GnuPG



Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Debian, GnuPG, MITM: man-in-the-middle, web of trust



pages: 274 words: 58,675

Puppet 3 Cookbook by John Arundel

Amazon Web Services, cloud computing, continuous integration, Debian, defense in depth, DevOps, don't repeat yourself, GnuPG, Larry Wall, place-making, Ruby on Rails, web application

- Installs the Percona APT key with which the packages are signed
- Configures the Percona repo URL as a file in /etc/apt/sources.list.d
- Runs apt-get update to retrieve the repo metadata
- Adds an APT pin configuration in /etc/apt/preferences.d

First of all, we install the APT key:

    exec { 'add-percona-apt-key':
      unless  => '/usr/bin/apt-key list |grep percona',
      command => '/usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add -',
      notify  => Exec['percona-apt-update'],
    }

The unless parameter checks the output of apt-key list to make sure that the Percona key is not already installed, in which case we needn't do anything. Assuming it isn't, the command runs:

    /usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add -

This command retrieves the key from the GnuPG keyserver, exports it in ASCII-armored format, and pipes this into the apt-key add command, which adds it to the system keyring.

Similarly, if you're using a distributed Puppet setup like that described in Chapter 1, Puppet Infrastructure, every machine has a copy of the whole repo, including secrets for other machines that it doesn't need and shouldn't have. How can we prevent this?

One answer is to encrypt the secrets using the GnuPG tool, so that any secret information in the Puppet repo is undecipherable (for all practical purposes) without the appropriate key. Then we distribute the key securely to the people or machines who need it.

Getting ready

First you'll need an encryption key, so follow these steps to generate one. If you already have a GnuPG key that you'd like to use, go on to the next section:

1. Run the following command. Answer the prompts as shown, except to substitute your name and e-mail address for mine.

First, we've created a custom function to allow Puppet to decrypt the secret files using GnuPG:

    module Puppet::Parser::Functions
      # Define a parser function named "secret" that returns a value (:rvalue).
      newfunction(:secret, :type => :rvalue) do |args|
        # args[0] is the path of the encrypted file; gpg decrypts it with the
        # private key held in the keyring of the user running Puppet.
        `gpg --no-tty -d #{args[0]}`
      end
    end

The preceding code creates a function named secret that takes a file path as argument, and returns the decrypted text. It doesn't manage encryption keys, so you need to ensure that the ubuntu user has the necessary key installed. You can check this with:

    ubuntu@cookbook:~/puppet$ gpg --list-secret-keys
    /home/ubuntu/.gnupg/secring.gpg
    -------------------------------
    sec   2048R/46055037 2013-05-06
    uid                  John Arundel <john@bitfieldconsulting.com>
    ssb   2048R/D5B0735B 2013-05-06

Having set up the secret function and the required key, we now encrypt a message to this key:

    ubuntu@cookbook:~/puppet$ gpg -e -r john@bitfieldconsulting.com /home/ubuntu/secret_message

This creates an encrypted file which can only be read by someone with access to the secret key (or Puppet running on a machine which has the secret key).


Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis

business process, Debian, defense in depth, GnuPG, index card, indoor plumbing, Larry Wall, MITM: man-in-the-middle, optical character recognition, publish or perish, RFC: Request For Comment, Richard Stallman, SETI@home, slashdot, two and twenty, web application

The first time you ever run GPG, it will probably say this:

    [bubba@mars bubba]$ gpg --gen-key
    gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    gpg: /home/bubba/.gnupg: directory created
    gpg: /home/bubba/.gnupg/options: new options file created
    gpg: you have to start GnuPG again, so it can read the new options file

Unless your system administrator has a .gnupg directory set up for new accounts automatically, GPG must create a .gnupg directory and set it up with default configurations and empty private and public keyrings.

For these two tasks, encryption and authentication/authorization, we'll use another very handy Linux tool, GnuPG.

Securing Everything

We are now entering the part of this chapter where it starts to get really funky. Encryption and digital signatures are not new, but when it comes to your use of this technology, you might be new to it and not quite sure of how to go about using it. Don't panic! Chapter 10, Secure Your E-Mail with GPG, discusses everything you need to know about GnuPG.

Using GnuPG to Handle Authorizations

One small problem with this version of the e-mail console is that anyone is able to send an e-mail to your system and execute commands from your user account.

Your private keys are kept in secring.gpg, and your public key and the public keys of any of your correspondents are in pubring.gpg. The other file in the .gnupg directory is options. This file may be modified to change the default settings for GPG. In its default state, it is configured to interoperate with the commercial PGP 5 software. I recommend leaving these defaults alone until the whole world wakes up and starts using GPG instead!

Once the .gnupg directory is set up, you generate a key as follows:

    [bubba@mars bubba]$ gpg --gen-key
    gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.


pages: 678 words: 159,840

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaal Hertzog, Roland Mas

bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, zero day, Zimmermann PGP

    [...]
    $ dpkg -c /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb
    drwxr-xr-x root/root         0 2013-01-02 19:28 ./
    drwxr-xr-x root/root         0 2013-01-02 19:28 ./usr/
    drwxr-xr-x root/root         0 2013-01-02 19:28 ./usr/share/
    drwxr-xr-x root/root         0 2013-01-02 19:28 ./usr/share/doc/
    drwxr-xr-x root/root         0 2013-01-02 19:28 ./usr/share/doc/gnupg/
    -rw-r--r-- root/root      3258 2012-01-20 10:51 ./usr/share/doc/gnupg/TODO
    -rw-r--r-- root/root       308 2011-12-02 18:34 ./usr/share/doc/gnupg/FAQ
    -rw-r--r-- root/root      3543 2012-02-20 18:41 ./usr/share/doc/gnupg/Upgrading_From_PGP.txt
    -rw-r--r-- root/root       690 2012-02-20 18:41 ./usr/share/doc/gnupg/README.Debian
    -rw-r--r-- root/root      1418 2012-02-20 18:41 ./usr/share/doc/gnupg/TODO.Debian
    [...]
    $ dpkg -I /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb
     new debian package, version 2.0.
     size 1952176 bytes: control archive=3312 bytes.
        1449 bytes,    30 lines      control
        4521 bytes,    65 lines      md5sums
         479 bytes,    13 lines   *  postinst             #!/bin/sh
         473 bytes,    13 lines   *  preinst              #!/bin/sh
     Package: gnupg
     Version: 1.4.12-7
     Architecture: amd64
     Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
     Installed-Size: 4627
     Depends: libbz2-1.0, libc6 (>= 2.4), libreadline6 (>= 6.0), libusb-0.1-4 (>= 2:0.1.12), zlib1g (>= 1:1.1.4), dpkg (>= 1.15.4) | install-info, gpgv
     Recommends: libldap-2.4-2 (>= 2.4.7), gnupg-curl
     Suggests: gnupg-doc, xloadimage | imagemagick | eog, libpcsclite1
     Section: utils
     Priority: important
     Multi-Arch: foreign
     Homepage: http://www.gnupg.org
     Description: GNU privacy guard - a free PGP replacement
      GnuPG is GNU's tool for secure communication and data storage.
      It can be used to encrypt data and to create digital signatures.
      It includes an advanced key management facility and is compliant
      with the proposed OpenPGP Internet standard as described in RFC 4880.
    [...]

GOING FURTHER Comparison of versions

Since dpkg is the program for handling Debian packages, it also provides the reference implementation of the logic of comparing version numbers.


pages: 562 words: 153,825

Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman

4chan, A Declaration of the Independence of Cyberspace, active measures, Anton Chekhov, bitcoin, Cass Sunstein, cloud computing, corporate governance, crowdsourcing, data acquisition, Debian, desegregation, Donald Trump, Edward Snowden, financial independence, Firefox, GnuPG, Google Hangouts, informal economy, Jacob Appelbaum, job automation, Julian Assange, MITM: man-in-the-middle, national security letter, planetary scale, private military company, ransomware, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, Seymour Hersh, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, telepresence, undersea cable, web of trust, WikiLeaks, zero day, Zimmermann PGP

even experts foundered: Disheartening proof is easy to find in the GnuPG-users listserv, an email forum populated exclusively by geeks, where hundreds of thousands of words have been spilled on the software’s mysteries. See the GnuPG-users Archives, http://lists.gnupg.org/pipermail/gnupg-users/.

manual could swallow: The horror classic runs to about twenty-five thousand words. GPG boasts a sixteen-thousand-word manual and eleven thousand words of “frequently asked questions.” See Robert Louis Stevenson, The Strange Tale of Dr. Jekyll and Mr. Hyde, www.gutenberg.org/files/42/42.txt; “The GNU Privacy Handbook,” www.gnupg.org/gph/en/manual.html; and “GNUPG FREQUENTLY ASKED QUESTIONS,” www.gnupg.org/faq/gnupg-faq.txt.

GPG, the gold standard of email and file encryption: GPG, also known as Gnu Privacy Guard and GnuPG, is a free, open-source implementation of the encryption standard pioneered by Phil Zimmermann in the commercial software package called Pretty Good Privacy, or PGP. (Already we have four names for the same basic product, five if we add OpenPGP.) The original author of GPG remains sole custodian of the code. He marked its first decade in a post to an email listserv, archived here: Werner Koch, “GnuPG’s 10th birthday,” December 20, 2007, https://lists.gnupg.org/pipermail/gnupg-announce/2007q4/000268.html. See also Julia Angwin, “The World’s Email Encryption Software Relies on One Guy, Who Is Going Broke,” ProPublica, February 5, 2015, http://propub.li/223gPN8.

After drafting this comparison, I found a fine blog post with a similar comparison to the forty-thousand-word novel Fahrenheit 451. See Moxie Marlinspike, “GPG and Me,” February 4, 2015, www.thoughtcrime.org/blog/gpg-and-me/.

Even the commercial PGP software, which had a friendly graphical interface, was baffling to ordinary users. In a controlled test with a dozen beginners, three accidentally made public their secret encryption keys (which defeated the main protection of PGP), all twelve disregarded instructions to choose a complex passphrase, one forgot her passphrase, and one never managed to send an encrypted message at all.


pages: 422 words: 104,457

Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance by Julia Angwin

AltaVista, Ayatollah Khomeini, barriers to entry, bitcoin, Chelsea Manning, Chuck Templeton: OpenTable:, clean water, crowdsourcing, cuban missile crisis, data is the new oil, David Graeber, Debian, disinformation, Edward Snowden, Filter Bubble, Firefox, Garrett Hardin, GnuPG, Google Chrome, Google Glasses, Ida Tarbell, informal economy, Jacob Appelbaum, John Markoff, Julian Assange, Marc Andreessen, market bubble, market design, medical residency, meta-analysis, mutually assured destruction, Panopticon Jeremy Bentham, prediction markets, price discrimination, randomized controlled trial, RFID, Robert Shiller, Ronald Reagan, security theater, Silicon Valley, Silicon Valley startup, Skype, smart meter, Steven Levy, Tragedy of the Commons, Upton Sinclair, WikiLeaks, Y2K, zero-sum game, Zimmermann PGP

“I think that might be why I’m into data”: Ibid.

13. LONELY CODES

First, I downloaded free encryption software: “The GNU Privacy Guard,” Free Software Foundation, Inc., http://gnupg.org/.

a program called Enigmail: “A Simple Interface to OpenPGP Email Security,” The Enigmail Project, https://www.enigmail.net/home/index.php.

designed to run with: GnuPG, “GnuPG Frequently Asked Questions,” http://www.gnupg.org/faq/GnuPG-FAQ.html.

The Postbox support page said: Postbox, Inc., “Extending Postbox,” http://www.postbox-inc.com/extensions.

The Enigmail support forums said: SourceForge, Inc., “PostBox 3.0.7 and Enigmail 1.2.3 Freezing Problem” (forum), http://sourceforge.net/p/enigmail/forum/support/thread/bfd56f75/?

It turned out he was: Evan Schoenberg, in discussion with author, November 25, 2012.

When the antinuclear activist Phil Zimmermann: Phil Zimmermann, “Creator of PGP and Zfone: Background,” Philzimmermann.com (personal blog), http://www.philzimmermann.com/EN/background/index.html.

The software I was using: “The GNU Privacy Guard,” GnuPG, http://gnupg.org/.

On March 9, 1993, Eric Hughes published: Eric Hughes, “A Cypherpunk’s Manifesto,” March 9, 1993, http://www.activism.net/cypherpunk/manifesto.html.

The U.S. Customs Service began investigating whether: Phil Zimmermann, “Testimony of Philip R. Zimmermann to the Subcommittee on Science, Technology, and Space of the US Senate Committee on Commerce, Science, and Transportation,” philzimmermann.com (personal blog), June 26, 1996, http://www.philzimmermann.com/EN/testimony/.

Later, at a conference after-party, I lamented my GPG incompetence to David Robinson, a law and technology consultant who helped found Princeton University’s Center for Information Technology Policy. Robinson showed me a website that made me feel better. It was the personal website of Karl Fogel, a leading software developer. It displayed his public key and this disclaimer: “I don’t trust my ability to use GnuPG.… Guarding against [possible attacks on GPG] would require constant vigilance, and I’m not up to the task. Therefore, if it’s important that your message to me be truly secret, please contact me before you send it, and we’ll work something out.” * * * The fatal flaw of public key encryption is that it relies on individuals to protect their keys.


PostgreSQL Cookbook by Chitij Chauhan

database schema, Debian, fault tolerance, GnuPG, Google Glasses, index card

The following are a series of steps that are used to demonstrate the usage of public and private key pairs to encrypt and decrypt data using the previously described functions:

First, create the table in which you are going to store data:

CREATE TABLE testuserscards(
  card_id SERIAL PRIMARY KEY,
  username varchar(100),
  cc bytea
);

Next, insert records in the table and encrypt the data (the armored key needs the blank line after its Version: header, otherwise dearmor rejects it):

INSERT INTO testuserscards(username, cc)
SELECT robotccs.username, pgp_pub_encrypt(robotccs.cc, keys.pubkey) As cc
FROM (VALUES ('robby', '41111111111111111'),
             ('artoo', '41111111111111112')
     ) As robotccs(username, cc)
CROSS JOIN (SELECT dearmor('
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n
vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke
5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO
RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij
8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl
Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt
J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/
T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5
0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy
MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq
or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9
AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX
MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/
QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN
gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ
LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11
k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC
bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR
Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R
QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF
Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A
Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI
6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5
1kNTmEU=
=8QM5
-----END PGP PUBLIC KEY BLOCK-----
') As pubkey) As keys;

You might then see the records in the table:

SELECT username, cc FROM testuserscards;

Now, you can use pgp_key_id to verify which public key you used to encrypt your data:

SELECT pgp_key_id(dearmor('
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n
vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke
5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO
RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij
8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl
Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt
J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/
T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5
0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy
MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq
or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9
AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX
MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/
QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN
gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ
LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11
k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC
bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR
Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R
QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF
Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A
Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI
6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5
1kNTmEU=
=8QM5
-----END PGP PUBLIC KEY BLOCK-----'));

The output of this query shows that the following public key was encrypting data:

    pgp_key_id
------------------
 2C226E1FFE5CC7D4
(1 row)

The next step is to verify whether the public key that you got was used to encrypt the data in the table:

hrdb=# SELECT username, pgp_key_id(cc) As keyweused FROM testuserscards;
 username |    keyweused
----------+------------------
 robby    | 2C226E1FFE5CC7D4
 artoo    | 2C226E1FFE5CC7D4

Finally, decrypt the data using the private key that matches the public key you used to encrypt the data with:

SELECT username, pgp_pub_decrypt(cc, keys.privkey) As ccdecrypt
FROM testuserscards
CROSS JOIN (SELECT dearmor('-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

lQG7BELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n
vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke
5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO
RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij
8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl
Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt
J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/
T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5
0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6awAAn2F+iNBElfJS
8azqO/kEiIfpqu6/DQG0I0VsZ2FtYWwgMjA0OCA8dGVzdDIwNDhAZXhhbXBsZS5v
cmc+iF0EExECAB4FAkLIIgoCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQSOnN
Vv6maNvTwwCYkpcJmpl3aHCQdGomz7dFohDgjgCgiThZt2xTEi6GhBB1vuhk+f55
n3+dAj0EQsgiIhAIAJI3Gb2Ehtz1taQ9AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D
29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMXMhoWyw8ZF5Zs1mLIjFGVorePrm94N3MN
PWM7x9M36bHUjx0vCZKFIhcGY1g+htE/QweaJzNVeA5z4qZmik41FbQyQSyHa3bO
kTZu++/U6ghP+iDp5UDBjMTkVyqITUVNgC+MR+da/I60irBVhue7younh4ovF+Cr
VDQJC06HZl6CAJJyA81SmRfi+dmKbbjZLF6rhz0norPjISJvkIqvdtM4VPBKI5wp
gwCzpEqjuiKrAVujRT68zvBvJ4aVqb11k5QdJscAAwUH/jVJh0HbWAoiFTe+Nvoh
frA8vPcD0rtU3Y+siiqrabotnxJd2NuCbxghJYGfNtnx0KDjFbCRKJVeTFok4Unu
VYhXdH/c6i0/rCTNdeW2D6pmR4GfBozRPw/ARf+jONawGLyUj7uq13iquwMSE7Vy
NuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0RQsetMq/iNBWraayKZnWUd+eQqNzE+NUo
7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiFZ1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qun
fGW00ZMMTCWabg0ZgxPzMfMeIcm6525AYn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/R
dWYAAVQKFPXbRaxbdArwRVXMzSD3qj/+VwwhwEDt8zmBGnlBfwVdkjQQrDUMmV1S
EwyISQQYEQIACQUCQsgiIgIbDAAKCRBI6c1W/qZo25ZSAJ4sgUfHTVsG/x3p3fcM
3b5R86qKEACggYKSwPWCs0YVRHOWqZY0pnHtLH8=
=3Dgk
-----END PGP PRIVATE KEY BLOCK-----') As privkey) As keys;

 username |     ccdecrypt
----------+-------------------
 robby    | 41111111111111111
 artoo    | 41111111111111112
(2 rows)

There's more...


Producing Open Source Software: How to Run a Successful Free Software Project by Karl Fogel

active measures, AGPL, barriers to entry, Benjamin Mako Hill, collaborative editing, continuous integration, corporate governance, Debian, Donald Knuth, en.wikipedia.org, experimental subject, Firefox, GnuPG, Hacker Ethic, Internet Archive, iterative process, Kickstarter, natural language processing, patent troll, peer-to-peer, pull request, revision control, Richard Stallman, selection bias, slashdot, software as a service, software patent, SpamAssassin, web application, zero-sum game

Approval is not simply a matter of inspecting the release for obvious flaws; ideally, the developers download the package, build and install it onto a clean system, run the regression test suite (see the section called “Automated testing” in Chapter 8, Managing Participants), and do some manual testing. Assuming it passes these checks, as well as any other release checklist criteria the project may have, the developers then digitally sign each container (the .tar.gz file, .zip file, etc) using GnuPG (gnupg.org), PGP (pgpi.org), or some other program capable of producing PGP-compatible signatures. In most projects, the developers just use their personal digital signatures, instead of a shared project key, and as many developers as want to may sign (i.e., there is a minimum number, but not a maximum).

That is, the qualification for receiving pre-notification is threefold: the recipient must run a large, important service where a compromise would be a serious matter; the recipient must be known to be someone who won't blab about the security problem before the go-public date; and you must have a way (such as via GnuPG-encrypted email) to communicate securely with the recipient, so that any eavesdroppers between you and your recipient can't read the message.[67] Pre-notification should be done via secure means. If email, then encrypt it, for the same reasons explained in the section called “Receive the report”, but if you have a phone number or other out-of-band secure way to contact the administrator, use that.


pages: 549 words: 134,988

Pro Git by Scott Chacon, Ben Straub

Chris Wanstrath, continuous integration, creative destruction, Debian, distributed revision control, GnuPG, pull request, remote working, revision control, web application

If you decide to sign the tag as the maintainer, the tagging may look something like this:

$ git tag -s v1.5 -m 'my signed 1.5 tag'
You need a passphrase to unlock the secret key for
user: "Scott Chacon <schacon@gmail.com>"
1024-bit DSA key, ID F721C45A, created 2009-02-09

If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running gpg --list-keys:

$ gpg --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub   1024D/F721C45A 2009-02-09 [expires: 2010-02-09]
uid                  Scott Chacon <schacon@gmail.com>
sub   2048g/45D02282 2009-02-09 [expires: 2010-02-09]

Then, you can directly import the key into the Git database by exporting it and piping that through git hash-object, which writes a new blob with those contents into Git and gives you back the SHA-1 of the blob:

$ gpg -a --export F721C45A | git hash-object -w --stdin
659ef797d181633c87ec71ac3f9ba29fe5775b92

Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA-1 value that the hash-object command gave you:

$ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92

If you run git push --tags, the maintainer-pgp-pub tag will be shared with everyone.

If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.

GPG Introduction

First of all, if you want to sign anything you need to get GPG configured and your personal key installed.

$ gpg --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub   2048R/0A46826A 2014-06-04
uid                  Scott Chacon (Git signing key) <schacon@gmail.com>
sub   2048R/874529A9 2014-06-04

If you don’t have a key installed, you can generate one with gpg --gen-key.

gpg --gen-key

Once you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting.

All you have to do is use -s instead of -a:

    $ git tag -s v1.5 -m 'my signed 1.5 tag'
    You need a passphrase to unlock the secret key for
    user: "Ben Straub <ben@straub.cc>"
    2048-bit RSA key, ID 800430EB, created 2014-05-04

If you run git show on that tag, you can see your GPG signature attached to it:

    $ git show v1.5
    tag v1.5
    Tagger: Ben Straub <ben@straub.cc>
    Date:   Sat May 3 20:29:41 2014 -0700

    my signed 1.5 tag
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQEcBAABAgAGBQJTZbQlAAoJEF0+sviABDDrZbQH/09PfE51KPVPlanr6q1v4/Ut
    LQxfojUWiLQdg2ESJItkcuweYg+kc3HCyFejeDIBw9dpXt00rY26p05qrpnG+85b
    hM1/PswpPLuBSr+oCIDj5GMC2r2iEKsfv2fJbNW8iWAXVLoWZRF8B0MfqX/YTMbm
    ecorc4iXzQu7tupRihslbNkfvfciMnSDeSvzCpWAHl7h8Wj6hhqePmLm9lAYqnKp
    8S5B/1SSQuEAjRZgI4IexpZoeKGVDptPHxLLS38fozsyi0QyDyzEgJxcJQVMXxVi
    RUysgqjcpT8+iQM1PblGfHR4XAhuOqN5Fx06PSaFZhqvWFezJ28/CLyX5q+oIVk=
    =EFTF
    -----END PGP SIGNATURE-----

    commit ca82a6dff817ec66f44342007202690a93763949
    Author: Scott Chacon <schacon@gee-mail.com>
    Date:   Mon Mar 17 21:52:11 2008 -0700

        changed the version number

Verifying Tags

To verify a signed tag, you use git tag -v [tag-name].


pages: 282 words: 79,176

Pro Git by Scott Chacon

Chris Wanstrath, continuous integration, creative destruction, Debian, distributed revision control, GnuPG, pull request, revision control

All you have to do is use -s instead of -a:

    $ git tag -s v1.5 -m 'my signed 1.5 tag'
    You need a passphrase to unlock the secret key for
    user: "Scott Chacon <schacon@gee-mail.com>"
    1024-bit DSA key, ID F721C45A, created 2009-02-09

If you run git show on that tag, you can see your GPG signature attached to it:

    $ git show v1.5
    tag v1.5
    Tagger: Scott Chacon <schacon@gee-mail.com>
    Date:   Mon Feb 9 15:22:20 2009 -0800

    my signed 1.5 tag
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.8 (Darwin)

    iEYEABECAAYFAkmQurIACgkQON3DxfchxFr5cACeIMN+ZxLKggJQf0QYiQBwgySN
    Ki0An2JeAVUCAiJ7Ox6ZEtK+NvZAj82/
    =WryJ
    -----END PGP SIGNATURE-----

    commit 15027957951b64cf874c3557a0f3547bd83b3ff6
    Merge: 4a447f7... a6b4c97...
    Author: Scott Chacon <schacon@gee-mail.com>
    Date:   Sun Feb 8 19:02:46 2009 -0800

        Merge branch 'experiment'

A bit later, you’ll learn how to verify signed tags.

If you decide to sign the tag as the maintainer, the tagging may look something like this:

    $ git tag -s v1.5 -m 'my signed 1.5 tag'
    You need a passphrase to unlock the secret key for
    user: "Scott Chacon <schacon@gmail.com>"
    1024-bit DSA key, ID F721C45A, created 2009-02-09

If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running gpg --list-keys:

    $ gpg --list-keys
    /Users/schacon/.gnupg/pubring.gpg
    ---------------------------------
    pub   1024D/F721C45A 2009-02-09 [expires: 2010-02-09]
    uid                  Scott Chacon <schacon@gmail.com>
    sub   2048g/45D02282 2009-02-09 [expires: 2010-02-09]

Then, you can directly import the key into the Git database by exporting it and piping that through git hash-object, which writes a new blob with those contents into Git and gives you back the SHA-1 of the blob:

    $ gpg -a --export F721C45A | git hash-object -w --stdin
    659ef797d181633c87ec71ac3f9ba29fe5775b92

Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA-1 value that the hash-object command gave you:

    $ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92

If you run git push --tags, the maintainer-pgp-pub tag will be shared with everyone.


pages: 139 words: 35,022

Roads and Bridges by Nadia Eghbal

AGPL, Airbnb, Amazon Web Services, barriers to entry, Benevolent Dictator For Life (BDFL), corporate social responsibility, crowdsourcing, cryptocurrency, David Heinemeier Hansson, Debian, DevOps, en.wikipedia.org, Firefox, GnuPG, Guido van Rossum, Khan Academy, Kickstarter, Marc Andreessen, market design, Network effects, platform as a service, pull request, Richard Stallman, Ruby on Rails, side project, Silicon Valley, Skype, software is eating the world, Tragedy of the Commons, Y Combinator

Jim Zemlin, the executive director of the Linux Foundation, gathered nearly $4 million in pledges from thirteen corporate donors, including Amazon Web Services, IBM, and Microsoft, to support security-related infrastructure projects over the next three years. [178] They are also building government support, including support from the White House. [179] The CII is officially a project of the Linux Foundation. Since its formation in April 2014, the CII has sponsored development work on a number of projects, including OpenSSL, NTP, GnuPG (a communication encryption system), and OpenSSH (a set of security-related protocols). The CII primarily focuses on security-related projects as a subset of infrastructure. In October 2015, Mitchell Baker, chair of the Mozilla Foundation, announced the Mozilla Open Source Support Program (MOSS), pledging $1M to support free and open source software.


pages: 349 words: 114,038

Culture & Empire: Digital Revolution by Pieter Hintjens

4chan, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, disinformation, Edward Snowden, failed state, financial independence, Firefox, full text search, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, independent contractor, informal economy, intangible asset, invisible hand, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, M-Pesa, mass immigration, mass incarceration, mega-rich, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, Occupy movement, offshore financial centre, packet switching, patent troll, peak oil, pre–internet, private military company, race to the bottom, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law

Anonymous broadcasting -- using the Usenet protocols or something very much like them -- also solves the problem of how to avoid flooding the Cellnet.

Social Networks

There are ways to communicate that are considered secure. People do still trust Tor, "Off-the-record" (OTR) chatting, and cryptographic layers like GnuPG. However, as I've explained, these are still vulnerable in various ways. Even if you do wrap your messages in unbreakable end-to-end security, so no server in the middle can ever see the unencrypted data, you are still providing that metadata, which can be sufficient to build a case against you. Simply talking to a person of interest, no matter what you say, can make you a person of interest in turn.

However, why even take the risk? We can build social networks over the Cellnet. They will be asynchronous and distributed and impossible to trace, except by physical seizure or brute-force hacking of individual devices, the most costly and impractical of surveillance options. We would want end-to-end security, as GnuPG or ZeroMQ provides, and some form of anonymous routing across nodes, as I've already described. We could exchange security keys by touching our phones together, using the near-field communications, or NFC, feature that many smartphones have. Then we could share data privately, and securely, over multiple hops, whether we're still in the same city, or half-way around the world.


pages: 296 words: 86,610

The Bitcoin Guidebook: How to Obtain, Invest, and Spend the World's First Decentralized Cryptocurrency by Ian Demartino

3D printing, AltaVista, altcoin, bitcoin, Bitcoin Ponzi scheme, blockchain, buy low sell high, capital controls, cloud computing, corporate governance, crowdsourcing, cryptocurrency, distributed ledger, Dogecoin, Edward Snowden, Elon Musk, Ethereum, ethereum blockchain, fiat currency, Firefox, forensic accounting, global village, GnuPG, Google Earth, Haight Ashbury, Jacob Appelbaum, Kevin Kelly, Kickstarter, litecoin, M-Pesa, Marc Andreessen, Marshall McLuhan, Oculus Rift, peer-to-peer, peer-to-peer lending, Ponzi scheme, prediction markets, QR code, ransomware, Ross Ulbricht, Satoshi Nakamoto, self-driving car, Skype, smart contracts, Steven Levy, the medium is the message, underbanked, WikiLeaks, Zimmermann PGP

At the time of this writing, Valhalla and AlphaBay are two of the most popular and reputable, but their status could change at any time. Deepdotweb.com and Reddit’s subforums r/Darkmarkets and r/DarkmarketNoobs are great resources for individuals looking to order something from the Deep Web. Ordering from these sites requires PGP and Bitcoin. Guides on how to use Bitcoin can be found in this book and countless places online. GnuPG (or GPG for short, often still referred to as PGP) is the open-source version of PGP, which was the world’s most popular and arguably most powerful personal encryption software until GPG was released. It was invented by Phil Zimmermann and owned by the PGP Corporation until 2010, when it was purchased by Symantec.[15] Since Windows is extremely insecure and Tor has been shown to be compromised, it has been suggested that users with particularly strong concerns about privacy and anonymity should take the extra steps of using TailsOS, which I mentioned earlier.


pages: 360 words: 96,275

PostgreSQL 9 Admin Cookbook: Over 80 Recipes to Help You Run an Efficient PostgreSQL 9. 0 Database by Simon Riggs, Hannu Krosing

business intelligence, business process, database schema, Debian, en.wikipedia.org, full text search, GnuPG, MITM: man-in-the-middle, Skype

If for some reason you don't have openssl or just don't want to use it, it is possible to compile a version of pg_crypto without it, with a smaller number of supported encryption algorithms and slightly reduced performance.

See also

PgCrypto page in the PostgreSQL online documentation at the following website: http://www.postgresql.org/docs/9.0/static/pgcrypto.html
The OpenSSL web page at the following website: http://www.openssl.org/
The GNU Privacy Handbook at the following website: http://www.gnupg.org/gph/en/manual.html

7 Database Administration

In this chapter, we will cover the following:

- Writing a script that either all succeeds or all fails
- Writing a psql script that exits on first error
- Performing actions on many tables
- Adding/removing columns on tables
- Changing data type of a column
- Adding/removing schemas
- Moving objects between schemas
- Adding/removing tablespaces
- Moving objects between tablespaces
- Accessing objects in other PostgreSQL databases
- Making views updateable

Introduction

The Tables & Data chapter spent time looking at the contents of tables and various complexities.


pages: 398 words: 107,788

Coding Freedom: The Ethics and Aesthetics of Hacking by E. Gabriella Coleman

activist lawyer, Benjamin Mako Hill, commoditize, crowdsourcing, Debian, disinformation, Donald Knuth, dumpster diving, en.wikipedia.org, financial independence, ghettoisation, GnuPG, Hacker Conference 1984, Hacker Ethic, Herbert Marcuse, informal economy, Jacob Appelbaum, Jaron Lanier, Jason Scott: textfiles.com, Jean Tirole, knowledge economy, laissez-faire capitalism, Larry Wall, Louis Pasteur, means of production, Paul Graham, peer-to-peer, pirate software, popular electronics, RFC: Request For Comment, Richard Stallman, rolodex, Ronald Reagan, Silicon Valley, Silicon Valley startup, slashdot, software patent, software studies, Steve Ballmer, Steven Levy, Ted Nelson, The Hackers Conference, the scientific method, The Structural Transformation of the Public Sphere, web application, web of trust, Yochai Benkler

It soon became clear to me, however, that this was not done for my benefit; humor saturates the social world of hacking. Hackers, I noticed, had an exhaustive ability to “misuse” most anything and turn it into grist for the humor mill. Once I began to master the esoteric and technical language of pointers, compilers, RFCs, i386, X86, AMD64, core dumps, shells, bash, man pages, PGP, GPG, gnupg, OpenPGP, pipes, world writeable, PCMCIA, chmod, syntactically significant white space, and so on (and really on and on), a rich terrain of jokes became sensible to me. My enjoyment of hacker humor thus provided a recursive sense of comfort to a novice ethnographer. Along with personally enjoying their joshing around, my comprehension of their jokes indicated a change in my outsider status, which also meant I was learning how to read joking in terms of pleasure, creativity, and modes of being.


Version Control With Git: Powerful Tools and Techniques for Collaborative Software Development by Jon Loeliger, Matthew McCullough

continuous integration, Debian, distributed revision control, GnuPG, Larry Wall, peer-to-peer, peer-to-peer model, pull request, revision control, web application, web of trust

Lightweight tags are simply references to a commit object and are usually considered private to a repository. These tags do not create a permanent object in the object store. An annotated tag is more substantial and creates an object. It contains a message, supplied by you, and can be digitally signed using a GnuPG key according to RFC4880. Git treats both lightweight and annotated tag names equivalently for the purposes of naming a commit. However, by default, many Git commands work only on annotated tags, because they are considered “permanent” objects. You create an annotated, unsigned tag with a message on a commit using the git tag command: $ git tag -m "Tag version 1.0" V1.0 3ede462 You can see the tag object via the git cat-file -p command, but what is the SHA1 of the tag object?


Engineering Security by Peter Gutmann

active measures, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, en.wikipedia.org, endowment effect, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Markoff, John von Neumann, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Network effects, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, Skype, slashdot, smart meter, social intelligence, speech recognition, statistical model, Steve Jobs, Steven Pinker, Stuxnet, sunk-cost fallacy, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Tragedy of the Commons, Turing complete, Turing machine, Turing test, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP

, Marc Conrad, Tim French, Wei Huang and Carsten Maple, Proceedings of the 1st International Conference on Availability, Reliability and Security (ARES’06), April 2006, p.482.
[191] “Graphical Representations of Authorization Policies for Weighted Credentials”, Isaac Agudo, Javier Lopez and Jose Montenegro, Proceedings of the 11th Australasian Conference on Information Security and Privacy (ACISP’06), Springer-Verlag LNCS No.4058, July 2006, p.87.
[192] “Vulnerability analysis of certificate graphs”, Eunjin Jung and Mohamed Gouda, International Journal of Security and Networks, Vol.1, No.1/2 (2006), p.13.
[193] “Towards a Precise Semantics for Authenticity and Trust”, Reto Kohlas, Jacek Jonczy and Rolf Haenni, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 2006, Article No.18.
[194] “A Hybrid Trust Model for Enhancing Security in Distributed Systems”, Ching Lin and Vijay Varadharajan, Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES’07), April 2007, p.35.
[195] “A Probabilistic Trust Model for GnuPG”, Jacek Jonczy, Markus Wüthrich and Rolf Haenni, presentation at the 23rd Chaos Communication Congress (23C3), December 2006, https://events.ccc.de/congress/2006/Fahrplan/attachments/1101-JWH06.pdf.
[196] “Trust-Based Recommendation Systems: an Axiomatic Approach”, Reid Andersen, Christian Borgs, Jennifer Chayes, Uriel Feige, Abraham Flaxman, Adam Kalai, Vahab Mirrokni and Moshe Tennenholtz, Proceedings of the 17th World Wide Web Conference (WWW’08), April 2008, p.199.
[197] “An Adaptive Probabilistic Trust Model and Its Evaluation”, Chung-Wei Hang, Yonghong Wang and Munindar Singh, Proceedings of the 7th Conference on Autonomous Agents and Multiagent Systems (AAMAS’08), May 2008, p.1485.
[198] “Trust*: Using Local Guarantees to Extend the Reach of Trust”, Stephen Clarke, Bruce Christianson and Hannan Xiao, Proceedings of the 17th Security Protocols Workshop (Protocols’09), Springer-Verlag LNCS No.7028, April 2009, p.189.
[199] “Trust Is in the Eye of the Beholder”, Dimitri DeFigueiredo, Earl Barr and S. Felix Wu, Proceedings of the Conference on Computational Science and Engineering (CSE’09), August 2009, Vol.3, p.100.