and stringing them together than you are a single 12 character password with letters, numbers and special characters. For example “Some Salty Pony Cup” is going to be harder to brute force than “_mYr00tP@55w0rd$”.

At this point, we have to help our system out a bit. Remember when we talked about entropy? Entropy is what our system relies on to create a secure key; it is the “randomness” that is collected by your system while doing tasks (mouse movements, editing text in an editor, etc.). We have to generate some of that for our system to be able to create a key that meets the requirements we set. In my case for this key, I moved the mouse a bunch, was mashing text in an editor and listing all directories on the system recursively. This took about three minutes to complete on a virtual machine that was pretty resource constrained. Here is what it looks like while generating:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 188 more bytes)
...............+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 212 more bytes)
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.....+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 225 more bytes)
..................+++++

Eventually, once it has collected enough entropy, you should see something like the following:

gpg: key 432C83CE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/432C83CE 2016-05-20
 Key fingerprint = FE6A 392D BFDA B5C7 32D6 9B9B B31E 2AF6 432C 83CE
uid Linux Academy <user@linuxacademy.com>
sub 4096R/A5B238A2 2016-05-20

Now that we have our key created, we need to obtain a public key so that we can actually use it, this is where our “Gnu Privacy Assistant” (GPA) GUI application comes into play.

Getting Your Public Key

The “Gnu Privacy Assistant” is what we are going to use to obtain the public key that allows us to use the key previously generated. Your screen should look something like this:

Screen Shot 2016-05-20 at 12.17.36 PM

If you click on the key pair that we just created and then click on the menu called “Keys,” we want to choose “Export Keys” from the list. At that point, you just have to choose where you want it saved and then click on “Save.” That’s it! You have saved your public key and, if you want, you can open your favorite text editor to take a look at it. Using vim, my public key looks like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQINBFc/RYgBEAC7qw9djZovnltCqcPmXlTR5y/Y2tBrODOdMsuQuyv9vDXN/Dk2
FuMTIWjsgrzVksMoYXzKYpJ8fdNPOgl46qI0xR2I8iu+kAOqgZBRCzvhbLTHugUf
b/sHTkYdOYFRzCiYe6sFwEkKjolrhQ/Avr/ZDr6KV6+mFQha/1fxY3LVA8vA8l7U
zrpqgw7M4TufAQRM1wT9iaRBZWqfvd++88JXGcEz8OswdkA1NzqzPMZwy0X0WoRC
MORE KEY STUFF HERE
h/e3jcpQ4O8RzCi5d+QK0/q7Fket2rb26wv/x60qhE7Kzu/cLqZHt1pz4fitFQD6
ewpnHQ==
=tyQ6
-----END PGP PUBLIC KEY BLOCK-----

This is what we then provide to identify ourselves and, in conjunction with the private key, to verify our texts, emails or online transactions. If you want to export your private key, you can repeat the process to pull down the private key. Your public key can also be provided to the market profile so people can look you up and pull down your key (you can direct them there rather than providing it directly). We will cover this in our next article.

Summary

We have actually done a lot in this article. We have learned about what PGP is and what we can use it for, installed the necessary applications, generated a key pair (along with generating a little entropy to help along the way) and then exported the key for use. In our next article in the series, we will start putting these keys to work by registering in ourselves in the market profile and then showing how we can add this new encrypted identifier to our emails. As always, if you have any questions or comments, leave them below or on the community forum at Linux Academy!

Terrence T. Cox

A veteran of twenty years in Information Technology in a variety of roles. He has worked in development, security and infrastructure well before they merged into what we now call DevOps. He provides training in Linux, VMWare, DevOps (Ansible, Jenkins, etc) as well as containers and AWS topics.

Leave a Reply

Your email address will not be published. Required fields are marked *