Linux Exercise: GNU Privacy Guard (GPG)
This exercise requires the use of two user accounts. If you do not have these yet, follow the instructions in the User Accounts exercise to set these up.
Generating and exchanging keys
- Open two SSH sessions. Use one SSH session to logon as tux1, and the other to logon as tux2.
For both tux1 and tux2, generate GPG public/private keypairs.
- tux1$ gpg --gen-key
- tux2$ gpg --gen-key
The gpg --gen-key command brings up a lengthy wizard. Look in the book (page 568) for a full description.
If generating keys seems to take an eternity, then your system most likely does not have enough 'entropy'. You can fix this by installing the random number generator from the rng-tools RPM, and starting it.
- # yum -y install rng-tools
- # systemctl start rngd
- # systemctl enable rngd
- # systemctl status rngd
Note: If rngd does not start properly, this is most likely caused by a configuration error in CentOS/Red Hat: rngd then tries to read entropy from a non-existent file. To solve this, modify the file /usr/lib/systemd/system/rngd.service and change the ExecStart line into: ExecStart=/sbin/rngd -f -r /dev/urandom
After this, reload systemd with systemctl daemon-reload. Then restart rngd with systemctl restart rngd, and try the gpg --gen-key commands again.
Look at the files in ~/.gnupg. Do you see the public and private keys?
- tux1$ ls -l ~/.gnupg
- tux2$ ls -l ~/.gnupg
Use gpg to show all keys.
- tux1$ gpg --list-keys
- tux2$ gpg --list-keys
Export the public key of tux1 to /tmp/tux1key. Do the same for tux2.
- tux1$ gpg -a -o /tmp/tux1key --export emailaddress
- tux2$ gpg -a -o /tmp/tux2key --export emailaddress
Import the key of tux2 in the environment of tux1 and vice versa. Make a list of your keys again. Does the imported key appear?
- tux1$ gpg --import /tmp/tux2key
- tux1$ gpg --list-keys
- tux2$ gpg --import /tmp/tux1key
- tux2$ gpg --list-keys
Encrypting and decrypting files
As tux1, create a secret file with ultra-secret contents.
- tux1$ vi mysecretfile
bla bla bla
Encrypt this file so that only tux2 can read it. Use the "armor" option so that the output contains only 7-bit ASCII characters and can be sent by e-mail without issues. Also sign the file.
- tux1$ gpg -a -e -s mysecretfile
This command will ask for the recipient.
- tux1$ ls -l
- tux1$ cat mysecretfile.asc
Transfer the file to tux2. Normally we would send it through, for instance, e-mail but since both users are on the same system we can exchange files via /tmp.
- tux1$ cp mysecretfile.asc /tmp
As tux2, decrypt the file. Also verify the digital signature.
- tux2$ gpg -d /tmp/mysecretfile.asc
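The whole exercise (generate both keypairs, exchange public keys, encrypt and sign as tux1, decrypt and verify as tux2) as one added, scripted example; it is not part of the original exercise. Two throw-away GnuPG home directories stand in for the tux1 and tux2 accounts, the user ids are assumed, and gpg 2.x is assumed to be installed; the batch flags replace the interactive wizard and the recipient/trust prompts.

```shell
#!/bin/sh
# Scripted version of the tux1/tux2 exercise (constructed example, assumes gpg 2.x).
set -eu

U1='tux1 <tux1@example.com>'   # assumed user ids, not from the exercise
U2='tux2 <tux2@example.com>'

# Flags that stop gpg from prompting; the exercise itself uses the interactive wizard.
GPG_BATCH='--batch --quiet --pinentry-mode loopback --passphrase'

# new_home DIR UID : create a private keyring directory and a keypair for UID.
new_home() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" $GPG_BATCH '' --quick-gen-key "$2" default default never
}

# share_key FROM TO UID : export UID's public key in ASCII armor and import it into TO
# (the same thing as `gpg -a --export` followed by `gpg --import` via /tmp).
share_key() {
    gpg --homedir "$1" --armor --export "$3" | gpg --homedir "$2" --quiet --import
}

# run_demo : encrypt + sign as tux1 for tux2, decrypt + verify as tux2, print the plaintext.
run_demo() {
    work=$(mktemp -d); h1="$work/tux1"; h2="$work/tux2"
    new_home "$h1" "$U1"; new_home "$h2" "$U2"
    share_key "$h1" "$h2" "$U1"      # tux2 can now verify tux1's signature
    share_key "$h2" "$h1" "$U2"      # tux1 can now encrypt to tux2
    printf 'bla bla bla\n' > "$work/mysecretfile"
    # -a -e -s: armored, encrypted to tux2, signed by tux1. --trust-model always
    # stands in for the interactive "is this really tux2's key?" confirmation.
    gpg --homedir "$h1" $GPG_BATCH '' --trust-model always -a -e -s \
        -r "$U2" -o "$work/mysecretfile.asc" "$work/mysecretfile"
    # tux1 is not a recipient, so tux1 must NOT be able to decrypt the result.
    if gpg --homedir "$h1" $GPG_BATCH '' -d "$work/mysecretfile.asc" >/dev/null 2>&1; then
        echo 'tux1 unexpectedly decrypted the file' >&2; return 1
    fi
    # tux2 decrypts; the status lines on fd 3 say whether tux1's signature verified.
    gpg --homedir "$h2" $GPG_BATCH '' --status-fd 3 -o "$work/plain" \
        -d "$work/mysecretfile.asc" 3>"$work/status" 2>/dev/null
    grep -q '^\[GNUPG:\] GOODSIG ' "$work/status" || { echo 'bad signature' >&2; return 1; }
    cat "$work/plain"
    gpgconf --homedir "$h1" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$h2" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

run_demo
```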
Using a Key Server
Exchanging public key files like we've done in these exercises becomes fairly complicated once more than a handful of users are involved. To solve this problem, various organizations on the internet host GPG key servers. You can upload your public keys there so that others can download them as and when required.
There are dozens of key servers out there on the internet. A Google search for "GPG Key Server" should give you the most popular ones.
Most key servers do not allow you to delete keys, however, so using them in exercises would leave loads of unused keys in their databases. We don't want that, so we're not going to upload our keys during these exercises. However, should you want to upload a production public key to one of these servers, you can use the --send-keys and --recv-keys options to send keys to and receive keys from these servers. The key server itself is identified with the --keyserver option.
End of exercise