SeahorseGPG

User Days Seahorse and GPG Session

Encryption

  • Symmetric

    symmetric_lock.png

  • Public Key Cryptography

    pki_lock.png

Implementations

  1. SSH
  2. GnuPG
  3. SSL/TLS

Uses in Ubuntu

  1. Repositories
  2. PPAs
  3. Code of Conduct

Seahorse/Gnome Keyring

Seahorse.png

  1. Creating GPG keys

    Seahorse-New-PGP.png Seahorse-PersonalKeys-Fingerprint.png

    1. exporting to keyserver

      Keyserver-Lookup.png

    2. import from keyserver

      Seahorse-Found.png

    3. key signing

      Seahorse-PGP-Sign.png

  2. Creating SSH keys

    Seahorse-New-SSH.png

    1. Setup with remote server
  3. Password management

    Seahorse-New-Password.png

    1. login keyring

Uses by Users

  1. File encryption
    1. archives (tar.gz)

      Nautilus-Encrypt.png

  2. Email

    Evolution-Account-Security.png

    1. Encryption
    2. Signing

      Evolution-Email-Signature.png

  3. SSH

Session Logs

   1 === cjohnston changed the topic of #ubuntu-classroom to: Ubuntu Classroom || Ubuntu User Days | Current Session: Seahorse and GnuPG ~~ Presented by mhall119 || Please ask questions in #ubuntu-classroom-chat || Ubuntu User Days Survey: http://www.surveymonkey.com/s/WQWHJQY
   2 [18:00] <cjohnston> Our next speaker is another member of the Ubuntu Florida LoCo team!
   3 [18:00] <cjohnston> Michael Hall has been working in software development for 10 years. He has been a Desktop Linux user for 6 years, the last 4 being on Ubuntu.
   4 [18:00] <cjohnston> He is the main developer of Qimo, an Ubuntu-derived Linux Distribution for kids. He currently spends his days doing Python development for the
   5 [18:00] <cjohnston> Moffitt Cancer Research Center in Tampa, FL.
   6 [18:01] <mhall119> thanks cjohnston
   7 [18:02] <mhall119> so I'm going to be talking about cryptography, what it is and how it's used by Ubuntu
   8 [18:02] <mhall119> and also how it can be used by you
   9 [18:03] <mhall119> if you go over to my notes for this session, there's some helpful images and screenshots https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
  10 [18:04] <mhall119> so there are two types of encryption in regular use
  11 [18:04] <mhall119> in the past, the most often used form was symmetric cryptography
  12 [18:04] <mhall119> what this means is that you have one key, and that key is used to both encrypt and decrypt the data
  13 [18:05] <mhall119> much like a physical lock
  14 [18:05] <mhall119> so, if you want to use that to securely send a box to someone, you need to send them the box, the lock, and a copy of the key
  15 [18:06] <mhall119> now, the problem is that you have a much harder time keeping that key safe, because it's having to be passed around, or you have to give out multiple copies
  16 [18:07] <mhall119> and if you send them all together, then it defeats the purpose of locking the box in the first place
  17 [18:07] <mhall119> so some time ago some very smart people developed an alternative method called public key cryptography
  18 [18:08] <mhall119> and what makes that different is that instead of one key, you have two
  19 [18:08] <mhall119> and those two keys are different, but related
  20 [18:09] <mhall119> specifically, they are used in a new kind of lock, and if you use one of the keys to lock it, then only the other key can unlock it
  21 [18:10] <mhall119> now, the reason it's called "public key" cryptography is because you make one of these keys publicly available, to anyone that wants it
  22 [18:10] <mhall119> and you keep the other one completely private, you never give it to anybody, you don't let anybody see it
  23 [18:11] <mhall119> so now if you want to send a box to your friend, you get their public key (which they made available to everyone), and you use that to lock the box
  24 [18:11] <mhall119> and because you used their public key to lock it, only their private key can be used to unlock it.  Not even the key you used to lock it can unlock it
  25 [18:12] <mhall119> so now you can send the locked box over an unsecured route like the post office, knowing that the only person in the world who has a key that can unlock it is your friend
  26 [18:13] <mhall119> for added security, you can lock the box twice
  27 [18:13] <mhall119> once as before, using your friend's public key
  28 [18:13] <mhall119> and then again, using your private key
  29 [18:13] <mhall119> and what that does is not only let you know that only your friend can open it
  30 [18:14] <mhall119> but now your friend, using your public key to unlock it, knows that you are the only person in the world who could have sent it
  31 [18:14] <mhall119> any questions so far?
  32 [18:15] <mhall119> oskude> as i haven't ever had something i would need to be a secret that only a key can open... where do you need this ?
  33 [18:15] <mhall119> very shortly I'm going to show you how this is used in Ubuntu, and the benefits it gives you
  34 [18:16] <nigelbabu> question - how strong should a key be? in your screenshots you use strength 768
  35 [18:16] <mhall119> okay, so public key cryptography has several implementations
  36 [18:16] <mhall119> the key strength is up to you, I used the default values in my screenshots
  37 [18:17] <mhall119> the larger the key, the longer it would take some evil government to crack it
  38 [18:17] <mhall119> but it also takes longer for it to encrypt and decrypt things
  39 [18:17] <mhall119> so it's a judgement call, what level of security do you need?
  40 [18:18] <mhall119> so, Ubuntu has a few implementations of this
  41 [18:18] <mhall119> SSH, or the secure shell, which provides an encrypted connection between two boxes similar to telnet
  42 [18:19] <mhall119> GnuPG, which is an open source implementation of PGP (Pretty Good Privacy), which is used to sign and encrypt files and email
  43 [18:19] <cjohnston> < Brot1> and which key length is recommended?
  44 [18:19] <mhall119> and SSL, which you should all be familiar with, is the underlying technology behind HTTPS
  45 [18:19] <mhall119> I personally use 4096 bit keys, which is probably overkill, but I'm not encrypting things where speed of encryption matters
  46 [18:20] <mhall119> for something like SSL or SSH, it might slow you down slightly
  47 [18:20] <mhall119> I'm sure there's plenty of references on the internet with people arguing for or against larger keys
  48 [18:21] <mhall119> okay, moving on
  49 [18:21] <mhall119> Ubuntu uses these technologies for some of its underlying systems
  50 [18:21] <mhall119> the repositories that feed apt and synaptic are secured through GPG
  51 [18:22] <mhall119> every package on them is signed by Canonical
  52 [18:22] <mhall119> so that means that you can verify that every package you download hasn't been modified by someone else
  53 [18:23] <mhall119> even if someone hacked into the repository server, and replaced packages with their own that contained a virus
  54 [18:23] <mhall119> it wouldn't let you install it, because the signature wouldn't match
  55 [18:23] <mhall119> the same goes for the PPA (personal package archives) available on Launchpad
  56 [18:24] <mhall119> those packages aren't signed by Canonical, but rather the owner of the PPA
  57 [18:24] <mhall119> so if you trust the owner of the PPA not to include a virus or trojan in their packages, you add their public key to your system, and that will be used to verify their packages
  58 [18:25] <mhall119> finally, if you want to become a contributor to Ubuntu, you will need to sign the code of conduct
  59 [18:26] <mhall119> and that requires that you use your private key to "sign" the actual CoC file
  60 [18:27] <mhall119> signing doesn't encrypt the data, but rather it creates a short encrypted "signature" of the data, which when checked with the other key in the pair, will tell someone that the plain text message matches what the sender signed
  61 [18:27] <mhall119> any questions before we move on?
  62 [18:28] <mhall119> great
  63 [18:28] <mhall119> now for the fun part
  64 [18:28] <mhall119> Under Applications->Accessories you will find "Passwords and Encryption Keys"
  65 [18:28] <mhall119> this is a graphical frontend to GnuPG called Seahorse
  66 [18:29] <mhall119> and it will let you manage your PGP and SSH keys, and also will store passwords for you so that you don't have to remember them all
  67 [18:30] <mhall119> so now we're going to walk through creating a private and public key of your very own
  68 [18:30] <mhall119> Go to File->New
  69 [18:30] <mhall119> and select PGP Key
  70 [18:30] <mhall119> Put in your Name, email, and a comment
  71 [18:31] <mhall119> you can see in my screenshot that I made one specifically for this session
  72 [18:31] <mhall119> under the "Advanced" settings is where you can set the type and length of the key
  73 [18:32] <mhall119> so fill that out and press the create button
  74 [18:32] <mhall119> this will take a few minutes, depending on your CPU speed and key size
  75 [18:32] <mhall119> so we'll stop for questions
  76 [18:32] <mhall119> if there are any
  77 [18:33] <mhall119> again, you can follow along with the screenshots here if you aren't actually making the keys: https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
  78 [18:34] <_marx_> QUESTION If I lose or forget the passphrase will i have to make a new key?
  79 [18:34] <mhall119> yes
  80 [18:34] <mhall119> you can change the passphrase if you want, but you will need to know the old one to do so
  81 [18:34] <mhall119> do not forget your passphrase, and do not lose your private key, or you will need to make new ones
  82 [18:35] <mhall119> and your old public key will no longer be usable
  83 [18:35] <_marx_> question - what is the difference with DSA (elgamal) and DSA (only sign)
  84 [18:35] <mhall119> I'm not really sure what DSA (elgamal) is
  85 [18:36] <cjohnston> < somnoliento> QUESTION What's the relationship between this PGP keys and the keyring (a common dialog in ubuntu sessions)
  86 [18:36] <mhall119> you can ignore the (only sign), those are flags for users, you can still encrypt with those keys
  87 [18:36] <mhall119> good question
  88 [18:37] <mhall119> a keyring is a single place to store multiple keys
  89 [18:37] <mhall119> your GnuPG keyring contains your private keys, your public keys, and the public keys of other people you know
  90 [18:38] <mhall119> alright, we're gonna have to move on due to time
  91 [18:38] <mhall119> if anyone is still generating keys, you can follow along with the screenshots
  92 [18:38] <mhall119> once you have your key, you can view its properties
  93 [18:39] <mhall119> you should note the Key ID and Fingerprint for your key, you will use them later
  94 [18:39] <mhall119> now, it's time to make your public key public
  95 [18:40] <mhall119> select your new key, and go to Remote->Sync and publish keys
  96 [18:40] <mhall119> click on the Key Servers button to see the public keyservers available
  97 [18:41] <mhall119> on the "Publish keys to: " drop down, select the ubuntu server
  98 [18:41] <mhall119> you also have two more options here
  99 [18:42] <mhall119> you can have your system automatically check these key servers for a person's public key when you receive something encrypted or signed by them
 100 [18:42] <mhall119> you can also have it automatically sync the public keys in your keyring if you change them
 101 [18:42] <mhall119> it's up to you if you want to enable those, I do for convenience
 102 [18:43] <mhall119> okay, now close that dialog and click the Sync button
 103 [18:43] <mhall119> this will upload your public key to the ubuntu keyserver
 104 [18:43] <mhall119> and it will eventually be sent to the other public keyservers too, as they all share key data
 105 [18:44] <cjohnston> < oskude> QUESTION - i assume there is no confirmation screen after "sync" ?
 106 [18:44] <mhall119> you can check that your key has been uploaded by going to the web interface: http://keyserver.ubuntu.com:11371/ and doing a search on your name
 107 [18:44] <mhall119> no, I don't think there is a confirmation on sync
 108 [18:44] <mhall119> it may take a few minutes to get published
 109 [18:46] <mhall119> alright, now we need to get someone's public key from those keyservers
 110 [18:46] <mhall119> back in Seahorse, go to Remote->Find Remote Keys
 111 [18:47] <mhall119> and search for "Ubuntu User Day"
 112 [18:47] <mhall119> you will see a few of them now, as it seems some of you used the same comment I did :)
 113 [18:47] <mhall119> my key, as you saw in the screenshots, has id 08FBB574
 114 [18:47] <cjohnston> < Yos> Question is there a way to delete from these keyservers obsolete public keys
 115 [18:48] <mhall119> right-click that and select Import
 116 [18:48] <mhall119> cjohnston, I don't think so, when a key is obsolete, you generally add it to a published "revocation" list
 117 [18:48] <mhall119> so that people know it was explicitly removed from use
 118 [18:49] <mhall119> alright, now if you go to the "Other Keys" tab, you should see my User Day key there
 119 [18:49] <mhall119> double-click that to view its properties
 120 [18:50] <mhall119> now for some more magic
 121 [18:50] <_marx_> 10 minutes
 122 [18:50] <mhall119> if you go to the Trust tab you can sign my public key with your private key
 123 [18:50] <mhall119> and what this does is let other people know that you believe that key belongs to me
 124 [18:50] <mhall119> so even if someone else doesn't know that, if they trust you, then they can be assured
 125 [18:50] <mhall119> wow, 10 minutes left, okay the next will have to go by fast
 126 [18:51] <mhall119> I'm gonna skip the ssh and password parts, they're pretty straightforward, you can see the screenshots
 127 [18:51] <mhall119> now, you can integrate your new PGP key into Evolution to sign and encrypt outgoing email
 128 [18:52] <mhall119> and also to decrypt and verify incoming email
 129 [18:52] <mhall119> in Evolution, go to Edit->Preferences and select your account
 130 [18:52] <mhall119> on the Security tab, you can put the key id from your key, and evolution will use that
 131 [18:53] <mhall119> when someone sends you an encrypted or signed email, Evolution will display an icon at the bottom telling you the state of it
 132 [18:53] <mhall119> whether it was valid, and who it was from
 133 [18:54] <mhall119> finally, if you install the package seahorse-plugins, you will have extra options in Nautilus and GEdit to sign or encrypt
 134 [18:54] <mhall119> in nautilus, you can right-click any file (not folder) and encrypt it
 135 [18:54] <mhall119> if you want more than one file, compress them into a .zip or .tar.gz and encrypt that
 136 [18:55] <_marx_> 5 minutes
 137 [18:55] <mhall119> and from Gedit, under the Edit menu will be options to sign/encrypt/decrypt and verify
 138 [18:55] <mhall119> alright, any questions in the last 5 minutes?
 139 [18:55] <pleia2> < oskude> QUESTION - Should i copy that "Key ID" (8 characters) row from Seashore (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
 140 [18:55] <_marx_> QUESTION - Should i copy that "Key ID" (8 characters) row from Seashore (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
 141 [18:55] <mhall119> just the key id
 142 [18:56] <mhall119> anything else?
 143 [18:56] <mhall119> you have my email address now (it's on my public key), so you can always email me for more questions
 144 [18:56] <mhall119> or find me in #ubuntu-us-fl just about any time
 145 [18:57] <mhall119> okay, well thank you all for coming, and enjoy your new cryptographic powers!

UserDays/01232010/SeahorseGPG (last edited 2010-01-24 00:27:10 by alderaan)