SeahorseGPG
User Days Seahorse and GPG Session
Encryption
- Symmetric
- Public Key Cryptography
Implementations
- SSH
- GnuPG
- SSL/TLS
Uses in Ubuntu
- Repositories
- PPAs
- Code of Conduct
Seahorse/Gnome Keyring
- Creating GPG keys
- exporting to keyserver
- import from keyserver
- key signing
- exporting to keyserver
- Creating SSH keys
- Setup with remote server
- Password management
- login keyring
Uses by Users
- File encryption
- archives (tar.gz)
- Email
- Encryption
- Signing
- SSH
Session Logs
1 === cjohnston changed the topic of #ubuntu-classroom to: Ubuntu Classroom || Ubuntu User Days | Current Session: Seahorse and GnuPG ~~ Presented by mhall119 || Please ask questions in #ubuntu-classroom-chat || Ubuntu User Days Survey: http://www.surveymonkey.com/s/WQWHJQY
2 [18:00] <cjohnston> Our next speaker is another member of the Ubuntu Florida LoCo team!
3 [18:00] <cjohnston> Michael Hall has been working in software development for 10 years. He has been a Desktop Linux user for 6 years, the last 4 being on Ubuntu.
4 [18:00] <cjohnston> He is the main developer of Qimo, an Ubuntu-derived Linux Distribution for kids. He currently spends his days doing Python development for the
5 [18:00] <cjohnston> Moffitt Cancer Research Center in Tampa, FL.
6 [18:01] <mhall119> thanks cjohnston
7 [18:02] <mhall119> so I'm going to be talking about cryptography, what it is and how it's used by Ubuntu
8 [18:02] <mhall119> and also how it can be used by you
9 [18:03] <mhall119> if you go over to my notes for this session, there's some helpful images and screenshots https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
10 [18:04] <mhall119> so there are two types of encryption in regular use
11 [18:04] <mhall119> in the past, the most often used form was symmetric cryptography
12 [18:04] <mhall119> what this means is that you have one key, and that key is used to both encrypt and decrypt the data
13 [18:05] <mhall119> much like a physical lock
14 [18:05] <mhall119> so, if you want to use that to securely send a box to someone, you need to send them the box, the lock, and a copy of the key
15 [18:06] <mhall119> now, the problem is that you have a much harder time keeping that key safe, because it's having to be passed around, or you have to give out multiple copies
16 [18:07] <mhall119> and if you send them all together, then it defeats the purpose of locking the box in the first place
17 [18:07] <mhall119> so some time ago some very smart people developed an alternative method called public key cryptography
18 [18:08] <mhall119> and what makes that different is that instead of one key, you have two
19 [18:08] <mhall119> and those two keys are different, but related
20 [18:09] <mhall119> specifically, they are used in a new kind of lock, and if you use one of the keys to lock it, then only the other key can unlock it
21 [18:10] <mhall119> now, the reason it's called "public key" cryptography is because you make one of these keys publicly available, to anyone that wants it
22 [18:10] <mhall119> and you keep the other one completely private, you never give it to anybody, you don't let anybody see it
23 [18:11] <mhall119> so now if you want to send a box to your friend, you get their public key (which they made available to everyone), and you use that to lock the box
24 [18:11] <mhall119> and because you used their public key to lock it, only their private key can be used to unlock it. Not even the key you used to lock it can unlock it
25 [18:12] <mhall119> so now you can send the locked box over an unsecured route like the post office, knowing that the only person in the world who has a key that can unlock it is your friend
26 [18:13] <mhall119> for added security, you can lock the box twice
27 [18:13] <mhall119> once as before, using your friend's public key
28 [18:13] <mhall119> and then again, using your private key
29 [18:13] <mhall119> and what that does is not only let you know that only your friend can open it
30 [18:14] <mhall119> but now your friend, using your public key to unlock it, knows that you are the only person in the world who could have sent it
31 [18:14] <mhall119> any questions so far?
32 [18:15] <mhall119> oskude> as i haven't ever had something i would need to be a secret that only a key can open... where do you need this ?
33 [18:15] <mhall119> very shortly I'm going to show you how this is used in Ubuntu, and the benefits it gives you
34 [18:16] <nigelbabu> question - how strong should a key be? in your screenshots you use strength 768
35 [18:16] <mhall119> okay, so public key cryptography has several implementations
36 [18:16] <mhall119> the key strength is up to you, I used the default values in my screenshots
37 [18:17] <mhall119> the larger the key, the longer it would take some evil government to crack it
38 [18:17] <mhall119> but it also takes longer for it to encrypt and decrypt things
39 [18:17] <mhall119> so it's a judgement call, what level of security do you need?
40 [18:18] <mhall119> so, Ubuntu has a few implementations of this
41 [18:18] <mhall119> SSH, or the secure shell, which provides an encrypted connection between two boxes similar to telnet
42 [18:19] <mhall119> GnuPG, which is an open source implementation of PGP (Pretty Good Privacy), which is used to sign and encrypt files and email
43 [18:19] <cjohnston> < Brot1> and which key length is recommended?
44 [18:19] <mhall119> and SSL, which you should all be familiar with, is the underlying technology behind HTTPS
45 [18:19] <mhall119> I personally use 4096 bit keys, which is probably overkill, but I'm not encrypting things where speed of encryption matters
46 [18:20] <mhall119> for something like SSL or SSH, it might slow you down slightly
47 [18:20] <mhall119> I'm sure there's plenty of references on the internet with people arguing for or against larger keys
48 [18:21] <mhall119> okay, moving on
49 [18:21] <mhall119> Ubuntu uses these technologies for some of its underlying systems
50 [18:21] <mhall119> the repositories that feed apt and synaptic are secured through GPG
51 [18:22] <mhall119> every package on them is signed by Canonical
52 [18:22] <mhall119> so that means that you can verify that every package you download hasn't been modified by someone else
53 [18:23] <mhall119> even if someone hacked into the repository server, and replaced packages with their own that contained a virus
54 [18:23] <mhall119> it wouldn't let you install it, because the signature wouldn't match
55 [18:23] <mhall119> the same goes for the PPA (personal package archives) available on Launchpad
56 [18:24] <mhall119> those packages aren't signed by Canonical, but rather the owner of the PPA
57 [18:24] <mhall119> so if you trust the owner of the PPA not to include a virus or trojan in their packages, you add their public key to your system, and that will be used to verify their packages
58 [18:25] <mhall119> finally, if you want to become a contributor to Ubuntu, you will need to sign the code of conduct
59 [18:26] <mhall119> and that requires that you use your private key to "sign" the actual CoC file
60 [18:27] <mhall119> signing doesn't encrypt the data, but rather it creates a short encrypted "signature" of the data, which when checked with the other key in the pair, will tell someone that the plain text message matches what the sender signed
61 [18:27] <mhall119> any questions before we move on?
62 [18:28] <mhall119> great
63 [18:28] <mhall119> now for the fun part
64 [18:28] <mhall119> Under Applications->Accessories you will find "Passwords and Encryption Keys"
65 [18:28] <mhall119> this is a graphical frontend to GnuPG called Seahorse
66 [18:29] <mhall119> and it will let you manage your PGP and SSH keys, and also will store passwords for you so that you don't have to remember them all
67 [18:30] <mhall119> so now we're going to walk through creating a private and public key of your very own
68 [18:30] <mhall119> Go to File->New
69 [18:30] <mhall119> and select PGP Key
70 [18:30] <mhall119> Put in your Name, email, and a comment
71 [18:31] <mhall119> you can see in my screenshot that I made one specifically for this session
72 [18:31] <mhall119> under the "Advanced" settings is where you can set the type and length of the key
73 [18:32] <mhall119> so fill that out and press the create button
74 [18:32] <mhall119> this will take a few minutes, depending on your CPU speed and key size
75 [18:32] <mhall119> so we'll stop for questions
76 [18:32] <mhall119> if there are any
77 [18:33] <mhall119> again, you can follow along with the screenshots here if you aren't actually making the keys: https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
78 [18:34] <_marx_> QUESTION If I lose or forget the passphrase will i have to make a new key?
79 [18:34] <mhall119> yes
80 [18:34] <mhall119> you can change the passphrase if you want, but you will need to know the old one to do so
81 [18:34] <mhall119> do not forget your passphrase, and do not lose your private key, or you will need to make new ones
82 [18:35] <mhall119> and your old public key will no longer be usable
83 [18:35] <_marx_> question - what is the difference with DSA (elgamal) and DSA (only sign)
84 [18:35] <mhall119> I'm not really sure what DSA (elgamal) is
85 [18:36] <cjohnston> < somnoliento> QUESTION What's the relationship between this PGP keys and the keyring (a common dialog in ubuntu sessions)
86 [18:36] <mhall119> you can ignore the (only sign), those are flags for users, you can still encrypt with those keys
87 [18:36] <mhall119> good question
88 [18:37] <mhall119> a keyring is a single place to store multiple keys
89 [18:37] <mhall119> your GnuPG keyring contains your private keys, your public keys, and the public keys of other people you know
90 [18:38] <mhall119> alright, we're gonna have to move on due to time
91 [18:38] <mhall119> if anyone is still generating keys, you can follow along with the screenshots
92 [18:38] <mhall119> once you have your key, you can view its properties
93 [18:39] <mhall119> you should note the Key ID and Fingerprint for your key, you will use them later
94 [18:39] <mhall119> now, it's time to make your public key public
95 [18:40] <mhall119> select your new key, and goto Remote->Sync and publish keys
96 [18:40] <mhall119> click on the Key Servers button to see the public keyservers available
97 [18:41] <mhall119> on the "Publish keys to: " drop down, select the ubuntu server
98 [18:41] <mhall119> you also have two more options here
99 [18:42] <mhall119> you can have your system automatically check these key servers for a person's public key when you receive something encrypted or signed by them
100 [18:42] <mhall119> you can also have it automatically sync the public keys in your keyring if you change them
101 [18:42] <mhall119> it's up to you if you want to enable those, I do for convenience
102 [18:43] <mhall119> okay, now close that dialog and click the Sync button
103 [18:43] <mhall119> this will upload your public key to the ubuntu keyserver
104 [18:43] <mhall119> and it will eventually be sent to the other public keyservers too, as they all share key data
105 [18:44] <cjohnston> < oskude> QUESTION - i assume there is no confirmation screen after "sync" ?
106 [18:44] <mhall119> you can check that your key has been uploaded by going to the web interface: http://keyserver.ubuntu.com:11371/ and doing a search on your name
107 [18:44] <mhall119> no, I don't think there is a confirmation on sync
108 [18:44] <mhall119> it may take a few minutes to get published
109 [18:46] <mhall119> alright, now we need to get someone's public key from those keyservers
110 [18:46] <mhall119> back in Seahorse, go to Remote->Find Remote Keys
111 [18:47] <mhall119> and search for "Ubuntu User Day"
112 [18:47] <mhall119> you will see a few of them now, as it seems some of you used the same comment I did :)
113 [18:47] <mhall119> my key, as you saw in the screenshots, has id 08FBB574
114 [18:47] <cjohnston> < Yos> Question is there a way to delete from these keyservers obsolete public keys
115 [18:48] <mhall119> right-click that and select Import
116 [18:48] <mhall119> cjohnston, I don't think so, when a key is obsolete, you generally add it to a published "revocation" list
117 [18:48] <mhall119> so that people know it was explicitly removed from use
118 [18:49] <mhall119> alright, now if you go to the "Other Keys" tab, you should see my User Day key there
119 [18:49] <mhall119> double-click that to view its properties
120 [18:50] <mhall119> now for some more magic
121 [18:50] <_marx_> 10 minutes
122 [18:50] <mhall119> if you go to the Trust tab you can sign my public key with your private key
123 [18:50] <mhall119> and what this does is let other people know that you believe that key belongs to me
124 [18:50] <mhall119> so even if someone else doesn't know that, if they trust you, then they can be assured
125 [18:50] <mhall119> wow, 10 minutes left, okay the next will have to go by fast
126 [18:51] <mhall119> I'm gonna skip the ssh and password parts, they're pretty straightforward, you can see the screenshots
127 [18:51] <mhall119> now, you can integrate your new PGP key into Evolution to sign and encrypt outgoing email
128 [18:52] <mhall119> and also to decrypt and verify incoming email
129 [18:52] <mhall119> in Evolution, go to Edit->Preferences and select your account
130 [18:52] <mhall119> on the Security tab, you can put the key id from your key, and evolution will use that
131 [18:53] <mhall119> when someone sends you an encrypted or signed email, Evolution will display an icon at the bottom telling you the state of it
132 [18:53] <mhall119> whether it was valid, and who it was from
133 [18:54] <mhall119> finally, if you install the package seahorse-plugins, you will have extra options in Nautilus and GEdit to sign or encrypt
134 [18:54] <mhall119> in nautilus, you can right-click any file (not folder) and encrypt it
135 [18:54] <mhall119> if you want more than one file, compress them into a .zip or .tar.gz and encrypt that
136 [18:55] <_marx_> 5 minutes
137 [18:55] <mhall119> and from Gedit, under the Edit menu will be options to sign/encrypt/decrypt and verify
138 [18:55] <mhall119> alright, any questions in the last 5 minutes?
139 [18:55] <pleia2> < oskude> QUESTION - Should i copy that "Key ID" (8 characters) row from Seahorse (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
140 [18:55] <_marx_> QUESTION - Should i copy that "Key ID" (8 characters) row from Seahorse (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
141 [18:55] <mhall119> just the key id
142 [18:56] <mhall119> anything else?
143 [18:56] <mhall119> you have my email address now (it's on my public key), so you can always email me for more questions
144 [18:56] <mhall119> or find me in #ubuntu-us-fl just about any time
145 [18:57] <mhall119> okay, well thank you all for coming, and enjoy your new cryptographic powers!
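The Seahorse walkthrough from the session (create a key pair, publish and import public keys, sign someone's key after checking the fingerprint, sign a file, verify it, and "lock the box twice" by signing and encrypting), done with the gpg command line instead. This is an added example and not part of the original session or of Seahorse; it assumes GnuPG 2.1 or later (for --quick-generate-key, --quick-lsign-key and --pinentry-mode loopback), and the user IDs "Alice"/"Bob", the file contents and the file-based key exchange standing in for a keyserver are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the session or from Seahorse): the GnuPG commands
# behind the Seahorse steps, run in two throw-away keyrings so nothing touches
# your real ~/.gnupg. "alice" is the sender, "bob" the friend with the second
# key pair. User IDs and file contents are constructed. Needs GnuPG >= 2.1.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
trap 'for h in "$ALICE" "$BOB"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# gpg inside a given keyring, fully non-interactive. The empty passphrase is
# for the demo only; a real private key should have one.
g() { home="$1"; shift; GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

ALICE_UID="Alice Demo <alice@example.invalid>"
BOB_UID="Bob Demo <bob@example.invalid>"

# 1. Each side creates a key pair (Seahorse: File -> New -> PGP Key).
g "$ALICE" --quick-generate-key "$ALICE_UID" default default never
g "$BOB"   --quick-generate-key "$BOB_UID"   default default never

# 2. Publish and import the public halves (Seahorse: Remote -> Sync and publish
#    keys / Find Remote Keys -> Import). A file replaces the keyserver here;
#    the private keys never leave their own keyring.
g "$ALICE" --armor --export "$ALICE_UID" > "$WORK/alice.pub.asc"
g "$BOB"   --armor --export "$BOB_UID"   > "$WORK/bob.pub.asc"
g "$ALICE" --import "$WORK/bob.pub.asc"
g "$BOB"   --import "$WORK/alice.pub.asc"

# Primary-key fingerprint of UID as stored in keyring HOME. Compare this out of
# band (phone, in person) before signing anyone's key.
fingerprint_in() { GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# 3. Key signing (Seahorse: key properties -> Trust tab). Local signatures
#    mark the key as valid for this keyring only; in batch mode gpg refuses to
#    encrypt to a key it does not consider valid, so this step is not optional.
g "$ALICE" --yes --quick-lsign-key "$(fingerprint_in "$ALICE" "$BOB_UID")"
g "$BOB"   --yes --quick-lsign-key "$(fingerprint_in "$BOB" "$ALICE_UID")"

# Detached ASCII-armoured signature over FILE with Alice's private key.
sign_file() { g "$ALICE" --yes --armor --detach-sign --output "$2" "$1"; }

# Verify SIG over FILE using only Alice's public key, from Bob's keyring.
# Exit status 0 means a good signature; a modified file or unknown key fails.
verify_file() { g "$BOB" --verify "$2" "$1" 2>/dev/null; }

# "Lock the box twice": encrypt FILE to Bob's public key and sign as Alice.
encrypt_and_sign() { g "$ALICE" --yes --armor --sign --encrypt --recipient "$BOB_UID" --output "$2" "$1"; }

# Decrypt FILE inside keyring HOME; prints the plaintext. Fails when HOME has
# no matching private key, which is why Alice cannot open her own box.
decrypt_in() { g "$1" --decrypt "$2" 2>/dev/null; }

# Constructed data: the signed original, a tampered copy, and the encrypted box.
printf 'hello from the Ubuntu User Day session\n' > "$WORK/message.txt"
sign_file "$WORK/message.txt" "$WORK/message.txt.asc"
cp "$WORK/message.txt" "$WORK/tampered.txt"
printf 'an extra line the signer never wrote\n' >> "$WORK/tampered.txt"
encrypt_and_sign "$WORK/message.txt" "$WORK/message.txt.gpg"

if verify_file "$WORK/message.txt" "$WORK/message.txt.asc"; then
    echo "original: good signature from $(fingerprint_in "$BOB" "$ALICE_UID")"
fi
if ! verify_file "$WORK/tampered.txt" "$WORK/message.txt.asc"; then
    echo "tampered: BAD signature, file rejected (this is the check apt relies on)"
fi
if ! decrypt_in "$ALICE" "$WORK/message.txt.gpg" >/dev/null; then
    echo "alice cannot decrypt a box locked with bob's public key"
fi
echo "bob decrypts: $(decrypt_in "$BOB" "$WORK/message.txt.gpg")"
```

Everything the second keyring needs to verify Alice's signature is her public key; the fingerprint printed by fingerprint_in is the value to compare with the one shown in Seahorse's key properties before you sign anyone's key.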
UserDays/01232010/SeahorseGPG (last edited 2010-01-24 00:27:10 by alderaan)