Secure Storage and Email
PGP, OpenPGP, GNUPG and True/VeraCrypt
I have always been concerned about the security of data. One aspect which affects many people is having to memorise a large number of PINs and passwords; with all the new opportunities for Internet transactions, we have over 50 of them. It is all very well keeping things at the bank and having sophisticated alarms, but if you still have to keep complex passwords on scraps of paper, or lock up your hard disk when you leave the house, it does not help. It gets even worse when one thinks about the risks to a laptop.
The first and still one of the best encryption tools is PGP. Pretty Good Privacy (PGP) is an application for secure e-mail and file encryption developed by Phil R. Zimmermann. It was originally published as Freeware, and the source code has always been available for public scrutiny. PGP uses a variety of algorithms, such as IDEA, RSA, DSA, MD5 and SHA-1, to provide encryption, authentication, message integrity and key management. There were many problems with the USA government over the strong encryption employed and Phil was nearly locked up. For many years it was illegal to export the electronic code, so the source was printed and then scanned in other countries. Some of the history is still at . It now even has its own official protocol (RFC 1991).
As time has gone on and regulation has been relaxed, PGP has become more commercialised, but a deal was done by Paul that a free version of the basic program would always remain available, and that is still certainly true with version 8, which I am using, and 9, which I have downloaded but not needed to install. For a period it was owned by NAI and was in the McAfee stable, and the free versions disappeared, but they are once more accessible - look for Downloads - PGP Product Trial and read the print carefully and you will find it is still Freeware. This is the solution for email under Windows, but for PGPDisk you are looking at about £63.
Secure Storage: PGP was initially written for secure communications, however my interest has always been more in securing files. Fortunately the versions from 1998 have not only given high quality encryption for email but now also allow you to "mount" a completely secure virtual drive with strong encryption using a passphrase (a passphrase is a group of words used instead of a password for additional security). The extension is called PGPdisk. It can be set to demount if the machine is unused for a given number of minutes (typically 15 minutes) and when you turn off. Once the drive is mounted it seems indistinguishable from a normal drive (I have it set to Z:), you even have to format it before you can use it! You can have several secure virtual drives (called volumes) which can be individually mounted with different passphrases, and several passphrases can be allocated to each drive. This gives total security against not only thieves but also the kids, the partner or, in the case of firms, staff accessing confidential information. The last version which was free with PGPdisk was 6.02i, where the disk package accidentally leaked, and I used that for many years until I changed to Windows XP, which PGPdisk could not use. I have therefore bought a desktop licence for PGP 8.02 to maintain access to my files and use the Free PGP 8.02 on my other Windows machines.
Secure email: PGP uses keys of up to 4096 bits and 128 bit strong encryption in various international standards. This level of encryption can not be broken even by a security agency and should be secure for several decades. There have been a lot of problems with this level of encryption being exported from the USA and eventually a loophole was found: each update has all the source code printed, carried out to Europe and scanned, all 6000 pages of it. The first time a team of 250 volunteers was used, it is now much more automatic. PGP was bought by Network Associates (who also own McAfee) but they still supported free use of the "International" versions, which were up to 6.02i when I installed. They then sold it and it is run by the PGP Corporation. PGP is integrated seamlessly into the clipboard and most standard email packages (other than Netscape) and operating systems. There is a new icon in the tooltray so you can also work on files or the clipboard (encrypt/decrypt and sign/verify and work with keys etc). There are also buttons on the Windows Explorer toolbars and entries on the drop down menus - they can also be added to most standard email packages. The interface is probably the most comprehensive of all the encryption packages I know and will cover here.
What are Public and Private Keys? Secure email needs cooperation between the parties, and the information needed to encode and decode is called Keys - the longer the keys the higher the security - PGP can use keys of up to 4096 bits. When you want to be able to receive secure email you give people copies of your Public Key, which anybody sending email to you can use to encrypt it. The key does not enable anyone to decode it - only you have the Private Key used for decryption. When you want to send email you first have to get a copy of the recipient's Public Key, which he can email to you or may well have on his web site or a Key Server where you can search by name or email address. When you have collected it you can add it to your Key Ring and associate it with his email address. We have not added our Public Key to a Key Server yet - we will probably eventually add it to the PGP Key Server when we are sure we are stable. Creating the keys was easy and we have made a backup to a floppy which will live in the Bank strong box. When I exported my Public Key it looked just like an ASCII file full of random characters and has a .asc file type which is now associated with PGP - a recipient running PGP just clicks on it and it asks which Key Ring to add it to.
PGP Documentation and Installation: This can only be an overview of a very powerful utility which seems to have been thought through. There are many additional things you can do, including deleting files so they can not be recovered and clearing all the unused disk space of fragments of information. I do not have the time to cover all these or go into the background, so it is well worth having a look at PGP Corporation where there is a series of manuals and background documentation.
Impressions: I have been using it now for over 7 years on many of my machines, primarily for the secure drive facility (PGPdisk), and my impressions are very favourable. It is very quick to "mount" the secure drive, after which you can work as normal on the Z: drive or whichever letter you have chosen. If you set up short cuts to your files or whatever, you quickly get reminded when the programs can not find the file or drive. It only took 25 seconds to mount my secure drive when I just tried it, most of which was entering my long passphrase.
I have experimented with email and again it was all fairly obvious - once the buttons have been clicked they remain down until you send and then you are asked to select the recipients public key from your keyring and the message is encrypted and signed by you entering your passphrase. Decrypting is a single click and passphrase entry and the message is in clear. You can save the changes or just close it and leave it encrypted. Sending or receiving an encrypted message probably takes an extra minute which seems quite acceptable.
Since the sections above were written a lot has happened over and above what I have edited in. PGP in its initial form was completely open, and the PGP Corporation which took over from NAI once more respects its background and provides source code for inspection. The Open Source movement also became involved and the OpenPGP Alliance was formed to protect PGP when it fell into the hands of NAI. The result is that OpenPGP is now the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 2440. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.
As those who have come to the page from my Fun with Ubuntu Linux pages will know, I have seen the light and am escaping from the security nightmare of Microsoft Windows and am shifting to Ubuntu Linux for all mobile activities and most serious work at home. An early priority was to investigate encryption under [Ubuntu] Linux. In the same way that OpenPGP use on Windows machines is still dominated by the original PGP, now provided in Free and paid versions by PGP Corporation, Linux has GNUPG. The GNU Privacy Guard is fully OpenPGP compliant, supports most of the optional features and provides some extra features. GNUPG is used as the standard encryption and signing tool included in all significant GNU/Linux distributions and offers a superset of the usual PGP standard, but with defaults that are compatible with the encryption levels available in PGP 8 which we are using. GNUPG is in fact freely available not only for GNU/Linux and nearly all other Unix systems but also for Microsoft Windows and some other operating systems. As a GNU program it can be used commercially or non-commercially without any costs.
The basic access is through the gpg program, which operates in terminal mode. To show that terminal access is not that bad I have included some examples. The following encrypts and decrypts files on the desktop in a way compatible with PGP, i.e. with the .pgp extension - the default action gives a file with a .gpg extension added. Options such as --output have to come before the command and the file name.
gpg --output ~/Desktop/homewine.htm.pgp --encrypt ~/Desktop/homewine.htm
gpg --output ~/Desktop/homewine.htm --decrypt ~/Desktop/homewine.htm.pgp
The above - for clarity - used the long format for the commands and, for example, the encryption can be done with just
gpg -o ~/Desktop/homewine.htm.pgp -e ~/Desktop/homewine.htm
gpg -e ~/Desktop/homewine.htm
where the second form will encrypt into homewine.htm.gpg on the desktop
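The public/private key exchange described earlier, carried through with gpg so that both sides are visible. This is an added example, not the author's commands; the two scratch keyrings, the address and the empty passphrase are constructed for the demonstration, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: two throwaway keyrings stand in for the two parties.
# The name, address and empty passphrase are constructed for the demo.
ADDR=recipient@example.invalid

# Run gpg non-interactively against one party's keyring directory.
gpg_as() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Carry out the exchange in scratch directory $1.
# Succeeds only if the recipient can read the message and the sender cannot.
exchange() {
    w=$1
    mkdir -m 700 "$w/sender" "$w/recipient" || return 1
    # Recipient: create a key pair, export only the public half as .asc.
    gpg_as "$w/recipient" --quick-generate-key "Recipient <$ADDR>" \
        default default never || return 1
    gpg_as "$w/recipient" --armor --output "$w/recipient.asc" \
        --export "$ADDR" || return 1
    # Sender: add the public key to the key ring and encrypt to it.
    # --trust-model always skips the trust check, acceptable only in a demo.
    gpg_as "$w/sender" --import "$w/recipient.asc" || return 1
    printf 'meet at noon\n' > "$w/note.txt"
    gpg_as "$w/sender" --trust-model always --recipient "$ADDR" \
        --output "$w/note.txt.pgp" --encrypt "$w/note.txt" || return 1
    # Recipient holds the private key, so decryption works here...
    plain=$(gpg_as "$w/recipient" --decrypt "$w/note.txt.pgp" 2>/dev/null)
    [ "$plain" = 'meet at noon' ] || return 1
    # ...but not from the sender's keyring, which has only the public key.
    if gpg_as "$w/sender" --decrypt "$w/note.txt.pgp" >/dev/null 2>&1; then
        return 1
    fi
}

# Wrapper that always removes the scratch keyrings and stops their agents.
key_exchange_demo() {
    scratch=$(mktemp -d) || return 1
    rc=0
    exchange "$scratch" || rc=$?
    for h in sender recipient; do
        gpgconf --homedir "$scratch/$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$scratch"
    return "$rc"
}

# Run the demo only when asked: sh keydemo.sh run
if [ "${1:-}" = run ]; then
    key_exchange_demo && echo "recipient could decrypt; sender could not"
fi
```

On a real key ring you would check the fingerprint of an imported key with its owner instead of using --trust-model always.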
Most Windows users feel that even simple command line operations are a retrograde step, whilst forgetting they are still integral in Windows for any system work. Linux users tend to like command line operation in many cases, and even converts from Windows like myself have to admit it often makes things quicker and more flexible. For those who want to avoid using a terminal, a GUI interface to gpg has been written called Seahorse (which can be installed by Add/Remove on Ubuntu), which certainly makes the creation and management of keys much easier than using gpg directly. It also adds facilities into the text editor and file browser. One only has to right click on a file to get to an encryption option, and there are encryption/decryption options in the text editor which work fine, as does the GUI programme to create and manage keys. Double clicking on a .gpg file brings up the screens to open it, but there seems to be a problem in Seahorse 8.1 or Ubuntu Dapper Drake which prevents the same for .pgp files, although they were equally acceptable elsewhere. After a bit of searching and playing about I realised that, as it worked when the .gpg extension was used, it was a simple job to add the same program as an option for opening .pgp files, namely seahorse --decrypt, using the right click menu on a .pgp file -> Open with other application -> Use a Custom Command and filling in the box with seahorse --decrypt .
In the same way as Outlook has options built into it by PGP, Evolution has built in encryption and signing for emails using keys created in terminal mode or managed by Seahorse. Full details of how to set it up and use it are in the Evolution help files. Regrettably, there is currently no support in Thunderbird under Windoz or Linux.
The other feature which is required for looking after data securely is a way to erase files without traces. It is no good being able to encrypt a file if you can not delete the original or working copies. PGP under Windows offers a Secure Delete option. Linux has a built in command, shred, which writes over the selected data in multiple passes before the file is deleted, to make a read based on residual information at the edges of the magnetic tracks almost impossible. This is not foolproof for all file systems and programs, as temporary copies may be made and modern file systems do not always write data in the same place; however, on an ext2 or ext3 system with the default settings in Ubuntu Linux it is acceptable. Do a man shred to find out more.
This section originated on my Fun with Ubuntu Linux pages and has been lifted and dropped here for completeness - it should work on all Linux distributions as it is actually all very basic stuff when you look closely although it is very useful.
There is no GUI interface for shred, so I used this as an excuse to write a simple script. This took a few evenings to get up the learning curve of programming in the scripting language called bash and to learn more of how the system was set up, which will pay off handsomely in the future. A good place to start on scripting is LinuxCommand.org: Learning the shell. The important piece of information is that the addition of a path to a /bin directory is set in Ubuntu Linux in .bashrc, not .bash_profile as is described in some places. Also note that files starting with a . are hidden - use View -> Hidden Files in the File browser to find them. The lines I added were:
# Additions to the standard ~/.bashrc file to set up path to
# /bin directory in home folder
I then had a folder in which to put script files which could be accessed from any directory. My first script to shred a file follows - if you want to follow it in detail remember that man any_command gives a summary of what it does and its options:
The reads at the end of each part are necessary to prevent the Terminal Window closing before you have seen what happens.
The script files must be given the correct permissions by
The last step is to create a launcher on the desktop which can also be dragged onto the bars. Right click anywhere on the desktop -> Create Launcher Fill in a name; browse to the ~/bin directory and script name; tick run in terminal; add an icon if required and that is it. The Launcher can also be dragged onto the panel.
It all sounds very simple but it took me a while to get scripting together the first time despite having done some programming in my time.
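A wrapper of the kind described in this section, written here as an added example and not the author's own script. The file name shredfile, the PATH line and the chmod command in the comments are assumptions about the setup, and the filesystem check relies on GNU stat.

```shell
#!/bin/sh
# Added example: a small wrapper around shred, meant to live in ~/bin.
# Assumed setup (not the page's own lines):
#   in ~/.bashrc:   PATH="$HOME/bin:$PATH"
#   once:           chmod u+x ~/bin/shredfile

# Keep the terminal window open when started from a desktop launcher.
pause() {
    if [ -t 0 ]; then
        printf 'Press Enter to close... '
        read -r reply
    fi
}

# Print the type of the filesystem holding $1 (GNU stat), or "unknown".
# GNU stat reports ext2, ext3 and ext4 alike as "ext2/ext3".
fs_type() {
    stat -f -c %T -- "$1" 2>/dev/null || echo unknown
}

# Overwrite and remove one file.
# Returns 0 on success, 1 if the target is unsuitable, 2 if shred failed.
shred_file() {
    target=$1
    # A symlink or directory is refused rather than followed.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "skipped (not a regular file): $target" >&2
        return 1
    fi
    case $(fs_type "$target") in
        ext2/ext3) ;;   # the case the page describes as acceptable
        *) echo "warning: in-place overwrite is not guaranteed on this filesystem" >&2 ;;
    esac
    # -u remove after overwriting, -z final pass of zeros, -v show progress
    shred -u -z -v -- "$target" || return 2
}

# Entry point: shred every file named on the command line, then pause.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        shred_file "$f" || rc=$?
    done
    pause
    exit "$rc"
else
    echo "usage: shredfile FILE..." >&2
fi
```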
I have used Truecrypt on all my machines and, despite the well documented shock withdrawal by the authors, it was still well regarded and safe. See https://www.grc.com/misc/truecrypt/truecrypt.htm. There are many conspiracy theories about its sudden withdrawal, based round the fact that the security services could not crack it. Fortunately it has now been forked and continues as Open Source with enhanced security as VeraCrypt. There is the transcript of a podcast by Steve Gibson which covers the security testing and his views on changing to VeraCrypt at https://www.grc.com/sn/sn-582.htm and he now supports the shift. VeraCrypt is arguably now the most popular disk encryption software over all machines and I have shifted on most of my machines. VeraCrypt can continue to use Truecrypt vaults and also has an improved but very compatible format of its own.
It creates a Virtual Disk with the contents encrypted into a single file or onto a disk partition or removable media such as a USB stick. The encryption is all on the fly so you have a file, you mount it as a disk and from then on it is used just like a real disk and everything is decrypted and re-encrypted invisibly in real time. The virtual Drive is unmounted automatically at close down and one should have closed all the open documents using the Virtual Drive by that point just like when you shut down normally. The advantage is that you never have the files copied onto a real disk so there are no shadows or temporary files left behind and one does not have to do a secure delete.
Truecrypt and its replacement VeraCrypt obviously install deep into the operating system in order to encrypt and decrypt invisibly on the fly. This has meant in the past that it was specific to a Linux Kernel and had to be recompiled/installed every time a Kernel was updated. Fortunately it can be downloaded as an installer in both 32 and 64 bit versions – make sure you get the correct version.
The VeraCrypt installers for Linux are now packed into a single compressed file, typically veracrypt-1.21-setup.tar.gz. Just download it, double click to open the archive and drag the appropriate installer, say veracrypt-1.21-setup-gui-x64, to the desktop, then double click it and click 'Run in Terminal' to run the installer script.
This Linux version of Vera/TrueCrypt has a GUI interface almost identical to that in Windows. It can be run from the standard menu, although with Cinnamon you may need to do a Cinnamon or full restart before it is visible. It can also be run by just typing veracrypt in a terminal. It opens virtual disks which are placed on the desktop. Making new volumes (encrypted containers) is now trivial – just use the wizard. Old files can be opened but it is best to create a new volume and copy the contents across. This is now a very refined product under Linux.
The only feature I have found is that one has to have administrative privileges to mount one's volumes. This means that one is asked for one's administrative password on occasions as well as the volume password. There is a way round this by providing additional 'rights' specific to just this activity to a user (or group) by additions to the sudoers file. There is information on the Sudoers file and editing it at:
Because sudo is such a powerful program you must take care not to put anything formatted incorrectly in the file. To prevent any incorrect formatting getting into the file you should edit it using the command visudo run as root or by using sudo ( sudo visudo ). The default editor for visudo has changed to vi, a terminal editor, which is close to incomprehensible at least to those used to Windows, so it is fortunate we only have a single line to add!
You launch visudo in a terminal
There are now two ways to proceed. If you have a lot of users then it is worth creating a group, changing veracrypt to be a member of that group and adding all the users that need veracrypt to that group. You then use sudoers to give group members the 'rights' to use it without a password. See:
If you only have one or two users then it is easier to give them individual rights by adding a line(s) to the configuration file by launching visudo in a terminal and appending one of the following lines for either a single user (replace USERNAME with your username) or a group called veracrypt (the last option is brute force and gives everyone access) :
USERNAME ALL = (root) NOPASSWD:/usr/bin/veracrypt
%veracrypt ALL = (root) NOPASSWD:/usr/bin/veracrypt
Type the line carefully and CHECK - there is no cut and paste into visudo.
Save with Ctrl O and exit with Ctrl X - if there are errors there will be a message in the terminal and a request for what to do.
I have used it both the simple way and by creating a group called truecrypt or veracrypt.
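One way to follow the "type carefully and CHECK" advice without editing the main file by hand is to build the rule in a scratch file, have visudo parse it, and only then install it as a drop-in. This is an added example, not the author's procedure; the drop-in name /etc/sudoers.d/veracrypt is an assumption, as is a sudoers file that includes the /etc/sudoers.d directory.

```shell
#!/bin/sh
# Added example: build and syntax-check a sudoers rule for VeraCrypt
# before installing it. VC_BIN is the path used on this page; the
# drop-in file name below is an assumption.
VC_BIN=/usr/bin/veracrypt

# Print the rule for a user ("alice") or a group ("%veracrypt").
# Names with anything but letters, digits, '_', '.' and '-' are refused,
# so a stray space or comma cannot turn into extra sudoers syntax.
make_rule() {
    who=$1
    name=${who#%}                      # strip the leading % of a group
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "bad name: $who" >&2; return 1 ;;
    esac
    printf '%s ALL = (root) NOPASSWD:%s\n' "$who" "$VC_BIN"
}

# Check a candidate file with visudo's own parser (-c check only,
# -f the file to check); non-zero means a syntax error.
check_rule_file() {
    visudo -c -f "$1" >/dev/null
}

# Validate first, then install with the owner and mode sudo expects.
install_rule() {
    tmp=$(mktemp) || return 1
    status=0
    { make_rule "$1" > "$tmp" && check_rule_file "$tmp" &&
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/veracrypt
    } || status=$?
    rm -f "$tmp"
    return "$status"
}

# Run as root, for example: sh veracrypt-sudoers.sh %veracrypt
if [ "$#" -eq 1 ]; then
    install_rule "$1"
fi
```

A NOPASSWD rule lets the named user or group run veracrypt as root without a prompt, so list only accounts you would trust with administrative access.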
The combination of techniques above keeps my data and email communications secure on the desktop and whilst mobile under Windows and Linux. I have found a similar program to Truecrypt which runs on my XDA Exec Pocket PC called Cryptainer PPC LE, an encryption program providing a virtual encrypted and compressed drive of up to 2 Mbytes in its free version for the Pocket PC. The matching free Windows version is limited to 25 Mbyte containers and it is not available for Linux, hence my choice at the time of TrueCrypt. If you only have Windows and Pocket PCs then you should try both as it may be a better choice for you.