Password protecting files using GnuPG

I found a useful way of using GnuPG today when someone couldn’t decrypt a passworded zip file I sent them (probably using p7zip/infozip instead of “proper” unzip).

You can use symmetric encryption with GnuPG, i.e. just a password rather than a keypair+passphrase, and you don’t have to exchange keys or sign things etc:

gpg --symmetric myfile.pdf

Then decrypt with simply “gpg myfile.pdf.gpg” (the encrypted copy is written alongside the original with a .gpg extension).
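For scripted use, the same symmetric round trip can be driven without a prompt. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the function names and the passphrase file are made up for illustration:

```shell
#!/bin/sh
# Added example: non-interactive symmetric encryption with GnuPG 2.1+.
# The passphrase is read from a file (first line) rather than passed with
# --passphrase, which would expose it in the process list.

# encrypt_sym PLAINTEXT PASSFILE  -> writes PLAINTEXT.gpg
encrypt_sym() {
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 \
        --output "$1.gpg" "$1"
}

# decrypt_sym CIPHERTEXT PASSFILE OUTPUT
# Returns non-zero when the passphrase is wrong or the file was altered.
decrypt_sym() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --output "$3" --decrypt "$1"
}
```

Keep the passphrase file readable only by its owner and send the passphrase to the recipient over a different channel from the file.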

I also fixed my NASL scripts with a bit of sed; this example replaces all the 50000 script_id()’s with 950000 ones:

for nasl in *.nasl ; do sed 's/script_id(5/script_id(95/g' "$nasl" > "$nasl.tmp" ; done
for nasl in *.nasl ; do mv "$nasl.tmp" "$nasl" ; done

Then just re-sign them and re-install them into Nessus, as root:

/etc/init.d/nessusd stop
cd /opt/nessus/lib/nessus/plugins/
for files in /git/nessus/*.nasl ; do /opt/nessus/bin/nasl -S "$files" > "$(basename "$files")" ; done
/opt/nessus/sbin/nessusd -R
/etc/init.d/nessusd start

The only problem then is that the current Nessus 4.2.2 with webserver version 2.0.0 truncates the plugin ID in the lists, as the Flash needs updating to make the column wider; apparently this will be fixed in 4.4.
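The sed expression in the renumbering step matches any script_id( whose number starts with 5, whatever its length. A stricter variant, as an added example that is not from the original post (the function name renumber_nasl is made up here), only touches five-digit IDs in the 50000 to 59999 range and prints how many files it changed:

```shell
#!/bin/sh
# Added example: renumber script_id(5xxxx) to script_id(95xxxx) in place.

# renumber_nasl DIR -> prints the number of files rewritten
renumber_nasl() {
    dir=$1
    changed=0
    for nasl in "$dir"/*.nasl; do
        [ -f "$nasl" ] || continue          # glob matched nothing
        # Skip files without a five-digit ID starting with 5, so IDs that
        # are already 95xxxx (or any other length) are left untouched.
        grep -q 'script_id(5[0-9]\{4\})' "$nasl" || continue
        tmp="$nasl.tmp"
        if sed 's/script_id(\(5[0-9]\{4\}\))/script_id(9\1)/' "$nasl" > "$tmp"; then
            mv "$tmp" "$nasl"               # replace only after sed succeeded
            changed=$((changed + 1))
        else
            rm -f "$tmp"
            return 1
        fi
    done
    echo "$changed"
}
```

Running it twice is harmless, because the second pass finds nothing left in the 5xxxx range.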

More Of The Same

I’ve been testing PGP10 with GnuPG2 again, and noticed that GnuPG2 seems to embed the filename of encrypted files incorrectly – they’re always called “-&25”. Whilst they decrypt fine using GPG which I guess ignores the embedded filename and uses the actual filename, PGP cannot handle it. The fix is to add: set-filename "" to ~/.gnupg/gpg.conf

I installed my Corsair H50-1 watercooling system the other day, and on the final step found that I had a mis-manufactured part so am awaiting delivery of a replacement – which is being held up getting between the US and Europe due to bloody Icelandic ash! So I had to put everything back together again, wasting about three hours of my time. I did at least confirm that I can get a 2-fan setup into my case, it’s a bit tight with the graphics card and PCI bracket though.

I installed Solaris 10u8 under VirtualBox yesterday and found that they’ve improved security by default – a lot of policies that had to be manually tightened are already set, such as SSHv2 and no root SSH. I meant to test them before applying the patch cluster, as the fixes could be due to the cluster. Update 9 should be due next month, which is the first post-Oracle release.

I’ve been playing with Nessus 4.2 exporting to Excel, using custom XSLTs and writing more NASLs. I installed 4.2.2 but it still doesn’t cache the SWF object.

I’m awaiting a replacement hard disk caddy for my laptop as it recently stopped working. I’m pretty sure it’s not the disk that’s dead as it’s barely been used and works fine the 10% of the time it actually does boot.

My Samsung F3 hard disk has started humming and vibrating like all the F1s did, so I expect that it is on its way out, so I’m backing up regularly and will probably order a WD Caviar Black 1TB next month. I’m fed up of Samsung, they’re the new Maxtor/Deskstar of the hard disk world I reckon!

GnuPG and PGP

I’ve been playing with the commercial PGP Desktop Pro today. It’s funny how, for 185ukp, its frontend really isn’t as nice as the free Seahorse and the PGP 10 backend isn’t [reportedly] as secure as the opensource GnuPG 2.

They both comply with the OpenPGP standard, so I found I could use public/private keys generated on one with the other, and create encrypted/signed files using one tool and decrypt and verify them on the other.

I’ve also been doing a lot more work with Nessus scripting lately – writing a lot of NASL plugins and also a parser to convert from the new Nessus 4.2 XML format to an Excel spreadsheet.

The other day I tried to get MS Office 2007 installed under WINE. Well it didn’t go well, eventually I did it (by removing the SP2 files from the installer) but the installed applications wouldn’t start. So I decided to try those Crossover Pro 8 licenses I won. Well all I can say is I’m glad I got them for free not seventy bucks, as even though they did install and run Word 2007 without modification like WINE, the installer screwed up my MIME associations. Plus the de-installer didn’t clean up after itself.

I don’t know how CodeWeavers are making money out of Crossover when the few advantages it has over WINE (GUI config etc.) actually break things that WINE wouldn’t. So I think I’ll stick to unzipping .docx files and opening them in OpenOffice.

Wire speed!

Dad came over the other day and helped me run some CAT6 cable from my computer room to my lounge so I can stream videos etc at gigabit speed over NFS from the fileserver upstairs to the Mac Mini which is now hanging off the LCD TV using my new HDMI-to-DVI cable.

MacOSX at 1920×1080 on a 37″ screen is incredible! I’m awaiting my wireless keyboard/trackerball so I can use it to surf downstairs as well as running Plex (Xbox Media Center ported to the X86 Mac) with the Mac’s remote control. I’ve watched my first 720p and 1080p movies, and you can actually see the difference from a regular 480p XviD or DVD – not just the resolution, but the detail like hair and leather textures and lack of compression artefacts, plus you get DTS 5.1 sound and so on that the Xbox1 simply can’t cope with.

I’m going to order 15m of white CAT6 or 5e from ebay though, as the blue looks a bit naff against my white walls.

I’ve been playing with Windows Vista today under VirtualBox3, it really is a pile of poo – can you believe that to install Service Pack 2 you actually have to first install SP1? They each take about an hour, and afterwards there’s still more to get from Windows Update. Literally to install Vista, Norton and Office (plus service packs etc.) must have taken well over four hours! Nothing like RedHat where you install 5.0, type “yum -y update”, go make a cup of tea and come back to 5.3 with OpenOffice and so on pre-installed.

Weather’s still boiling hot, in fact I’ve come out in prickly heat/heat rash, so am showering every few hours to keep my core body temperature down and minimise sweat.

I also finally found my old GnuPG key, so I’ve revoked the Jedi one from the keyservers, leaving the more up-to-date Synaptic one which uses better encryption.

Encrypted backups

I’ve been looking for ways to securely back up my encrypted partitions – what’s the point of having a secure place for your data if the backups are in plain text?!

So instead of having another encrypted partition for backup, say on another machine or disk, I thought I’d use GnuPG 2 to encrypt and sign my backups.

The command would be:

tar -cf directory.tar directory/
gpg2 -ser myuser directory.tar

However, I found a nice little utility called Seahorse, which has Nautilus integration that allows you to right-click a directory, and then it tar+bzip2’s (or zips, whatever), encrypts and signs it in one operation, so you go straight from directory/ to directory.tar.pgp. It also does things like SSH key management, GPG signature checking etc.

So now I can include the encrypted data with my normal unencrypted rsync backup regimen, as data that is important enough to be encrypted is definitely important enough to be backed up!
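The two-step tar and gpg2 command above leaves a plaintext directory.tar on disk next to the encrypted copy. The sketch below pipes tar straight into gpg and refuses to list a backup whose signature does not check out; it is an added example, not from the original post, it assumes GnuPG 2.1 or later with the recipient's key pair already in the keyring, and backup_dir and list_backup are made-up names:

```shell
#!/bin/sh
# Added example: sign+encrypt a directory in one stream, verify on read.

# backup_dir DIR RECIPIENT OUTFILE
# Streams tar into gpg, so no plaintext directory.tar is written to disk.
# The pipeline's exit status is gpg's; tar's own errors only reach stderr.
backup_dir() {
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" |
        gpg --batch --yes --sign --encrypt \
            --local-user "$2" --recipient "$2" --output "$3"
}

# list_backup FILE
# Decrypts FILE and prints the archive's member names, but only when gpg
# reported a good signature; an unsigned or tampered backup returns non-zero.
list_backup() {
    status=$(mktemp) || return 1
    rc=0
    names=$(gpg --batch --quiet --status-file "$status" --decrypt "$1" |
            tar -tf -) || rc=$?
    grep -q '^\[GNUPG:\] GOODSIG ' "$status" || rc=1
    rm -f "$status"
    [ "$rc" -eq 0 ] && printf '%s\n' "$names"
}
```

With the post's names this would be called as backup_dir directory/ myuser directory.tar.gpg, and list_backup directory.tar.gpg before trusting a restore.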

I’ve also set up sudo and SSH keys allowing me to rsync privileged files from one machine on the LAN (desktop) to another (fileserver). I found that to allow the SSH keyserver to forward your keystore to another user i.e. to the root user when using sudo, you have to add the following to /etc/sudoers:

Defaults env_keep += "SSH_AUTH_SOCK"
myuser ALL=NOPASSWD:/usr/bin/rsync

Then to do the backup as root, but using your unprivileged user’s SSH key, as we don’t allow root SSH, you run the rsync command (over SSH, not rsync protocol) like this, for backing up /etc:

sudo rsync -ae "ssh -i /home/myuser/.ssh/id_rsa" \
  --rsync-path="sudo rsync" myuser@ /backups/etc/

Of course you’ve then got the problem of how to back up your GPG/SSH private keys, without which you couldn’t decrypt the backups, or run the rsync. I guess they’re safe to be backed up unencrypted as they have good passphrases, and are already encrypted themselves.

I’ve migrated from the unmaintained Quickcode to WP-Syntax for my code snippets as you can see above, it also adds syntax highlighting and line-numbering.