Linux Hands-On Lab - Encrypt a File Using GPG

Linux Learning Path for Cloud and DevOps Engineers

📝Introduction

This post covers the importance of protecting local files and documents, which matters all the more now that so much work runs on cloud servers. We can use the GNU Privacy Guard (GPG) toolset to encrypt and sign files, and by exchanging public keys with other users we can decrypt the files they send us and verify their signatures.

These are the objectives of this lab:

  • Create a GPG Key for a specific user

  • Configure GPG for another specific user

  • Generate a Signed Document and Send It to a specific user

  • Verify the Signature of the Emailed Document

  • Decrypt the Attached File

📝Log in to the AWS Management Console

Log in with your credentials and make sure you are in the right Region. In my case, I am using AWS as my cloud provider and chose us-east-1. However, you can choose any cloud provider and create your Linux server VM (I am using a CentOS 7 distro) for this hands-on lab.

📌Note: You must create the AWS Access Key and AWS Secret Access Key and configure the AWS CLI in the terminal to use it.

You can use link1 and link2 for it.

📝Create a GPG Key for a specific user (user1)

Generate a GPG key for user1 (e.g. cloud_user):

gpg --gen-key

Accept the defaults for each prompt by just pressing Enter:

For Real name, enter <user1>, and use <user1>@localhost for the Email address.

Leave the comment field blank by pressing Enter, then press o at the end for OK:

Choose a passphrase, and enter it again when prompted to confirm it.

Once the key has been created, its key ID appears in the output (highlighted in the screenshot below).

We need to export our public key so that user2 (e.g. Gordon Freeman) can use it with the files he gets from us. We'll do that like this:

gpg -a -o gfreeman.key --export <KEY_ID>

📌Note: In that command, <KEY_ID> is the public key ID printed by the key generation output (the random-looking string on the line highlighted above).

Now, we'll use the mail command to send an email to user2 (e.g. Gordon Freeman) with the public key of the user we created earlier as an attachment:

mail -s "here is your key" -a <user2>.key <user2>@localhost
Don't lose this key! I'll request you the passphrase. Thanks
.

Include that final period (on a line by itself) and then press Enter to send the message.

📝Configure GPG for another specific user (user2)

Now we will switch to another user on our system and configure GPG for it. Rather than just su -, we'll log in to our host as the other user over SSH.

ssh <user2>@localhost

Just as we did with the first account, we'll generate a GPG key for this other user, accepting the defaults for each prompt. The only difference will be having a Real name of <user2> and an Email address of <user2>@localhost:

📌Note: Use the same password for the passphrase that you used for user1.

Once we've created the key for user2, we can open the mutt email client (you can use this link to install Mutt) and save the public key sent over by the user1 account:

mutt

Arrow up and down to highlight the user1 message, then press Enter. Press v to view the attachment, and press s to save it to Mr. Freeman's home directory. Finally, press q to quit Mutt.

Now, import the public key from user1 into user2's keyring:

gpg --import <user2>.key

We can run this to view the contents of Mr. Freeman's keyring:

gpg --list-keys

Let's log out of gfreeman's account:

exit

📝Generate a Signed Document and Send It to another user (user3)

When we digitally sign a file, we use our private GPG key to guarantee that the file came from us. The recipient uses their copy of our public key to verify that we signed it. Let's generate a test document:

echo "Just need you to verify this file." > note.txt

Now we'll use user1's private key to sign the file:

gpg --clearsign note.txt

📌Note: Remember to enter the passphrase we created earlier (the same one we used for user1 and user2).

There should now be a note.txt.asc file in user1's home directory. Run a quick ls to make sure.

Now that we've made the file, let's email it to user2@localhost:

mail -s "check this out" -a note.txt.asc gfreeman@localhost
Could you please verify this attached file for me?
.

📝Verify the Signature of the Emailed Document

Log in to localhost again, as user2:

ssh <user2>@localhost

Use the mutt email client, and just as before, view and save the new email message's attachment.

Now, verify the note.txt.asc file that was emailed:

gpg --verify note.txt.asc

We'll get a warning that the key has not been certified by a trusted third party, and that's OK. What matters is the following line of the output:

gpg: Good signature from "user1 <user1@localhost>"

This line is what a successfully verified file shows.

Next, encrypt a copy of the /etc/fstab file like this (you can use any other file):

cp /etc/fstab ~
gpg -a -r <user1> -e ~/fstab

You will see a general warning that the key may not belong to the named person. We already know this key came from user1, so just press y at the prompt.

Verify that there is a file called fstab.asc in the user2 home directory (by running ls).

Create a new email to user1 with this file attached, then log out of the user2 account:

mail -s "File looks good" -a fstab.asc <user1>@localhost
Could you try decrypt this file?
.

exit

📝Decrypt the Attached File

Now, as user1, open the mutt email client and save the fstab.asc attachment from the new email. Run ls to check that fstab.asc is there.

Decrypt the saved fstab.asc file with the gpg command, entering the passphrase for user1's key when prompted:

gpg fstab.asc

Now let's verify that we can read the contents of the decrypted file:

cat fstab
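To see the whole lab run end to end without the interactive prompts, here is an added example script (my own, not part of the original lab) that replays every step above with two simulated users. It assumes GnuPG 2.1 or newer on PATH, uses a separate GNUPGHOME directory per user instead of two Linux accounts, replaces the mail/mutt hand-offs with plain file copies, and uses a constructed passphrase; the key parameter file and --trust-model always stand in for the answers you typed at the prompts. It also adds two checks the lab only implies: a tampered signed file fails verification, and user2, who holds only user1's public key, cannot decrypt the file.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab): replays the whole workflow
# unattended with two simulated users. Each "user" gets its own GNUPGHOME
# instead of a separate Linux account, and the mail/mutt hand-offs become
# file copies. Assumes GnuPG 2.1 or newer on PATH.
set -euo pipefail
command -v gpg >/dev/null 2>&1 || { echo "gpg (GnuPG 2.1+) is required" >&2; exit 1; }

LAB_DIR="$(mktemp -d)"
U1="$LAB_DIR/user1"; U2="$LAB_DIR/user2"      # one keyring per "user"
mkdir -p "$U1" "$U2" && chmod 700 "$U1" "$U2"
PASS="lab-passphrase"                         # constructed sample passphrase

cleanup() {
  GNUPGHOME="$U1" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$U2" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$LAB_DIR"
}
trap cleanup EXIT

# Run gpg as the given "user": own keyring, passphrase supplied without a
# prompt (the scripted equivalent of typing it when asked).
g() {
  local home="$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback \
      --passphrase "$PASS" "$@"
}

# Steps 1 and 2: the interactive gpg --gen-key, driven by a parameter file.
gen_key() {
  local home="$1" name="$2"
  GNUPGHOME="$home" gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Email: $name@localhost
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
}

# user1 exports the PUBLIC key; user2 imports it (mail + mutt in the lab).
exchange_pubkey() {
  g "$U1" -a -o "$LAB_DIR/user2.key" --export user1@localhost
  g "$U2" --import "$LAB_DIR/user2.key"
}

# Step 3: user1 clearsigns a note with the PRIVATE key.
sign_note() {
  echo "Just need you to verify this file." > "$U1/note.txt"
  g "$U1" --clearsign "$U1/note.txt"         # produces note.txt.asc
  cp "$U1/note.txt.asc" "$U2/note.txt.asc"   # "emailed" to user2
}

# Step 4: user2 checks the signature against user1's public key. Succeeds
# only on "Good signature"; any edit to the signed text makes it fail.
verify_note() {
  local out
  out="$(g "$U2" --verify "$U2/note.txt.asc" 2>&1)" || return 1
  printf '%s\n' "$out" | grep -q 'Good signature from "user1'
}

# user2 encrypts a file to user1. --trust-model always is the scripted form
# of answering "y" to the "key may not belong to the named user" prompt.
encrypt_for_user1() {
  printf 'LABEL=root / xfs defaults 0 0\n' > "$U2/fstab"   # constructed sample
  g "$U2" --trust-model always -a -r user1@localhost -e "$U2/fstab"
  cp "$U2/fstab.asc" "$U1/fstab.asc"         # "emailed" to user1
}

# Step 5: only user1's private key plus passphrase recovers the plaintext;
# prints the decrypted contents.
decrypt_as_user1() {
  g "$U1" -o "$U1/fstab" -d "$U1/fstab.asc" 2>/dev/null
  cat "$U1/fstab"
}

# Negative check: user2 holds only user1's PUBLIC key, so this must fail.
user2_cannot_decrypt() {
  ! g "$U2" -d "$U1/fstab.asc" >/dev/null 2>&1
}

run_lab() {
  gen_key "$U1" user1 && gen_key "$U2" user2
  exchange_pubkey && sign_note && verify_note
  encrypt_for_user1 && decrypt_as_user1 && user2_cannot_decrypt
}
run_lab
```

Run it as bash lab.sh; it removes its temporary keyrings and stops the agents it started when it exits. The --pinentry-mode loopback and --passphrase flags exist only to make the script unattended; in day-to-day use let gpg prompt for the passphrase rather than putting it on a command line, where other users on the host can read it from the process list.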

📌Note: At the end of each hands-on lab, always clean up all the resources you created to avoid being charged if you used a cloud provider to provision them.

Congratulations — you have completed this hands-on lab covering the basics of encrypting and decrypting files in Linux.

Thank you for reading. I hope you understood and learned something helpful from my blog.

Please follow me on CloudDevOpsToLearn and LinkedIn, franciscojblsouza