GnuPG itself is a commandline tool without any graphical stuff.
It is the real crypto engine which can be used directly from a command prompt, from shell scripts or by other programs. Therefore it can be considered as a backend for other applications.
Public Keys is a concept where two keys are involved.
One key is a Public Key that can be spread through all sorts of media and may be obtained by anyone.
The other key is the Private Key. This key is secret and is only available to the owner.
Now the sender will encrypt the message with the public key belonging to the receiver.
Then decryption will be done with the secret key of the receiver.
Fuller description available here
I’m using the Pi with Debian GNU/Linux 7.0 (wheezy)
Ensure you have updated your server with the latest available code
gnupg will be already installed by default
All these examples are using the terminal so can be setup remotely, headless or through the terminal on startx.
Create a file and encrypt it
Start in your home folder
Get the public key (from me) and import it to your gpg list
gpg --import publicexample.asc
View your keys
pub 2048R/5753B9DE 2013-03-02
uid GlynRobOpen (Open Public key example)
We no longer need that file we downloaded so lets remove it:
Lets create a new file that we want to encrypt
Type in any message you want and save it by Ctrl x, then enter
Encrypt that file:
gpg -r "GlynRobOpen" --encrypt secretdoc.txt
Use this key anyway? (y/N): y
You will now have a new file called secretdoc.txt.gpg which is encrypted
To look at the file
you will see that the message you entered can not be seen.
This is now safe to pass to me (or the owner of the private key) and if anyone else gets that file it will be usless to them as they can’t decrypt it.
To try this yourself quickly you can download http://www.gpg4win.org/download.html and create your own public key to pass to the pi (via FTP is the easiest way on port 22)
Creating a private and public key on the Pi
Select kind of key: 1
What keysize do you want? 2048 (entropy issues if you try a larger keysize on the pi)
Key is valid for? : 0 (For this example so it never expires)
Is this correct? : y
Real name: GlynRob
Email address: firstname.lastname@example.org
You selected this USER-ID:
“GlynRob (Backupsys) ”
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?: O (Everything is correct)
Enter passphrase: password (Yours will be something more secure)
Repeat passphrase: password
We need to generate a lot of random bytes…
This is where it is a bit nasty.
The Pi needs to generate lots of random entropy but can only do this on the actions that the user is currently taking.
If you can access the Pi’s UI then open Scratch (seems to be good at providing enough key generation entropy) and do some things to make the processor work hard
If you can only work headless then you need to open a second terminal window and pull some source code
rm curl-7.20.0.tar.gz (deletes what you downloaded)
That seems to be enough for the key generation entropy but you may need to do more things like untar the file etc.
View your keys
pi@raspberrypi ~ $ gpg --list-keys
pub 2048R/2304E911 2013-03-02
uid GlynRob (Backupsys)
sub 2048R/37949CB6 2013-03-02
View your secret keys
pi@raspberrypi ~ $ gpg --list-secret-keys
sec 2048R/2304E911 2013-03-02
uid GlynRob (Backupsys)
ssb 2048R/37949CB6 2013-03-02
We need to get the public key so we can pass it to others
gpg -r "GlynRob" -o 'pipublickey.asc' --export
Now pipublickey.asc can be shared to anyone so they can encrypt files but only you can decrypt them.
So on windows you can use Gpg4win http://www.gpg4win.org/download.html to import the public key and encrypt a file.
FTP that file back to the pi.
Now we need to get the pi to decrypt it
Lets say you made a text document called ‘mysecrets.txt’ with any text inside you wanted that you encrypted with this public key.
So the file will now be called ‘mysecrets.txt.gpg’
You have placed it in your home folder
so you can see it listed.
Decrypt the provided file
gpg -o 'mysecrets.txt' --decrypt mysecrets.txt.gpg
Enter Passphrase (The pass phrase you entered when creating the private key)
nano mysecrets.txt and you can see the original contents of the file you created.
Ctrl x to exit out of that view
Easy as that
So what can this be used for:
Securly passing data to or from your pi
Backing up sensitive information from the pi to an external server (or the other way around)
Automatic secure backup:
This example is going to show you how to backup any information you want that is on the pi to an external server securly.
This requires you to have already understood “Create a file and encrypt it”
So you need a private key where you will be downloading the backup.
Likely this is not going to be a Pi but a normal computer.
So either us http://www.gpg4win.org/download.html on windows or another package to create your private and public keys
Pass the public key to your pi (FTP or any way you choose)
Import the new key
sudo apt-get install python-gnupg
get the python package for gnupg
Now lets create the script to backup your documents folder every hour
Contents of the python script:
Change the parts that you need to for your public key, the folder you want to backup and the FTP details (if you have any)
To check that it works
Now we set this up on a cron to run every 10 mins (or what ever time period you require)
Setup permissions so it can execute the file
chmod a+x backup.py
Setup a cron to run every 10 mins (or how ever often you require)
paste in at the bottom:
*/10 * * * * /usr/bin/python script.py
Ctrl x to (save and exit)
And there we have it. Your Raspberry Pi now zips up all files inside your documents folder, encrypts it and then FTP’s it to your server.
You can pull this file whenever you want and decrypt it with the private key you have on your main computer
There is allot more you can do with GnuPG like signing and checking signatures but this should be enough to get you going.