This wiki page explains how to encrypt e-mails locally on IPFire and send them (the software sendEmail will be used). This can be useful, for example, if you want to receive a periodic system status report of the IPFire system securely via e-mail. To encrypt these e-mails securely, the software GPG, which is part of IPFire's base system, will be used.
Gpg4win is required to generate a GPG key on Windows.
GPGTools can be used as an extension for Apple's mail client Mail.app.
On Linux, GPG is normally already included; on Fedora, for example, the package is gnupg-1.4.13-2.fc18.x86_64 (as of 21.05.2013).
On Android, an e-mail client that supports GPG, e.g. K9.
To check, you can enter the following in Ubuntu's shell:
dpkg -l gnupg
A positive result should look similar to this:
ii gnupg 1.4.10-2ubuntu GNU privacy guard - a free PGP replacement
If not, the following can be typed into the Ubuntu shell:
sudo apt-get update
sudo apt-get install gnupg
For Fedora with yum:
sudo yum install gnupg
GPG is a free encryption program. GPG can be used for the encryption and decryption of files and e-mails, but it can also be used for signatures. For more information, see the GnuPG documentation.
Tip! If you already use GPG keys for other purposes, prefer to generate an additional key and comment it for this specific purpose. Then the loss of one private key does not affect everything you have ever encrypted. Make a backup of the key! If a key is deleted or otherwise unusable, you can no longer access the information that was encrypted with it.
To create a key now, use the following command line:
Now the query comes which kind of key should be generated; for our case it is choice (1):
gpg (GnuPG) 1.4.13; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Selection of the key size: 2048 bits should be enough ;-)
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Now the expiry date can be specified, e.g. 2y for two years.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Information about the owner of the key:
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <email@example.com>"

Real name:
The example is confirmed with O:
Real name: IPFire
Email address: firstname.lastname@example.org
Comment: Statusmail
You selected this USER-ID:
    "IPFire (Statusmail) <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Output during the key generation:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...........+++++
.+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++
gpg: key ABC123 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2015-05-27
pub   2048R/ABC123 2013-05-27 [expires: 2015-05-27]
      Key fingerprint = CD31 1234 ABCD 0B82 A98D 0AV8 C4FF BFF0 AAFF XYZZ
uid                  IPFire (Statusmail) <firstname.lastname@example.org>
sub   2048R/XYZ890 2013-05-27 [expires: 2015-05-27]
Display the keys present in the system's keyring:
pub   2048R/ABC123 2013-05-27 [expires: 2015-05-27]
      Key fingerprint = CD31 1234 ABCD 0B82 A98D 0AV8 C4FF BFF0 AAFF XYZZ
uid                  IPFire (Statusmail) <email@example.com>
sub   2048R/XYZ890 2013-05-27 [expires: 2015-05-27]
Gpg4win instructions for creating private and public GPG keys.
|In Gpg4win go to keys and choose "New key".|
|Enter the appropriate owner -> e.g. IPFire|
|Enter your e-mail address -> e.g. firstname.lastname@example.org|
|Make a backup of the private key in the desired folder. This private key is required to encrypt the data. The key must not be passed on, otherwise there is a danger of misuse and the trust can no longer be guaranteed.|
|Now set the password for the key: at least 8 characters; numbers and special characters strengthen the security of this key.|
|Choose the file location.|
|Last but not least, export the public key. It is required to decrypt on the mail client.|
Using the public key with the Thunderbird add-on Enigmail.
|For the OpenPGP function in Thunderbird the appropriate application must be configured: enter the path to the installation, pointing to gpg2.exe. In Thunderbird go to "Settings" in the application menu and click OpenPGP.|
|Store the public key. Go in the application menu under OpenPGP to "Manage keys".|
|Now click the "Import" button.|
|Select the provided public key. Then click OK and the import is finished.|
|Double-check whether the key was stored properly. Under "Manage keys", enter the corresponding name in the search box, here "IPFire". The result should look similar to this.|
Copy the exported key file to IPFire:
scp filename.asc root@ipfire:/tmp/
Then import the private key to enable the encryption:
gpg --import /tmp/filename.asc
Check the GPG keys; the key ID is needed for signing the key.
The generated key should look similar to this:
pub   2048B/ABC123 2013-05-22 [expires: 2018-05-22]
uid                  NameX <email@example.com>
sub   2048g/XYZ789 2013-05-22 [expires: 2018-05-22]
The key ID can be found in the string "pub 2048B/ABC123"; more specifically, it is "ABC123".
There are two ways to sign the key. Signing is required; otherwise the message "do you really want to encrypt the file" is shown and a y/n input is expected, which an unattended cron job cannot give.
gpg --sign-key key-id
gpg --edit-key key-id
The following options for the Trust Level are offered:
Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)

  1 = Not sure
  2 = No, I don't trust him
  3 = I trust him a little
  4 = I trust fully
  5 = I have absolute trust to him
  m = Back to main menu

Your choice?
Option 5 should be chosen; only then are the following trust positions fully set:
Example with (4):  trust: full      validity: unknown
Example with (5):  trust: ultimate  validity: ultimate
With quit you return to the shell.
To make sure that no errors have crept in, you can check the encryption to prove that everything works properly: create a test file (here /tmp/test.txt) and encrypt it with GPG afterwards:
gpg --encrypt -a --recipient ABC123 /tmp/test.txt;
A test.txt.asc should now be found in the /tmp/ directory. Viewing this file with the less command should show output similar to this:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQIOA+k4SP53wN2PEAf/UQ1Oljc0Hsdrn8jgiqIpMq+8OqDLaN0oBy2HiMCFZoby
lJpylR3O3KGVcCdiKr9toqn6uk6W3g2G5HDGZSOI569N/dlgDGkhEYF1hzDG8RK2
7W3Iy0zzR00L3ocTfgWoJFcOrNovnne2MT7drX9jYcSzners3M0BONFlfDWOBZtj
mdkkExCwE3XAjflsMyjNk3+KDw80C5XQ5fkHvTxdzu1PxOvGkx76eRMsukheJL9I
BBhujVPSsyrwDFRjvXEn/Um0r5P61daddmgBt/yjUVUo2L2XvPOQimiwqj10Wjcj
...
...
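As an added example (not part of the wiki page), a small bash helper for this check and for the key ID lookup above: it extracts the key ID from a gpg --list-keys listing in the GnuPG 1.4 format shown on this page, tests whether a file really is an ASCII-armored PGP message, and runs the encryption with --batch so that an unsigned or missing key fails instead of prompting. The function names are my own; only encrypt_check needs gpg in PATH.

```shell
#!/bin/bash
# Added example, not from the IPFire wiki: checks for the "does the
# encryption work" step. Function names are assumptions of this example.

# Extract the short key ID from "gpg --list-keys" output (GnuPG 1.4 format):
# the part after the slash on the first "pub" line
# ("pub 2048R/ABC123 ..." -> ABC123). GnuPG 2.1+ prints a different layout.
key_id_from_listing() {
    printf '%s\n' "$1" |
        sed -n 's|^pub[[:space:]]*[0-9]*[[:alpha:]]/\([0-9A-Fa-f]*\).*|\1|p' |
        head -n 1
}

# Return 0 if the text is a complete ASCII-armored message as written by
# "gpg --encrypt -a": BEGIN line first, END line last.
is_armored_message() {
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    if [ "$first" = "-----BEGIN PGP MESSAGE-----" ] &&
       [ "$last" = "-----END PGP MESSAGE-----" ]; then
        return 0
    fi
    return 1
}

# Encrypt a test file for KEYID and verify the result. --batch makes gpg
# fail instead of asking "Use this key anyway? (y/N)" for an unsigned key,
# which is exactly what a cron job needs; --yes overwrites an old .asc.
encrypt_check() {
    keyid=$1; plain=$2
    gpg --batch --yes --encrypt --armor --recipient "$keyid" "$plain" || return 1
    is_armored_message "$(cat "$plain.asc")" || return 1
    printf 'OK: %s.asc is an armored PGP message\n' "$plain"
}

# Usage on IPFire, after the key has been imported and signed:
#   echo "test" > /tmp/test.txt; encrypt_check ABC123 /tmp/test.txt
```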
Now adapt sendEmail accordingly for the GPG function.
A word about mobile devices and sensitive data: if the private key (the master key) is stored on a mobile device, there is an additional source of danger, for example loss of the device, or malware on the device that can grab the key. It is therefore advisable not to store and use private keys in such easily "vulnerable" environments.
|What do we need? A smartphone with Android. LOL|
|At this time only one Android mail client that supports GPG is known: K9.|
|Now we need an app that manages the GPG keys; APG was used for this.|
|To use the keys, the private key (for decryption) and the public key (for encryption, optional if wished) should be imported. For this, start APG.|
|Now use the menu button and manage the private keys. Press "Import the key" and select the key previously saved from IPFire. Optionally, if encryption is wanted as well, repeat this step for the public key.|
|If successful, the key will be displayed. Under Settings there is also the option for the key server; this one can be removed.|
|After receiving the status message from IPFire we see the following.|
|The content looks illegible, but thanks to the integrated GPG function of K9 it is possible to decrypt this mail in the right-hand field of the e-mail.|
|The results speak for themselves 8-) .|
Little hint! K9 can also use SSL/TLS for mail retrieval (e.g. imap.gmx.net port 993) and for sending e-mail (e.g. mail.gmx.net port 465). You should use this as well.
If your GPG keys cannot be found from the script's environment, problems can appear. A possible error is that the cron job cannot encrypt /tmp/sysinfo.txt, so the GPG mail delivery works only partially or not at all.
Here is a way to check this.
Find the error message:
For this we create a script that handles the encryption and the delivery of the status mail attachment (use only the my-sendemail.sh without integrated encryption). In addition, we extend the script with set -x to turn on debug mode and redirect the output to a text file.
filename = debug-my-gpg.sh
#!/bin/bash -
####################################
# Execute my-sendemail.sh,
# encrypt sys_info and write a debug text file to the /tmp dir
# 5p9 08.07.2013
####################################
set -x
(/root/my-sendemail.sh | \
 /usr/bin/gpg -ear 1234567) > /tmp/gpglog.txt 2>&1
1234567 = the key ID of the GPG key, found as described above.
my-sendemail.sh = the status mail script; integrate it into fcrontab as described in the linked instructions:
*/1 * * * * /path/dir/script.sh
After this procedure, gpglog.txt should contain the hint about the missing GPG public key.
Now determine the environment details under fcrontab and check whether all variables are set correctly; for this, add another fcrontab entry, which also works without a script:
*/1 * * * * /usr/bin/env > /tmp/envlog.txt
Once cron has run, the result looks like this:
CONSOLE=/dev/console
SHELL=/bin/bash
TERM=linux
USER=root
INIT_VERSION=sysvinit-2.88
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
_=/usr/bin/env
RUNLEVEL=3
PWD=/
PREVLEVEL=N
HOME=/
SHLVL=3
LOGNAME=root
"HOME=/" is wrong for our purpose: gpg looks for its keyring in $HOME/.gnupg, so with HOME=/ the key is not found. That is why the script needs an export HOME=/root entry at the very beginning.
filename = my-sendemail-gpg.sh
#!/bin/bash -
####################################
# Execute sys_info,
# encrypt sys_info and send an email
# ummeegge 25.03.2013
####################################
# cron runs with HOME=/ but gpg needs /root/.gnupg
export HOME=/root
skript="/mnt/harddisk/mo_scripts/sys_info"
cd "$skript" || exit 1
./sys_info1.sh > /tmp/sysinfo.txt
# encrypt for the key ID found with gpg --list-keys
gpg --encrypt -a --recipient A94AB589 /tmp/sysinfo.txt
sendEmail -f firstname.lastname@example.org -t email@example.com \
 -u Sys_Status -m "Good morning, here again, the system status as an attachment" \
 -s smtp.web.de:587 -xu username -xp top_secret \
 -o tls=yes -a /tmp/sysinfo.txt.asc
# remove plaintext and ciphertext from /tmp
rm -f /tmp/sysinfo.*
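As an added example (not the wiki's own script), here is a hardened variant of my-sendemail-gpg.sh with the same steps plus the checks a cron job needs: HOME fixed for gpg, the recipient key verified in the keyring before anything is collected, gpg run with --batch so it can never hang on a prompt, the mail sent only if the .asc really exists, and the plaintext removed even when a step fails. Paths, key ID and SMTP data are the wiki's placeholders; the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the wiki's script: hardened my-sendemail-gpg.sh.
# Paths, key ID and SMTP data are placeholders taken from the wiki text.
set -eu
export HOME=/root            # cron gives HOME=/ ; gpg reads $HOME/.gnupg

KEYID="A94AB589"                              # recipient from gpg --list-keys
SCRIPT_DIR="/mnt/harddisk/mo_scripts/sys_info"
PLAIN="/tmp/sysinfo.txt"                      # plaintext report
CIPHER="$PLAIN.asc"                           # what gets mailed

# The cron symptom from above: no keyring under HOME means no key.
home_has_keyring() {
    [ -d "$HOME/.gnupg" ]
}

# 0 if the recipient key is in the keyring (no prompt thanks to --batch).
key_present() {
    gpg --batch --list-keys "$1" >/dev/null 2>&1
}

# Never leave the plaintext report in /tmp, also when a step fails.
cleanup() {
    rm -f "$PLAIN" "$CIPHER"
}

main() {
    trap cleanup EXIT
    home_has_keyring || { echo "no keyring in $HOME/.gnupg" >&2; exit 1; }
    key_present "$KEYID" || { echo "key $KEYID not in keyring" >&2; exit 1; }
    cd "$SCRIPT_DIR"
    ./sys_info1.sh > "$PLAIN"
    # --batch: an unsigned key is an error, not a y/N question hanging cron
    gpg --batch --yes --encrypt --armor --recipient "$KEYID" "$PLAIN"
    [ -s "$CIPHER" ] || { echo "encryption produced no output" >&2; exit 1; }
    # -xp shows the password in the process list: keep this file root-only (chmod 700)
    sendEmail -f firstname.lastname@example.org -t email@example.com \
        -u Sys_Status -m "Good morning, here again, the system status as an attachment" \
        -s smtp.web.de:587 -xu username -xp top_secret \
        -o tls=yes -a "$CIPHER"
}

# Run the job only when called with "run", so the functions can be sourced
# and tested without touching gpg or the mail server.
if [ "${1:-}" = "run" ]; then
    main
fi
```

In fcrontab the entry then calls the script with the "run" argument.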
After the troubleshooting is done, you should undo these changes again (remove the debug script and the env cron entry).