PGP/GPG Encryption Tools
What is GPG?
GPG (GNU Privacy Guard) is a complete and
free replacement for PGP (Pretty Good Privacy). It is an OpenPGP compliant
application which can be used to encrypt sensitive files on your site.
Files or email messages encrypted using GPG
can be decrypted using your PGP 5.x software.
GPG is particularly useful if you are
receiving sensitive information through your web site. By utilizing
GPG, you can modify the popular FormMail from
Matt's Script Archive
which will automatically encrypt your form results using GPG before mailing
them to you. This means that if you use a special version of FormMail to
automatically email yourself the results, then the information provided by
your visitors is secure not only while it travels from your visitor's
computer to your site, but also from the moment it is received at your site
until it reaches you as part of an email message. You only decrypt the
information once it reaches your hard drive. That gives you peace of mind if
you intend to conduct sensitive business, such as receiving credit card
information, over the Internet.
The remainder of this chapter will describe
how to setup and use GPG on your web site. For further information about
GPG, please visit the GNU Privacy Guard web
site.
How to use GPG
If you are not familiar with the basics of
public key encryption, you may find it useful to review one or more of the
following before proceeding with setting up GPG/PGP on your site:
In a nutshell, if you want to send an
encrypted message to Joe, you use Joe's public key to encrypt the message,
and when Joe receives the message he will use his private key to decrypt it.
Furthermore, to send an encrypted message to Joe you would need to keep
Joe's public key in your public key ring (your own collection of public
keys).
To email form results to yourself using
FormMail.pl, you will need to have or create your own public/private PGP key
pair on your hard drive, then you will need to upload your public key to
your web site and import it into your GPG public keyring so that you (and
FormMail.pl) can use it to encrypt mail to yourself.
Install PGP Software on Your Hard Drive
If you do not already have PGP Software on
your hard drive you will need to install it. A freeware version (for
non-commercial purposes) can be downloaded from
The International PGP Home Page. That site will also give you
information on where to obtain a commercial version. Please take care when
you download the software that you do not violate US export laws - if you
read the information on the site carefully there should be no problem. PGP
software is also available from most good software shops.
The discussion below is based on using PGP
5.5 with Windows, but should be useful even if you are using other PGP
software (versions 5.x only).
After you have downloaded the PGP software,
begin the installation by double-clicking on the file you have just
downloaded in Windows Explorer. Follow the setup instructions. As part of
the installation, PGP will prompt you to create your own public/private key
pair. When you are prompted for an email address, you should use the email
address at which you intend to receive your sensitive form results.
Create Your GPG Key Pair
You will need to create a GPG public/private
key pair on your server. This key pair should be set up using a different
email address than the one you created the key pair for on your hard drive.
This is necessary so that you can use your GPG key to sign (vouch for) the
key you created on your hard drive. Our catch-all email system means that
you can choose anyaddress@yoursite.com for your GPG key pair. For example,
you could use verify@yoursite.com for your GPG key pair.
To create your GPG key pair,
SSH Telnet in to
your site and type:
gpg --gen-key
This will create a directory
/home/~username/.gnupg. It will place several default files in that
directory including an empty public keyring file (pubring.gpg) and an empty
private key ring file. It will then commence the key generation process. To
generate your key pair, GPG will ask you several questions. If you would
like more information on how to customize your answers, please read
Creating a Key in the
GnuPG Mini HOWTO, otherwise just use the default answers below:
- GPG will ask you to select what kind of
key you want. Choose (1) - DSA + ElGamal (it is not patented);
- When asked what key size you want, press
ENTER to accept the default (1024);
- GPG will ask you when the key should
expire. Usually you would choose 0 (never expire);
- You will then be required to enter your
Real Name (e.g. Joe Bloggs or Your Company), your email address (e.g.
verify@yoursite.com - remember to make it a different address to the one
you will be sending your orders to), and a comment (any text you like);
- GPG will ask you to confirm that the
information you entered is correct. If it is, choose O (for OK);
- You will be prompted to enter a pass
phrase for your secret key. It is critical that your pass phrase cannot
be guessed easily, and that you do not reveal it to anyone else. A
mixture of numbers and upper and lower case letters is best. Be sure to
write your pass phrase down somewhere safe;
- GPG will then go ahead and start to create
your keys. If the process stalls for a while, just type randomly on the
keyboard. Eventually it will generate enough random bytes to complete
the process and will give you the message "public and secret key created
and signed".
Upload your public key to your site
You now need to use the PGP software on your
hard drive (e.g. PGPKeys) to export your PGP public key to a file (e.g.
yourname.asc). With PGPKeys, simply click on your username in the list, and
choose Export from the Keys menu. Choose a name for your file - do not
include spaces in the file name. Click on Save to export your public key.
Upload the file you just created to your site (using ASCII transfer mode) -
place it in the directory /home/~username/.gnupg.
Import your public key into your GPG keyring
SSH/Telnet into your server and go to the
.gnupg directory (immediately after logging in type 'cd .gnupg'). Import
your PGP public key into your GPG public key ring by typing:
gpg --import < yourname.asc
where yourname.asc is the name of the file
you uploaded.
Sign Your Public Key
You now need to use your GPG key to sign the
PGP key you just imported. If you uploaded your PGP key for, say,
sales@yoursite.com, you would type the following at the Telnet/SSH prompt to
start the signing process:
gpg --edit sales@yoursite.com
You will then be presented with a Command>
prompt. Type 'sign' at the command prompt. GPG will show you the details of
the key for sales@yoursite.com and ask you if you really want to sign it. If
you do, answer 'y'. You will be prompted to enter your GPG pass phrase to
authorize the signature.
The Command> prompt will appear again. Type
'q' to quit and answer 'y' when you are asked if you want to save changes.
Now that you have finished using your GPG
secret key ring (for the time being) you may like to consider downloading it
to a safe place on your hard drive and deleting it from your server to
minimize the chance of it being compromised. If you do this, download it
using binary mode. If you need to upload it later (e.g. to sign another
key), upload it into your /home/~username/.gnupg directory using binary mode
and then SSH Telnet into your /home/~username/.gnupg directory and type:
chmod 600 secring.gpg
so that only you have permission to read or
write to the file.
Use FormMail.pl
When you create a secure form on your server
and would like the results emailed to you, simply use the following as the
action of your form:
ACTION="https:///secure18.u-build-it.net/~loginname/cgi-bin/EncFormMail.pl"
and include other FormMail fields as usual
(please see the FormMail Section
of our Online Manual for full instructions). The email address you specify
in the recipient field of your form should be the email address for which
you created a public/private key pair using your PGP software.
When a visitor to your site submits the form,
you will be emailed the results in encrypted format. You should then use
your PGP software to decrypt the message. For example, with the freeware
version of PGP with Windows, to decrypt the message you would:
- Highlight the PGP part of the message
(including BEGIN and END lines);
- Copy the highlighted selection to the
clipboard (Ctrl-C);
- Use your right mouse button to click on
the PGP Tray icon on the status bar at the bottom right-hand corner of
your screen;
- When the PGP Tray menu appears, choose
Decrypt/Verify clipboard;
- When prompted, enter your secret key pass
phrase;
- Once you have entered your pass phrase,
the decrypted message will appear.
TEST AND RETEST
Because setting up GPG can be challenging
and sometimes difficult, we strongly encourage you to test and retest
before make a form public or live.
Follow the instructions for GPG setup at
your own risk.
We also do not typically provide support
for GPG due to it's complex and challenging setup and testing demands.
Using GPG in your own programs
You can use GPG commands within your own CGI
programs.
For further information on using GPG and PGP,
please refer to:
|
