Linux Server Security Secrets and Administration: October 2005

Asymmetric Cryptography with Linux

A fast introduction or memory notes about PGP and GPG (GNU) for Linux and UNIX.
Asymmetric Cryptography is the best method to encrypt information and asure confidentiality and authenticity.

You will see these formulas:
Symetric cryptography
Y = E(X)
X = D(Y)

Confidentiality with asymmetric Cryptography
A-->Kub--->Krb-->B

Authenticity with asymmetric Cryptography
A-->Kra--->Kua-->B

Authentication and Confidentiality
A-->Kra--->Kub--->Krb--->Kua-->B

This is not intended to be a deep introduction to Cryptography, just some notes, if you are interested in more information contact me.

* How to create a Private Key and a Public Key in Linux with GPG ?
$ gpg --gen-key
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
(5) RSA (sign only)
Your selection? 1 (It is recomended to choose DSA and ElGamal since it is not patented)
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits default keysize is 1024 bits
highest suggested keysize is 2048 bits What keysize do you want? (1024) 2048 (Larger keys = more security)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all Is this correct (y/n)? y

Now you have to enter a password, better described by " keyphrase ", input uppercase and lowercase with numbers and a password that you will not forget, since if you do, any encripted information sent to you with you public key will not be restable. Now you keys where created !

* List the keys created with GPG Linux
[wlamagna@internet wlamagna]$ gpg --list-keys
/home/wlamagna/.gnupg/pubring.gpg
---------------------------------
pub 1024D/B070DC8F 2005-10-25 Walter Lamagna (Sysop)
sub 2048g/C89C0BA5 2005-10-25 ---------------------------------------------

* View or export a key with GPG in Linux and UNIX

$ gpg --export [UID]
[wlamagna@internet wlamagna]$ gpg --export -a wlamagna@hotmail.com
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBENer7URBACcip5EQKuI2Xu0Ol2QgXGvR1wjWxLsyVz2p3maRPZMGEL9V8qf
PePhXaMp7IR247JEHy1TBztP6EVohYcm12629OaubzDKS4ogzfaUXUVbp5oGguU/
95jPhrrAPg3gSoTsa1h0eFzZxwHFmJPwiVgJC2Ih22cPZHuH3bQulQ/yJwCg+xhj
qufw1hIOf0IxKbc+774ce2MD/3F3Z9tF7WNUHg9BeQ1EQRxGg+HOhhnLaYWQiU3M
IL9Ox/RSHnJGet9eIFnNX+4BPASxDVRWZ/03lNspVeidU2OCWvhrEBZ2CdCZ7OZ3
g/WK5WT66HYgshP3U1il6w7tJat+CZn1ynXRmzo03ZWNlqQ+rhuDrI8ewAdE1FN1
8ACsA/4wGkFtlQ87acZkqYOIBYVaut9fKbc4A5THHagmt8W8oXpAS3/KdK8t3D68
j+cQU9hGaEzqg1i4WtwzfuYcbFYeICFGP8Hr++Rj4O/9SKNU6JoojHjVh/UWAa5z
wkqMufSs6k4tGO6WoUKrtnHWylS2cX3jCmEKL6pDjP56X2688rQtV2FsdGVyIExh
bWFnbmEgKFN5c29wKSA8d2xhbWFnbmFAaG90bWFpbC5jb20+iFkEExECABkFAkNe
r7YECwcDAgMVAgMDFgIBAh4BAheAAAoJEHgOrOiwcNyP3hYAn1DzUhzY20wCqgfW
T1C2//Ib0qDBAKCF+IJlTMwQwE4BVVgK63urJNVmP7kCDQRDXq/AEAgAxmVnz0wO
tO5HamE5/vWPLehfRtI7GbrqeatVy0F0It170g4L1s4Jynpoqsr/YYjftEM/xgj9
9Xk6vu3BlgU5EsfCQdlZA6Buvy/q0MoSIR0dCmNbK1iel23nXFBzYaVo5MsD003R
jy0/Cnyx4wELfcj/cJgFY21rcUyzxLULVzAdcSlV0v3RuunuHjCKj2/oYYroYrSk
PyNGM1z3LbB93U6P3fB3HDiRbU23VZin2hdi1PXwXFZtTV6g5Xs6sz8wud6pqbe6
7zqXqjQsASWXdwPLT14QmAP2yq7zfgJrPXYQOfqm0mWjn0xU6aq/9km2nRdP3WlR
QH2XiYBA0g02PwADBQf/RwBcPsgsTeF7lIIWTZkW537rPorGPrsLhSQpDLeeZzwT
MMVY+1n6EHlcSejHr6DXTMj0cn9zUyXKzh01gpPoj5pyNpl9gffFQYkU4U7fXLQ5
A2+AU/oF73n6iliKQs0WmdMSvEw+pObrO7OOZLPuNmhkWqZYsorlxRVb02EEicVP
og9IBQY7mjrxZfnrd2o95tQEVzqGv4L1wuYVLTqfIcf6yQuiY2qusXWz+Ja8cqm4
fHCjMfVZL2put900Qy8lmf8Lky+eRnf/2iDgMNuFT9HRnfgO0bUWuWInbw7HvgvK
UbtXYQM2QvNNLUoDU5gXksLRSbEcs9+Gu0eSPGKIx4hGBBgRAgAGBQJDXq/AAAoJ
EHgOrOiwcNyP5sYAnRVCcKMnQfh4V44Sb0lrqt6L07jeAJ40tRY7P7SfBKrczAiF
UT9etzCMiA==
=1Ok9
-----END PGP PUBLIC KEY BLOCK-----
 [wlamagna@internet wlamagna]$

This is my public key, so your secret messages will be welcome. If you do not specify the UID it will print all the keys in your keyring and if you do not use "-a" i will print the key in non printable characters. If you export the public key (never give your private key to anybody)
you can exchange confidentiality information with somebody else who has your public key. You can exchange the password by writing it in a webpage, finger, ftp or uploading it to a Public Keys Server.

* Import Keys with GNU GPG
$ gpg --import [file]

When you receive a public key from somebody, add it to your keyring.

* Delete a public key with GNU GPG
$ gpg --delete-key [UID]

And finaly, how to list your secret (private) keys ? The keys your should not give anybody. Be carefull with the keyloggers, best use them in secure machines.

[wlamagna@internet wlamagna]$ gpg --list-secret-keys
/home/wlamagna/.gnupg/secring.gpg
---------------------------------
sec 1024D/B070DC8F 2005-10-25 Walter Lamagna (Sysop) 
ssb 2048g/C89C0BA5 2005-10-25

* To delete a secret (private) key with GNU GPG
$ gpg --delete-secret-key [UID]

* To modify a secret (private) key with GNU GPG
$ gpg --edit-key [UID]

After any power problem with the linux machine, the filesystem could be corrupted and you may not be able to login. When this happens, you will need e2fsck, the tool to recover ext2 or ext3 partitions. (Do not ever use it with a partition that has AFS or another format).

Boot with a live cd or the first cd of Redhat and write "linux rescue".
Do not let the rescue mode to detect the linux partitions, else it would mount them and you do not want to mount the partitions yet, the file system check (e2fsck) can cause severe problems on a mounted partition.

When you are at the rescue mode prompt, write:

# e2fsck -c -c -v -y /dev/hda1
It is important to user "-c -c" (twice) this means that badblocks will scan using a non-destructive read-write test.
"-v" to verbose and see the status of fsck.
"-y" says to answer "yes" to all the questinons from fsck.