GnuPG on Raspberry Pi


Overview

GnuPG itself is a commandline tool without any graphical stuff.

It is the real crypto engine which can be used directly from a command prompt, from shell scripts or by other programs. Therefore it can be considered as a backend for other applications.

Public Keys is a concept where two keys are involved.

One key is a Public Key that can be spread through all sorts of media and may be obtained by anyone.

The other key is the Private Key. This key is secret and is only available to the owner.

Now the sender will encrypt the message with the public key belonging to the receiver.

Then decryption will be done with the secret key of the receiver.

Fuller description available here

http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html

I’m using the Pi with Debian GNU/Linux 7.0 (wheezy)

Ensure you have updated your server with the latest available code

gnupg will be already installed by default

All these examples are using the terminal so can be setup remotely, headless or through the terminal on startx.

Create a file and encrypt it

Start in your home folder

Get the public key (from me) and import it to your gpg list

cd ~

wget http://glynrob.com/publickeys/publicexample.asc

gpg --import publicexample.asc

View your keys

gpg --list-keys

pub   2048R/5753B9DE 2013-03-02

uid                  GlynRobOpen (Open Public key example)

We no longer need that file we downloaded so lets remove it:

rm publicexample.asc

Lets create a new file that we want to encrypt

nano secretdoc.txt

Type in any message you want and save it by Ctrl x, then enter

Encrypt that file:

gpg -r "GlynRobOpen" --encrypt secretdoc.txt

Use this key anyway? (y/N): y

You will now have a new file called secretdoc.txt.gpg which is encrypted

To look at the file

nano secretdoc.txt.gpg

you will see that the message you entered can not be seen.

This is now safe to pass to me (or the owner of the private key) and if anyone else gets that file it will be usless to them as they can’t decrypt it.

To try this yourself quickly you can download http://www.gpg4win.org/download.html and create your own public key to pass to the pi (via FTP is the easiest way on port 22)

Creating a private and public key on the Pi

gpg --gen-key

Select kind of key: 1

What keysize do you want? 2048 (entropy issues if you try a larger keysize on the pi)

Key is valid for? : 0 (For this example so it never expires)

Is this correct? : y

Real name: GlynRob

Email address: abc@gmail.com

Comment: Backupsys

You selected this USER-ID:

“GlynRob (Backupsys) ”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?: O (Everything is correct)

Enter passphrase: password (Yours will be something more secure)

Repeat passphrase: password

We need to generate a lot of random bytes…

 

This is where it is a bit nasty.

The Pi needs to generate lots of random entropy but can only do this on the actions that the user is currently taking.

If you can access the Pi’s UI then open Scratch (seems to be good at providing enough key generation entropy) and do some things to make the processor work hard

OR

If you can only work headless then you need to open a second terminal window and pull some source code

Second terminal:

wget http://curl.haxx.se/download/curl-7.20.0.tar.gz

rm curl-7.20.0.tar.gz (deletes what you downloaded)

That seems to be enough for the key generation entropy but you may need to do more things like untar the file etc.

View your keys

pi@raspberrypi ~ $ gpg --list-keys

/home/pi/.gnupg/pubring.gpg

—————————

pub   2048R/2304E911 2013-03-02

uid                  GlynRob (Backupsys)

sub   2048R/37949CB6 2013-03-02

View your secret keys

pi@raspberrypi ~ $ gpg --list-secret-keys

/home/pi/.gnupg/secring.gpg

—————————

sec   2048R/2304E911 2013-03-02

uid                  GlynRob (Backupsys)

ssb   2048R/37949CB6 2013-03-02

Exporting keys

We need to get the public key so we can pass it to others

gpg -r "GlynRob" -o 'pipublickey.asc' --export

Now pipublickey.asc can be shared to anyone so they can encrypt files but only you can decrypt them.

So on windows you can use Gpg4win http://www.gpg4win.org/download.html to import the public key and encrypt a file.

FTP that file back to the pi.

Now we need to get the pi to decrypt it

Lets say you made a text document called ‘mysecrets.txt’ with any text inside you wanted that you encrypted with this public key.

So the file will now be called ‘mysecrets.txt.gpg’

You have placed it in your home folder

cd ~

ls -la

so you can see it listed.

Decrypt the provided file

gpg -o 'mysecrets.txt' --decrypt mysecrets.txt.gpg

Enter Passphrase (The pass phrase you entered when creating the private key)

nano mysecrets.txt and you can see the original contents of the file you created.

Ctrl x to exit out of that view

Easy as that

So what can this be used for:

Securly passing data to or from your pi

Backing up sensitive information from the pi to an external server (or the other way around)

Automatic secure backup:

This example is going to show you how to backup any information you want that is on the pi to an external server securly.

This requires you to have already understood “Create a file and encrypt it”

So you need a private key where you will be downloading the backup.

Likely this is not going to be a Pi but a normal computer.

So either us http://www.gpg4win.org/download.html on windows or another package to create your private and public keys

Pass the public key to your pi (FTP or any way you choose)

Import the new key

sudo apt-get install python-gnupg

get the python package for gnupg

Now lets create the script to backup your documents folder every hour

mkdir backupsys

cd backupsys/

nano backup.py

Contents of the python script:

Change the parts that you need to for your public key, the folder you want to backup and the FTP details (if you have any)

To check that it works

python backup.py

Now we set this up on a cron to run every 10 mins (or what ever time period you require)

Setup permissions so it can execute the file

chmod a+x backup.py

Setup a cron to run every 10 mins (or how ever often you require)

crontab -e

paste in at the bottom:

*/10 * * * * /usr/bin/python script.py

Ctrl x to (save and exit)

And there we have it. Your Raspberry Pi now zips up all files inside your documents folder, encrypts it and then FTP’s it to your server.

You can pull this file whenever you want and decrypt it with the private key you have on your main computer

There is allot more you can do with GnuPG like signing and checking signatures but this should be enough to get you going.

Ref: http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html

3 comments for “GnuPG on Raspberry Pi

  1. David
    November 26, 2014 at 11:46 am

    Hi!

    gpg –import publicexample.asc

    should be:

    gpg –import publicexample.asc

    🙂

    .d.

  2. David
    November 26, 2014 at 11:48 am

    Ooops, your messaging prog doesn’t like two negative signs together…. There should be two negative signs before import….

    .d.

  3. GlynRob
    November 30, 2014 at 6:31 pm

    Thanks David. I have updated that 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *