GPG encryption & emailing

This wiki page explains how to locally encrypt and send e-mails (the software sendEmail will be used) with IPFire. This can be useful, for example, if you want to receive a periodic system state report of the IPFire system securely via e-mail. To ensure that these e-mails are encrypted securely, the software GPG, which is part of IPFire's base system, will be used.

Additional addon for mail clients

Enigmail is a GPG addon for the mail client Thunderbird. Thunderbird is also available on different OS platforms.

For Windows

Gpg4win is required to generate a GPG key on Windows.

For Mac OS X

The GPGtools can be used as an extension for Apple's mail client mail.app.

For Ubuntu / Fedora

Here, GPG is normally included. E.g. Fedora: package gnupg-1.4.13-2.fc18.x86_64 (as of 21.05.2013)

Additional addons for Android smartphones

An e-mail client: K9

GPG-Tool: APG

Check whether it is already installed

To check, you can enter the following in the Ubuntu shell:

dpkg -l gnupg

A positive result should look similar to this:

ii  gnupg          1.4.10-2ubuntu GNU privacy guard - a free PGP replacement

If not, the following can be typed into the Ubuntu shell:

sudo apt-get update

Then:

sudo apt-get install gnupg

For Fedora with yum:

sudo yum install gnupg

Create a GPG key

GPG is a free encryption program. GPG can be used to encrypt and decrypt files and e-mails, but it can also be used for signatures. For more info take a look in here.

Tip! If you also use GPG keys for other purposes, it is better to generate a separate key for this purpose and note the purpose in the comment. Then the loss of one private key does not make everything you have ever encrypted unreadable. Make a backup of the key! If a key is deleted or otherwise becomes unusable, you can no longer get at the information encrypted with it.

Creation under IPFire / Ubuntu or Fedora

To create a key now, use the following command:

gpg --gen-key

Now you are asked which kind of key should be generated; in our case it is choice (1):

gpg (GnuPG) 1.4.13; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection?

Select the key size; 2048 bits should be enough ?! ;-)

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Now the expiry date can be specified, e.g. 2y for two years.

Please specify how long the key should be valid.
       0 = key does not expire
    <n>  = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
Key is valid for? (0)

Information about the owner of the key:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
  "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:

The example is confirmed with O:

Real name: IPFire
Email address: your.mail@mail.de
Comment: Statusmail

You selected this USER-ID:
  "IPFire (Statusmail) <your.mail@mail.de>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Output during the key generation:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...........+++++
.+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++
gpg: key ABC123 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2015-05-27
pub   2048R/ABC123 2013-05-27 [expires: 2015-05-27]
    Key fingerprint = CD31 1234 ABCD 0B82 A98D  0AV8 C4FF BFF0 AAFF XYZZ
uid                  IPFire (Statusmail) <your.mail@mail.de>
sub   2048R/XYZ890 2013-05-27 [expires: 2015-05-27]

Display the keys now in the keyring:

gpg --list-keys

pub   2048R/ABC123 2013-05-27 [expires: 2015-05-27]
    Key fingerprint = CD31 1234 ABCD 0B82 A98D  0AV8 C4FF BFF0 AAFF XYZZ
uid                  IPFire (Statusmail) <your.mail@mail.de>
sub   2048R/XYZ890 2013-05-27 [expires: 2015-05-27]

Generate GPG key with Windows via Gpg4win

Gpg4win instructions for creating private and public GPG keys.

ToDo Screenshot
Under Gpg4win go to keys and select "New key".
Enter the appropriate owner -> e.g. IPFire
Enter your e-mail address -> e.g. your.email@mail.de
Make a backup of the private key in the desired folder. This private key is required to encrypt the data. The key must not be passed on, otherwise there is the danger of misuse and the trust can no longer be guaranteed.
Now set the password for the key; at least 8 characters, numbers and special characters strengthen the security of this key.
Choose the file location.
Last but not least, export the public key. It is required to decrypt on the mail client.

Thunderbird-addon and the GPG-key

Using the public key with the Thunderbird addon Enigmail.

ToDo Screenshot
For the OpenPGP function in TB the appropriate application must be configured: enter the path to the installation, pointing to gpg2.exe. In TB go to "Settings" in the application menu and click OpenPGP.
Import the public key: go to OpenPGP in the application menu and choose "Manage keys".
Now click the "Import" button.
Select the provided public key. Then click OK and the import is finished.
Double-check whether the key was imported properly: under "Manage keys", enter the corresponding name, here "IPFire", in the search box. The result should look similar to this.

GPG key copy & import

If the GPG private key (not filename.pub.asc) was created on another system, it must be copied to the IPFire; this can be done with WinSCP on Windows or via scp on Linux systems.

scp filename.asc root@ipfire:/tmp/

Then the private key needs to be imported to enable the encryption:

gpg --import /tmp/filename.asc

Find out the GPG key ID

Check the GPG keys; this key ID is needed for the key signing.

gpg --list-keys
or simply
gpg -k

The generated key should look similar to this:

pub   2048B/ABC123 2013-05-22 [expires: 2018-05-22]
uid                    NameX <yourmail@mail.de>
sub   2048g/XYZ789 2013-05-22 [expires: 2018-05-22]

The key ID can be found in the string "pub 2048B/ABC123", more specifically "ABC123".
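The key ID is not the only thing worth reading from that listing: the expiry date matters too, because once the recipient key expires, the cron-driven encryption later on this page stops working. The following script is an added example (not part of the original wiki page): it extracts the key ID and expiry date from a listing shaped like the one above (the listing embedded in the script is a constructed sample) and reports whether the key is usable, expiring soon or already expired. The date arithmetic is done in awk so it works without GNU `date -d`.

```shell
#!/bin/bash
# Added example, not part of the original wiki page: read the key ID and the
# expiry date out of a `gpg --list-keys` listing and warn before the recipient
# key expires. An expired recipient key makes `gpg --encrypt` in the cron job
# later on this page fail, so this is worth checking periodically.

# Constructed sample listing, shaped like the output shown above.
SAMPLE_LISTING='pub   2048B/ABC123 2013-05-22 [expires: 2018-05-22]
uid                    NameX <yourmail@mail.de>
sub   2048g/XYZ789 2013-05-22 [expires: 2018-05-22]'

# key_id_from_listing LISTING -> prints the ID after the slash on the first "pub" line.
key_id_from_listing() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, f, "/"); print f[2]; exit }'
}

# key_expiry_from_listing LISTING -> prints YYYY-MM-DD from "[expires: ...]"
# of the first "pub" line, or "never" when that line carries no expiry.
key_expiry_from_listing() {
    printf '%s\n' "$1" | awk '
        $1 == "pub" {
            if (match($0, /expires: [0-9][0-9-]*/)) {
                print substr($0, RSTART + 9, RLENGTH - 9)
            } else {
                print "never"
            }
            exit
        }'
}

# days_between FROM TO -> prints TO minus FROM in days (both YYYY-MM-DD).
# Julian Day Number arithmetic in awk; needs no GNU date extensions, so it
# also runs on a minimal system like IPFire.
days_between() {
    awk -v from="$1" -v to="$2" '
        function jdn(s,    p, y, m, d, k) {
            split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
            k = int((14 - m) / 12); y = y + 4800 - k; m = m + 12 * k - 3
            return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
        }
        BEGIN { print jdn(to) - jdn(from) }'
}

# key_status EXPIRY TODAY [WARN_DAYS]
# Exit status: 0 usable, 1 expires within WARN_DAYS (default 30), 2 expired.
key_status() {
    expiry=$1; today=$2; warn_days=${3:-30}
    if [ "$expiry" = "never" ]; then
        return 0
    fi
    left=$(days_between "$today" "$expiry")
    if [ "$left" -le 0 ]; then
        return 2
    elif [ "$left" -le "$warn_days" ]; then
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample.
id=$(key_id_from_listing "$SAMPLE_LISTING")
exp=$(key_expiry_from_listing "$SAMPLE_LISTING")
rc=0; key_status "$exp" "$(date +%F)" || rc=$?
echo "key $id expires $exp: status $rc (0 ok, 1 expires within 30 days, 2 expired)"
```

On the IPFire itself, replace the constructed sample with the real output, e.g. `key_expiry_from_listing "$(gpg --list-keys)"`. The helpers take the first pub line only; with several keys in the keyring, pass `gpg --list-keys <key-id>` instead so the right key is inspected.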

Signing the GPG key

There are two ways to sign the key. Signing is required, otherwise a message like "do you really want to encrypt the file" will be shown, and a y/n input is expected.

Possibility 1:

gpg --sign-key key-id

Possibility 2:

gpg --edit-key key-id

gpg> trust

The following options for the Trust Level are offered:

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = Not sure
2 = No, I don't trust him
3 = I trust him a little
4 = I trust fully
5 = I have absolute trust to him
m = Back to main menu

Your choice?

Item 5 should be chosen; only then are the following trust positions fully specified.

Example with (4): trust: full, validity: unknown

Example with (5): trust: ultimate, validity: ultimate

With quit you get back to the shell.

Manual test for GPG

To ensure that no errors have sneaked in, you can check the encryption to prove that everything works properly.

touch /tmp/test.txt

and encrypt it with GPG afterwards

gpg --encrypt -a --recipient ABC123 /tmp/test.txt;

In the /tmp/ directory a test.txt.asc should now be found. Viewing this file with the less command, output similar to this should be seen:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQIOA+k4SP53wN2PEAf/UQ1Oljc0Hsdrn8jgiqIpMq+8OqDLaN0oBy2HiMCFZoby
lJpylR3O3KGVcCdiKr9toqn6uk6W3g2G5HDGZSOI569N/dlgDGkhEYF1hzDG8RK2
7W3Iy0zzR00L3ocTfgWoJFcOrNovnne2MT7drX9jYcSzners3M0BONFlfDWOBZtj
mdkkExCwE3XAjflsMyjNk3+KDw80C5XQ5fkHvTxdzu1PxOvGkx76eRMsukheJL9I
BBhujVPSsyrwDFRjvXEn/Um0r5P61daddmgBt/yjUVUo2L2XvPOQimiwqj10Wjcj
...
...

sendEmail script

Now adjust the sendEmail script accordingly for the GPG function.

This script can then be set up for Cron with the desired cycle, like here.

Prepare GPG for Android

A word about mobile devices and sensitive data: if the private key (the master key) is stored on the mobile device, there is a further source of danger, for example loss of the device, or malware on the device which can grab the key. It is therefore advisable not to store private keys in such easily "vulnerable" environments and to use them there.

ToDo Screenshot
What do we need? A smartphone with Android. LOL
At this time only one Android mail client which supports GPG is known: K9
Now we need an app which manages the GPG keys; APG was used for this.
To use the keys now, the private key (for decryption) and the public key for encryption (optional, if wished) should be imported. Therefore start APG.
Now use the menu button and manage the private keys. Press "Import key" and select the previously saved key from the IPFire. Optionally, if mails should also be encrypted, repeat this step for the public key.
If successful, the key will be displayed. Under Settings there is also an option for the key server, which can be removed.

Decrypt GPG-Mail on Android

ToDo Screenshot
After receiving the status message of the IPFire we see the following.
The content looks illegible, but thanks to the integrated GPG function of K9 it is possible to decrypt this mail in the right-hand field of the e-mail.
The results speak for themselves 8-) .

Little hint! K9 can also use SSL/TLS for mail retrieval (e.g. imap.gmx.net port 993) and e-mail sending (e.g. mail.gmx.net port 465). You should use this too.

GPG Debug

If your GPG keys are not in the corresponding script directory, problems can appear. A possible error is that the cronjob cannot encrypt the /tmp/sysinfo.txt and the GPG mail delivery works only partially or not at all.

Here is a way to check this.

Find error message:

Therefore we create a script which manages the encryption and the delivery of the status mail attachment (use only the my-sendemail.sh without integrated encryption). In addition, we extend the script with set -x to turn on the debug mode and pipe the output to a text file.

filename = debug-my-gpg.sh

#!/bin/bash -

####################################
# Execute my-sendemail.sh,
# encrypt sys_info and send an debug textfile to /tmp dir
# 5p9 08.07.2013
####################################

set -x

(/root/my-sendemail.sh | \
 /usr/bin/gpg -ear 1234567) > /tmp/gpglog.txt 2>&1

1234567 = the key ID of the GPG key, found as described in here.

my-sendemail.sh = the script integrated into fcrontab as described in here.

*/1 * * * * /path/dir/script.sh

After this procedure, the gpglog.txt should contain the hint about the missing GPG public key.

Now determine the environment details for fcrontab, to see whether all variables are set correctly. Therefore add another fcrontab entry, which also works without a script:

*/1 * * * * /usr/bin/env > /tmp/envlog.txt

If Cron has been run, the result looks like this:

CONSOLE=/dev/console
SHELL=/bin/bash
TERM=linux
USER=root
INIT_VERSION=sysvinit-2.88
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
_=/usr/bin/env
RUNLEVEL=3
PWD=/
PREVLEVEL=N
HOME=/
SHLVL=3
LOGNAME=root

"HOME=/" is wrong for our purpose. That's why the script needs an export HOME=/root entry at the very beginning.

filename = my-sendemail-gpg.sh

#!/bin/bash -

####################################
# Execute sys_info,
# encrypt sys_info and send an email
# ummeegge 25.03.2013
####################################

# fcron starts the job with HOME=/, so gpg would not find the keyring
export HOME=/root
skript="/mnt/harddisk/mo_scripts/sys_info"

cd "$skript" || exit 1
./sys_info1.sh > /tmp/sysinfo.txt
# encrypt the report for the recipient key ID (ASCII-armored output);
# if encryption fails, remove the plaintext and do not send anything
gpg --encrypt -a --recipient A94AB589 /tmp/sysinfo.txt || { rm -f /tmp/sysinfo.*; exit 1; }
sendEmail -f username@web.de -t username@web.de \
-u Sys_Status -m "Good morning, here again, the system status as an attachment" \
-s smtp.web.de:587 -xu username -xp top_secret \
-o tls=yes -a /tmp/sysinfo.txt.asc
# remove the plaintext and the encrypted copy
rm -rf /tmp/sysinfo.*

After the work is done, you should undo these changes.
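Both problems from the GPG Debug section (HOME=/ under fcron, and a recipient key gpg cannot find) show up only after the cron job has already run. The following script is an added example, not part of the original wiki page or of the my-sendemail-gpg.sh above: it collects pre-flight checks that such a script can run before calling gpg and sendEmail, so a wrong HOME or a malformed recipient key ID is caught before anything is mailed. The key ID, the temporary directory and the home paths used in the demo are placeholders and constructed sample values.

```shell
#!/bin/bash
# Added example, not part of the original wiki page: pre-flight checks for the
# cron-driven encryption script above. They catch the failure modes from the
# GPG Debug section (HOME=/ under fcron, a recipient key ID that is malformed
# or not in the keyring gpg sees) before anything is mailed. The key ID and
# the paths used in the demo at the bottom are placeholders.

# ensure_home -> exports HOME=/root when cron left it unset or "/", prints it.
ensure_home() {
    case ${HOME:-} in
        ""|/) export HOME=/root ;;
    esac
    printf '%s\n' "$HOME"
}

# gnupg_home_for HOME_VALUE [GNUPGHOME_VALUE] -> prints the keyring directory
# gpg would use: GNUPGHOME when set, otherwise $HOME/.gnupg. With HOME=/ that
# becomes /.gnupg, which is why the cron job could not find the public key.
gnupg_home_for() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        printf '%s/.gnupg\n' "${1%/}"
    fi
}

# valid_key_id KEY_ID -> 0 if it looks like a GnuPG key ID or fingerprint
# (optional 0x prefix, then 8, 16 or 40 hex digits), 1 otherwise.
valid_key_id() {
    id=${1#0x}
    case $id in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    case ${#id} in
        8|16|40) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight HOME_VALUE KEY_ID [GNUPGHOME_VALUE] -> 0 when the keyring
# directory exists and the key ID is well-formed; 1 with a reason on stderr.
preflight() {
    dir=$(gnupg_home_for "$1" "${3:-}")
    if [ ! -d "$dir" ]; then
        echo "preflight: keyring directory $dir missing (HOME=/ under cron?)" >&2
        return 1
    fi
    if ! valid_key_id "$2"; then
        echo "preflight: '$2' is not a GnuPG key ID" >&2
        return 1
    fi
    return 0
}

# key_in_keyring HOME_VALUE KEY_ID -> asks gpg itself whether the recipient key
# is present under that HOME (needs gpg installed; not exercised by the demo).
key_in_keyring() {
    HOME=$1 gpg --batch --list-keys "$2" >/dev/null 2>&1
}

# Demo on a constructed temporary home with an empty .gnupg directory.
demo=$(mktemp -d)
mkdir -p "$demo/.gnupg"
preflight "$demo" A94AB589 && echo "ok: keyring directory and key ID look fine"
preflight "$demo/nohome" A94AB589 || echo "as expected: no keyring under that HOME"
preflight "$demo" ABC123 || echo "as expected: ABC123 is only a 6-digit placeholder"
rm -rf "$demo"
```

In a real cron script the first lines would be `ensure_home` followed by `preflight "$HOME" A94AB589 "${GNUPGHOME:-}" || exit 1` and, where gpg is available, `key_in_keyring "$HOME" A94AB589 || exit 1`, so that a broken environment stops the job before sendEmail is reached.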


Last revised: August 26, 2019 at 9:14 pm by Jon