Hey, I've decided to start using email encryption, and since I'm on Linux this means GnuPG. Before I go live with my setup I'd like to verify that I'm not missing something important or doing something stupid. Now the thing is I've done research, and it's been a long ride, but I am still in the learning phase right now. I came up with the following settings (the key settings will be taken from gnupg.conf - see below). In particular, these two articles were most helpful:
- Boot a recent live linux CD on an unrelated computer
- Create a 4096-bit RSA certification key with unlimited expiry
# gpg --gen-key
"(4) RSA (sign only)", 4096, no expiry
- Create a 4096-bit encryption subkey with 5 year expiry
# gpg --edit-key <KeyID>
gpg> addkey, "(6) RSA (encrypt only)", 4096, 5y
- Create a 4096-bit signing subkey with 5 year expiry
gpg> addkey, select "(4) RSA (sign only)", 4096, 5y
- Save the master key to an encrypted container on a USB stick
gpg> save
# gpg --export-secret-keys --armor <KeyID> > /mnt/usb/encrypted/key_private.asc
# gpg --export --armor <KeyID> > /mnt/usb/encrypted/key_public.asc
- Generate a revocation key, put it somewhere safe.
# gpg --output /mnt/usb/encrypted/key_revoke.asc --gen-revoke <KeyID>
- Export the public key, and the private subkeys onto another USB key
# gpg --export --armor <KeyID> > /mnt/usb2/encrypted/key_public.asc
# gpg --export-secret-subkeys --armor <KeyID> > /mnt/usb2/encrypted/key_private.asc
- Power off the laptop to erase RAM
# poweroff
- Import the laptop key into my laptop's GnuPG keyring for daily use
$ gpg --import /mnt/usb2/encrypted/key_public.asc
$ gpg --import /mnt/usb2/encrypted/key_private.asc
- Upload the public key to a keyserver
$ gpg --send-keys <KeyID>
Is everything okay with my OpenPGP key setup procedure? Is everything okay with my gpg.conf? Am I missing anything important?
Since I'll be generating a key on a live CD, how does it affect the randomness (/dev/urandom, /dev/random)? Does the system have the same random seed each boot? What can I do to increase randomization i.e. introduce some extra entropy before generating the key? I must not connect to the internet!
One of the articles suggests that I use sha512 as the signature digest. But is it really needed? I mean I've read somewhere that 512 is a bit too long, and that it makes it difficult to read emails that are all signed with these long and annoying signatures. It suggests to use sha256 instead.
I've noticed that GnuPG also supports the Twofish encryption algorithm. The articles do not specifically mention it, but can I add it to my key i.e. in between the AES and CAST5?
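A check for the daily-use keyring that the procedure in the post above aims for, added here as an example and not part of any post in this thread: it reads `gpg --list-secret-keys --with-colons` output and fails if the primary secret key is present or a usable subkey has no expiry date. The two sample listings are constructed, the function names are made up for this example, and the field layout assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example. Audits `gpg --list-secret-keys --with-colons` output.
# Colon fields used (GnuPG doc/DETAILS, 2.1 or later): 1 = record type,
# 5 = key ID, 7 = expiry, 12 = capabilities, 15 = "#" when only a stub of
# the secret key is stored (what `sec#` means in the normal listing).
audit_laptop_keyring() {
    awk -F: '
        $1 == "sec" {
            primaries++
            if ($15 != "#") { print "FAIL: primary secret key " $5 " is on this keyring"; bad = 1 }
        }
        $1 == "ssb" && $15 != "#" {
            if ($7 == "") { print "FAIL: subkey " $5 " has no expiry date"; bad = 1 }
            if ($12 ~ /s/) sign++
            if ($12 ~ /e/) encr++
        }
        END {
            if (!primaries) { print "FAIL: no secret key records found"; bad = 1 }
            if (!sign) { print "FAIL: no usable signing subkey"; bad = 1 }
            if (!encr) { print "FAIL: no usable encryption subkey"; bad = 1 }
            if (!bad) print "OK: subkey secrets only, each with an expiry date"
            exit bad + 0
        }'
}

# Constructed listing: primary is a stub, both subkeys expire after 5 years.
sample_subkeys_only() { cat <<'EOF'
sec:u:4096:1:1111111111111111:1403222400:::u:::scESC:::#:
uid:u::::1403222400::::Example User <user@example.invalid>:
ssb:u:4096:1:2222222222222222:1403222400:1560902400:::::e:::+:
ssb:u:4096:1:3333333333333333:1403222400:1560902400:::::s:::+:
EOF
}

# Constructed listing: full primary key imported, signing subkey never expires.
sample_full_key() { cat <<'EOF'
sec:u:4096:1:1111111111111111:1403222400:::u:::scESC:::+:
ssb:u:4096:1:2222222222222222:1403222400:1560902400:::::e:::+:
ssb:u:4096:1:3333333333333333:1403222400::::::s:::+:
EOF
}

# Real use: gpg --list-secret-keys --with-colons | audit_laptop_keyring
sample_subkeys_only | audit_laptop_keyring
sample_full_key | audit_laptop_keyring || true
```

A non-zero exit status makes the function usable as a gate in a script that runs right after the import step on the laptop.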
On my systems, GPG encryption and decryption is very-nicely integrated right into the mail client, and there is a "GPG Keychain" utility for conveniently managing all of the keys: generating them, pushing them to keyservers, pulling from keyservers and so-on. When I send a message to certain people, it is automatically encrypted using their key, and the same is true for messages that I receive from them. (If any message weren't properly encrypted, a gigantic red-flag appears or the message is simply refused.)
Encryption of EMail (which can also be done using the S/MIME standard ...) ought to be painless. It needs to be painless, otherwise you just won't do it. It really needs to be just as routine, just as transparent, and just as "thought-less," as typing "https" when visiting a web-site. "It Just Works,™" and yet the message is at-least somewhat more secure than before.
Therefore, look around to see if you have in fact identified "the easiest way to do it." Yes, it is academically interesting and informative to get to know these tools at the command-line level, but in daily practice it should not be necessary or, as I said, you just won't do it or won't do it consistently.
Personally I would have gone for the ECC equivalents, but those are not very well supported today. Anyway, I found out that mouse movement and heavy disk activity (i.e. running "find") do increase entropy, and thus /dev/random output speed (tested). It's also ok to put twofish into the list of ciphers.
Well, OS/X Mail supports S/MIME natively, and there's a very nice GPG plug-in with an accompanying GUI key-management program. So, I can do either form of encryption at will, and verification is automatic. There are certain people with whom all my communication is automatically (and transparently) encrypted and decrypted. Messages which claim to be from a certain person, but which do not bear their signature and/or are not encrypted (if I have specified that they must be), will be red-flagged or simply discarded.
The KMail client also supports encryption. Even good ol' Microsoft Outlook can do it.
You probably shouldn't have to monkey with the command-line directly, although you certainly can, and you should basically know how. Encryption should be, and can be, easy. So easy that you can almost forget about it.
Last edited by sundialsvcs; 06-20-2014 at 01:12 PM.