PGP/GPG Encryption Tools

What is GPG?

GPG (GNU Privacy Guard) is a complete and free replacement for PGP (Pretty Good Privacy). It is an OpenPGP compliant application which can be used to encrypt sensitive files on your site.

Files or email messages encrypted using GPG can be decrypted using your PGP 5.x software.

GPG is particularly useful if you are receiving sensitive information through your web site.  By utilizing GPG, you can modify the popular FormMail from Matt's Script Archive which will automatically encrypt your form results using GPG before mailing them to you. This means that if you use a special version of FormMail to automatically email yourself the results, then the information provided by your visitors is secure not only while it travels from your visitor's computer to your site, but also from the moment it is received at your site until it reaches you as part of an email message. You only decrypt the information once it reaches your hard drive. That gives you peace of mind if you intend to conduct sensitive business, such as receiving credit card information, over the Internet.

The remainder of this chapter will describe how to setup and use GPG on your web site. For further information about GPG, please visit the GNU Privacy Guard web site.

How to use GPG

If you are not familiar with the basics of public key encryption, you may find it useful to review one or more of the following before proceeding with setting up GPG/PGP on your site:

In a nutshell, if you want to send an encrypted message to Joe, you use Joe's public key to encrypt the message, and when Joe receives the message he will use his private key to decrypt it. Furthermore, to send an encrypted message to Joe you would need to keep Joe's public key in your public key ring (your own collection of public keys).

To email form results to yourself using FormMail.pl, you will need to have or create your own public/private PGP key pair on your hard drive, then you will need to upload your public key to your web site and import it into your GPG public keyring so that you (and FormMail.pl) can use it to encrypt mail to yourself.

Install PGP Software on Your Hard Drive

If you do not already have PGP Software on your hard drive you will need to install it. A freeware version (for non-commercial purposes) can be downloaded from The International PGP Home Page. That site will also give you information on where to obtain a commercial version. Please take care when you download the software that you do not violate US export laws - if you read the information on the site carefully there should be no problem. PGP software is also available from most good software shops.

The discussion below is based on using PGP 5.5 with Windows, but should be useful even if you are using other PGP software (versions 5.x only).

After you have downloaded the PGP software, begin the installation by double-clicking on the file you have just downloaded in Windows Explorer. Follow the setup instructions. As part of the installation, PGP will prompt you to create your own public/private key pair. When you are prompted for an email address, you should use the email address at which you intend to receive your sensitive form results.

Create Your GPG Key Pair

You will need to create a GPG public/private key pair on your server. This key pair should be set up using a different email address than the one you created the key pair for on your hard drive. This is necessary so that you can use your GPG key to sign (vouch for) the key you created on your hard drive. Our catch-all email system means that you can choose anyaddress@yoursite.com for your GPG key pair. For example, you could use verify@yoursite.com for your GPG key pair.

To create your GPG key pair, SSH/Telnet into your site and type:

gpg --gen-key

This will create a directory /home/~username/.gnupg. It will place several default files in that directory including an empty public keyring file (pubring.gpg) and an empty private key ring file. It will then commence the key generation process. To generate your key pair, GPG will ask you several questions. If you would like more information on how to customize your answers, please read Creating a Key in the GnuPG Mini HOWTO, otherwise just use the default answers below:

  • GPG will ask you to select what kind of key you want. Choose (1) - DSA + ElGamal (it is not patented);
  • When asked what key size you want, press ENTER to accept the default (1024);
  • GPG will ask you when the key should expire. Usually you would choose 0 (never expire);
  • You will then be required to enter your Real Name (e.g. Joe Bloggs or Your Company), your email address (e.g. verify@yoursite.com - remember to make it a different address to the one you will be sending your orders to), and a comment (any text you like);
  • GPG will ask you to confirm that the information you entered is correct. If it is, choose O (for OK);
  • You will be prompted to enter a pass phrase for your secret key. It is critical that your pass phrase cannot be guessed easily, and that you do not reveal it to anyone else. A mixture of numbers and upper and lower case letters is best. Be sure to write your pass phrase down somewhere safe;
  • GPG will then go ahead and start to create your keys. If the process stalls for a while, just type randomly on the keyboard. Eventually it will generate enough random bytes to complete the process and will give you the message "public and secret key created and signed".

Upload your public key to your site

You now need to use the PGP software on your hard drive (e.g. PGPKeys) to export your PGP public key to a file (e.g. yourname.asc). With PGPKeys, simply click on your username in the list, and choose Export from the Keys menu. Choose a name for your file - do not include spaces in the file name. Click on Save to export your public key. Upload the file you just created to your site (using ASCII transfer mode) - place it in the directory /home/~username/.gnupg.

Import your public key into your GPG keyring

SSH/Telnet into your server and go to the .gnupg directory (immediately after logging in type 'cd .gnupg'). Import your PGP public key into your GPG public key ring by typing:

gpg --import < yourname.asc

where yourname.asc is the name of the file you uploaded.

Sign Your Public Key

You now need to use your GPG key to sign the PGP key you just imported. If you uploaded your PGP key for, say, sales@yoursite.com, you would type the following at the Telnet/SSH prompt to start the signing process:

gpg --edit-key sales@yoursite.com

You will then be presented with a Command> prompt. Type 'sign' at the command prompt. GPG will show you the details of the key for sales@yoursite.com and ask you if you really want to sign it. If you do, answer 'y'. You will be prompted to enter your GPG pass phrase to authorize the signature.

The Command> prompt will appear again. Type 'q' to quit and answer 'y' when you are asked if you want to save changes.

Now that you have finished using your GPG secret key ring (for the time being) you may like to consider downloading it to a safe place on your hard drive and deleting it from your server to minimize the chance of it being compromised. If you do this, download it using binary mode. If you need to upload it later (e.g. to sign another key), upload it into your /home/~username/.gnupg directory using binary mode, then SSH/Telnet into your site, change to the /home/~username/.gnupg directory and type:

chmod 600 secring.gpg

so that only you have permission to read or write to the file.
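The whole procedure above, from key generation through import, signing and a first encryption, as one added example script (not part of the original manual or of any hosting-provider code). It assumes GnuPG 2.1 or newer is installed; the addresses, names and passphrases are constructed placeholders, and two throw-away keyrings stand in for your desktop PGP software and for the server. It also adds the check a practitioner wants after the signing step: the imported key's validity must read "f" (fully valid), because under --batch gpg refuses to encrypt to a key it cannot vouch for, which is exactly the failure the signing step prevents.

```shell
#!/bin/sh
# Added example, not the manual's own code. Assumes gpg 2.1+; all values below are constructed.
set -e

SERVER_ADDR="verify@yoursite.com"   # address for the server-side GPG key (page's example)
CLIENT_ADDR="sales@yoursite.com"    # address your form results are sent to (page's example)
SERVER_PASS="constructed-server-passphrase"   # placeholder; use a strong one in practice

# Batch parameters for `gpg --gen-key`, replacing the interactive questions listed above.
# $1 = real name, $2 = e-mail address, $3 = passphrase
gen_key_params() {
    printf '%s\n' \
        "Key-Type: RSA" "Key-Length: 3072" \
        "Subkey-Type: RSA" "Subkey-Length: 3072" \
        "Name-Real: $1" "Name-Email: $2" \
        "Expire-Date: 0" "Passphrase: $3" "%commit"
}

# Print the validity letter of the first `pub` record in `--with-colons` output:
# f = fully valid (what you want after signing), - = unknown, e = expired, r = revoked.
key_validity() {
    awk -F: '$1 == "pub" { print $2; exit }'
}

# Accept only characters that can occur in a plain e-mail address before it reaches a command line.
valid_address() {
    case "$1" in
        *[!A-Za-z0-9._+@-]*|"") return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

setup_demo() {
    valid_address "$SERVER_ADDR" && valid_address "$CLIENT_ADDR"

    # Two isolated keyrings: one stands in for your PC's PGP software, one for the server.
    WORK=$(mktemp -d)
    CLIENT_HOME="$WORK/pc"; SERVER_HOME="$WORK/server"
    mkdir -m 700 "$CLIENT_HOME" "$SERVER_HOME"

    # Stand-in for the key pair your desktop PGP software created.
    gen_key_params "Sales Desk" "$CLIENT_ADDR" "constructed-client-passphrase" \
        | gpg --homedir "$CLIENT_HOME" --batch --gen-key
    # Export its PUBLIC key in ASCII armor (the yourname.asc you would upload).
    gpg --homedir "$CLIENT_HOME" --batch --armor --export "$CLIENT_ADDR" > "$WORK/yourname.asc"

    # Server side: create the GPG key pair (the `gpg --gen-key` step).
    gen_key_params "Verify Key" "$SERVER_ADDR" "$SERVER_PASS" \
        | gpg --homedir "$SERVER_HOME" --batch --gen-key

    # Import the uploaded public key (the `gpg --import < yourname.asc` step).
    gpg --homedir "$SERVER_HOME" --batch --import "$WORK/yourname.asc"
    echo "validity before signing: $(gpg --homedir "$SERVER_HOME" --batch --with-colons --list-keys "$CLIENT_ADDR" | key_validity)"

    # Sign the imported key with the server key (the edit-key / sign / save step).
    # The passphrase is fed on a file descriptor, not as an argument that `ps` could show.
    printf '%s\n' "$SERVER_PASS" | gpg --homedir "$SERVER_HOME" --batch --yes \
        --pinentry-mode loopback --passphrase-fd 0 \
        --default-key "$SERVER_ADDR" --sign-key "$CLIENT_ADDR"

    v=$(gpg --homedir "$SERVER_HOME" --batch --with-colons --list-keys "$CLIENT_ADDR" | key_validity)
    echo "validity after signing: $v"
    [ "$v" = f ] || { echo "key is not fully valid; batch encryption would refuse it" >&2; return 1; }

    # What the encrypting FormMail does with a submission: encrypt it to the form owner's key.
    printf 'name=Jane Example\ncard=0000-0000-0000-0000\n' \
        | gpg --homedir "$SERVER_HOME" --batch --armor --recipient "$CLIENT_ADDR" --encrypt

    # Keep the secret key material private, as the chmod 600 step does for secring.gpg.
    chmod 700 "$SERVER_HOME"
    rm -rf "$WORK"
}

# Runs the walk-through only when invoked as `sh this-script.sh run` and gpg is present.
if [ "${1:-}" = run ] && command -v gpg >/dev/null 2>&1; then
    setup_demo
fi
```

Run it with `sh gpg-setup-demo.sh run`; the two validity lines show the key going from "-" (unknown) to "f" (fully valid) once your server key has signed it, and the armored PGP MESSAGE block at the end is what an encrypted form result looks like in your mailbox.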

Use FormMail.pl

When you create a secure form on your server and would like the results emailed to you, simply use the following as the action of your form:

ACTION="https://secure18.u-build-it.net/~loginname/cgi-bin/EncFormMail.pl"

and include other FormMail fields as usual (please see the FormMail Section of our Online Manual for full instructions). The email address you specify in the recipient field of your form should be the email address for which you created a public/private key pair using your PGP software.

When a visitor to your site submits the form, you will be emailed the results in encrypted format. You should then use your PGP software to decrypt the message. For example, with the freeware version of PGP with Windows, to decrypt the message you would:

  • Highlight the PGP part of the message (including BEGIN and END lines);
  • Copy the highlighted selection to the clipboard (Ctrl-C);
  • Use your right mouse button to click on the PGP Tray icon on the status bar at the bottom right-hand corner of your screen;
  • When the PGP Tray menu appears, choose Decrypt/Verify clipboard;
  • When prompted, enter your secret key pass phrase;
  • Once you have entered your pass phrase, the decrypted message will appear.

TEST AND RETEST

Because setting up GPG can be challenging, we strongly encourage you to test and retest before making a form public or live.

Follow the instructions for GPG setup at your own risk.

We also do not typically provide support for GPG due to its complex and challenging setup and testing demands.

Using GPG in your own programs

You can use GPG commands within your own CGI programs.
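An added example of what "using GPG commands within your own program" looks like in practice: a small shell helper that a CGI program can hand a submission to, written so that a gpg failure can never cause the plaintext to be mailed. It is not code from the manual or from FormMail; it assumes gpg and a sendmail-compatible binary are installed and that GNUPGHOME points at the keyring set up above. The GPG and SENDMAIL variables are a hypothetical override so the helper can be exercised without a real keyring, and the recipient is the page's example address, deliberately fixed in the script rather than taken from the submitted form.

```shell
#!/bin/sh
# Added example, not the manual's or FormMail's own code. Assumes gpg and sendmail are installed.
set -e

GPG="${GPG:-gpg}"                          # overridable for testing without a keyring
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}" # path is an assumption; adjust for your system

# The encryption recipient is configured here and never read from the form, so a
# submitter cannot steer results to another address.
RECIPIENT="sales@yoursite.com"

# Encrypt stdin to the address in $1. Prints armored ciphertext on stdout and returns
# non-zero, printing nothing, if gpg fails for any reason (for example a key that was
# never signed and is therefore refused under --batch).
encrypt_submission() {
    recipient="$1"
    case "$recipient" in
        *[!A-Za-z0-9._+@-]*|"") echo "refusing bad recipient" >&2; return 1 ;;
    esac
    if ciphertext=$("$GPG" --batch --no-tty --armor --recipient "$recipient" --encrypt); then
        printf '%s\n' "$ciphertext"
        return 0
    fi
    echo "gpg failed; plaintext is NOT mailed" >&2
    return 1
}

# Build the message (headers plus armored body) from the plaintext on stdin and hand it
# to sendmail. Only ciphertext reaches the mailer; on any failure nothing is sent.
mail_encrypted() {
    subject="$1"
    body=$(encrypt_submission "$RECIPIENT") || return 1
    {
        printf 'To: %s\n' "$RECIPIENT"
        printf 'Subject: %s\n' "$subject"
        printf 'Content-Type: text/plain; charset=us-ascii\n\n'
        printf '%s\n' "$body"
    } | "$SENDMAIL" -t -i
}

# Sends a constructed sample submission when invoked as `sh this-script.sh run`.
if [ "${1:-}" = run ]; then
    printf 'name=Jane Example\nmessage=constructed sample\n' | mail_encrypted "Encrypted form results"
fi
```

The point of the `if ciphertext=$(...)` shape is that the exit status of gpg, not the presence of output, decides whether anything continues; a wrapper that simply pipes `gpg | sendmail` would mail an empty or partial body when gpg exits with an error, and a wrapper that falls back to the plaintext would defeat the whole setup.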

For further information on using GPG and PGP, please refer to:

Copyright 2000-2006 ActiveWebHost.com. All Rights Reserved.