GnuPG Hacks

GnuPG does a lot more than just encrypt and decrypt e-mail and attachments.

Have you wondered about using cryptography, but found it too confusing? Are complicated software packages, passphrases, keys, key rings, certificates and fingerprints too daunting?

You don't need all that. With no prior experience and nothing to remember, GnuPG can do basic and immediately useful cryptography. GnuPG even may be installed on your Linux system already.

GnuPG and OpenPGP

The GnuPG is the GNU Project's implementation of the OpenPGP standard. Also known as the Gnu Privacy Guard, it is a sophisticated public key cryptosystem with more than 70 command-line options, plus an internal command-line and menu environment. It has been ported to several operating systems and has precompiled binaries available from the GnuPG Web site (see the on-line Resources). Like all GNU software, it can be used freely under the GNU General Public License.

The OpenPGP standard, RFC 2440, is based on the Pretty Good Privacy system developed by Phil Zimmermann in 1991. OpenPGP is also the basis for commercial products on even more operating systems. An OpenPGP system is the most common file encryption system you will encounter.

Getting Started

First, let's begin with some GnuPG features that don't need a passphrase. After that, we'll choose a passphrase and use it to encrypt something. Note that GnuPG is the name of the software, but the name of the command is gpg.

Make sure GnuPG is installed and in your path:

gpg --version

You should get something like this:

gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to
redistribute it under certain conditions.
See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The version number, date and other details may vary. The examples shown in this article should work for most current and future versions of GnuPG.

Now, type:

gpg /dev/null

You might get something like this:

gpg: /home/you/.gnupg: directory created
gpg: new configuration file `/home/you/.gnupg/gpg.conf'
 ↪created
gpg: WARNING: options in `/home/you/.gnupg/gpg.conf'
 ↪are not yet active during this run
gpg: keyring `/home/you/.gnupg/secring.gpg' created
gpg: keyring `/home/you/.gnupg/pubring.gpg' created
gpg: processing message failed: eof

This is perfectly normal the first time you run GnuPG. If it doesn't happen, it simply means you've run GnuPG before, or your .gnupg directory already exists.

Binary File Shields

Most e-mail programs support file attachments, but command-line e-mail programs, such as /bin/mail, don't. Sometimes it's more convenient to keep all the data in the message body. But binary files must be ASCII-encoded to prevent them from being corrupted in transit.

You may have tried to use uuencode and found it confusing or that it didn't work. Not all systems have a command-line MIME encoder. However, GnuPG has an ASCII-encoding option very similar to MIME, but without all the complexity, overhead and features.

To wrap a file in PGP ASCII armor, type:


$ gpg --enarmor < filename.bin > filename.txt

To unwrap a file already in PGP ASCII armor, type:


$ gpg --dearmor < filename.txt > filename.bin

Warning: despite the name, the OpenPGP ASCII armor has absolutely no security. If you do want security and data compression, see the Quick and Clean Encryption section below and use a good passphrase.

Better Checksums

Do you suspect a file you just received is corrupted? Traditionally, the sum or cksum command is run over the file before and after it was sent and the outputs are compared. But there are three different incompatible versions of these commands, and even the same version can produce completely different output on different machines due to processor endian issues. Even worse, sometimes they won't even detect corrupted files. By chance alone, even when they are compatible, they sometimes will produce the same output for different files. The 32-bit output of the sum and cksum commands is simply too small for reliability, much less security. The popular SSH v1 CRC-32 compensation attack is the same vulnerability.

You could use md5sum instead, but there are different versions of this command. Each version has slight differences in formatting of filenames, whitespace and hexadecimal case. These differences in format prevent diff from running cleanly. In addition, there are known security vulnerabilities in the MD5 hash algorithm used by md5sum. And, sometimes md5sum isn't even installed.

GnuPG avoids these problems, because it produces the same output regardless of operating system or processor architecture. GnuPG also supports newer and more secure algorithms:

$ gpg --print-md sha1 filename
filename: E83A 42B9 BC84 31A6 6450  99BE 50B6 341A 35D3 DCEB

It also will take multiple files:

$ gpg --print-md sha1 *.txt
test.txt: E0D6 3F44 4253 CED5 9205  4047 4AA6 4E0F FD0F 130D
test2.txt: 32AC 34F9 B7AF 1972 C015  E5EE 456E 89BD CC3C 7246

If you still need MD5, that's available too:

$ gpg --print-md md5 filename
filename: 26 E9 85 5F 8A D6 A5 90  6F EA 12 12 83 C7 29 C4

The more recent GnuPG versions also support much more secure hash algorithms, such as SHA-512:

$ gpg --print-md sha512 filename
filename: FC37410D 9336DD60 22AEB6A2 A42E82F1 2EA3470D 4982E958 B35C14A0
          CF381CD2 3C4CBA35 BE5F11CB 05505ED2 DBF1C7A0 397EFF75 007FAEBB
          30B43B30 6514990D

By the way, you can validate these --print-md examples by creating a file called filename containing the single line: The Linux Journal.

Your hash values should have exactly the same hexadecimal value as those in this article if the contents of the file is the same.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

wrong correction?

Anonymous's picture

> The stdin (file descriptor 0) of the gpg process is filename txt,
rather than passphrase.txt, so your (intended) passphrase is never actually used!

Then how come the decryption worked?

I like this article

felipe1982's picture

i've been using GPG for a few years, and never knew about the --enarmor option (it isn't even in man page for version 1.2.6. I also like the built-in RNG, which I never knew existed. I enjoyed this tutorial did not include information about public key crypto, which is much more common on the web. That makes this article (and ones like it) in shorter supply == more valuable.

Thanks!

GPG should not be used here

Anonymous's picture

GPG should not be used here at all. According to the man page, the input password is not even hashed.
Have a look at aesloop instead. (Or maybe openssl enc alternatively)

gpg --passphrase-fd 0 doesn't do what you think it does

Anonymous's picture

The following command, as given in the article, has a problem.

cat passphrase.txt | gpg --passphrase-fd 0 -c < filename.txt > filename.gpg

The stdin (file descriptor 0) of the gpg process is filename txt,
rather than passphrase.txt, so your (intended) passphrase is never actually used!

Use this instead:

gpg --passphrase-fd 3 -c 3<passphrase.txt < filename.txt > filename.gpg

You failed to spot the problem simply because the decryption command
has the same problem...

(The unescaped less-than character in my 2 previous posts seem to have caused problems.Please delete them/ignore them)

gpg --passphrase-fd 0 doesn't do what you think it does

Anonymous's picture

The following command, as given in the article, has a problem

cat passphrase.txt | gpg --passphrase-fd 0 -c < filename.txt > filename.gpg

The stdin (file descriptor 0) of the gpg process is filename txt,
and not passphrase.txt, so your (intended) passphrase is never actually used!

Use this instead:

gpg --passphrase-fd 3 -c 3 < passphrase.txt < filename.txt > filename.gpg

You failed to spot the problem simply because the decryption command
has the same problem...

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState