GnuPG


18 results

Linux Security Cookbook

by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes  · 8 Jun 2003

Recipe 7.3. Prohibiting Directory Listings Recipe 7.4. Encrypting Files with a Password Recipe 7.5. Decrypting Files Recipe 7.6. Setting Up GnuPG for Public-Key Encryption Recipe 7.7. Listing Your Keyring Recipe 7.8. Setting a Default Key Recipe 7.9. Sharing Public Keys Recipe 7

Maintaining Encrypted Files with Emacs Recipe 7.24. Maintaining Encrypted Files with vim Recipe 7.25. Encrypting Backups Recipe 7.26. Using PGP Keys with GnuPG Chapter 8. Protecting Email Recipe 8.1. Encrypted Mail with Emacs Recipe 8.2. Encrypted Mail with vim Recipe 8.3. Encrypted Mail with Pine

messages in transit over the Internet. But let's delve a little deeper. Did you perform the encryption on a secure system? What if the GnuPG binary (gpg) has been compromised by a cracker, replaced by an insecure lookalike? What if your text editor was compromised? Or the shared libraries

zillion different usernames, passwords, and SSH passphrases for various remote hosts and web sites. 6.15.2 Solution Store them in a file encrypted with GnuPG. Maintain it with Emacs and crypt++.el [Recipe 7.23] or with vim. [Recipe 7.24] Create handy scripts to extract and print passwords

is your closely guarded secret. Although other people may have your public key, it won't allow them to decrypt the message. Symmetric encryption is GnuPG's simplest operating mode: just provide the same password for encrypting and decrypting. [Recipe 7.4] Public-key encryption requires setup, at the very

who vouch for keys, this interconnected graph is called a web of trust . To participate in this web, try to collect signatures on your GnuPG key from widely trusted people within particular communities of interest, thereby enabling your key to be trusted automatically by others. Public-key methods are also

handling multiple files at once, as in scripts: A bad idea: #!/bin/sh for file in file1 file2 file3 ... do gpg -c "$file" done GnuPG will prompt for the password for each file during encryption and decryption. This is tedious and error-prone. Public-key encryption does not have this

without the mistyped (and therefore unknown) password. gpg prompts you for the password twice, so there's less chance you'll mistype it, but GnuPG's public-key encryption leaves less opportunity to mistype a password unknowingly. It's not much good for sharing files securely, since you'd also

can decrypt, without sharing any secrets like an encryption password. This recipe discusses just the initial setup. First you need to generate your very own GnuPG keypair, which consists of a secret (private) key and a public key. This is accomplished by: $ gpg --gen-key You'll be asked various

a personal key. gpg places keys into keyring files held in your account. View your default keyring with: $ gpg --list-secret-keys /home/smith/.gnupg/secring.gpg --------------------------------- sec 1024D/967D108B 2001-02-21 Shawn Smith (My work key) <smith@example.com> ssb 2048g/6EA5084A 2001-02-21 sec 1024D/2987358A

) <smith@example.com> ssb 2048g/FC9274C2 2000-06-04 Normally the first secret (sec) key listed is the default for GnuPG operations. To change this, edit the GnuPG options file, ~/.gnupg/options, which is automatically created by gpg with default values. Modify the default-key line, setting its value to the ID

of your desired secret key: ~/.gnupg/options: default-key 2987358A 7.8.4 See Also Key IDs can also be specified by email address or other identifying information: see the gpg

yourself as well, include your own public key at encryption time (-r your_key_id). 7.11.3 Discussion This is a classic use of GnuPG: encrypting a file to be read only by an intended recipient, say, Barbara Bitflipper. To decrypt the file, Barbara will need her private key

7.19.2 Solution Send the key to the keyserver: $ gpg --keyserver server_name_or_IP_address --send-keys key_ID Some well-known PGP/GnuPG keyservers are: wwwkeys.pgp.net www.keyserver.net pgp.mit.edu Additionally, most keyservers have a web-based interface for adding and locating keys. 7

.19.3 Discussion A keyserver is a resource for storing and retrieving public keys, often accessible via the Web. Most widely-used GnuPG keyservers share keys automatically amongst themselves, so it is not necessary to send your key to all of them. Your key should be available on

if you were to verify the signature on some downloaded software signed with a key you didn't have (gpg --verify foo.tar.gz.sig), GnuPG would automatically download and import that key from your keyserver, if available. Additionally, most keyservers have a web-based interface for adding and locating keys

etc.) and the public key is legitimate. For example, if you use gpg --verify to check the signature of a key imported from a keyserver, GnuPG may still produce the following warning, even if the signature itself is good: gpg: WARNING: This key is not certified with a trusted signature! gpg

is only a convenient way to share keys and their associated certificates; all responsibility for checking keys against identities rests with you, the GnuPG user, employing the normal GnuPG web-of-trust techniques. To trust a given key K, either you must trust K directly, or you must trust another key

-tables))) 7.23.3 Discussion crypt++ provides a transparent editing mode for encrypted files. Once the package is installed and loaded, simply edit any GnuPG-encrypted file. You'll be prompted for the passphrase within Emacs, and the file will be decrypted and inserted into an Emacs buffer. When you

files in place with vim, without decrypting them to disk. 7.24.2 Solution Add the following lines to your ~/.vimrc file: " Transparent editing of GnuPG-encrypted files " Based on a solution by Wouter Hanegraaff augroup encrypted au! " First make sure nothing is written to ~/.viminfo while editing " an encrypted

normal text, directly " after the file has been written. autocmd BufWritePost,FileWritePost *.gpg,*.asc u augroup END 7.24.3 Discussion vim can edit GnuPG-encrypted files transparently, provided they were encrypted for your key of course! If the stanza in our recipe has been added to your ~/.vimrc file

You use an Emacs mailer (vm, rmail, etc.) and want to send and receive encrypted email messages. 8.1.2 Solution Use mailcrypt.el with GnuPG: ~/.emacs: (load-library "mailcrypt") (mc-setversion "gpg") Then open a mail buffer, and use any Mailcrypt functions or variables as desired: mc-encrypt Encrypt

send the message normally. If you receive an encrypted message, and you already have the sender's key (indexed by her email address) on your GnuPG public keyring, simply invoke: M-x mc-decrypt for the buffer containing the message. If you receive a signed message, check the signature by invoking

else fails, save the encrypted message to a file and decrypt it with gpg manually. [Recipe 7.5] By default, Mailcrypt will remember your GnuPG passphrase once entered, but only for the duration of the current Emacs session. You can run mc-deactivate-passwd to force Mailcrypt to erase your passphrase

want to send and receive encrypted email conveniently with Mozilla's Mail & Newsgroups application. 8.4.2 Solution Use Enigmail from enigmail.mozdev.org for GnuPG encryption support. S/MIME is also supported natively within Mozilla. 8.4.3 Discussion Once you have downloaded and installed Enigmail, compose a message

normally, addressing it to someone whose public key is in your GnuPG keyring. Instead of clicking the Send button, notice that your message window has a new menu, Enigmail. From this menu, you choose to encrypt

sign your message, or both, and it is immediately sent. To decrypt a message you receive, simply view it and Mozilla will prompt for your GnuPG passphrase. Your Mail & Newsgroups window also has a new Enigmail menu. Explore both menus where you'll find numerous useful options and utilities: generating

.rc, pgp5.rc, and gpg.rc, ready to use with pgp2, pgp5, and gpg, respectively. Include one of these files inside your ~/.muttrc. (For GnuPG support, obviously include gpg.rc.) 8.6.3 Discussion Compose a message normally. Notice the headers include a setting called PGP: From: Daniel Barrett <dbarrett

encrypting or signing. Select one and the message will be sent. To decrypt a message you receive, simply view it. mutt will prompt for your GnuPG passphrase and display the decrypted message. 8.6.4 See Also mutt(1), and Mutt's supplied documentation in /usr/share/doc/mutt*, in

binary data encrypted files libpcap-format files searching for with ngrep -X option binary format (DER), certificates converting to PEM binary-format detached signature (GnuPG) bootable CD-ROM, creating securely broadcast packets btmp file, processing with Sys::Utmp module buffer overflow attacks detection with ngrep indicated by system daemon messages

(firewalls) DER (binary format for certificates) converting to PEM DES-based crypt( ) hashes in passwd file destination name for remote file copying detached digital signature (GnuPG) devfs device special files inability to verify with manual integrity check securing DHCP, initialization scripts dictionary attacks against terminals diff command, using for integrity checks

editing encrypted files 2nd elapsed time (displayed in ticks) elm mailer ELMME+ Emacs encrypted email with Mailcrypt package, using with GnuPG encrypted files, maintaining with email encryption with elm with Emacs with Evolution with MH with mutt with vim Mailcrypt package [See Mailcrypt] POP/IMAP security

SMTP server, using from arbitrary clients empty passphrase in plaintext key empty quotes ("") encryption asymmetric [See public-key encryption] of backups decrypting file encrypted with GnuPG email [See email, encryption] files [See also files, protecting] entire directory tree with password public-key [See public-key encryption] symmetric [See symmetric encryption]

] executables ignoring setuid or setgid attributes for linked to compromised libraries prohibiting entirely execute permission, controlling directory access executed commands [See process accounting] expiration for GnuPG keys exporting PGP key into file extended regular expressions, matching with ngrep

]2nd encrypted, maintaining with Emacs encrypting directories encrypting with password encryption, using maintaining encrypted files with vim permissions [See permissions] PGP keys, using with GnuPG prohibiting directory listings revoking a public key shared directory sharing public keys uploading new signatures to keyserver world-writable, finding files, searching effectively [See find

) Generic Security Services Application Programming Interface (GSSAPI) Kerberos authentication on IMAP Kerberos authentication on POP gethostbyname function GNU Emacs [See Emacs] Gnu Privacy Guard (GnuPG) 2nd 3rd adding keys to keyring backing up private key decrypting files encrypted with default secret key, designating for direct support by ELMME+ mailer encrypting

problems with testing server with nmap -I for security identification file (SSH2 key files) 2nd identity idfile script (manual integrity checker) IDs for cryptographic keys (GnuPG default secret key) ifconfig program -a option (information about all network interfaces and loaded drivers) controlling network interfaces enabling promiscuous mode for specific interfaces enabling

imapd enabling within xinetd or inetd Kerberos support SSL, using with validation of passwords, controlling with PAM importing keys from a keyserver PGP, importing into GnuPG incident report (security), filing gathering information for includedir (xinetd.conf) incoming network traffic, controlling [See firewalls networks, access control] incorrect net address (sshd) inetd

Internet email without visible server support for SSL testing SSL connection locally Mailcrypt mc-deactivate-passwd to force passphrase erasure official web site using with GnuPG mailpgp (script for encrypting/sending email) mailsnarf command -v option, capturing only unencrypted messages malicious program, /tmp/ls man-in-the-middle (MITM) attacks

directory world-writable files and directories, finding PermitRootLogin (sshd_config) PGP (Pretty Good Privacy) Evolution mailer, using with integrating with MH keys, using in GnuPG operations setting in mutt mailer headers PID (process ID) adding to system log messages looking up pidof command, killing all processes with given name Pine

interfaces search path, testing . (period) in relative directories in, dangers of SEC_BIN global variable (Tripwire) secret keys adding to GnuPG keyring default key for GnuPG operations listing for GnuPG secret-key encryption secure integrity checks creating bootable CD-ROM securely dual-ported disk array, using Secure Sockets Layer [See SSL] securetty

separate system inability to verify with manual integrity check permission bits, ignoring scp command and symmetric encryption file encryption with gpg -c files encrypted with GnuPG, decrypting problems with single encrypted file containing all files in directory SYN_RECV state, large numbers of network connections in synchronizing files on two

using rsync instead of weaknesses Trojan horses checking for with chkrootkit planted in commonly-used software packages trust, web of trusted certificates trusted public keys (GnuPG) trusted-host authentication canonical hostname, finding for client implications of strong trust of client host weak authorization controls tty item (PAM) tunneling TCP session

testing for open port umask Linux chmod and umask commands preventing files from being world-writable setting as group writable unicast packets unique identifier for GnuPG keys unsecured IMAP connections unshadow command urlsnarf command Usenet news, tunneling NNTP connections through SSH user (inetd.conf file) user accounts allowing one account

Directory Recipe 7.3 Prohibiting Directory Listings Recipe 7.4 Encrypting Files with a Password Recipe 7.5 Decrypting Files Recipe 7.6 Setting Up GnuPG for Public-Key Encryption Recipe 7.7 Listing Your Keyring Recipe 7.8 Setting a Default Key Recipe 7.9 Sharing Public Keys Recipe

Maintaining Encrypted Files with Emacs Recipe 7.24 Maintaining Encrypted Files with vim Recipe 7.25 Encrypting Backups Recipe 7.26 Using PGP Keys with GnuPG Chapter 8. Protecting Email Recipe 8.1 Encrypted Mail with Emacs Recipe 8.2 Encrypted Mail with vim Recipe 8.3 Encrypted Mail with

Multitool Linux: Practical Uses for Open Source Software

by Michael Schwarz, Jeremy Anderson and Peter Curtis  · 7 May 2002

System Console Difficult-o-Meter: 4 (fairly high Linux knowledge required) Covers: Fetchmail http://www.tuxedo.org/~esr/fetchmail/ Procmail http://www.procmail.org/ GnuPG http://www.gnupg.org/ Question: How can I get access to my home Linux system when I'm either at work behind a firewall that only allows

results were returned securely, safe from snooping eyes. The solution to all of this lies with encryption and digital signatures found in another great utility, GnuPG (see Chapter 10, Secure Your E-Mail with GPG). The Project Now that you know the story of how the e-mail console came to

. You will be using the following utilities for this project: · Fetchmail— to get the mail · Procmail— to parse and execute the e-mail console script · GnuPG— to decrypt the e-mail and verify the authenticity of the sender The Disclaimer Doing this project could seriously damage your system. If you implement

plain text, you will have to encrypt the results. For these two tasks, encryption and authentication/authorization, we'll use another very handy Linux tool, GnuPG. Securing Everything We are now entering the part of this chapter where it starts to get really funky. Encryption and digital signatures are not new

how to go about using it. Don't panic! Chapter 10, Secure Your E-Mail with GPG, discusses everything you need to know about GnuPG. Using GnuPG to Handle Authorizations One small problem with this version of the e-mail console is that anyone is able to send an e-mail to

folder. In addition to authorization, our results should be kept private until the recipient gets the results. To do this, we'll use encryption. Using GnuPG to Encrypt the Results So long as the digital signature verifies, we can now get down to executing the commands contained in the e-mail

and placing the results in an encrypted e-mail back to the sender. We'll use GnuPG to encrypt the execution results. We'll do this by using the e-mail address in the From or Reply-to field as the public

: http://modules.apache.org/ Chapter 10. Secure Your E-Mail with GPG Difficult-o-Meter: 2 (light Linux skill required) Covers: gpg (GNUpg) v1.0.1 http://www.gnupg.org/ Question: I hear all the time about viruses spread by e-mail. How can I be sure that a message I get

GPG, you must generate a key. The first time you ever run GPG, it will probably say this: [bubba@mars bubba]$ gpg --gen-key gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome

to redistribute it under certain conditions. See the file COPYING for details. gpg: /home/bubba/.gnupg: directory created gpg: /home/bubba/.gnupg/options: new options file created gpg: you have to start GnuPG again, so it can read the new options file Unless your system administrator has a

.gnupg directory set up for new accounts automatically, GPG must create a .gnupg directory and set it up with default configurations and empty private and public keyrings. A keyring is simply a file that stores keys. The default

in secring.gpg, and your public key and the public keys of any of your correspondents are in pubring.gpg. The other file in the .gnupg directory is options. This file may be modified to change the default settings for GPG. In its default state, it is configured to interoperate with

leaving these defaults alone until the whole world wakes up and starts using GPG instead! Once the .gnupg directory is set up, you generate a key as follows: [bubba@mars bubba]$ gpg --gen-key gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO

share it, use the following command: [bubba@mars bubba]$ gpg --export --armor leroy -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org

legal.statement.asc -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did NOT commit the crime! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5Y0qlix6AMQ6Pq2QRApSDAKDz/RLuUE3a7lxmgTzqZmtvbPdEHACdHFR1 NWedbupPVklTCFOUIVaJzsU= =NPHm -----END PGP SIGNATURE----- As you can see, the original content of the message is still

:~$ cat legal.statement.asc -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did commit the crime! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5Y0qlix6AMQ6Pq2QRApSDAKDz/RLuUE3a7lxmgTzqZmtvbPdEHACdHFR1 NWedbupPVklTCFOUIVaJzsU= =NPHm -----END PGP SIGNATURE----- Boy, that surprises me! I know Leroy and I don't think

:~$ cat legal.statement.asc -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did commit the crime! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5Y1L1oHgCFwxAlJgRAlaVAJ4hHP8aV03F46hx1LxQkIeDU1pOwgCglXc+ ksM5rPYWtetrPHG7/EhcTD0= =vODa -----END PGP SIGNATURE----- mars:40:~$ gpg legal.statement.asc gpg: Signature made Wed 05 Jul

will overwrite and delete). The second looks like this: [bubba@mars bubba]$ cat confession.asc -----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org

in the GPG chain. I know people who are so paranoid that their secret key is kept on a single floppy, symbolically linked to their .gnupg directory. They insert the floppy whenever they need it, and then unmount and file it when done. If they destroy the floppy, the key is

PGP supporting applications. This compatibility package is called pgpgpg. Here's some info: Package: pgpgpg Homepage: http://www.nessie.de/mroth/pgpgpg Download: ftp://ftp.gnupg.org/pub/gcrypt/pgpgpg-0.13.1.tar.gz Once you have this installed, you can use the older PGP commands (which is what elm

Puppet 3 Cookbook

by John Arundel  · 25 Aug 2013  · 274pp  · 58,675 words

edits to config files Using Augeas to automatically edit config files Building config files using snippets Using ERB templates Using array iteration in templates Using GnuPG to encrypt secrets Installing packages from a third-party repository Building packages automatically from source Comparing package versions Chapter 5: Users and Virtual Resources Introduction

some of the most common sysadmin tasks, including managing config files, using Augeas, generating files from snippets and templates, managing third-party package repositories, using GnuPG to encrypt secret data in Puppet, and building packages from source. Chapter 5, Users and Virtual Resources, explains what virtual resources are and how they

Using Augeas to automatically edit config files Building config files using snippets Using ERB templates Using array iteration in templates Using GnuPG to encrypt secrets Installing packages from a third-party repository Building packages automatically from source Comparing package versions Introduction In this chapter

Ruby expressions: MAILTO=<%= @emails.join(',') %> or any Ruby code you want: ServerAdmin <%= @sitedomain == 'coldcomfort.com' ? 'seth@coldcomfort.com' : 'flora@poste.com' %> See also Using GnuPG to encrypt secrets, in this chapter. Using array iteration in templates In the previous example we saw that you

. Interface eth2 has the address 10.0.75.207. See also Using ERB templates, in this chapter. Using GnuPG to encrypt secrets We often need Puppet to have access to secret information, such as passwords or crypto keys, for it to configure systems properly

other machines that it doesn't need and shouldn't have. How can we prevent this? One answer is to encrypt the secrets using the GnuPG tool, so that any secret information in the Puppet repo is undecipherable (for all practical purposes) without the appropriate key. Then we distribute the key

machines who need it. Getting ready First you'll need an encryption key, so follow these steps to generate one. If you already have a GnuPG key that you'd like to use, go on to the next section: 1. Run the following command. Answer the prompts as shown, except to

substitute your name and e-mail address for mine. When prompted for a passphrase, just hit Enter: ubuntu@cookbook:~/puppet$ gpg --gen-key gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO

money is buried under the old oak. 4. Encrypt this file with the following command (use the e-mail address you supplied when creating the GnuPG key): ubuntu@cookbook:~/puppet$ gpg -e -r john@bitfieldconsulting.com /home/ubuntu/secret_message 5. Move the resulting encrypted file into your

is buried under the old oak. How it works... First, we've created a custom function to allow Puppet to decrypt the secret files using GnuPG: module Puppet::Parser::Functions newfunction(:secret, :type => :rvalue) do |args| `gpg --no-tty -d #{args[0]}` end end The preceding code creates a function named

to ensure that the ubuntu user has the necessary key installed. You can check this with: ubuntu@cookbook:~/puppet$ gpg --list-secret-keys /home/ubuntu/.gnupg/secring.gpg ------------------------------ sec 2048R/46055037 2013-05-06 uid John Arundel <john@bitfieldconsulting.com> ssb 2048R/D5B0735B 2013-05-06

a key for web servers, and encrypt the data only for this key. If you want to use encrypted data with Hiera, there is a GnuPG backend for Hiera available: http://www.craigdunn.org/2011/10/secret-variables-in-puppet-withhiera-and-gpg/ See also The Importing configuration data with

repo class admin::percona_repo { exec { 'add-percona-apt-key': unless => '/usr/bin/apt-key list |grep percona', command => '/usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add -', notify => Exec['percona-apt-update'], } exec { 'percona-apt-update': command => '/usr/bin

, we install the APT key: exec { 'add-percona-apt-key': unless => '/usr/bin/apt-key list |grep percona', command => '/usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add -', notify => Exec['percona-apt-update'], } The unless parameter checks the output of apt

is not already installed, in which case we needn't do anything. Assuming it isn't, the command runs: /usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add - This command retrieves the key from the

GnuPG keyserver, exports it in the ASCII format, and pipes this into the apt-key add command, which adds it to the system keyring. You can

as creating databases: $password = 'sekrit' If you're concerned about putting secret data such as passwords in your Puppet manifests, see the recipe on Using GnuPG to encrypt secrets in Chapter 4, Working with Files and Packages for a better solution. We also define a variable representing the name of the

, we looked at a way to store encrypted data in our Puppet manifest which can be decrypted only with the appropriate key (see the Using GnuPG to encrypt secrets recipe in Chapter 4, Working with Files and Packages). If you're using Hiera to store your configuration data, there's a

. Create the file data/secret.yaml with the following contents: top_secret: 'xyzzy' 2. If you don't already have a GnuPG encryption key, follow the steps in the Using GnuPG to encrypt secrets recipe in Chapter 4, Working with Files and Packages to create one. 3. Encrypt the secret.yaml file

ability to decrypt .gpg files. So you can put any secret data into a .yaml file that you then encrypt to the appropriate key with GnuPG. Only machines that have the right secret key will be able to access this data. For example, you might encrypt the MySQL root password using

hiera-eyaml here: https://github.com/TomPoulton/hiera-eyaml See also The Importing configuration data with Hiera recipe in this chapter; The Using GnuPG to encrypt secrets recipe in Chapter 4, Working with Files and Packages. Generating manifests with puppet resource If you have a server

of a custom type to manage APT sources: https://github.com/deanwilson/puppet-aptsourced Creating your own functions If you've read the recipe Using GnuPG to encrypt secrets in Chapter 4, Working with Files and Packages, then you've already seen an example of a custom function (in that example

, we created a secret function, which shelled out to GnuPG). Let's look at custom functions in a little more detail now and build an example. How to do it... If you've read the

creating 231, 232 G generate function 83 Git used, for managing manifests 11-13 Git hooks used, for automatic syntax checking 29-31 gitrepo 228 GnuPG used, for encrypting secrets 98-101 grep command 89 H HAProxy using, to load-balance multiple web servers 174-177 haproxy daemon 177 Heartbeat installing

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery

by Raphaël Hertzog and Roland Mas  · 24 Dec 2013  · 678pp  · 159,840 words

(address, telephone, geographical coordinates such as longitude and latitude, etc.). Some of the information (first and last name, country, username within the project, IRC username, GnuPG key, etc.) is public and available on the Web. → http://db.debian.org/ The geographical coordinates allow the creation of a map locating all of

(<< 20060617-3~) Depends: libapt-pkg4.12 (>= 0.9.7.9), libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.6), debian-archive-keyring, gnupg Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, xz-utils, python-apt Conflicts: python-apt (<< 0.7.93.2~) Description-en: commandline package manager This

.debian.tar.gz Files: 88cfc18c0c7339528d5f5f463647bb5f 966899 zim_0.48.orig.tar.gz 608b6e74aa14252dfc6236ab184bdb0c 9615 zim_0.48-1.debian.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Signed by Raphael Hertzog

7.1 amd64 Debian base system miscellaneous ii base-passwd 3.5.26 amd64 Debian base system master passwo [...] $ dpkg -c /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb drwxr-xr-x root/root 0 2013-01-02 19:28 ./ drwxr-xr-x root/root 0 2013-01

-01-02 19:28 ./usr/share/doc/ drwxr-xr-x root/root 0 2013-01-02 19:28 ./usr/share/doc/gnupg/ -rw-r--r-- root/root 3258 2012-01-20 10:51 ./usr/share/doc/gnupg/TODO -rw-r--r-- root/root 308 2011-12-02 18:34 ./usr/share/doc

/gnupg/FAQ -rw-r--r-- root/root 3543 2012-02-20 18:41 ./usr/share/doc/gnupg/Upgrading_From_PGP.txt -rw-r--r-- root/root 690

2012-02-20 18:41 ./usr/share/doc/gnupg/README.Debian -rw-r--r-- root/root 1418

2012-02-20 18:41 ./usr/share/doc/gnupg/TODO.Debian [...] $ dpkg -I /var/cache/apt/archives

/gnupg_1.4.12-7_amd64.deb new debian package, version 2.0. size

4521 bytes, 65 lines md5sums 479 bytes, 13 lines * postinst #!/bin/sh 473 bytes, 13 lines * preinst #!/bin/sh Package: gnupg Version: 1.4.12-7 Architecture: amd64 Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> Installed-Size: 4627 Depends: libbz2-1.0, libc6 (>= 2.4), libreadline6 (>= 6.0), libusb

.4) | install-info, gpgv Recommends: libldap-2.4-2 (>= 2.4.7), gnupg-curl Suggests: gnupg-doc, xloadimage | imagemagick | eog, libpcsclite1 Section: utils Priority: important Multi-Arch: foreign Homepage: http://www.gnupg.org Description: GNU privacy guard - a free PGP replacement GnuPG is GNU's tool for secure communication and data storage. It can

't been altered either. The trusted keys are managed with the apt-key command found in the apt package. This program maintains a keyring of GnuPG public keys, which are used to verify signatures in the Release.gpg files available on the mirrors. It can be used to add new keys

advocate them by showing their work in a private way. At the same time, the candidate must generate a public/private RSA key pair with GnuPG, which should be signed by at least two official Debian developers. The signature authenticates the name on the key. Effectively, during a key signing party

Dark Mirror: Edward Snowden and the Surveillance State

by Barton Gellman  · 20 May 2020  · 562pp  · 153,825 words

-to-use anonymous browser at www.torproject.org. GPG, the gold standard of email and file encryption: GPG, also known as Gnu Privacy Guard and GnuPG, is a free, open-source implementation of the encryption standard pioneered by Phil Zimmermann in the commercial software package called Pretty Good Privacy, or PGP

custodian of the code. He marked its first decade in a post to an email listserv, archived here: Werner Koch, “GnuPG’s 10th birthday,” December 20, 2007, https://lists.gnupg.org/pipermail/gnupg-announce/2007q4/000268.html. See also Julia Angwin, “The World’s Email Encryption Software Relies on One Guy, Who Is

want an editor or publisher to be capable of making the decision for me. even experts foundered: Disheartening proof is easy to find in the GnuPG-users listserv, an email forum populated exclusively by geeks, where hundreds of thousands of words have been spilled on the software’s mysteries. See the

GnuPG-users Archives, http://lists.gnupg.org/pipermail/gnupg-users/. manual could swallow: The horror classic runs to about twenty-five thousand words. GPG boasts a sixteen-thousand-word manual and

Tale of Dr. Jekyll and Mr. Hyde, www.gutenberg.org/files/42/42.txt; “The GNU Privacy Handbook,” www.gnupg.org/gph/en/manual.html; and “GNUPG FREQUENTLY ASKED QUESTIONS,” www.gnupg.org/faq/gnupg-faq.txt. After drafting this comparison, I found a fine blog post with a similar comparison to the forty

, 284–85 governing norms, 248–49, 347–48 government: secrecy and, see secrecy, government in standoff with ES, 352–53 trust and, 180–84 GPG (GnuPG), 8, 365, 366 Graham, Don, 103 Graham, Katharine, 92, 379 Graham, Lindsey, 158 Graham, Mary, 263 Granick, Jennifer, 339, 342, 343 Graph-in-Memory, 174

Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance

by Julia Angwin  · 25 Feb 2014  · 422pp  · 104,457 words

personal website of Karl Fogel, a leading software developer. It displayed his public key and this disclaimer: “I don’t trust my ability to use GnuPG.… Guarding against [possible attacks on GPG] would require constant vigilance, and I’m not up to the task. Therefore, if it’s important that your

be why I’m into data”: Ibid. 13. LONELY CODES First, I downloaded free encryption software: “The GNU Privacy Guard,” Free Software Foundation, Inc., http://gnupg.org/. a program called Enigmail: “A Simple Interface to OpenPGP Email Security,” The Enigmail Project, https://www.enigmail.net/home/index.php. designed to run

with: GnuPG, “GnuPG Frequently Asked Questions,” http://www.gnupg.org/faq/GnuPG-FAQ.html. The Postbox support page said: Postbox, Inc., “Extending Postbox,” http://www.postbox-inc.com/extensions. The Enigmail support forums

PGP and Zfone: Background,” Philzimmermann.com (personal blog), http://www.philzimmermann.com/EN/background/index.html. The software I was using: “The GNU Privacy Guard,” GnuPG, http://gnupg.org/. On March 9, 1993, Eric Hughes published: Eric Hughes, “A Cypherpunk’s Manifesto,” March 9, 1993, http://www.activism.net/cypherpunk/manifesto.html

Producing Open Source Software: How to Run a Successful Free Software Project

by Karl Fogel  · 13 Oct 2005

to be someone who won't blab about the security problem before the go-public date; and you must have a way (such as via GnuPG-encrypted email) to communicate securely with the recipient, so that any eavesdroppers between you and your recipient can't read the message.[67] Pre-notification

as any other release checklist criteria the project may have, the developers then digitally sign each container (the .tar.gz file, .zip file, etc) using GnuPG (gnupg.org), PGP (pgpi.org), or some other program capable of producing PGP-compatible signatures. In most projects, the developers just use their personal digital signatures

Pro Git

by Scott Chacon and Ben Straub  · 12 Nov 2014  · 549pp  · 134,988 words

directly to that content. To do this, you can figure out which key you want by running gpg --list-keys: $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 1024D/F721C45A 2009-02-09 [expires: 2010-02-09] uid Scott Chacon <schacon@gmail.com> sub 2048g/45D02282 2009-02-09 [expires

First of all, if you want to sign anything you need to get GPG configured and your personal key installed. $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 2048R/0A46826A 2014-06-04 uid Scott Chacon (Git signing key) <schacon@gmail.com> sub 2048R/874529A9 2014-06-04 If you

.5 Tagger: Ben Straub <ben@straub.cc> Date: Sat May 3 20:29:41 2014 -0700 my signed 1.5 tag -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 [...] -----END PGP SIGNATURE----- commit ca82a6dff817ec66f44342007202690a93763949

PostgreSQL Cookbook

by Chitij Chauhan  · 30 Jan 2015

.cc, keys.pubkey) As cc FROM (VALUES ('robby', '41111111111111111'), ('artoo', '41111111111111112') ) As robotccs(username, cc) CROSS JOIN (SELECT dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) [...]

use pgp_keyid to verify which public key you used to encrypt your data:SELECT pgp_key_id(dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) [...]

the data with:SELECT username, pgp_pub_decrypt(cc, keys.privkey) As ccdecrypt FROM testuserscards CROSS JOIN (SELECT dearmor('-----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) [...]

Pro Git

by Scott Chacon  · 17 Aug 2009  · 282pp  · 79,176 words

Tagger: Scott Chacon <schacon@gee-mail.com> Date: Mon Feb 9 15:22:20 2009 -0800 my signed 1.5 tag -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEABECAAYFAkmQurIACgkQON3DxfchxFr5cACeIMN+ZxLKggJQf0QYiQBwgySN Ki0An2JeAVUCAiJ7Ox6ZEtK+NvZAj82/ =WryJ -----END PGP SIGNATURE----- commit 15027957951b64cf874c3557a0f3547bd83b3ff6 Merge: 4a447f7... a6b4c97... Author: Scott Chacon <schacon@gee-mail.com> Date

directly to that content. To do this, you can figure out which key you want by running gpg --list-keys: $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 1024D/F721C45A 2009-02-09 [expires: 2010-02-09] uid Scott Chacon <schacon@gmail.com> sub 2048g/45D02282 2009-02-09 [expires

Culture & Empire: Digital Revolution

by Pieter Hintjens  · 11 Mar 2013  · 349pp  · 114,038 words

Coding Freedom: The Ethics and Aesthetics of Hacking

by E. Gabriella Coleman  · 25 Nov 2012  · 398pp  · 107,788 words

PostgreSQL 9 Admin Cookbook: Over 80 Recipes to Help You Run an Efficient PostgreSQL 9.0 Database

by Simon Riggs and Hannu Krosing  · 23 Oct 2010  · 360pp  · 96,275 words

Version Control With Git: Powerful Tools and Techniques for Collaborative Software Development

by Jon Loeliger and Matthew McCullough  · 14 Aug 2012

Roads and Bridges

by Nadia Eghbal  · 139pp  · 35,022 words

The Bitcoin Guidebook: How to Obtain, Invest, and Spend the World's First Decentralized Cryptocurrency

by Ian Demartino  · 2 Feb 2016  · 296pp  · 86,610 words

Engineering Security

by Peter Gutmann

Docker: Up & Running: Shipping Reliable Containers in Production

by Sean Kane and Karl Matthias  · 14 May 2023  · 433pp  · 130,334 words