How to encrypt and decrypt files using gpg in Linux

Use the following command to generate a key (if you already have a key, you can skip this step):

# gpg --gen-key

Note: it asked me to input some info; I chose the defaults for everything except name, email, and passphrase. My inputs were gpg_encrypt (name), myemail@gmail.com (email), and simonljb (passphrase).

The key generation process is very long, so be patient.  Once the key is generated, you are ready to encrypt some files.

I have a file named test, and the contents of the file are:

This is a testing file.  The contents will be encrypted.

Use the following command to encrypt the file:

# gpg -e -r gpg_encrypt test

Note: gpg_encrypt is the name you entered during the key generation process.
A new file test.gpg will be generated. Its contents are binary ciphertext, so they look like random garbage if you open the file in a text editor.

To decrypt the file, use the command:

# gpg --output test2 --decrypt test.gpg

Type in your passphrase to decrypt test.gpg, and a decrypted file test2 will be generated. The contents of test2 should be the same as the original test file:

This is a testing file.  The contents will be encrypted.
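Because test.gpg is binary, its first bytes are an OpenPGP packet header rather than text: in an old-format header a first byte of 0x85 means packet tag 1 (public-key encrypted session key) with a two-byte length field. The following parser is an added example, not code from the original post; it decodes packet headers per RFC 4880 and, for a tag 1 packet, reports which key ID the file was encrypted to, which lets you confirm a file went to the intended recipient without decrypting it. The sample bytes are constructed and use a placeholder key ID.

```python
import struct  # added example, not code from the original post (see lead-in)

TAG_NAMES = {1: "Public-Key Encrypted Session Key", 3: "Symmetric-Key Encrypted Session Key",
             18: "Sym. Encrypted and Integrity Protected Data"}

def parse_header(data, offset=0):
    """Return (tag, body_length, body_offset) for the packet header at offset (RFC 4880 4.2)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header: tag in the low 6 bits, variable-size length
        tag, b1 = first & 0x3F, data[offset + 1]
        if b1 < 192:
            return tag, b1, offset + 2
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + data[offset + 2] + 192, offset + 3
        if b1 == 255:
            return tag, struct.unpack(">I", data[offset + 2:offset + 6])[0], offset + 6
        raise ValueError("partial body lengths not handled")
    # old-format header: tag in bits 2-5, length-type in the low 2 bits
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    size = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[offset + 1:offset + 1 + size], "big"), offset + 1 + size

def parse_pkesk(body):
    """Decode a version 3 PKESK body: recipient key ID, public-key algorithm, MPI size."""
    return {"version": body[0], "key_id": body[1:9].hex().upper(),
            "algorithm": body[9], "mpi_bits": struct.unpack(">H", body[10:12])[0]}

def describe(data):
    """Describe the first packet of an encrypted file without decrypting it."""
    tag, length, body_off = parse_header(data)
    info = {"tag": tag, "name": TAG_NAMES.get(tag, "unknown"), "length": length}
    if tag == 1:  # gpg -e -r writes a PKESK for each recipient before the encrypted data
        info.update(parse_pkesk(data[body_off:body_off + length]))
    return info

# Constructed sample: 0x85 = old-format header, tag 1, two-byte length of 268; the body is
# version 3 + placeholder 8-byte key ID + algorithm 1 (RSA) + a dummy 2048-bit MPI.
KEY_ID = bytes.fromhex("0123456789ABCDEF")  # placeholder, not a real key ID
SAMPLE = b"\x85\x01\x0c\x03" + KEY_ID + b"\x01\x08\x00" + b"\xaa" * 256
```

Running describe() on the first bytes of a real test.gpg reports the key ID that must match the recipient you named with -r.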


Reference: http://forum.codecall.net/topic/48235-gpggnupg-encyrption-tutorial/


Signing rpm packages with GPG

Signing your RPM packages lets users verify that the packages they download really came from you and have not been modified, which makes the packages more trustworthy. In my previous post “How to install and configure yum server for Cloudstack 4.0 on CentOS 6.4”, I showed you how to deploy a yum server. Now I’ll show you how to sign its packages with GPG.

On server side

1. Generate a GPG key
# gpg --gen-key

Note: it asked me to input some info; I chose the defaults for everything except name, email, and passphrase. My inputs were simonljb (name), myemail@gmail.com (email), and simonljb (passphrase).

2. Confirm if the GPG key was created successfully
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/8F5BA5B1 2013-06-06
uid               simonljb <myemail@gmail.com>
sub   2048R/563294AD 2013-06-06

3. Export the key
# gpg --export -a simonljb > /var/www/html/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0

4. Add the GPG signing details to your rpm environment
# echo "%_signature gpg" > ~/.rpmmacros
# echo "%_gpg_name simonljb" >> ~/.rpmmacros

5. Sign RPMs with the GPG key
# cd /var/www/html/cloudstack4.0/
# rpm --resign *.rpm

6. Create the repository
# createrepo --database /var/www/html/cloudstack4.0/


On client side

1. Configure yum repository
# cd /etc/yum.repos.d/

Create the CloudStack.repo file, add the following:

[cloudstack]
name=cloudstack
baseurl=http://192.168.0.9/cloudstack4.0
enabled=1
gpgcheck=1
gpgkey=http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0

Note: I assume the IP of my yum server is 192.168.0.9

# yum makecache

2. List available repositories to check that cloudstack is among them
# yum repolist

3. Install the cloud-agent package to check that it works. If it works, you will see output similar to the following:

# yum install cloud-agent

(159/159): zip-3.0-1.el6.x86_64.rpm                    | 260 kB   00:00
------------------------------------------------------------------------
Total                                        39 MB/s | 146 MB     00:03
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 8f5ba5b1: NOKEY
Retrieving key from http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0
Importing GPG key 0x8F5BA5B1:
Userid: "simonljb <myemail@gmail.com>"
From  : http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0
Is this ok [y/N]: y
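The signatures only protect clients whose repo file keeps gpgcheck=1 and points at a trusted gpgkey. The following audit of a yum .repo file is an added example, not code from the original post: it flags enabled repos with gpgcheck off, with no gpgkey, or with a key fetched over plain http as in the client config above (in that case the key's fingerprint should be confirmed before answering y at the import prompt). The sample file contents are constructed.

```python
import configparser  # added example, not code from the original post (see lead-in)

def audit_repo(text):
    """Return [(section, issue), ...] for the enabled repos in a yum .repo file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        if opts.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot install anything, so skip it
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append((section, "gpgcheck is not 1: RPM signatures are never checked"))
        key = opts.get("gpgkey", "").strip()
        if not key:
            findings.append((section, "gpgkey missing: yum has no key to verify signatures with"))
        elif key.startswith("http://"):
            findings.append((section, "gpgkey served over plain http: confirm its fingerprint "
                                      "before answering y at the import prompt"))
    return findings

# Constructed samples: the first mirrors the client config above; the second turns checking
# off and drops the key, which leaves every package from that repo unverified.
PAGE_REPO = """\
[cloudstack]
name=cloudstack
baseurl=http://192.168.0.9/cloudstack4.0
enabled=1
gpgcheck=1
gpgkey=http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0
"""
WEAK_REPO = PAGE_REPO.replace("gpgcheck=1", "gpgcheck=0").split("gpgkey=")[0]
```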

Reference
http://linuxsysconfig.com/2013/04/create-a-yum-repository-with-custom-gpg-signed-packages/


Install Caching-Only DNS server on CentOS 6.4

From Wikipedia: the Domain Name System (DNS) is a hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or a private network.

Assume the IP of the caching-only DNS server is 192.168.1.2.

Install bind packages
# yum install bind bind-chroot bind-utils -y

Configure Caching-Only DNS server
# cd /var/named/chroot/etc/
# cp /etc/named.* .
# chown root:named named.*

Edit the named.conf file
# vi named.conf
options {
   listen-on port 53 { 127.0.0.1; 192.168.1.2; };
   listen-on-v6 port 53 { ::1; };
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   allow-query { any; };
   allow-query-cache { any; };
   recursion yes;

   dnssec-enable yes;
   dnssec-validation yes;
   dnssec-lookaside auto;

   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";

   managed-keys-directory "/var/named/dynamic";
};

logging {
   channel default_debug {
      file "data/named.run";
      severity dynamic;
   };
};

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Make sure that ROOTDIR is /var/named/chroot
# awk "/^[^#]/" /etc/sysconfig/named
ROOTDIR=/var/named/chroot

Start named service
# service named start

Make named service start at boot time
# chkconfig named on

Test on other server
# dig @192.168.1.2 google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @192.168.1.2 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1328
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 289 IN A 74.125.26.100
google.com. 289 IN A 74.125.26.113
google.com. 289 IN A 74.125.26.138
google.com. 289 IN A 74.125.26.102
google.com. 289 IN A 74.125.26.139
google.com. 289 IN A 74.125.26.101

;; AUTHORITY SECTION:
google.com. 172787 IN NS ns3.google.com.
google.com. 172787 IN NS ns2.google.com.
google.com. 172787 IN NS ns4.google.com.
google.com. 172787 IN NS ns1.google.com.

;; ADDITIONAL SECTION:
ns2.google.com. 172787 IN A 216.239.34.10
ns1.google.com. 172787 IN A 216.239.32.10
ns3.google.com. 172787 IN A 216.239.36.10
ns4.google.com. 172787 IN A 216.239.38.10

;; Query time: 0 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Tue May 28 15:54:36 2013
;; MSG SIZE rcvd: 260
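With recursion yes, allow-query { any; } and listen-on including 192.168.1.2, this server answers recursive queries from anyone who can reach that address, which is fine on a private LAN but turns an Internet-facing host into an open resolver. The following check is an added example, not code from the original post: it reads the options block of a named.conf and reports whether that combination is present, applying BIND's documented fallback from allow-recursion to allow-query-cache to allow-query. The sample config is constructed and abbreviated from the one above, and the options-block regex assumes the block closes with }; at the start of a line, as it does there.

```python
import re  # added example, not code from the original post (see lead-in)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _addr_list(options, name):
    """Return the address list of `name ... { a; b; };` in the options text, or None."""
    m = re.search(r"\b%s(?![\w-])[^{;]*\{([^}]*)\}" % re.escape(name), options)
    if not m:
        return None
    return [a.strip() for a in m.group(1).split(";") if a.strip()]

def check_resolver(named_conf):
    """Report whether the options block makes named an open recursive resolver."""
    # Assumes the options block closes with "};" at the start of a line, as in the file above.
    m = re.search(r"^options\s*\{(.*?)\n\};", named_conf, re.S | re.M)
    if not m:
        raise ValueError("no options block found")
    opts = m.group(1)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion = rec is not None and rec.group(1) == "yes"
    listen = (_addr_list(opts, "listen-on") or []) + (_addr_list(opts, "listen-on-v6") or [])
    # BIND: allow-recursion defaults to allow-query-cache, then allow-query, then localnets/localhost
    who = (_addr_list(opts, "allow-recursion") or _addr_list(opts, "allow-query-cache")
           or _addr_list(opts, "allow-query") or ["localnets", "localhost"])
    external = [a for a in listen if a not in LOOPBACK]
    return {"recursion": recursion, "recursion_allowed_from": who,
            "non_loopback_listeners": external,
            "open_resolver": recursion and "any" in who and bool(external)}

# Constructed sample, abbreviated from the named.conf above; the hardened variant limits
# queries to localhost and the 192.168.1.0/24 network instead of "any".
SAMPLE_CONF = """\
options {
   listen-on port 53 { 127.0.0.1; 192.168.1.2; };
   listen-on-v6 port 53 { ::1; };
   directory "/var/named";
   allow-query { any; };
   allow-query-cache { any; };
   recursion yes;
   dnssec-validation yes;
};
"""
HARDENED_CONF = SAMPLE_CONF.replace("{ any; }", "{ localhost; 192.168.1.0/24; }")
```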


Install and configure NFS server and client on CentOS 6.4

From Wikipedia: Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system.

I prepared two virtual servers in our CloudStack environment. One worked as the NFS server (192.168.1.2), the other as the NFS client (192.168.1.3).

Install NFS Server
# yum install nfs-utils -y
# service rpcbind start
# service nfs start
# chkconfig nfs on

Configure NFS Server
# mkdir /nfs-pub
# chmod 777 /nfs-pub
# vi /etc/exports
/nfs-pub 192.168.1.3(rw,root_squash)

# exportfs -a
# showmount -e
Export list for vm2:
/nfs-pub 192.168.1.3

Configure NFS Client
# modprobe nfs
# cat /proc/filesystems | grep nfs
nodev nfs
nodev nfs4

Test
On client side
# mkdir /nfs-mnt
# mount -t nfs 192.168.1.2:/nfs-pub /nfs-mnt
# cp /etc/passwd /nfs-mnt/passwd.c-root
# ls -l /nfs-mnt/
total 4
-rw-r--r--. 1 nfsnobody nfsnobody 1091 May 28 07:46 passwd.c-root

On server side
# ls -l /nfs-pub/
total 4
-rw-r--r--. 1 nfsnobody nfsnobody 1091 May 28 07:46 passwd.c-root

Test using the no_root_squash export option
On client side
# umount /nfs-mnt
On server side
# vi /etc/exports
/nfs-pub 192.168.1.3(rw,no_root_squash)

# exportfs -a

On client side
# mount -t nfs 192.168.1.2:/nfs-pub /nfs-mnt
# cp /etc/group /nfs-mnt/group-nrs.root
# ls -l /nfs-mnt/
total 8
-rw-r--r--. 1 root root 526 May 28 08:04 group-nrs.root
-rw-r--r--. 1 nfsnobody nfsnobody 1091 May 28 07:46 passwd.c-root

From the above, when root_squash is used the NFS server maps the client's root user to nfsnobody, an unprivileged account. All root-created files are therefore owned by nfsnobody, which prevents a client root from planting setuid-root programs on the share.

If no_root_squash is used, a remote root user can change any file on the shared file system and leave trojaned applications for other users to execute inadvertently.
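To make the squash rules concrete, here is an added example (not code from the original post) that parses /etc/exports, computes the UID the server attributes to a client request under root_squash, no_root_squash, all_squash and anonuid=, and flags the risky entries. It also catches the exports(5) pitfall of a space between the host and its options, which exports the share to every host. The sample exports file is constructed from the two lines tried above.

```python
import re  # added example, not code from the original post (see lead-in)

NFSNOBODY = 65534  # default anonuid on CentOS 6, i.e. the nfsnobody account seen above

def parse_exports(text):
    """Parse /etc/exports text into {path: [(client, {option, ...}), ...]}."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        entries = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            # exports(5): options with no host in front of them apply to every host ("*")
            client = m.group(1) or "*"
            entries.append((client, set(filter(None, (m.group(2) or "").split(",")))))
        exports[path] = entries
    return exports

def effective_uid(opts, uid):
    """UID the server attributes a client request to under the export's squash options."""
    anon = next((int(o[8:]) for o in opts if o.startswith("anonuid=")), NFSNOBODY)
    if "all_squash" in opts:
        return anon
    if uid == 0 and "no_root_squash" not in opts:
        return anon  # root_squash is the default, as the first test above shows
    return uid

def audit_exports(text):
    """Flag entries that keep remote root as uid 0 or that are writable by every host."""
    findings = []
    for path, entries in parse_exports(text).items():
        for client, opts in entries:
            if "no_root_squash" in opts:
                findings.append(f"{path} {client}: remote root keeps uid 0 (no_root_squash)")
            if client == "*" and "rw" in opts:
                findings.append(f"{path} {client}: writable by every host")
    return findings

# Constructed sample: the two lines tried above plus the classic mistake of a space
# between the host and its options, which silently exports the share to everyone.
SAMPLE_EXPORTS = """\
/nfs-pub  192.168.1.3(rw,root_squash)
/nfs-priv 192.168.1.3(rw,no_root_squash)
/nfs-oops 192.168.1.3 (rw)
"""
```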

Reference
http://zenit.senecac.on.ca/wiki/index.php/NAD710_Lab_6


Deleting files with inode on Linux

Let’s say you want to delete a file called abc.txt in the current directory.  To see the inode number of the file, use the command ls -i.  Let’s say the inode number is 11111, then you need to use the command: rm -f $(find . -inum 11111).  Therefore, the format of the command is: rm -f $(find . -inum [inode number]).

You may ask, why is this useful?  If you have a file with a really weird name, deleting it by file name may not work.


How to check your IP and gateway on Linux

Command for checking IP:
ifconfig
see the inet addr of the Ethernet card

Command for checking gateway:
route


How to use tar command in Linux

The tar command is very useful for file compression.  The format of the command is:
tar cvzf [archive_name].tar.gz [what_to_compress]

For example:
You have the files abc.txt and def.txt and you want to compress them into an archive called
archive.tar.gz

The command is:
tar cvzf archive.tar.gz abc.txt def.txt

To extract the files from the archive, you need to use:
tar xvf archive.tar.gz

Note: you can omit the v in cvzf and xvf, since v only lists the files being compressed or extracted from the archive.
