• VMware

    Learn about VMware virtualization for its products like vsphere ESX and ESXi, vCenter Server, VMware View, VMware P2V and many more

  • Linux

    Step by step configuration tutorials for many of the Linux services like DNS, DHCP, FTP, Samba4 etc including many tips and tricks in Red Hat Linux.

  • Database

    Learn installation and configuration of databases like Oracle, My SQL, Postgresql, etc including many other related tutorials in Linux.

  • Life always offers you a second chance ... Its called tomorrow !!!

    Thursday, January 31, 2013

    Secure data transfer using GPG key between Linux machines

    GPG/PGP - PKI - Asymmetric Encryption
    Asymmetric means that the authentication is checked using a public with its private key where both the keys are different.

    GPG - encrypts data as well as mail which are sent over the network to some client. SO it can increase the level of security if you are planning to send some important or critical data through the network to make it safe from crackers.

    Firstly we need to generate PKI pairs (Public/Private Key Pair) - Public key has to be sent to the client location through secure session so using that public key your client will be able to decrypt the data or mail sent to them encrypted with the private key on the server machine.

    So for example here I have two RHEL 5 machines. I will be transferring data between server1 to server 2. So we need to generate gpg keys on both the machines.

    Public key from server 1 will be sent to server2 and vice versa to decrypt the data sent to any one of them.
    Still confused?
    Well you will be clear by the end of this example which I will show you here:

    On server 1
    # gpg --gen-key
    gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this                                                                                         run
    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: keyring `/root/.gnupg/pubring.gpg' created
    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
    Your selection?
    [Hit Enter]
    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 1024
    Requested keysize is 1024 bits
    Please specify how long the key should be valid.
              0 = key does not expire
           <n>  = key expires in n days
           <n>w = key expires in n weeks
           <n>m = key expires in n months
           <n>y = key expires in n years
    Key is valid for?
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: testing
    Email address: test@example.com
    You selected this USER-ID:
        "testing <test@example.com>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.[Hit Enter for blank passphrase]
    You don't want a passphrase - this is probably a *bad* idea!
    I will do it anyway.  You can change your passphrase at any time,
    using this program with the option "--edit-key".

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ++++++++++.++++++++++.++++++++++++++++++++++++++++++..++++++++++++++++++++++++++                                    +++++++++++++++++++.+++++++++++++++++++++++++++++++++++>++++++++++..............                                    ..............................+++++

    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 6F433F3D marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024D/6F433F3D 2013-01-31
          Key fingerprint = 1ED5 CCDA FDC1 BBBA 4A6B  7224 09CA CABC 6F43 3F3D

    uid                  testing <test@example.com>
    sub   1024g/BF74F2FB 2013-01-31

    You can follow the same step on server 2 for generating the keys. Once you are done with generating keys you can check the finger print using the command I have shown below.

    On server 1
    [root@server1]# gpg --list-keys
    pub 1024D/6F433F3D 2013-01-31
    uid testing <test@example.com>

    sub 1024g/BF74F2FB 2013-01-31

    On server 2
    [root@server2]# gpg --list-keys
    pub 1024R/78AC92D1 2013-01-30
    uid Deepak Prasad <deepak@example.com>

    sub 1024R/2698ECBD 2013-01-30

    NOTE: You might get an error while generating gpg keys like
    gpg: can't create '/root/.gnupg/random_seed': No such file or directory

    SOLUTION: You can overcome this by manually creating the .gnupg directory. Make sure you create it as a hidden directory.
    Here "gnupg" stands for gnu privacy guard

    Now when we are done with creating gpg key on both the machines. 
    1. You need a data file to be transferred. 
    2. Encrypt the data file using gpg
    3. Export the data file so that it can be sent to client location for decrypting purpose
    4. Change the name of the data file with standard .pub extension.
    [root@server1]# echo This is a secret file > test.txt
    Now here we will encrypt the file. Here "6F433F3D" is the USERID  which has been provided for the key  we had generated on server 1 as you can check above followed by the file name.
    [root@server1]# gpg -e --armor -r 6F433F3D test.txt
    [root@server1]# ls -l
    -rw-r--r-- 1 root root 9 Jan 31 16:28 test.txt
    -rw-r--r-- 1 root root 571 Jan 31 16:29 test.txt.asc

    [root@server1]# cat test.txt.asc
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    -----END PGP MESSAGE-----

    As you can see the data file has been encrypted and is safe now to be sent over to the client machine but to decrypt this file the client requires a public key. So let us create one public key for this purpose.
    [root@server1]# gpg --export --armor -o server1.asc

    Here "server1.asc" is the public key which will be required to decrypt the data file we encrypted.
    [root@server1]# less server1.asc
    Version: GnuPG v1.4.5 (GNU/Linux)

    [root@server1]# mv server1.asc server1.asc.pub
    Now we will copy the public key to the client location which in our case is server2 
    [root@server1]# scp server1.asc.pub  server2:/

    Similarly we need to create a public key for server 1 on server 2.

    On server 2
    [root@server2]# gpg --export --armor -o server2.asc.pub
    [root@server2]# scp server2.asc.pub server1:/

     Now import the public key which was sent from server 1
    [root@server2]# gpg --import server1.test.asc.pub
    gpg: key 6F433F3D: public key "testing <test@example.com>" imported
    gpg: Total number processed: 1
    gpg: imported: 1

    [root@server2]# gpg --list-keys
    pub 1024R/78AC92D1 2013-01-30
    uid Deepak Prasad <deepak@example.com>
    sub 1024R/2698ECBD 2013-01-30
    pub 1024D/6F433F3D 2013-01-31
    uid testing <test@example.com>
    sub 1024g/BF74F2FB 2013-01-31

     As you can see we have two keys on your server2 machine now. 
     1. The local private key Deepak Prasad
     2. Imported Public key from server1 "testing"

    The same has to be done on the other machine server1

    On server1
    [root@server1]# gpg --import server2.asc.pub

    [root@server1]# gpg --list-keys
    pub 1024D/6F433F3D 2013-01-31
    uid testing <test@example.com>
    sub 1024g/BF74F2FB 2013-01-31
    pub 1024R/78AC92D1 2013-01-30
    uid Deepak Prasad <deepak@example.com>
    sub 1024R/2698ECBD 2013-01-30

    As you can see both the keys on both server1 and server2. So we can test for the encryption of the data.

    Now we need to encrypt the data with the public keys of server2 which was just imported on server1. So that only server2 can decrypt the data file.

    On server1 (78AC92D1 is the ID for server2 user i.e. Deepak)
    [root@server1]# gpg -e -r 78AC92D1 --armor -o test.txt.server2.asc test.txt
    gpg: 2698ECBD: There is no assurance this key belongs to the named user

    pub 1024R/2698ECBD 2013-01-30 Deepak Prasad <deepak@example.com>
    Primary key fingerprint: 1F50 F1FE B6DD 9909 B673 F187 DB55 88DC 78AC 92D1
    Subkey fingerprint: 9201 1452 8E80 1050 36C8 F668 AA0D 4697 2698 ECBD
    It is NOT certain that the key belongs to the person named
    in the user ID. If you *really* know what you are doing,
    you may answer the next question with yes.
    Use this key anyway? (y/N) y
    File `test.txt.server2.asc' exists. Overwrite? (y/N) y

    [root@server1] scp test.txt.server2.asc server2:/

    On server2 verify the data by decrypting it. This will only work if the data was encrypted using your public key.
    [root@server2] # gpg --decrypt test.txt.server2.asc
    gpg: encrypted with 1024-bit RSA key, ID 2698ECBD, created 2013-01-30
    "Deepak Prasad <deepak@example.com>"
    This is a secret file

    As you can see the data file has been successfully decrypted. 

    Please let me know your success and failure rates.


    Post a Comment