LPI 101-500 – 110.3: Protecting data with encryption part 2
- Create and integrate new keys, ssh-agent
With ssh, we also have the option of performing user authentication so that a user no longer has to enter a password. This is advantages when writing scripts using Ssh. We also use ssh KEYGAN for this, but this time on our client system. So I’m actually locked in on my client system. The command is actually the same, but this time not executed as root. So just ssh KEYDEN type RSA. This time we don’t change the path or file name. So the directory suggested to us is the dot ssh directory in our home directory, which we also use. And we also leave the suggested file name as it is. So we just have to hit enter and now we have to enter a passphrase.
This time I do not enter a passphrase, so I use just enter and that’s it. Now let’s look at the contents of the ssh directory. We see our wealth known hosts file and two newly added files, namely idrsa and idrsa pub. So again a private and a public key. If we had used Ecdsa instead of RSA, we would now have the files ID ecdsa and idcdsa Pop. The same applies of course to ed 25519. In order to be able to access a corresponding target system without entering a password, we have to upload the public key that has just been created to the server in a file called Authorized Keys, which is located in the user’s home directory in the sh folder on the ssh server.
Of course, this file does not exist yet, so we would have to create it and copy the public key into it with scp. Or we would use the tool especially made for this purpose, namely the ssh Copy ID tool. So we just enter the following command ssh copy ID and then again the IP address and it is still the one with 59 at the end. And here we see attempting to lock in with the new keys to filter out any that are already installed. One key remain to be installed if you are prompted. Now it is to install the new keys. Now I have to enter my password. And here you can see the confirmation number of keys added one. So our created public key was added to the recording file on the Ssh server.
And this file is the file authorized keys that is located in the ssh directory. So let’s switch to the server. Okay, I’m now on the server. You can see it here on the host name Monroe server. And now let’s take a look at the ssh directory. And we can see the authorized keys file was created successfully. Okay, let’s switch again to the other system and let’s try to log in again with ssh and then the IP address 59. And you see, I’m now logged in without having to enter a password that worked perfectly. So you can see here I’m now logged into Manual Server and not to Manual virtualbox anymore. I get out of it here. Now I’m back to my system.
Another possibility to use Ssh without entering a password is the so called authentication agent, or the Ssh agent. The Ssh agent can manage several keys for one user, so it is a password management tool. The ssh add command can be used to add keys to the Ssh agent. So we tell the Ssh agent on the client where our key is. The command is the following ssh add and then we have to enter the path of our key and of course, our key file. It’s this one here, ID RSA. So the private key, not the public key. The output says we added an identity. That means whenever we connect to the server, the Ssh agent will use the saved identity to add the password.
With the option l, we can check whether this identity has actually been saved. So ssh at l and we see the private RSA key here. With ssh at capital L, we can look at the public key. And here, that’s our public key with ssh and the option D, we can also remove a key. Again, your identity removed. Normally, we would have to explicitly specify a key here that should be removed. But in this case we only have one key. Therefore, this command also leads to success. By the way, the capital D option means that all keys are removed. If we had several on file, of course you should avoid configuring an automatic login in the operational environment because, of course, this is always a security risk.
- GnuPG, gpg-agent
At the end of this chapter, and thus also at the end of this entire course. We still have to look at new PG or Gpg for short. What Gpg data can be encrypted? This can be for example, word documents or exolis, or also emails. Gpg creates key pairs, just as we learned about it before. There is again a public key and a private key. With a public key we can encrypt something, and with a private key we can decrypt it again. So first we create such a key pair. To do this we use the Gpg command with a gen key option key. And now I have to enter my name and my email address. This data are only used to make the key identifiable. And now I could change the name, the email address, or I could quit.
Or I can say okay, so it’s okay for me. Everything is correct. And now I’m asking for a path phrase. Okay, and here we see a little bit text. Here we need to generate a lot of random bytes. It is a good idea to perform some action. So type on the keyboard, move the mouse and so on. During the prime generation, this gives the random number generator a better chance to gain enough entropy and the same again. But now the keys are ready. You can see here we have a public key. This one here expires and marked as trusted. We have a directory here, my home directory, and then gnuPG. And this was created. But first of all, let’s take a look at another command.
Personally, I prefer to use the following command to create key pairs so Gpg full generate key. This command gives me significantly more opportunities to influence key generation. So the first step, I can choose which encryption method I want to use here. So numbers three and four are only there to create so called signatures. Sign only. But we don’t just need a signature, we need a key pair. So I choose number one. Here it is, RSA and RSA default. Now I can choose how many bits my key should be. I can choose between 1024 and 4096. 3072 is suggested to me and I would use this value. So enter. In the next field I can specify how long the key should be valid.
Incidentally, this does not mean that the encryption will no longer work when the time has expired, but only that the signature is no longer valid. At this point I would choose zero. So the key does not expire. Zero enter. Is this correct? Yes, that’s correct. And then I can enter my name, my email address and comment. And with O I confirm again that I am done. I have to enter any password. And now I have to move my mouse a little bit to create data. That’s it. The key pair has now been created. We should now be able to find the keys in our Gpg standard directory similar to Ssh. This can be found in our home directory.
In the hidden subdirectory gnuPG. In the top ring KBX file we find the public keys that we created with Gpg. The private keys are located in the subdirectory with the name Private Keys volume 1D. So let’s go into this. This subdirectory does not exist in older Gpg versions. Instead there is a file called sakurin gpg that contains the private key, but as I said, only in older versions. But keep that in mind for the exam. In newer Gpg versions, this file SEC ring gpg does not exist anymore and you can find the keys in gnuPG and then private keys v trustdb gpg file contains signature keys used by other users whom we trust ourselves. Okay, we have now created the keys and can now use Gpg to encrypt files.
I’m going to create a text file called gpg text or test gpg test is better and save it in the documents directory. So for example, VI documents and then I create a file with the name gpg test ODT. For example, this is encryption test. I think that’s enough. And here you can see we have our gpg test file and we have this content here. This is an encryption test. We can see that this file has 29 bytes. Now we encrypt the file with the following command gpg encrypt and then simply gpg test ODT we are now asked for a user ID. You did not specify user ID. You may use the option R. Enter the user ID and we only have one now, so just using the first letter is enough for Gpg to know which user ID is to use.
So we only enter the first, or if you like, the first three letters of the name that I used when creating the key. Now the corresponding user ID is suggested to me. This one here. To be honest, I find it a bit confusing now because since the program asks again, it looks as if our entry did not work. But it worked. So just press enter again and the file will be encrypted. And we can now see that the original file has been preserved and another file has been created with a file extension gpg and this is now our encrypted file. So we can no longer open this file. So for example, cat gpg test ODT gpg and you see, cannot read the content anymore. Let’s have another try with VI gpg tests gpg and the same.
So we cannot see the content here because it is completely encrypted. So that the encryption of our file made sense. We should of course delete the original file. So let me do that. Okay, if we now want to decrypt the file again, we use the following command gpg decrypt and then the file name gpg test ODT gpg and then we have to use this one here. And then the new file name is gpgtest ODT. Now we have to enter a password, namely that which we signed when creating the key. The encrypted file has been decrypted and we can see here now we can access it again. So cat Gpg test. And here we have again our content. This is an encryption test and of course it also works with VI.
But I think I don’t have to show it again. Another important function of Gpg is the creation of signatures. The recipient of a file can use a signature to verify that the data really comes from the known sender. For example, if we want to create a signature for our text file that has just been decrypted, we could use the following command gpg detach sign and then gpg test ODT ll and as a result, we see that another file with the extension SIG has now been created. This is the digital signature for the Gpg test ODT file. So if you want to make the file gpg test ODT available to someone, you should send both files to this person. The recipient can also use Gpg to check whether the file really came from us.
To do this, the recipient would use the following command gpg verify and then gpg test odtsig the recipient can now see that this file has been signed by me. So here is my name and my email address. So everything is correct. Similar to Ssh and the Ssh agent, Gpg also has a Gpg agent. It fulfills the same task as the Ssh agent, namely storing passwords. You don’t have to know more about that, I think. So that’s it. We have now actually come to the end of this course. I hope you enjoyed the course and I keep my fingers crossed for your upcoming exam. So good luck. Thank you very much and see you soon. Bye.