Symmetric Encryption
- User A sends a password to user B.
- The password is used to encrypt the messages.
- A secure way to share the password is required.
Asymmetric Encryption
- Users A and B have a public key and a private key.
- The public keys are shared, and they are used to encrypt the messages.
- The users can use their private keys to decrypt the messages.
GPG
GPG uses asymmetric encryption to sign, encrypt and decrypt files.
Create a Set of Keys
gpg --full-gen-key
Select ECC (sign and encrypt) - The most secure option
Select default curve
Encrypt a File
gpg --encrypt -r email@example.org <file> # Encrypt with the recipient (-r) key.
Decrypt a File
gpg --decrypt --output <file-output> <file> # Use the private key to decrypt a file.
Encrypt a Message
echo "Very safe message" | --encrypt --armor -r email@example.org
-armorSaves the encrypted info in plain text. (Great for blog posts or copying/pasting)
Decrypt a Message
GPG automatically figures out which private key to use. The encrypted file includes some metadata.
cat encrypted-message.txt | gpg --decrypt
Sign a Message
Uses a public key to sign a message, making sure that the contents are not tampered with.
echo "Very important message" | gpg --clearsign -u email@example.org
-clearsignIs used to sign plain (clear) text.
Sign a File
The signature is embedded in the file
gpg --sign -u email@example.org <file>
The signature is separate from the file
gpg --detach-sign -u email@example.org <file>
Verify Signed message/file
gpg --verify signed-message.txt
# or, if detached
gpg --verify <file.sig> <file>
Import
gpg --import public.pgp
gpg --import private.pgp
# To be able to use the key for encryption, it must be trusted.
gpg --edit-key email@example.com
> trust
> 5
Export
gpg --output public.pgp --armor --export email@example.com
gpg --output private.pgp --armor --export-secret-keys email@example.com
List Keys
gpg --list-keys # Same as gpg -k
gpg --list-secret-keys
Cryptsetup
Cryptsetup manages encrypted volumes using the LUKS standard. It allows you to create, open, and control encrypted partitions or file-based containers.
Encrypted File Container
dd if=/dev/zero of=encrypted.img bs=1M count=100 # Create a 100M container
# Format the file as a LUKS encrypted volume
sudo cryptsetup luksFormat encrypted.img
sudo cryptsetup luksOpen encrypted.img encryptedVolume # Open the container
# Format the volume with an ext4 filesystem
sudo mkfs.ext4 /dev/mapper/encryptedVolume
Mount
sudo mount /dev/mapper/encryptedVolume /mnt/encrypted
Unmount
sudo umount /mnt/encrypted
sudo cryptsetup luksClose encryptedVolume # Close the encrypted container
Encrypted Storage Devices
A Storage Device can be a USB drive, disk, SD card, etc…
If you have access to a desktop environment, you can use the GNOME Disks APP, for example, to create an encrypted partition.
Prepare the Device
- If your device is mounted, unmount all mount points before continuing:
lsblk # List the storage devices available
sudo umount <mount_point>
- Populate the partition with random data to avoid pattern-based encryption attacks: (optional)
This process will WIPE the device and overwrite all data on it! Make sure to back up your files before proceeding.
# Slow, but more random values
sudo dd if=/dev/urandom of=/dev/sdX bs=4K status=progress
# Faster solution, but not as random
sudo badblocks -c 10240 -s -w -t random -v /dev/sdX
- Prepare the partition to encrypt:
In this example, the whole device will be erased and encrypted, but you can also create a separate partition to encrypt, instead of the entire device.
# Clear all partitions
echo ",,;" | sudo sfdisk /dev/sdX
Encrypt the Partition
First, the partition must be formatted with Linux Unified Key Setup (LUKS). LUKS stores metadata at the beginning of the partition which contain the type of encryption and a randomly generated key, encrypted with the passphrase provided to luksFormat.
It’s recommended to use at least 3 random words as the passphrase.
# Format the device
sudo cryptsetup luksFormat /dev/sdX1
# Create a virtual device to manage the encrypted device
sudo cryptsetup luksOpen /dev/sdX1 myusb
# Format the partition using the encrypted device created earlier.
sudo mkfs.ext4 /dev/mapper/myusb -L <label>
sudo cryptsetup luksClose myusb # Close the device
After performing these steps, you may disconnect the drive.
Accessing the Device
When connected the device, your file manager should prompt you for a password. If you are not using a desktop environment, you might have to mount it yourself:
sudo cryptsetup luksOpen /dev/sdX1 myusb
sudo mkdir -p /media/myusb
sudo mount /dev/mapper/myusb /media/myusb
Then, to unmount:
sudo umount /media/myusb
sudo cryptsetup luksClose myusb