Tag Archives: gpg

Sending mail on the Linux command line (Ubuntu 18.04)

How to send end-to-end encrypted emails on the Linux command line.

Unencrypted mail

Install package "bsd-mailx":

$ sudo apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test
This is a test.
.
Cc:

Notes:

  • Mail gets sent to postmaster@example.com (see mail.rc).
  • Mail server is mail.example.com (see mail.rc).
  • Email message body is terminated by a single "." as the last line.

Encrypted mail (PGP)

Make sure you can send unencrypted mail (see "Unencrypted mail" above).

If you haven't done so before, create a GnuPG key pair (private and public key):

$ gpg --gen-key

Import the recipient's public PGP key:

$ gpg --import alice.pub

First sign the message ("--clearsign": an ASCII-armored signature is appended to the plain text), then encrypt it, then mail it.

$ echo "Hello Alice, if you can read this your PGP mail client is working." | gpg --clearsign | gpg -a -r alice@example.com --encrypt | mailx alice@example.com -s "PGP encrypted mail test"

Notes:

  • First sign the message. "gpg --clearsign" uses the default private key to sign the message; check which key that is with "gpg -K". Use the option "--default-key bob@example.com" to choose a specific private key instead.
  • Then encrypt the message. Check with "gpg -k" that the recipient's key has been added to your GPG keyring.
  • Finally send the mail message. The email body is simply the signed and encrypted message text in ASCII-armored format.
  • The email subject will not be encrypted.

Encrypted mail (S/MIME)

Make sure you can send unencrypted mail (see "Unencrypted mail" above).

You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).

You can get an S/MIME email certificate for free from COMODO, or you can run your own certificate authority. Either way, both your own certificate and your own private key need to be in a single file in PEM format (in the following example it is called "bob.pem"):

-----BEGIN PRIVATE KEY-----
 ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

The public certificate of the recipient must be in PEM format too (in the following example it is called "alice.pem"). You can extract it from an email signature if the recipient has already sent you a signed email:

-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

Install the package "ssmtp".

$ sudo apt-get install ssmtp

Again (as in the PGP example above), all commands for signing, encrypting and sending the message can be chained into a single command line:

$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | \
    openssl smime -sign -signer bob.pem -text | \
    openssl smime -encrypt -from bob@example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | \
    ssmtp -t

Notes:

  • The email body is simply the signed and encrypted message text in ASCII format. OpenSSL adds all required headers to it (sender, recipient, subject), and "ssmtp -t" takes the recipient from those headers.
  • If you use an S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature than with PGP signed emails.
  • You still need the public certificate of the recipient, and you still have to make sure somehow that it is authentic.
  • Again, the email subject will not be encrypted.

Pinentry not working over SSH with x11forwarding (Thunderbird with Enigmail)

If you use Enigmail in Thunderbird over an SSH connection, sometimes you cannot enter the passphrase for your private GPG key: pinentry-qt, pinentry-gnome3 and pinentry-gtk2 do not show any dialog box.

Here is a workaround: you can cache the passphrase in gpg-agent, even if Thunderbird is already running. Enigmail will then use the passphrase cached by gpg-agent, because it runs gpg2 commands in a subshell in order to encrypt or sign messages.

Connect to the server using x11forwarding:

$ ssh -Y server

Note your DISPLAY environment variable:

$ echo $DISPLAY
localhost:10.0

Unset / delete the DISPLAY environment variable:

$ unset DISPLAY

Export GPG_TTY environment variable for gpg:

$ export GPG_TTY=$(tty)

Make sure that gpg-agent is running:

$ ps aux | grep gpg-agent
user 2058 0.0 0.0 168068 2228 ? Ss Nov10 0:07 gpg-agent --homedir /home/user/.gnupg --use-standard-socket --daemon

Load the passphrase for your GPG key into gpg-agent by signing a dummy message. Make sure that you enter your passphrase in the pinentry TUI (the curses dialog), not at the gpg command prompt:

$ echo test | gpg2 --use-agent -s

The passphrase you are about to enter is then cached by gpg-agent. The cache lifetime is controlled by the settings in ~/.gnupg/gpg-agent.conf. Now set the DISPLAY environment variable again so that Thunderbird can run; use the value printed by "echo $DISPLAY" above:

$ export DISPLAY=localhost:10.0

Start Thunderbird. You should now be able to sign and encrypt email messages with Enigmail without having to enter your GPG passphrase again, because it is already cached by gpg-agent:

$ thunderbird &


Secure download of RHEL ISO installation images

You will probably download the RHEL ISO image from within the Red Hat Customer Portal and therefore use an encrypted HTTPS connection (download URL is https://access.cdn.redhat.com/...). The SHA-256 checksums for the ISO images are on the download page.

Red Hat also provides a page with all GPG keys they use for signing their software packages. In the Customer Portal, go to "Security" -> "Product Signing (GPG) Keys" (https://www.redhat.com/security/team/key/).

There are download links for the public keys (https://www.redhat.com/...). The keys are also available on the keyserver pgp.mit.edu, so you can use the following commands to import the main Red Hat key into your GPG keyring and show its fingerprint:

# gpg --recv-keys fd431d51
# gpg --fingerprint -k fd431d51

Compare the fingerprint of the Red Hat public key with the fingerprint on the Customer Portal website. You cannot use the GPG key for verifying the ISO files (the download page only provides SHA-256 checksums), but it is useful for e.g. verifying RPM package updates that you download directly from Red Hat websites instead of installing them the usual way via an official yum repository.


Secure download for CentOS 7

The basic idea for downloading a CentOS 7 installation image in a secure way is this:

  1. Download the CentOS public key from a public keyserver.
  2. By using that key you can verify the signature of the checksum file of the CentOS ISO image.
  3. With the checksum file you check the downloaded ISO image to see if it is the original file and has not been changed or tampered with.

[CentOS Public Key]  ->  [Signature of checksum file]  ->  [ISO image]

Here are the steps to take:

0. Most important: Make sure to follow this procedure on a computer that is secure and that you fully trust. Otherwise all of the following steps are pretty much useless.

1. Download the CentOS 7 public key:
gpg --search-keys --keyserver-options proxy-server=http://proxy.local.example:8080 F4A80EB5
(or without using a proxy server: gpg --search-keys F4A80EB5)
Accept the key by typing "1". If no key was found, try a specific keyserver with the "--keyserver" option. By default gpg uses "keys.gnupg.net".

Make sure the key has really been imported into your public gpg keyring:
gpg --fingerprint -k

The "--fingerprint" option shows the fingerprint of the just imported key. Compare it with the fingerprint on the official CentOS website: https://www.centos.org/keys/
Make sure to double check the SSL certificate of that website in your browser.

2. Download the checksum file for the DVD image. It contains checksums for a large variety of CentOS ISO images:
wget http://buildlogs.centos.org/rolling/7/isos/x86_64/sha256sum.txt.asc

Check the validity of the checksum file:
gpg --verify sha256sum.txt.asc

3. Check the validity of the downloaded ISO image file against the checksum file downloaded in step 2 (the clearsigned file can be passed to sha256sum directly; the PGP header and signature lines are reported as improperly formatted and ignored):
sha256sum -c sha256sum.txt.asc


Secure download for Debian

The basic idea for downloading the Debian installation image in a secure way is this:

  1. Download the Debian public key from keyring.debian.org.
  2. Using that key you verify the signature of the checksum file of the ISO image.
  3. With the checksum file you check the downloaded ISO image to see if it is the original file and has not been changed or tampered with.

Here are the steps to take:

0. Most important: Make sure to follow this procedure on a computer that is secure and that you fully trust. Otherwise all of the following steps are pretty much useless.

1. Download the Debian public key:
gpg --keyserver hkp://keyring.debian.org --recv-keys 6294BE9B

Make sure the key has really been imported into your public gpg keyring:
gpg --fingerprint -k

The "--fingerprint" option shows the fingerprint of the just imported key. Compare it with the fingerprint on the official Debian website: https://www.debian.org/CD/verify
Make sure to double check the SSL certificate of that website in your browser.

2. Download the checksum file for the ISO image and the corresponding signature file:
wget http://cdimage.debian.org/.../SHA512SUMS
wget http://cdimage.debian.org/.../SHA512SUMS.sign

Check the validity of the checksum file:
gpg --verify SHA512SUMS.sign

3. Check the validity of the downloaded ISO image file:
sha512sum -c SHA512SUMS
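The CentOS and Debian procedures above are the same three-step chain: pin the vendor's key fingerprint, check the signature on the checksum file, then hash the image. The following script, added here as an example and not part of the original post or of either distribution's tooling, implements that chain. It parses both the clearsigned CentOS sha256sum.txt.asc and Debian's plain SHA512SUMS, and its gpg_verify() only accepts a signature whose primary-key fingerprint equals the one copied from the vendor website, since a bare "gpg --verify" is satisfied by any key in your keyring. The file names, the sample checksum file and the fake image digest are constructed for the example.

```python
import hashlib
import hmac
import re
import subprocess

SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{128}) [ *](\S.*)$")
DIGEST_BY_LEN = {64: "sha256", 128: "sha512"}  # hex digest length -> hashlib name

def parse_sums(text):
    """{filename: hexdigest} from a SHA256SUMS/SHA512SUMS file, clearsigned or plain.
    Stops at the armored signature; dash-escaped ("- ") lines are unescaped."""
    sums = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        m = SUM_LINE.match(line[2:] if line.startswith("- ") else line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def gpg_verify(sig_path, expected_fpr, data_path=None):
    """True only if the signature is good AND made by the pinned key. `gpg --verify` alone
    accepts any key in the keyring, so VALIDSIG's primary-key fingerprint is compared too."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path:  # detached signature, e.g. Debian's SHA512SUMS.sign + SHA512SUMS
        cmd.append(data_path)
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    want = expected_fpr.replace(" ", "").upper()
    return any(line.split()[-1].upper() == want
               for line in out.splitlines() if line.startswith("[GNUPG:] VALIDSIG "))

def digest_file(path, algo):
    h = hashlib.new(algo)  # stream the multi-GB image instead of reading it whole
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(path, sums_text, hasher=digest_file):
    """Look the image up by file name, pick the algorithm from the digest length, compare in constant time."""
    name = path.rsplit("/", 1)[-1]
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in the checksum file")
    return hmac.compare_digest(expected, hasher(path, DIGEST_BY_LEN[len(expected)]).lower())

# Constructed sample in the layout of CentOS' clearsigned sha256sum.txt.asc (armor omitted).
FAKE_ISO_SHA256 = hashlib.sha256(b"constructed stand-in for an ISO image\n").hexdigest()
SAMPLE_SUMS = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               f"{FAKE_ISO_SHA256}  CentOS-7-constructed.iso\n"
               "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n")
```

Run gpg_verify() on the checksum file first and only call verify_iso() when it returns True; the hasher parameter exists so a digest computed elsewhere (e.g. by sha256sum) can be checked without re-reading the image.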
