Secure data transfer using GPG key between Linux machines

GPG/PGP - PKI - Asymmetric Encryption
Asymmetric means that the authentication is checked using a public with its private key where both the keys are different.

GPG - encrypts data as well as mail which are sent over the network to some client. SO it can increase the level of security if you are planning to send some important or critical data through the network to make it safe from crackers.
Firstly we need to generate PKI pairs (Public/Private Key Pair) - Public key has to be sent to the client location through secure session so using that public key your client will be able to decrypt the data or mail sent to them encrypted with the private key on the server machine.
So for example here I have two RHEL 5 machines. I will be transferring data between server1 to server 2. So we need to generate gpg keys on both the machines.

IMPORTANT NOTE : Public key from server 1 will be sent to server2 and vice versa to decrypt the data sent to any one of them.

Still confused?
Well you will be clear by the end of this example which I will show you here:

On server 1

# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this                                                                                         run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? [Hit Enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
          0 = key does not expire
         = key expires in n days
       w = key expires in n weeks
       m = key expires in n months
       y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: testing
Email address: test@example.com
Comment:
You selected this USER-ID:
    "testing <test@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.[Hit Enter for blank passphrase]
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.++++++++++++++++++++++++++++++..++++++++++++++++++++++++++                                    +++++++++++++++++++.+++++++++++++++++++++++++++++++++++>++++++++++..............                                    ..............................+++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6F433F3D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/6F433F3D 2013-01-31
      Key fingerprint = 1ED5 CCDA FDC1 BBBA 4A6B  7224 09CA CABC 6F43 3F3D
uid                  testing <test@example.com>
sub   1024g/BF74F2FB 2013-01-31

You can follow the same step on server 2 for generating the keys. Once you are done with generating keys you can check the finger print using the command I have shown below.

 

On server 1

[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31

On server 2

[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30

NOTE: You might get an error while generating gpg keys like

gpg: can't create '/root/.gnupg/random_seed': No such file or directory
 
SOLUTION: You can overcome this by manually creating the .gnupg directory. Make sure you create it as a hidden directory.
Here "gnupg" stands for gnu privacy guard
 
Now when we are done with creating gpg key on both the machines. 
  1. You need a data file to be transferred. 
  2. Encrypt the data file using gpg
  3. Export the data file so that it can be sent to client location for decrypting purpose
  4. Change the name of the data file with standard .pub extension.

[root@server1]# echo This is a secret file > test.txt
Now here we will encrypt the file. Here "6F433F3D" is the USERID  which has been provided for the key  we had generated on server 1 as you can check above followed by the file name.

[root@server1]# gpg -e --armor -r 6F433F3D test.txt
[root@server1]# ls -l
-rw-r--r-- 1 root root 9 Jan 31 16:28 test.txt
-rw-r--r-- 1 root root 571 Jan 31 16:29 test.txt.asc
[root@server1]# cat test.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)
hQEOA0yfFJC/dPL7EAP+LBNNlS/OnyO8NDhEViMK3TIVuFjrte0GWIQoWh9eumukXH/ceiIWjXMp3vFpxeU16mFtXFmqy7O90/w7wmYaEprXY5Cg+sg0J6EvXbCBUEQ0VKeWpY+ymkix/iSzboK+V5zhHI94l+ihpg+xs3CsjFH9KAkfADeSCUh/jbkbQPMD/W+lILQ52B8vlO5nV7SoA0M2u7gFp3ODitEDJoVUKKcRnc0ecu0Zp3mDxpqKih/CpPrqUiHRsqOfhIMGkD5pFGpsgWSqiU3WqY8PbjyJk2Kj9jy4OwdO/BRUqd5TUz8
zJWbpdwTw6lRE+z8F/6R4aUK49sz3PuRp076c498LyXc0kwBaxfSyTLEuTOgvLHw
hz040371wx59Xci+wjR1KjdxgcsMqopchZvwCe5usCYoMH7ppW/ggMOczQM/KS29
jnExaebzeAPONIfgke6
=EDpQ
-----END PGP MESSAGE-----
As you can see the data file has been encrypted and is safe now to be sent over to the client machine but to decrypt this file the client requires a public key. So let us create one public key for this purpose.
[root@server1]# gpg --export --armor -o server1.asc

Here "server1.asc" is the public key which will be required to decrypt the data file we encrypted.

[root@server1]# less server1.asc
Version: GnuPG v1.4.5 (GNU/Linux)
mQGiBFEKRWURBADN00ldTrjOJ5JsyZZkKyttRI+YR8lIQBqWt6yzh7W3St/hALhUcfo1QIDdNUqGw9LTe+ECVxG4lYAH22penNDCAkefJP77J6RoqTUzMwOLZV417sOhm2MloKa1elWV8Be0nRutSPmDt7chOIPAu0QbMWkhX0QDSJk/D3GmVefYuwCgiclM9DmiF9vUA+RAaRXdmX8oJRcD/jnM0+8G3BjtFZanaVKsfPWNls117KlMOXSXOWLfNL614F/woFzgHfIMxvBiHZBfAPaKjcEmEOrjaFBwuThA+HXZWQdg2NMVQ1XxwIS9m3ZDDlqav0Bc/dgfquqMj9b5TlNcxkRuz0bX9PE4cKDFMFCM1Y+RhSKtgOHJHWRU6r8A/9D3mL3E9aopuq82x5aAPuxve12l4NcaxDW8+qzgxtXsk/gN+DcHaReGrFG0ji4c757e66wuhKDKefosu0OPNbpGrO3QGu4drEmkxGaiaR7YpJcwERP2EpkoKtqYMP91BnXKa46Iew1oKaJrHS4KekfB1iOstIdXfT4qs9MYJxOjLQadGVzdGluZyA8dGVzdEBlc3R1YXRlLmNvbT6IYAQTEQIAIAUCUQpFZQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEAnKyrxvQz89cQUAnApryznbDFgWpe80I6xqIdPTVBLSAJ9Pvnih55RneWQ2elBk0xUSdbq9RrkBDQRRCkVnEAQAzs0MNQp/5kN5Puf4YSJ2igjJdd6Vc8gKiASfVufYEYh8Wg4zT8/HC69zflT8b4SKmE+7MM0k/zk+yJJ72Kb+7tRCPB9EMh54D5RN32243fClkqJZn9kCf0njwfkj2Pq5l4IswFrBUELYzO4hZxX4xSWJ4BcPQH5Cl0AmRwwhGkMAAwUEALyzl7ni4dFZPl+TvIaOnnAvMoj+LJU4de7Li7FVu7UAvtRuWLfaaH5WxFXqmB751pfyMuzoVi0U0xczVOj+eyYk6zxYoWueMklzoWBaD3HVUmD2ffyVNXMoVfvf3bAv1nQ8vZvyz86gMMXSSA4BcuZqoRR9y9gklyBdRIxFKq4BiEkEGBECAAkFAlEKRWcCGwwACgkQCcrKvG9DPz2G5QCfZGsa6LUQ3kGPrLoSz4tS1fVsEgEAn2mcFv/q+uIUU+RR3rc7O5qlwGFk=risQ
-----END PGP PUBLIC KEY BLOCK-----
[root@server1]# mv server1.asc server1.asc.pub
Now we will copy the public key to the client location which in our case is server2 
[root@server1]# scp server1.asc.pub  server2:/
Similarly we need to create a public key for server 1 on server 2.
 

On server 2

[root@server2]# gpg --export --armor -o server2.asc.pub
[root@server2]# scp server2.asc.pub server1:/
 Now import the public key which was sent from server 1
[root@server2]# gpg --import server1.test.asc.pub
gpg: key 6F433F3D: public key "testing <test@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
 As you can see we have two keys on your server2 machine now. 
 1. The local private key Deepak Prasad
 2. Imported Public key from server1 "testing"
 
The same has to be done on the other machine server1
 

On server1

[root@server1]# gpg --import server2.asc.pub
[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30

As you can see both the keys on both server1 and server2. So we can test for the encryption of the data.
Now we need to encrypt the data with the public keys of server2 which was just imported on server1. So that only server2 can decrypt the data file.

On server1 (78AC92D1 is the ID for server2 user i.e. Deepak)
[root@server1]# gpg -e -r 78AC92D1 --armor -o test.txt.server2.asc test.txt
gpg: 2698ECBD: There is no assurance this key belongs to the named user
pub 1024R/2698ECBD 2013-01-30 Deepak Prasad <deepak@example.com>
Primary key fingerprint: 1F50 F1FE B6DD 9909 B673 F187 DB55 88DC 78AC 92D1
Subkey fingerprint: 9201 1452 8E80 1050 36C8 F668 AA0D 4697 2698 ECBD
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
File `test.txt.server2.asc' exists. Overwrite? (y/N) y
[root@server1] scp test.txt.server2.asc server2:/
On server2 verify the data by decrypting it. This will only work if the data was encrypted using your public key.
[root@server2] # gpg --decrypt test.txt.server2.asc
gpg: encrypted with 1024-bit RSA key, ID 2698ECBD, created 2013-01-30
"Deepak Prasad <deepak@example.com>"
This is a secret file
As you can see the data file has been successfully decrypted. 
 
Please let me know your success and failure rates.