»Wuphon's Reach - My Blog ::Home::

Wednesday, November 05, 2003

GPG Encrypt Only


Okay, for the next trick... how do you setup a server to encrypt to a public-key using GPG where you're not storing any secret-key information on the server. For example, I have a server that I've attached a USB drive to for backup purposes. This drive will ultimately end up in a safe-deposit box, but maybe I'll just store it at a friend's house. Since I trust my friend, the majority of the information on the drive is unencrypted, but there still might be data that I want to encrypt (financial records). I could use Windows EFS, except that if I try to attach the drive to another one of my systems I'll have trouble decrypting the data. Easier is to use tar / WinRar / WinZip / Info-Zip combined with my public GPG/PGP key.

Setup:

1. Download and unzip GnuPG into a directory on the server. It should be a directory that gets backed up, but since we won't be storing any secret keys in the key-rings, it's not that important. I usually create a directory called "D:\Data\Bin" (because things in the "D:\Data" folder get backed up).

2. Add the "D:\Data\Bin" folder to your PATH= environment variable. Under Windows 2000, right-click on My Computer, Properties, Advanced tab, Environment Variables, then edit the PATH= system variable and put the ";D:\Data\Bin" on the end (note that entries are seperated by semi-colons).

3. Look at the readme.w32 file in the GnuPG distribution (or in the folder that you extracted the files to). Create the following key in the registry:

HKCU\Software\GNU\GNUPG

4. Create a REG_SZ variable within the GNUPG key called "HomeDir" and enter the path where you installed GnuPG to. Note that you have to use forward slashes instead of backslashes.

HomeDir = D:/Data/Bin

5. Get a copy of your public key as a text file. You can create this public-key by exporting from your key-ring on your workstation/laptop (gpg --export -a UID > UID.txt) or by importing from a key-server. If you're importing from a text file, use the following command to import the key:

gpg --import keyfile.txt

6. Now you need to designate that this key is ultimately trusted. Since you're encrypting using your own public-key (for decryption later by your secret-key), it's pretty safe to say that you know for certain that you've just imported your own public-key. Use the following commands to mark the key as trusted.

gpg --edit-key UID
Command> trust
Your decision? 5

That will mark the key as ultimately trusted.

7. If you want, you can add the right-click menu option (see my previous blog entry).

8. Test the encrypt/decrypt cycle. To encrypt a file, use the following command (which will encrypt filename.zip using key "UID", creating an output file called filename.zip.gpg):

gpg -r UID --encrypt -o filename.zip.gpg filename.zip

9. Verify that you can decrypt the file by copying the .gpg file to your workstation/laptop and using the following command (GnuPG will prompt you for your passphrase and then decrypt the file using your secret-key):

gpg filename.zip.gpg

Other notes:

Because GnuPG does not encrypt the original file, but merely creates a new encrypted file, you should be careful about how you create archives to be put on removable media. You don't want to do the encryption on the removable media, because the unencrypted (plain text) copy would be left behind in the sectors on the disk (even if you delete the plain text file). The preferred method would be as follows:

1. First, zip/tar your data into an archive that is still on the server's permanent drives. Optionally, you may wish to write this archive into a folder that is protected using Windows EFS.

2. Encrypt the archive file, specifying that the output file should be written to the removable media. Optionally, you may wish to create the .gpg file on the server's permanent drives and then move the file to the removable media (e.g. you're queing up multiple archives for off-loading to a tape drive).

Another possibility is that you'll want to encrypt files so that any one of multiple people can decrypt the data. For example, when backing up data, you can choose to encrypt the files so that either of two administrators can retrieve the data without having to share private keys. To do this, you just add more "-r UIDx" elements to the command:

gpg -r UID1 -r UID2 -r UID3 --encrypt -o filename.zip.gpg filename.zip

Reference links:

Earlier blog entry
Getting the long keyID

Software wanted:

What I have yet to find is software that will syncrhonize an entire source tree where the destination ends up encrypted using GPG/PGP.


posted by Wuphon's at 7:51 PM

Gasaraki


Introduction


A random collection of thoughts, news, central Pennsylvania stuff, trying to grow a balcony garden, or whatever else strikes my fancy.

E-Mail:
WuphonsReach [at] wuphonsreach.org (GPG Key)

Favorite Blogs


Grand Potato
jschuur dot com
Quilpuuxla Daj

Blog Archives


current
2001
2002
2003
2004
2005
2006
2007

Favorite Comics


Commander Kitty
Dilbert
Dork Tower
General Protection Fault
Glasbergen
Greystone Inn
GU Comics
Helen
Kevin and Kell
Melon Pool
Newshounds
Over the Hedge
Player vs Player
Striptease Comic
User Friendly

Other Links


The Right Stuf
Yahoo! Cycling
Anime Turnpike
QuickSilver (MOO3)
Maxis SimCity 4
ThinkGeek
Powered by Blogger Who's linked to me?