GnuPG Encryption and Signature Reference Guide

This little reference guide has examples that allow encryption/decryption and signature generation/verification with GnuPG.

Encryption

• To encrypt a file:

  $ gpg --encrypt file.txt
  

  and the encrypted content of file.txt will be on output file file.txt.gpg.

• ASCII armored encryption:

  $ gpg --armor --encrypt file.txt
  

  file.txt.asc will contain the ASCII armored encrypted file.txt.

• To specify a recipient:

  $ gpg --recipient rec
  

• To specify the output file name:

  $ gpg --output fileout.gpg --encrypt file.txt
  

  Instead of the default file.txt.asc, output to fileout.gpg.

• To decrypt a file:

  $ gpg --decrypt file.asc
  

Signatures

• To create a detached signature:

  $ gpg --sign myfile.txt
  

  file.txt.gpg will be created with the binary signature.

• To create a detached signature ASCII armored:

  $ gpg --armor --sign myfile.txt
  

  file.txt.gpg will be created with the ASCII armored signature.

• To create an attached signature:

  $ gpg --clearsign myfile.txt
  

  file.txt.gpg will be created with both the message and the signature.

• To verify a signature:

  $ gpg --verify [sig.asc] myfile.txt
  

  Verifies optional parameter sig.asc against myfile.txt.

Revision History

Post built on: 2014-08-25 22:13:30
Last modified on: 2014-08-25 22:13:06
First published on: 2014-08-25

Revision	Date	Description
1.00	2014-08-25	Initial Version. Published.

Creating PGP Key With Subkeys

The point of digitally signing and encrypting documents is not the goal of this post. It will be discussed why and how subkeys should be used.

Subkeys

By default, when you create a new public/secret key pair you create, actually, two key pairs:

• a master key used for signing documents and other keys and
• a subkey for encryption.

After that, subkeys can be added for encryption or signing.

The point on creating another subkey for signing is that you should keep you master key really safe, as it is the one that "proves" your identity. If any of your subkeys is compromised, you can revoke them and create a new subkey on the same master key, without losing all your web of trust as it would happen if your master key is compromised. There's no limit on how many subkeys can be created and how many subkeys that are expired or revoked on a master key.

How To

Initial Setup

Put these configurations into ~/.gnupg/gpg.conf

fixed-list-mode
keyid-format 0xlong
with-fingerprint
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512

This will ensure that your key will be generated using stronger preferences.

Generate Master Key

If you do not already have a master key pair, create one:

$ gpg --gen-key

Generate Subkeys

Then, use the --edit-key to add more keys:

$ gpg --edit-key mykeyid
     ... some output and require your key password
gpg > addkey

It will prompt which kind of key you want. It was only added new RSA signing subkeys with 4096 as key size and valid for an year in a total of two: one for the laptop and another for the Android phone. New encryption subkeys were not created for each device because, this way, there was not a way of decrypting everything everywhere (and people would not know which key is to be used when encrypting things for me - that is why more than one encryption key does not make much sense).

Setting Expiration Dates

It is reasonable setting expiration dates for the keys. If the password is forgotten or the key is lost other way, people will notice the key is no longer valid.

If it was not set on subkey creation, this is how to set expiration date:

Use gpg --edit-key command.

Select the keys with key key_index where the key_index is based on the list from edit-key output. Then use the command expire. You will be prompted for the valid period of the key. Save modifications with save.

For example, to modify key 1 expiration date:

$ gpg --edit-key keyid
...
gpg > key 1
...
gpg > expire
 ... set the date for expiration
gpg > save

Export All Secret Keys

All secret keys will be exported to mysecretkeys file, ASCII armored, with this command:

$ gpg --armor --export-secret-keys masterkeyid > mysecretkeys

Exporting Only Secret Subkeys

To export only secret subkeys:

$ gpg --armor --export-secret-subkeys masterkeyid > mysecretsubkeys

And to export only some secret subkeys:

$ gpg --armor --export-secret-subkeys subkeyid1! ... subkeyid2! > partialsecretsubkeys

The exclamation marks (!) are mandatory.

Deleting Unwanted Subkeys

After exporting secret keys, delete subkeys that are not supposed to be on the device. Use gpg --edit-key command.

Once in edit-key mode, to select a key,then use ``key key_index` to select the keys to be deleted. Once all keys that will be removed are selected, use the delkey command.

Creating Revocation Certificates

Revocation certificates are supposed to be used when your key is compromised, and will invalidate the key.

To create a revocation certificate:

$ gpg --gen-revoke keyid > revocationcertificate

Importing Subkeys On Another Hosts

To import a key, or only subkeys, on another host is as simple as:

$ gpg --import mykeys

where mykeys is the file where the keys were exported.

Properly Storing Keys and Revocation Certificates

The master key should be kept really safe. Store the exported keys and revocation certificates on a USB stick and printed on paper. Keep another copy on a safe place, like your parent's home.

This way, if a device fail, the keys are not lost forever. If a key is compromised, there is a way to revoke it. If a key is compromised because one of the backups is compromised too, there is another bakcup to revoke the key.

External Links

• http://blog.dest-unreach.be/wp-content/uploads/2009/04/pgp-subkeys.html (accessed 2014-03-11);

• https://wiki.debian.org/Subkeys?action=show&redirect=subkeys (accessed 2014-03-11);

• https://we.riseup.net/riseuplabs+paow/openpgp-best-practices (accessed 2014-03-11): this one have a lot of "tests" to check if the key is secure;

• https://alexcabal.com/creating-the-perfect-gpg-keypair/ (accessed 2014-03-11).

Revision History

Post built on: 2014-03-12 23:38:22
Last modified on: 2014-03-12 23:37:30
First published on: 2014-02-21

Revision	Date	Description
1.00	2014-03-12	Initial Version. Published.

Converting kmz to gpx

Recently, I have started to collect data from GPS during bicycle commutes using an Android smartphone. This job is done by MyTracks. I have tried other applications, but this one worked out best.

MyTracks, by default, creates a kmz file, which is a Keyhole Markup Language (kml) file (or various) bundled with other resources into a zip file. It can export to other types, but kmz has some advantages, like photographs embedded on markers.

Loading this file in Google Maps directly from Google Drive was straightforward, but it requires an internet connection. I wanted to view, and maybe edit, the file offline. I have tried loading the kmz file directly on various applications under Linux, but the I have only achieved getting the begin and end points this way.

So, I converted the kmz file to gpx (GPS Exchange Format) using gpsbabel and the track was correctly imported (I am using JOSM - Java OpenStreetMap on the computer).

How to Convert

Given a kmz file, to get a gpx one:

$ unzip -p myfile.kmz doc.kml | gpsbabel -i kml -f - -o gpx -F myfile.gpx

myfile.kmz is the file to be converted. gpsbabel does not convert kmz directly to gpx, so it is necessary to extract the kml file that inside kmz (which is doc.kml in the example). The file is piped to gpsbabel which will save the new gpx file myfile.gpx. If there is more than one kml file, the processes must be repeated for every kml.

External Links

• gpsbabel (accessed 2014-02-20): project website;

• kml (accessed 2014-02-20): Keyhole Markup Language file type;

• gpx (accessed 2014-02-20): GPS Exchange Format file type.

Revision History

Post built on: 2014-02-21 00:00:18
Last modified on: 2014-02-21 00:00:13
First published on: 2014-01-21

Revision	Date	Description
1.00	2014-02-21	Initial Version. Published.

Suspending and Hibernating on Slackware:

It is very straightforward to make Slackware suspend to RAM or hibernate to disk using D-Bus. D-Bus is a message bus system, that allows applications communicate.

On Slackware, make sure your user is on power group. Check with:

$ groups your_user

Change your_user to your user name. If it is not in power group, add with

# usermod -aG power your_user

Suspending

In order to suspend to RAM, just run the following command from a user on power group:

$ dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Suspend

Hibernating

CAUTION: this method does not work if you use [LVM extlink en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)]. If you do, take a look at external links at the end of the post.

The command to hibernate to hard disk is similar to the hibernating command:

$ dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Hibernate

But, for the bootloader to know where to find the state saved on disk during hibernation, you'll need to tell it. On /etc/lilo.conf, append the line append="resume=/dev/sdX":

image = /boot/vmlinuz
 root = /dev/sdaY
 initrd = /boot/initrd.gz
 label = Slackware
 read-only
 append = "resume=/dev/sdaX

where /dev/sdaX is the swap partition.

Run

# lilo

to apply changes.

Just a Lil' Problem

When you suspend or hibernate only with those commands, when the computer restarts, your session will be unlocked.

To avoid it, call a lock or screensaver before taking those actions. I use xscreensaver and have the scripts dbus-suspend dbus-hibernate to lock computer:

xscreensaver-command -lock
sleep 7
dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Hibernate

Rebooting and Halting

With D-Bus, if you are in power group, you can reboot or halt your system too:

To reboot your system:

$ dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart

And to halt:

$ dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop

External Links

• Slackware Docs: talks about hibernation on Slackware.

Revision History

Post built on: 2014-01-21 00:28:26
Last modified on: 2014-01-21 00:28:22
First published on: 2014-01-21

Revision	Date	Description
1.00	2014-01-09	Initial Version. Published.

Starting Display Manager On Slackware Startup

The default runlevel for Slackware is 3: that means it will run with multiuser mode, on a standard text-based login.

But what is a runlevel? It defines the state of the machine after the boot. And, usually, for operating systems that implement System V initialization, runlevels are:

• single user mode;
• multiuser mode without network services started;
• multiuser mode with network services started;
• system shutdown and
• system reboot.
  On Slackware, there are 7 runlevels:

runlevel	Description
0	Halt.
1	Single user mode.
2	Unused (same as runlevel 3)
3	Multiuser mode without display manager (DEFAULT).
4	Multiuser mode with display manager.
5	Unused (same as runlevel 3).
6	Reboot.

To modify the default runlevel of Slackware, in the file /etc/inittab, look for a line like this:

# Default runlevel. (Do not set to 0 or 6)
id:3:initdefault:

As it was expected (on Slackware), the default runlevel is 3 (multiuser mode). Change it to runlevel 4 for GUI login when the system is started:

# Default runlevel. (Do not set to 0 or 6)
id:4:initdefault:

Save the file and that is it. Reboot your system and a graphical login prompt will be there (if you installed the packages for one, of course).

External Links

• Slackware configuration help
• Runlevel (Wikipedia)

Revision History

Post built on: 2014-01-16 01:04:18
Last modified on: 2014-01-16 01:03:22
First published on: 2014-01-09

Revision	Date	Description
1.00	2014-01-16	Initial Revision. Published.

Improving Slackware Boot Time

Booting Slackware may be slow compared to another operating systems. This tutorial is based on Slackware 14.1.

DHCP

Slackware waits for a DHCP response on boot. Look for the following lines

echo "/etc/rc.d/rc.inet1:  /sbin/dhcpcd -t ${DHCP_TIMEOUT[$i]:-10} ${DHCP_OPTIONS} ${1}" | $LOGGER
/sbin/dhcpcd -t {$DHCP_TIMEOUT[$i]: -10 ${DHCP_OPTIONS} ${1}

and just add a & on the end of the last line:

echo "/etc/rc.d/rc.inet1:  /sbin/dhcpcd -t ${DHCP_TIMEOUT[$i]:-10} ${DHCP_OPTIONS} ${1}" | $LOGGER
/sbin/dhcpcd -t {$DHCP_TIMEOUT[$i]: -10 ${DHCP_OPTIONS} ${1} &

bzImage Loading

If the message:

Loading Linux ..........

takes too long, the solution can be adding the compact parameter on /etc/lilo.conf:

# Start LILO global section
# Append any additional kernel parameters:
append="vt.default_utf8=1 resume=/dev/sda7
boot = /dev/sda
compact

Maybe there's already this parameter commented out, with another comment saying it will be faster, but won't work on all systems.

Don't forget to run the lilo command to modifications take place:

# lilo

External Links

• Slackware Tips, by Brent W. Woodruff.

Revision History

Post built on: 2014-01-15 21:32:28
Last modified on: 2014-01-15 21:30:24
First published on: 2014-01-14

Revision	Date	Description
1.00	2014-01-14	Initial revision. Published.
1.01	2014-01-15	Adding new "syntax" for code examples.

Creating Encrypted Directories With EncFS

> EncFS (Encrypted Filesystem) is a tool for encrypted filesystems in user space. It does not require any special permissions, since it uses FUSE.

Considering I will use encrypted folders mainly on things that need frequent backup, the advantages are:

• per file encryption: will help on incremental backups;

• encrypted folder can grow: a great advantage against a loopback filesystem (like TrueCrypt, where you need to allocate resources before using them;

• do not need root permissions: on every host there is FUSE support, I can use EncFS and

• the configuration is straightforward.

I have used eCryptfs before, but it does require configuring `fstab` or having root privileges for mounting the encrypted folders. The configuration is much more complicated.

Configuration

First of all, make sure you have FUSE and EncFS installed on your system.

You will need a directory for the encrypted data to be stored and another directory to mount the encrypted directory. For the example, let's call the directories `encrypted` and `decrypted`, respectively. Both on the home directory.

$ encfs ~/encrypted ~/decrypted

Notice that full paths are necessary. You will be prompted if you want the preconfigured options or to configure it yourself. I choose the defaults. At the end, you will be prompted for a password and confirmation.

To mount the encrypted folder again, the command is the same:

$ encfs /full/path/to/encrypted_folder /full/path/to/decrypted_folder

And to umount it:

$ fusermount -u /full/path/to/decrypted_folder

External Links

• EncFS official site

• ArchLinux wiki for EncFS: contains some configuration for GUI user interaction.

Revision History

Post built on: 2014-01-16 01:06:27
Last modified on: 2014-01-16 01:05:58
First published on: 2014-01-09

Revision	Date	Description
0.01	2014-01-09	Initial revision. Not verified.
1.00	2014-01-09	Minor modifications and corrections. Published.
1.01	2014-01-15	Adding new "syntax" for code examples.
1.02	2014-01-15	A link was not set to external.

Introduction

I'm Jean Waghetti and this is my personal blog. It will contain information of any kind related to things I do, from computer systems configuration to bicycle maintenance.

This is a way of sharing knowledge in a convenient way: I have information I may need in future concentrated here.

Enjoy!

Revision History

Post built on: 2014-01-09 23:38:41
Last modified on: 2014-01-09 23:38:37
First published on: 2014-01-09

Revision	Date	Description
1.00	2014-01-09	Initial revision. Published.