Silk Road forums
Discussion => Security => Topic started by: Oompaloompa on July 14, 2012, 12:29 pm
-
Hi, I'm asking here as I figure you guys'll have a better idea than most on how to get this to work.
I previously had a windows OS and GPG4Win but have now scrapped windows and installed Linux Ubuntu 12.04
I saved all my public/private keys but I've had problems setting up GPG on Linux. The only encryption program I could find was the enigmail add-on for thunderbird & I've set that up but I've got some queries:
1: Enigmail only seems to encrypt while sending e-mail, which I don't want. I want to write a message encrypt it then copy/paste the pgp message to SR (as with gpg4win) but the only way I've found is to save the e-mail as draft, encrypt on saving and then go into drafts & copy the pgp message. Surely there's an easier way to do this?
2: Similarly I can't find how to decrypt a pgp message sent to me on SR?
3: I'm uneasy with having my (fake) PGP e-mail and keys associated with my real e-mail setup. Enigmail only lets me encrypt when I create an e-mail draft with my real mail settings otherwise I get the errors
"INV_RECP 0 <anonymous@test.co.uk>" and
"Unable to save your message as draft.
Please verify that your Mail & Newsgroups account settings are correct and try again."
Are there any security risks here? and is there a way to create encrypted messages without any connection to my realworld e-mail settings?
4: I tried the S/MIME option but got the message "You need to set up one or more personal certificates before you can use this security feature. Would you like to do so now?" when I click yes I get to a security screen & try to select a certificate. But I get
"Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages."
What sort of file do I need? Not sure if I had thison GPG4Win but I think so and it should be backed up so what am I looking for?
Sorry for the long message but I'm just getting to grips with Linux and enigmail and I want to get this sorted out securely but haven't been able to find clear answers elsewhere online. Hopefully someone here can help me.
-
Hi, I'm asking here as I figure you guys'll have a better idea than most on how to get this to work.
I previously had a windows OS and GPG4Win but have now scrapped windows and installed Linux Ubuntu 12.04
I saved all my public/private keys but I've had problems setting up GPG on Linux. The only encryption program I could find was the enigmail add-on for thunderbird & I've set that up but I've got some queries:
This bit is excellent.
1: Enigmail only seems to encrypt while sending e-mail, which I don't want. I want to write a message encrypt it then copy/paste the pgp message to SR (as with gpg4win) but the only way I've found is to save the e-mail as draft, encrypt on saving and then go into drafts & copy the pgp message. Surely there's an easier way to do this?
Enigmail is a GPG frontend specifically for email through Thunderbird. It's very good, but not ideal when a lot of your encrypting and decrypting will take place outside of Thunderbird.
If you need a frontend then you should consider the options on this page:
http://www.gnupg.org/related_software/frontends.en.html
Perhaps KGpg or Seahorse. I can't vouch for either of them since I use GPG on the command line or within an Emacs buffer.
2: Similarly I can't find how to decrypt a pgp message sent to me on SR?
You would save the encrypted message as a file and then decrypt it with a frontend or on the command line (the command is "gpg filename.txt.asc" unless the sender has done something clever, like use the for-your-eyes-only option).
3: I'm uneasy with having my (fake) PGP e-mail and keys associated with my real e-mail setup. Enigmail only lets me encrypt when I create an e-mail draft with my real mail settings otherwise I get the errors
"INV_RECP 0 <anonymous@test.co.uk>" and
"Unable to save your message as draft.
Please verify that your Mail & Newsgroups account settings are correct and try again."
Are there any security risks here? and is there a way to create encrypted messages without any connection to my realworld e-mail settings?
I would try to avoid mixing the SR data with regular data.
If you want to access the SR stuff from your default installation (i.e. without messing around with VMs, flash drives, hidden systems, etc.) then do something like this:
1) Install TrueCrypt.
2) Create a new volume (make sure it has lots of space) to be mounted to something like "/homes/" or "/home2/" (the normal directory is "/home/").
3) Mount it.
4) Create a new user for your SR usage. When creating the account make sure that the home directory is set to "/homes/$USERNAME" (as long as the first part matches the volume created in step 2 and $USERNAME can be whatever you want).
5) Log into the new account and set it up as you like (installing GPG keys, configuring Thunderbird & Enigmail to access Tor Mail, setting up the Tor Browser and anything else that makes it easy to use).
When you are not using that account, unmount the TrueCrypt volume and all those details will be inaccessible. Plus if you accidentally leave something decrypted in that user account, it will still be protected by TrueCrypt.
4: I tried the S/MIME option but got the message "You need to set up one or more personal certificates before you can use this security feature. Would you like to do so now?" when I click yes I get to a security screen & try to select a certificate. But I get
"Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages."
What sort of file do I need? Not sure if I had thison GPG4Win but I think so and it should be backed up so what am I looking for?
S/MIME is an alternative method of achieving email encryption. It depends on a MIME capable mail client so it will not be helpful on SR.
Sorry for the long message but I'm just getting to grips with Linux and enigmail and I want to get this sorted out securely but haven't been able to find clear answers elsewhere online. Hopefully someone here can help me.
Quite alright. Once you get used to it you won't look back.
-
That's great, really helpful,
I'll check out the gpg frontend and truecrypt.
Thanks
-
LouisCypher, hope you don't mind if I ask some more questions of you - or anyone else who knows what they're doing with Linux
I'm having some problems setting up a gpg frontend, largely due to my inexperience with linux.
I tried installing Seahorse first but couldn't do anything to install it through the GUI so had to go into the terminal & try typing. Turns out it couldn't install as my Intltool is too old.Don't know why as I've just installed Linux so would've thought it'd all be up to date. I looked into installing this but its way too complex for me.
I then tried GPA instead but its install instructions are You need the GNU development tools plus the GTK+ library, version
1.3 or higher, installed on your system. Unpack the tarball, `cd'
into the new directory, configure, compile, and install GPA:
tar xvzf gpa-0.5.0.tar.gz
cd gpa-0.5.0
./configure
make
su -c "make install"
To do this I need to switch to the terminal (which only opens in full screen) type what I can remember of above, go back to GUI to remember some more, as I can't paste into the terminal.
Is there an easier way to do this as its a bit of a pain, especially as I don't really know what I'm doing with Linux.
Is it possible to install things on Linux without needing to know a programming language & work through a terminal?
Is it even possible to shrink the terminal window from full screen so i can read what I need to type into the terminal?
GPA instructions also tell me In order to do anything useful with GPA you also need the
GNU Privacy Guard (GnuPG) installed - see http://www.gnupg.org.
Looking at the download options for this I see there's a range of versions running from gnupg-1.0.0.tar.gz to gnupg-2.0.9.tar.bz2 but the latest version still only has a date of March 2008. Is this normal? as I'd expect it to be a bit more recent.
I've got the book Linux for Dummies, unfortunately its about 600 pages & I've not got beyond ch1 yet so any assistance'd be appreciated.
-
LouisCypher, hope you don't mind if I ask some more questions of you - or anyone else who knows what they're doing with Linux
Sure.
I'm having some problems setting up a gpg frontend, largely due to my inexperience with linux.
I tried installing Seahorse first but couldn't do anything to install it through the GUI so had to go into the terminal & try typing. Turns out it couldn't install as my Intltool is too old.Don't know why as I've just installed Linux so would've thought it'd all be up to date. I looked into installing this but its way too complex for me.
It is possible that Ubuntu may be using an older library. The libraries included with a distribution like Ubuntu (or Fedora) may dictate that GPG and its frontends can only be installed using the package management system (apt-get or aptitude).
I then tried GPA instead but its install instructions are You need the GNU development tools plus the GTK+ library, version
1.3 or higher, installed on your system. Unpack the tarball, `cd'
into the new directory, configure, compile, and install GPA:
tar xvzf gpa-0.5.0.tar.gz
cd gpa-0.5.0
./configure
make
su -c "make install"
If you have GPG 2.0.x installed then GPA should be installed already.
To do this I need to switch to the terminal (which only opens in full screen) type what I can remember of above, go back to GUI to remember some more, as I can't paste into the terminal.
You should be able to change the size of the terminal screen. You should also be able to select and copy text from it.
Go into a terminal and type these commands and then paste the output back here:
gpg --version
which gpg
which gpg2
ls -l `which gpg`
Is there an easier way to do this as its a bit of a pain, especially as I don't really know what I'm doing with Linux.
Is it possible to install things on Linux without needing to know a programming language & work through a terminal?
Yes, but you need to use the package management system that comes with Ubuntu. It should have a GUI to make it easier to access.
Is it even possible to shrink the terminal window from full screen so i can read what I need to type into the terminal?
Yes. You should be able to adjust it with the mouse.
GPA instructions also tell me In order to do anything useful with GPA you also need the
GNU Privacy Guard (GnuPG) installed - see http://www.gnupg.org.
Looking at the download options for this I see there's a range of versions running from gnupg-1.0.0.tar.gz to gnupg-2.0.9.tar.bz2 but the latest version still only has a date of March 2008. Is this normal? as I'd expect it to be a bit more recent.
The current versions of GPG are: GPG 1.4.12 and GPG 2.0.19. You should probably stick with the version that is installed on Ubuntu by default.
I've got the book Linux for Dummies, unfortunately its about 600 pages & I've not got beyond ch1 yet so any assistance'd be appreciated.
Paste the output of the commands I listed above and we'll go from there.
-
You should also read this thread and try the fix mentioned in it:
http://dkn255hz262ypmii.onion/index.php?topic=28763.msg317823#msg317823
-
I've run the gpg version commands. Outputs are:
gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cypher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
which gpg
/usr/bin/gpg
which gpg2
- Nothing comes up here, just the next prompt
ls -l `which gpg`
-rwxr-xr-x 1 root root 992984 Nov 21 2011 /usr/bin/gpg
Hope that means something.
I've got the terminal sizing sorted, I've found I can open a resizable terminal with ctrl+Alt+T rather than a full screen terminal (with no mouse or copy paste) with ctrl+alt+f1 to f6
Where on the GUI should I be looking for 'the package management system that comes with Ubuntu' - aptitude, I've searched applications for apt but nothing's appearing?
I took a look at the link you posted and have installed geany via the terminal, I'll try it out later when I'm back from work.
Thanks
-
I've run the gpg version commands. Outputs are:
...
Hope that means something.
Yep. It tells me that you don't have GPG 2.0.x installed, the default installation is GPG 1.4.11. This is fine (I'm using 1.4.12), but it doesn't come with any frontends.
I've got the terminal sizing sorted, I've found I can open a resizable terminal with ctrl+Alt+T rather than a full screen terminal (with no mouse or copy paste) with ctrl+alt+f1 to f6
Where on the GUI should I be looking for 'the package management system that comes with Ubuntu' - aptitude, I've searched applications for apt but nothing's appearing?
It'll be there, but it might be tucked away under some system management menu. Probably called something like System or Utilities. It's been a few years since I've done anything with Ubuntu and they've changed their default window manager since then.
I took a look at the link you posted and have installed geany via the terminal, I'll try it out later when I'm back from work.
Cool.
For a frontend, everyone I know using either Windows or Ubuntu swears by GnuPG Shell. The home page for it is here:
http://www.tech-faq.com/gnupg-shell.html
What you want to do is open a terminal and run the following commands:
wget -t 0 -c http://www.tech-faq.com/gnupg-shell/gnupgshell-1.0.0.i386.deb.gz
gunzip gnupgshell-1.0.0.i386.deb.gz
sudo dpkg -i gnupgshell-1.0.0.i386.deb
Sudo will prompt for a password, this is your user password for logging into Ubuntu.
It should install to a relevant menu within the window manager, but if you can't find it then running "gnupgshell" in a terminal should launch it. The screenshots on the home page should give a good indication of what it will be able to do.
Assuming, of course, that everything behaves properly. Personally I haven't used a frontend (not counting Enigmail) for years. For all the stuff here I use a combination of the command line and the Emacs text editor with EasyPG (with plugins for Firefox and Thunderbird so I can use Emacs with them). That's probably not the route you want to take at this stage, though. Emacs can be a little complex and it takes a long time and a lot of effort to get used to.
Anyway, try this and let me know how it goes.
-
I've now installed gnupgshell but it won't run:
Selecting previously unselected package gnupgshell.
(Reading database ... 177299 files and directories currently installed.)
Unpacking gnupgshell (from gnupgshell-1.0.0.i386.deb) ...
Setting up gnupgshell (1.0.0-1) ...
anonymous@myubuntusystem:~$ gnupgshell
gnupgshell: command not found
I've tried Geany too, it installs ok but trying to follow the instructions on the other threadBefore we get started you should already have made a key in seahorse and imported (and signed) at least one persons public key that you want to send messages to. After you have done that you can then do the following
TO ENCRYPT MESSAGES:
Just open a new document and write your message.
Once you are done click on the "Tools" menu
Go to the "GeanyPG" sub-menu and choose encrypt
You can then select who you want to encrypt it for, from any of the keys that you have imported into Seahorse
And you can also choose to sign the message with one of your keys
now you have the encrpyted message and you can just copy and paste it into your email/PM
My keys are in 'Passwords & keys' rather than seahorse so don't know if thats the reason but in the tools (or any other) menu there's no 'GeanyPG' sub-menu or anything that looks like it deals with encryption.
Quote from: Oompaloompa on Today at 07:07 AM
I've got the terminal sizing sorted, I've found I can open a resizable terminal with ctrl+Alt+T rather than a full screen terminal (with no mouse or copy paste) with ctrl+alt+f1 to f6
Where on the GUI should I be looking for 'the package management system that comes with Ubuntu' - aptitude, I've searched applications for apt but nothing's appearing?
It'll be there, but it might be tucked away under some system management menu. Probably called something like System or Utilities. It's been a few years since I've done anything with Ubuntu and they've changed their default window manager since then.
I've got the synaptic package manager, which I installed and looking through it I find apt - described as command line package manager. There's also listed what look to be uninstalled 'apt-offline-gui' an offline apt package manager - GUI. Presume I can just tick its box & install it or just continue to use synaptic.
Interestingly synaptic shows gnupgshell as installed but it doesn't come up in the 'DashHome' app search bit or run via the terminal. Any suggestions?
-
I've now managed to find GnuPGShell in the ubuntu software centre which tells me "This program is run from a terminal:
wxGnuPGShell"
and sure enough it runs with wxGnuPGShell
Haven't tried to encrypt/decrypt with it yet but at least I can get it open now. Any idea how to get it runnable from the desktop, like an icon on the desktop rather than going via the terminal each time?
Had a little test of this now, I can encrypt/decrypt stuff with my own key but unlike gpg4win it seems like you can only encrypt something for one other key/recipient rather than multiple recipients & I can't select myself & another as recipient.
Is that the case?
Not a big problem it just means I can't decrypt messages I've sent to check the contents, but is there a way to do this I've missed? when I tried I got the error "Decryption of file /home/anonymous/Desktop/testing.gpg failure due to errors."
Also it doesn't seem to give any notification that clicking sign files actually does anything so I'm not sure if it does or not, presume I need to sign before encrypting?
-
Had a little test of this now, I can encrypt/decrypt stuff with my own key but unlike gpg4win it seems like you can only encrypt something for one other key/recipient rather than multiple recipients & I can't select myself & another as recipient.
Is that the case?
The place to set this is within GPG's configuration for this account (this is one of the reasons I recommended creating a different Ubuntu user account for your SR usage).
In your home directory there will be a hidden directory called ~/.gnupg/ which contains your public keyring, your secret keyring and your gpg.conf file. Make a copy of the ~/.gnupg/gpg.conf file as a backup (it's always good to have one) and then open gpg.conf in your preferred text editor (e.g. Nano, Vim, Emacs or whatever - Nano is the easiest to use).
You will want to set the "default-key" to the short key ID for your key. The option to automatically encrypt everything to yourself is a couple of paragraphs down with the "encrypt-to" option, set that with the same key ID as for "default-key" option. Do not use any of the "default-recipient" options, they won't achieve the result you want for SR.
GPG also has the facility to set groups of keys so that a name to a collection of keys in the gpg.conf file to encrypt to multiple recipients (or it can be done on the command line by invoking "-r" or "-R" multiple times). A group specified in this way should be able to be identified and used by any frontend (which are just passing your mouse clicks to the corresponding command line options). That said, it might be better to play around with multiple frontends and see which one(s) best fits your needs.
Also it doesn't seem to give any notification that clicking sign files actually does anything so I'm not sure if it does or not, presume I need to sign before encrypting?
You can sign and encrypt simultaneously and that's what usually happens with email (e.g. with Enigmail in Thunderbird). Some systems will clearsign a message first and then encrypt that (e.g. Hushmail), but that is not the majority.
There are also multiple forms of signing, mainly differentiated by whether there is a separate file containing the signature or whether that is included in the original message (that's what "--clearsign" produces). So it depends on which method the frontend is using.
-
Thanks for all your help Louis, I've not tried setting up the config yet as I've been busy sorting out port forwarding for a Tor relay but it looks like I'm sorted for gpg now.
Cheers
-
Thanks for all your help Louis, I've not tried setting up the config yet as I've been busy sorting out port forwarding for a Tor relay but it looks like I'm sorted for gpg now.
Excellent! :)