Novice Level

Encrypt a File Using GPG

Pricing
1 hour
  • 5 Learning Objectives

About this Hands-on Lab

With the prevalence of cloud servers in use today, security should be at the forefront of their deployments. Just as important is the security of important local files and documents. We can employ the GNU Privacy Guard, or GPG, toolset to encrypt files; and through the use of sharing public keys with other users, we can decrypt files from other people. In this hands-on lab, we will walk through creating a new public GPG key, encrypt a file and sign it, and send that file to another user to decrypt with our public key.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a GPG Key for `cloud_user`

  1. After you log in to the server as the cloud_user account, generate a new GPG key, accepting the defaults for each prompt. For the Real name, enter cloud_user, and for the Email address, use cloud_user@localhost. You can leave the comment field blank by just pressing Enter.

    gpg --gen-key

  2. Use the following for the key’s passphrase: password321 (In the real world, you would want to use a more secure passphrase!).

  3. After the key has been created, we will need to export it so that Gordon Freeman can decrypt files from us. Export the cloud_user public key for gfreeman to use.

    gpg -a -o gfreeman.key --export [key ID]

    Use the public key reference ID from the output of the key generation.

  4. Using the mail command, send an email to Gordon Freeman containing the cloud_user public key as an attachment.

    mail -s "here is your key" -a gfreeman.key gfreeman@localhost
Don't lose this!  I'll call you with the passphrase.
.

  5. Press Enter after the final dot to send the message.

Configure GPG for Gordon

  1. Now you will need to set up the GPG environment for Gordon Freeman. Use a secure shell session to log into the gfreeman account (the password for this user is the same as the cloud_user account).

    ssh gfreeman@localhost

  2. Just as you did with the cloud_user account, generate a GPG key for Mr. Freeman, accepting the defaults for each prompt. For the Real name, enter gfreeman, and for the Email address, use gfreeman@localhost. You can leave the comment field blank (just press Enter).

    gpg --gen-key

  3. Use the following for the key’s passphrase: password321 (In the real world, you would want to use a more secure passphrase!).

  4. After creating the key for Mr. Freeman, open up the mutt email client, and save the public key sent over by the cloud_user account. Press Enter on the email message, then the [v] key to view the attachment, and press the [s] key to save it to Mr. Freeman’s home directory. Press the [q] key to exit mutt.

  5. Now we need to import the public key from cloud_user into Mr. Freeman’s keyring. Run the following command to do so:

    gpg --import gfreeman.key

  6. Run the following command to view the contents of Mr. Freeman’s keyring:

    gpg --list-keys

  7. Log out of gfreeman‘s account:

    exit
Generate a Signed Document and Send It to Gordon

When we digitally sign a file, we are using our private GPG key to guarantee that this file came from us. The user that receives the file will use their copy of the public key from you to verify that the file was signed by you.

  1. Run the following command to generate a test document:

    echo "Just need you to verify this file." > note.txt

  2. Now we are going to use cloud_user‘s private key to sign the file. Run the following command to do so, and use the passphrase that was set for the key:

    gpg --clearsign note.txt

    There should now be a note.txt.asc file in cloud_user‘s home directory.

  3. Create an email, attach the note.txt.asc file to the message, and send it to gfreeman@localhost.

    mail -s "check this out" -a note.txt.asc gfreeman@localhost
Could you verify this file for me?
.
Verify the Signature of the Emailed Document

  1. Use a secure shell session to log in to the gfreeman account (the password for this user is the same as the one for the cloud_user account).

    ssh gfreeman@localhost

  2. Use the mutt email client to view and save the new email message’s attachment.

  3. Next, verify the note.txt.asc file that was emailed using the following:

    gpg --verify note.txt.asc

  4. You will receive a warning about the signature not being verified by a third party, and that’s ok. What is important is the following line from the output:

    gpg: Good signature from "cloud_user <cloud_user@localhost>"

    This is what a verfied file displays.

  5. Next, encrypt a copy of the /etc/fstab file with the following:

    cp /etc/fstab ~
gpg -a -r cloud_user -e ~/fstab

    You will see a general warning displayed about the key possibly not belonging to the named person. We know that this key is from cloud_user, as we have verified this. Type y at the prompt.

  6. Verify that there is a file called fstab.asc in gfreeman‘s home directory. Create a new email to cloud_user, and attach this file:

    mail -s "looks good" -a fstab.asc cloud_user@localhost
Can you decrypt this?
.

  7. Log out of Mr. Freeman’s account:

    exit
Decrypt the Attached File

  1. As the cloud_user, open up the mutt email client and save the fstab.asc attachment from the new email.

  2. Decrypt the saved fstab.asc file with the gpg command. Enter the passphrase for cloud_user‘s key when prompted.

    gpg fstab.asc

  3. Verify that you can read the contents of the decrypted file.

    cat fstab
Contact SalesSee Pricing

Additional Resources

Open your activity guide for instructions on completing this activity.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Don't have an account?

Get Started
Who’s going to be learning?
MyselfMy Organization