How to encrypt using someone's public key and then email
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to encrypt using someone's public key and then email
I've been trying to concoct a PHP script to encrypt a message using someone's public key so that I can email it to them and prevent any naughty snooping in transit. I'm relying on this IBM article which relies on the gpg command line utility to concoct the encrypted message.
The script concocts this command:
Code:
echo 'Here is my encrypted message.
I have defined it in PHP and encrypted it using the example at http://www.ibm.com/developerworks/library/os-php-encrypt/index.html
Hope this works!' | HOME=/home/sneakyimp/test_dir USER=sneakyimp /usr/bin/gpg --quiet --no-secmem-warning --encrypt --sign --armor --recipient recipient@gmail.com --local-user sneakyimp
This produces an error:
Code:
gpg: skipped "sneakyimp": secret key not available
gpg: [stdin]: sign+encrypt failed: secret key not available
Removing the --sign param still produces and error because there's no public key in the local keyring for recipient@gmail.com. I would like to avoid having to manipulate some keyring on the machine that runs this and instead just specify a file containing the public key with which to encrypt the message, but I've checked man gpg and have not been able to isolate any parameters or flags which would let me specify the public key.
Can anyone tell me how I might accomplish this? I'd really much rather not have to mess with any keyrings or otherwise establish environmental variables on the server if I can help it.
I'm pretty sure you have to import the recipient's PUBLIC key first, for security purposes and optionally for checking.
You should read this http://www.gnupg.org/gph/en/manual.html#AEN84
I've been over that page a few times in the past and am somewhat familiar with using gpg to manage keys for a linux CLI account. That's not really what I'm trying to do here.
Is there no way then to encrypt a message without fiddling with the keyrings that happen to belong to some particular user on a *nix box? As I said in my post, I really am not interested in manipulating a CLI user's keyring on this box. I want a PHP script (triggered through a page served by Apache) to encrypt a message using the public key which lives in a particular file and I want to email it with appropriate headers to the person who owns that public key such that their mail client (Outlook, Thunderbird, Apple Mail, whatever) can decrypt the message using their private key.
Portability of this script is a primary concern -- it would introduce a lot of additional configuration and difficulty if I must also manage a user's keyring.
1. Well, both the IBM link and the gpg HOWTO say to do that.
2. I've only got involved a couple of times with using gpg properly in an automated situation & I don't remember being able to use a file instead.
3. given you seem to be the admin, I don't see the problem. In any case, it would be Apache's keyring surely, given that the php proc would run as apache & more secure than letting a real user have access ...
4. you might get a more informed response if you ask the Mods (via the Report button) to move this to the Security forum; there's some sharp guys there.
PS I'll be interested in the answer myself, but a gut feeling says you're out of luck.
Based on your answer #2, I'm thinking that gpg might not be the tool to use so I'm looking into openssl which has a bazillion options as well.
RE #3 in your response, I'm certainly the admin of my workstation, but I will not always be admin. I need to work up a scheme that doesn't require any special privileges. Additionally, it introduces a sysadmin chore to add any necessary keys to a key ring -- I'm really hoping to rig up a PHP-only solution (which may end up calling some CLI commands but that's OK -- the fewer the better).
I've definitely gotten some good advice in the security forum -- and this is a security sort of question. Maybe I'll do that in a bit here if I can't make any progress.
I think the first thing I need to figure out is what the heck is my public key's format. Sadly, I don't know much about key pair formats and I'm not sure if my file is DER, PEM, x509 or what. I don't think it's x509, but I know very little about the various key formats (or where there are so damn many).
It looks something like this:
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
mQINBFE2oIsBEACo1d7vsGdmWJqUHSHsDcOH8ZL+YJbNrghnvRe2V1QNF83JsF+C
...etc....
Pqvo9g9u2Vswm11CHZs9QsXm/9+5qf9Ww3ycZfmAOM8jkrtpO9gdpDF9zfmCQiVc
HX3gATz3HZoheHhOIA==
=Xnkl
-----END PGP PUBLIC KEY BLOCK-----
Been reading about openssl and it looks promising, but I'm still confused about the key formats. The man page for smime (man smime) has some really helpful looking examples. Maybe something like this:
I'm not sure what user.pem corresponds to -- a certificate or some kind? Also not sure if one can supply a public key to this command or whether one must go through the trouble of creating a signed cert, etc.
That example encrypts using a passphrase (rather than the supplied public key) and doesn't seem to add any of the MIME headers that will help a mail client to figure out the appropriate decryption actions.
Also, still puzzling over what file types are permissible for -signer and cert params.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.