Install and configure Gnupg & Use Gnupg to encrypt file in PHP

Install and configure Gnupg & Use Gnupg to encrypt file in PHP

I am using FreeBSD 7.0. Now let's start to install Gnupg.

First, use ports to install Gnupg. Create a directory .gnupg in /home/username, Most people said chmod 777 /home/username/.gnupg. (May cause a warning later, chmod 700 recommended)

# cd /usr/ports/security/gnupg # make install clean
Alternatively, you can use pkg_add or sysinstall (text based GUI utility) command to install the same:
$ sudo pkg_add -r -v gnupg

Second, install pinentry.

# cd /usr/ports/security/pinentry # make install clean

Unforturnately, I met some error after a long time wait. It says:

/usr/bin/ld: cannot find -lgio-2.0 gmake: *** [libgiofam.la] Error 1 *** Error code 2 Stop in /usr/ports/devel/gio-fam-backend. *** Error code 1 Stop in /usr/ports/accessibility/atk. *** Error code 1 Stop in /usr/ports/security/pinentry.

I checked /usr/ports/UPDATING, use :

$ less /usr/ports/UPDATING

and search for 20080323 typing "/20080323" (without quotes)

It says:

AFFECTS: users of devel/glib20 and future users of devel/gio-fam-backend AUTHOR: gnome@FreeBSD.org In order to update to glib 2.16 or higher, you must first update the glib20 port on its own or you will get a failure trying to install devel/gio-fam-backend saying it cannot find -lgio-2.0. Portmaster users can do: portmaster glib-2/* or, if you're using portupgrade: portupgrade glib-2/*
       
If you tried both commands above, and they return "portmaster: not found" or "portupgrade: not found", you need to install portmaster or portupgrade from ports.

cd /usr/ports/ports-mgmt/portmaster/ make install clean

then you can run

portmaster glib-2/*

after it finished, continue to run

# cd /usr/ports/security/pinentry # make install clean

You may met another error, it says:

configure: error: pixman >= 0.10.0 is required (http://cairographics.org/releases/) ===> Script "configure" failed unexpectedly. Please run the gnomelogalyzer, available from "http://www.freebsd.org/gnome/gnomelogalyzer.sh", which will diagnose the problem and suggest a solution. If - and only if - the gnomelogalyzer cannot solve the problem, report the build failure to the FreeBSD GNOME team at gnome@FreeBSD.org, and attach (a) "/usr/ports/graphics/cairo/work/cairo-1.6.4/config.log", (b) the output of the failed make command, and (c) the gnomelogalyzer output. Also, it might be a good idea to provide an overview of all packages installed on your system (i.e. an `ls /var/db/pkg`). Put your attachment up on any website, copy-and-paste into http://freebsd-gnome.pastebin.com, or use send-pr(1) with the attachment. Try to avoid sending any attachments to the mailing list (gnome@FreeBSD.org), because attachments sent to FreeBSD mailing lists are usually discarded by the mailing list software. *** Error code 1 Stop in /usr/ports/graphics/cairo. *** Error code 1 Stop in /usr/ports/graphics/cairo. *** Error code 1 Stop in /usr/ports/x11-toolkits/pango. *** Error code 1 Stop in /usr/ports/x11-toolkits/gtk20. *** Error code 1 Stop in /usr/ports/security/pinentry.
It's caused by your pixman's version. Uninstall and install again

cd /usr/ports/x11/pixman/ make deinstall make install clean

After this, you should update to 0.10.0 version.

Retry

# cd /usr/ports/security/pinentry # make install clean

You should success this time. (Please leave the comment if you met some other problems.)

Okay, let's start to configure Gnupg.

First, generate a new key.

$ gpg --gen-key (or /usr/local/bin/gpg) gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection?

GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4[1] creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.

You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG, however, requires that keys be no smaller than 768 bits. Therefore, if Option 1 was chosen and you choose a keysize larger than 1024 bits, the ElGamal key will have the requested size, but the DSA key will be 1024 bits.

DSA keypair will have 1024 bits. ELG keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)

The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed.

Finally, you must choose an expiration date. If Option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)
For most users a key that does not expire is adequate. The expiration time should be chosen with care, however, since although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.

You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.

You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: mini4

Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.

GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.

You need a Passphrase to protect your private key.   

Enter passphrase:

And repeat passphrase.

There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.

To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys.

gpg --list-keys /home/huo/.gnupg/pubring.gpg ------------------------ pub 1024D/E659C6BF 2009-09-17 uid mini4 (test) <hjzdhr@163.com> sub 2048g/34527F1C 2009-09-17 Then import public key: gpg --import sample.asc gpg: key XXXXXXXX: public key imported gpg: Total number processed: 1 gpg: imported: 1

To check the new key, you can rungpg --list-keys   again.

Once a key is imported it should be validated. GnuPG uses a powerful and flexible trust model that does not require you to personally validate each key you import. Some keys may need to be personally validated, however. A key is validated by verifying the key's fingerprint and then signing the key to certify it as a valid key. A key's fingerprint can be quickly viewed with the --fingerprint command-line option, but in order to certify the key you must edit it.

gpg --edit-key sample pub 1024D/9E98BC16 created: 2002-06-04 expires: never trust: -/q sub 1024g/5C8CBD41 created: 2002-06-04 expires: never (1) sample Command> fpr pub 1024D/9E98BC16 1999-06-04 sample Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
            
A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner. If the fingerprint you get is the same as the fingerprint the key's owner gets, then you can be sure that you have a correct copy of the key.

After checking the fingerprint, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key.

Command> sign pub 1024D/9E98BC16 created: 2002-06-04 expires: never trust: -/q Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16 sample Are you really sure that you want to sign this key with your key: "mini4 (test) <hjzdhr@163.com>" Really sign?

Once signed you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.

Command> check uid sample sig! 9E98BC16 2002-06-04 [self-signature] sig! BB7576AC 2009-09-17 mini4 (test) <hjzdhr@163.com>

Now, let's use it in PHP.

$recipient = 'moulton'; putenv("GNUPGHOME=/home/huo/.gnupg"); $secret_file = "/home/vhosts/sample.com/htdocs/test.php"; echo shell_exec("$gpg -a -e -r $recipient $secret_file");


This one will generate an encrypted file named "test.php.asc". Remove the "-a" option, it will generate "test.php.gpg".

If you got nothing generated, and you can generate the encrypted file in shell command. That's the permission issue. You can chmod 644 /home/username/.gnupg/*, but you will get a warning for the gpg.conf.

gpg: WARNING: unsafe permissions on configuration file "/home/username/.gnupg/gpg.conf"

Run chmod 600 gpg.conf

 Another common warning messages is as follows:

gpg: WARNING: unsafe enclosing directory permissions on configuration file "/home/username/.gnupg/gpg.conf"

This message is shown if the file permissions of the directory that contains the configuration file allows others to read its contents. If you see this warning, it is recommended that you execute the following command to change the file permissions:

chmod 700 /home/username/.gnupg

That's all. Really a hard work takes me lots of time to make it worked. Good luck to you guys. Hope this article can help you.

SEE ALSO:
http://www.gnupg.org/gph/en/manual/c14.html
http://centos.org/docs/4/html/rhel-sbs-en-4/s1-gnupg-warnings.html