LinuxQuestions.org
Old 03-06-2013, 01:35 AM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
How to encrypt using someone's public key and then email


I've been trying to concoct a PHP script to encrypt a message using someone's public key so that I can email it to them and prevent any naughty snooping in transit. I'm relying on this IBM article which relies on the gpg command line utility to concoct the encrypted message.

The script concocts this command:
Code:
echo 'Here is my encrypted message.
I have defined it in PHP and encrypted it using the example at http://www.ibm.com/developerworks/library/os-php-encrypt/index.html

Hope this works!' | HOME=/home/sneakyimp/test_dir USER=sneakyimp /usr/bin/gpg --quiet --no-secmem-warning --encrypt --sign --armor --recipient recipient@gmail.com --local-user sneakyimp
This produces an error:
Code:
gpg: skipped "sneakyimp": secret key not available
gpg: [stdin]: sign+encrypt failed: secret key not available
Removing the --sign param still produces an error because there's no public key in the local keyring for recipient@gmail.com. I would like to avoid having to manipulate some keyring on the machine that runs this and instead just specify a file containing the public key with which to encrypt the message, but I've checked man gpg and have not been able to isolate any parameters or flags which would let me specify the public key.

Can anyone tell me how I might accomplish this? I'd really much rather not have to mess with any keyrings or otherwise establish environmental variables on the server if I can help it.
 
Old 03-06-2013, 01:44 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
I'm pretty sure you have to import the recipient's PUBLIC key first, for security purposes and optionally for checking.
You should read this http://www.gnupg.org/gph/en/manual.html#AEN84
 
Old 03-06-2013, 01:51 AM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Thanks for your response.

I've been over that page a few times in the past and am somewhat familiar with using gpg to manage keys for a linux CLI account. That's not really what I'm trying to do here.

Is there no way then to encrypt a message without fiddling with the keyrings that happen to belong to some particular user on a *nix box? As I said in my post, I really am not interested in manipulating a CLI user's keyring on this box. I want a PHP script (triggered through a page served by Apache) to encrypt a message using the public key which lives in a particular file and I want to email it with appropriate headers to the person who owns that public key such that their mail client (Outlook, Thunderbird, Apple Mail, whatever) can decrypt the message using their private key.

Portability of this script is a primary concern -- it would introduce a lot of additional configuration and difficulty if I must also manage a user's keyring.
 
Old 03-06-2013, 02:27 AM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
1. Well, both the IBM link and the gpg HOWTO say to do that.

2. I've only got involved a couple of times with using gpg properly in an automated situation & I don't remember being able to use a file instead.

3. Given you seem to be the admin, I don't see the problem. In any case, it would be Apache's keyring surely, given that the php proc would run as apache & more secure than letting a real user have access ...

4. you might get a more informed response if you ask the Mods (via the Report button) to move this to the Security forum; there's some sharp guys there.

PS I'll be interested in the answer myself, but a gut feeling says you're out of luck.
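Added example, not code from the thread, the IBM article or the GnuPG manual: the keyring problem raised in posts #1 and #3 goes away if gpg is pointed at a throwaway `--homedir`. The key is imported into a directory that exists only for the duration of one call, so no real user's keyring (neither the admin's nor apache's) is ever touched. It is Python rather than PHP, but the subprocess calls are exactly the ones a PHP script would make. `gpg` on PATH and the file name `recipient.asc` are assumptions, and the colon-format listing is a constructed sample with made-up fingerprints.

```python
"""Encrypt to a public key held in a file, without touching any user's GnuPG keyring.

Added example, not code from the thread or the IBM article it cites. Assumes GnuPG 2.x
is on PATH as `gpg`; `recipient.asc` is a hypothetical file name.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed sample shaped like `gpg --with-colons --list-keys` output; fingerprints are made up.
SAMPLE_LISTING = """\
tru::1:1362534539:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1362534539:::-:::escaESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1362534539::0000000000000000000000000000000000000000::Recipient <recipient@example.com>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1362534539::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210:
"""


def fingerprints(listing: str) -> list:
    """Fingerprints from colon-format output: field 10 of every 'fpr' record, primary key first."""
    return [rec.split(":")[9] for rec in listing.splitlines() if rec.startswith("fpr:")]


def gpg_base_argv(home: str, gpg: str = "gpg") -> list:
    """Every call uses the same throwaway home, so the ~/.gnupg of whoever runs the script is never read."""
    return [gpg, "--homedir", home, "--batch", "--no-tty", "--quiet"]


def encrypt_argv(home: str, fingerprint: str, gpg: str = "gpg") -> list:
    """Encrypt only: no --sign, because signing would need a secret key in this home
    (that is the 'secret key not available' error in the first post). The imported key
    has no trust assigned, so --trust-model always accepts it for this one run."""
    return gpg_base_argv(home, gpg) + ["--trust-model", "always", "--armor", "--encrypt",
                                       "--recipient", fingerprint]


def encrypt_for_key_file(pubkey_path: str, message: bytes, gpg: str = "gpg") -> bytes:
    """Import the key into a temporary home, encrypt to it, and let the directory be deleted."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # gpg warns about permissive home directories
        base = gpg_base_argv(home, gpg)
        subprocess.run(base + ["--import", pubkey_path], check=True, capture_output=True)
        listing = subprocess.run(base + ["--with-colons", "--list-keys"],
                                 check=True, capture_output=True, text=True).stdout
        fprs = fingerprints(listing)
        if not fprs:
            raise ValueError(f"no public key found in {pubkey_path}")
        done = subprocess.run(encrypt_argv(home, fprs[0], gpg), input=message,
                              check=True, capture_output=True)
    return done.stdout


if __name__ == "__main__":
    if shutil.which("gpg") and os.path.exists("recipient.asc"):  # hypothetical key file
        print(encrypt_for_key_file("recipient.asc", b"Here is my encrypted message.\n").decode())
```

GnuPG 2.1.14 and later also accept `--recipient-file path`, which reads the recipient's key straight from the file and makes the import step unnecessary. Either way `--trust-model always` deliberately skips the web of trust for that call, so the message is only as safe as the way the key file reached the server: it has to come over a channel the operator trusts, because the script will happily encrypt to whatever key is in the file.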
 
Old 03-06-2013, 02:52 AM   #5
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Based on your answer #2, I'm thinking that gpg might not be the tool to use so I'm looking into openssl which has a bazillion options as well.

RE #3 in your response, I'm certainly the admin of my workstation, but I will not always be admin. I need to work up a scheme that doesn't require any special privileges. Additionally, it introduces a sysadmin chore to add any necessary keys to a key ring -- I'm really hoping to rig up a PHP-only solution (which may end up calling some CLI commands but that's OK -- the fewer the better).

I've definitely gotten some good advice in the security forum -- and this is a security sort of question. Maybe I'll do that in a bit here if I can't make any progress.

I think the first thing I need to figure out is what the heck is my public key's format. Sadly, I don't know much about key pair formats and I'm not sure if my file is DER, PEM, x509 or what. I don't think it's x509, but I know very little about the various key formats (or why there are so damn many).

It looks something like this:
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mQINBFE2oIsBEACo1d7vsGdmWJqUHSHsDcOH8ZL+YJbNrghnvRe2V1QNF83JsF+C

...etc....

Pqvo9g9u2Vswm11CHZs9QsXm/9+5qf9Ww3ycZfmAOM8jkrtpO9gdpDF9zfmCQiVc
HX3gATz3HZoheHhOIA==
=Xnkl
-----END PGP PUBLIC KEY BLOCK-----
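Added example, not code from the thread: a format check for the question in this post. The block pasted above is ASCII-armored OpenPGP (RFC 4880 section 6), not PEM, DER or X.509: the `-----BEGIN PGP ...` line, a `Version:` armor header, a base64 body, and a `=Xnkl` line that is the base64 CRC-24 of the decoded bytes. The script classifies a key file by its first bytes, decodes armor and checks that CRC, and decodes the first body line of the key above (the only part quoted in the post) to read the public-key packet header: packet tag, version, creation time, algorithm and key size. Nothing in it needs gpg; the test fixture it builds with `enarmor()` is constructed data, not a real key.

```python
"""Tell PGP armor from PEM/DER, verify the armor checksum, and read a public-key packet header.

Added example, not code from the thread. Standard library only; no gpg needed.
"""
import base64
import re

# First base64 line of the armored key pasted in the post above (64 chars = 48 bytes of key data).
FIRST_ARMOR_LINE = "mQINBFE2oIsBEACo1d7vsGdmWJqUHSHsDcOH8ZL+YJbNrghnvRe2V1QNF83JsF+C"
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880 section 6.1
PUBKEY_ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                     16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24; the '=Xnkl' line under an armored block is this value, base64-encoded."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def classify_key_file(data: bytes) -> str:
    """Tell apart the formats the post was unsure about: PGP armor, PEM, DER, binary OpenPGP."""
    if data.startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "pgp-armor-public-key"
    pem = re.match(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if pem:  # PEM is base64 DER between BEGIN/END lines; the label says what the DER holds
        label = pem.group(1).decode()
        return {"CERTIFICATE": "pem-x509-certificate",
                "PUBLIC KEY": "pem-spki-public-key"}.get(label, "pem-" + label.lower().replace(" ", "-"))
    if data[:1] in (b"\x98", b"\x99", b"\x9a", b"\xc6"):  # OpenPGP packet header carrying tag 6
        return "pgp-binary-public-key"
    if data[:1] == b"\x30":  # DER: X.509 certs and SubjectPublicKeyInfo start with an ASN.1 SEQUENCE
        return "der-asn1"
    return "unknown"


def dearmor(text: str) -> bytes:
    """Strip the armor, base64-decode the body and verify the CRC-24 checksum line."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    i = 1
    while i < len(lines) and ":" in lines[i]:  # armor headers such as "Version: GnuPG ..."
        i += 1
    if i < len(lines) and not lines[i].strip():  # blank line separating headers from body
        i += 1
    body, checksum = [], None
    for line in lines[i:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):  # checksum line: base64 of the 3-byte CRC-24
            checksum = int.from_bytes(base64.b64decode(line[1:5]), "big")
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if checksum is not None and crc24(data) != checksum:
        raise ValueError("armor checksum mismatch: the block was truncated or altered")
    return data


def enarmor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Inverse of dearmor(), so a block can be built for testing without a real key."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN {kind}-----\n\n{body}\n={crc}\n-----END {kind}-----\n"


def parse_public_key_packet(packet: bytes) -> dict:
    """Decode the header and fixed fields of a version-4 public-key packet (RFC 4880 4.2, 5.5.2)."""
    first, l1 = packet[0], packet[1]
    if first & 0xC0 == 0x80:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, hdr = (first >> 2) & 0x0F, {0: 2, 1: 3, 2: 5}.get(first & 0x03)
        if hdr is None:
            raise ValueError("indeterminate packet length")
        body_len = int.from_bytes(packet[1:hdr], "big")
    elif first & 0xC0 == 0xC0 and l1 < 224:  # new-format header with a one- or two-octet length
        tag = first & 0x3F
        body_len, hdr = (l1, 2) if l1 < 192 else (((l1 - 192) << 8) + packet[2] + 192, 3)
    else:
        raise ValueError("not an OpenPGP packet header this decoder handles")
    if tag != 6 or packet[hdr] != 4:
        raise ValueError(f"expected a version-4 public-key packet, got tag {tag} version {packet[hdr]}")
    body, algo = packet[hdr:], packet[hdr + 5]
    info = {"tag": tag, "body_length": body_len, "version": 4,
            "created": int.from_bytes(body[1:5], "big"),  # seconds since the Unix epoch
            "algorithm": PUBKEY_ALGORITHMS.get(algo, f"unknown({algo})")}
    if algo in (1, 2, 3, 16, 17):  # RSA/Elgamal/DSA: bit count of the first MPI is the key size
        info["key_bits"] = int.from_bytes(body[6:8], "big")
    return info


def describe_key_head(b64_line: str = FIRST_ARMOR_LINE) -> dict:
    """One body line is enough for the header: decode it and describe the key it starts."""
    return parse_public_key_packet(base64.b64decode(b64_line))


if __name__ == "__main__":
    print(describe_key_head())
```

Run on the line quoted above, `describe_key_head()` reports an old-format packet with tag 6 and a 525-byte body, version 4, algorithm RSA with a 4096-bit modulus, created at Unix time 1362534539 (the early hours of 2013-03-06 UTC, matching the date of this thread). The same parsing would flag a PEM certificate or a DER blob before gpg ever sees it, which is a cheap sanity check for a script that accepts key files from users.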
 
Old 03-06-2013, 03:16 AM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
Well, there's a good cli example of openssl here http://tombuntu.com/index.php/2007/1...-with-openssl/

You need to ask the creator of the Pub key exactly how he created it.

HTH
 
Old 03-06-2013, 03:17 AM   #7
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Been reading about openssl and it looks promising, but I'm still confused about the key formats. The man page for smime (man smime) has some really helpful looking examples. Maybe something like this:
Code:
openssl smime -sign -in msg_to_encrypt.txt -signer signer_cert.pem -text \
| openssl smime -encrypt -out mail.msg \
-from sender@example.com -to recipient@example.com \
-subject "Signed and Encrypted message" -des3 user.pem
I'm not sure what user.pem corresponds to -- a certificate of some kind? Also not sure if one can supply a public key to this command or whether one must go through the trouble of creating a signed cert, etc.

Any help appreciated.
 
Old 03-06-2013, 03:18 AM   #8
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Quote: Originally Posted by chrism01
    You need to ask the creator of the Pub key exactly how he created it.
I created the public key using gpg4win (a windows implementation of GPG).
 
Old 03-06-2013, 03:22 AM   #9
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Quote: Originally Posted by chrism01
    Well, there's a good cli example of openssl here http://tombuntu.com/index.php/2007/1...-with-openssl/
That example encrypts using a passphrase (rather than the supplied public key) and doesn't seem to add any of the MIME headers that will help a mail client to figure out the appropriate decryption actions.

Also, still puzzling over what file types are permissible for -signer and cert params.
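Added example, not code from the thread or the openssl man page, for the two open questions in posts #7 and #9. In `openssl smime -encrypt` the trailing `user.pem` argument is the recipient's X.509 certificate in PEM form; a bare public key is not accepted, it has to be wrapped in a certificate, which is what the recipient's mail client would export. For `-sign`, `-signer` is the signer's certificate and `-inkey` names the matching private key when it is not in the same file. The script below generates a throwaway self-signed certificate to stand in for the recipient's, encrypts a constructed message with the `-from`/`-to`/`-subject` headers that the passphrase-based tombuntu example never produces, shows the MIME headers a mail client keys on, and decrypts as the recipient would. It assumes `openssl` on PATH and uses `-aes256` where the thread's command used `-des3`.

```python
"""S/MIME with `openssl smime`: what the recipient file is, and what the encrypted mail looks like.

Added example, not code from the thread or the openssl man page. Assumes the openssl
binary is on PATH; the certificate and key it uses are generated on the fly as stand-ins.
"""
import email.parser
import os
import shutil
import subprocess
import tempfile

DEMO_MESSAGE = b"Here is my encrypted message.\n"  # constructed sample


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def make_selfsigned_pair(workdir: str, common_name: str) -> tuple:
    """Stand-in for the recipient's real certificate: a self-signed cert and its private key.
    In practice the recipient exports their certificate from their mail client and sends it."""
    key, cert = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={common_name}", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return key, cert


def smime_encrypt_argv(recipient_cert: str, sender: str, recipient: str, subject: str) -> list:
    """The trailing positional argument (user.pem in the thread) is the recipient's X.509 certificate."""
    return ["openssl", "smime", "-encrypt", "-aes256",
            "-from", sender, "-to", recipient, "-subject", subject, recipient_cert]


def smime_encrypt(recipient_cert: str, message: bytes, sender: str, recipient: str, subject: str) -> bytes:
    """Returns a complete mail message: RFC 822 headers plus a base64 pkcs7-mime enveloped-data body."""
    return subprocess.run(smime_encrypt_argv(recipient_cert, sender, recipient, subject),
                          input=message, check=True, capture_output=True).stdout


def smime_decrypt(enveloped: bytes, cert: str, key: str) -> bytes:
    """What the recipient's mail client does with its own certificate and private key."""
    return subprocess.run(["openssl", "smime", "-decrypt", "-recip", cert, "-inkey", key],
                          input=enveloped, check=True, capture_output=True).stdout


def mime_headers(enveloped: bytes) -> dict:
    """The headers a mail client keys on; a passphrase-encrypted blob carries none of them."""
    msg = email.parser.BytesParser().parsebytes(enveloped, headersonly=True)
    return {name: msg[name] for name in ("From", "To", "Subject", "Content-Type", "Content-Transfer-Encoding")}


def smime_roundtrip_demo() -> dict:
    """Encrypt to a throwaway certificate and decrypt again. Line endings are normalised
    because openssl canonicalises the input to CRLF unless -binary is given."""
    with tempfile.TemporaryDirectory() as workdir:
        key, cert = make_selfsigned_pair(workdir, "recipient@example.com")
        enveloped = smime_encrypt(cert, DEMO_MESSAGE, "sender@example.com",
                                  "recipient@example.com", "Signed and Encrypted message")
        plain = smime_decrypt(enveloped, cert, key)
    return {"headers": mime_headers(enveloped), "decrypted": plain.replace(b"\r\n", b"\n")}


if __name__ == "__main__":
    if openssl_available():
        for name, value in smime_roundtrip_demo().items():
            print(name, value)
```

The encrypted output carries a `Content-Type: application/x-pkcs7-mime` header with `smime-type=enveloped-data`, which is the cue Outlook, Thunderbird and Apple Mail use to offer decryption. As with the PGP route, the script trusts whatever certificate file it is handed, so the certificate must be obtained from the recipient over a channel the operator trusts.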
 
  


All times are GMT -5.