I installed PGP plugins for Claws mail, but there is no option in the settings to import my existing keys.
Is it possible? How to import key that was generated? I can not decrypt incoming messages in Claws without my imported private key.
I have added keys to Claws by adding them to Thunderbird:
Install Enigmail extension for Thunderbird.
Add public/private keys to Enigmail.
You will get key ID.
Copy ID and paste in the Claws settings.
An awkward solution. Tested on Linux only.
I hope there is something better.
UPDATE:
I found a solution.
Use Certificate Manager and Unified Crypto GUI to import all keys. In my case I use a preinstalled "Kleopatra".
Claws will discover added keys.
Related
I'm working on a project where two clients can send files to each other via web sockets (using Socket.IO). Each chunk is encrypted with AES.
Currently, the clients connect to the server, they each generate an RSA public/private key pair on their devices, they then announce their public keys to the server which sends them to the other client, and this gets stored by said client. Before data is sent, it is encrypted with AES using a random key and a random IV, and the AES key is then encrypted using the other client's public key. The data is sent across, the other client then decrypts the AES key using their RSA private key, and finally decrypts the content using the decrypted AES key and saves it to a file on their disk.
The issue is that the server could easily just replace one client's public key with its own, and steal the data. The only solution I can think of is for the clients to contact one another and manually verify their public keys... I'm not sure how I'd go about automating this process. Services that provide E2EE seem to generate a matching code on each device, but I'm having trouble finding any information about how this is actually implemented, like how would two devices generate matching codes without talking to a server or each other in between, and if they do, then the server knows the code anyway right?
I've considered using WebRTC to send the public key from one client to the other without having the data go through the server, but I'd appreciate alternative approaches. Thank you in advance! :)
To prevent MITM, users are supposed to "manually compare public key fingerprints through an outside channel", as explained in this article regarding the Signal Protocol.
Usually, it means checking an hexadecimal string over a trusted communication: face to face, phone, ... Depending on your requirements, you might also consider that an attacker cannot access both your tool and emails at the same time and consider emails your trusted communication.
I have an ETL that is Un-PGPing a file sent to us. This process works for two people on our team but fails for the rest on the unPGP step. We all use Kleopatra for our key encryption/decryption and have the same key's imported.
I have noticed that the keys on the systems that work are set to the trust level "This is my certificate" (sometimes called Ultimate trust). However the option to set to that level on the other systems are grayed out.
I have tried to change the level via a CMD prompt based on this article:
https://security.stackexchange.com/questions/129474/how-to-raise-a-key-to-ultimate-trust-on-another-machine
However I do not get the same prompts as described.
When debuging with CMD /K I see:
gpg: decryption failed: No secret key
UNPGP Failure Message
I found out how to change my trust,
gpg --edit-key [key-id]
trust
5
though this didn't end up solving my problems.
I discovered when I typed gpg --list-secret-keys I would get nothing in return despite having kleopatra tell me the keys were properly installed.
I found and staged the secret key's I needed then imported them using GPG.
gpg --allow-secret-key-import --import "filename.asc"
This fixed my issue!
I downloaded the upload_cert.der file from the Play store. I added the root certificate to my keystore just fine. But Android Studio won't let me use it because there is no password for it. Android Studio complains that I must enter a key password before it let's me do the build.
Is there a way to generate a password protected private key from this upload_cert.der file?
Is there a way to just get Android Studio to let me get past this "error" and do the build?
I'm using Windows and the upload_cert.der file was added to my Windows certificate store. Could I just signed the APK outside of Android Studio (even though I'd rather stay within the tools for this)?
I found someone else ask this question and none of the answers mentioned the password, just explanations for why there are multiple entries of the wrong type in the keystore, etc. To be clear, I can create a key in the keystore of my own making and with a password, just fine. I deal with deleting an alias before I try to add a key of any sort. I just don't know how to use the .der file from the play store when Android Studio wants a password for the key and there is none!
Here's the exact error if I use a password that is just random jiberish:
Failed to read key rep from store "C:\Users\xxxx\xxxx.jks": trusted certificate entries are not password-protected
So it's clear that there is no way to fake this out somehow.
The important fact you are missing:
Google Play never gives you a key you use to sign things. It only ever gives you certificates to verify with.
I'll start with the basics you probably know. In public key cryptography, there is a private key and a public key. Only the person who signs has the private key. Otherwise anyone could sign. The public key anyone can have. They can use it to check the signature is valid.
The upload_cert.der download only contains the public key. The reason Google Play lets you download it for verification. You can verify offline your signatures match what the Play Store expects. You probably never need to do this.
Why doesn't Google give you the signing key?
Google Play doesn't give you the private key for the upload certificate for 2 reasons.
Google doesn't have the private part of your upload key! You created the private key part of the upload key, when you enrolled in Google Play App signing. You never gave it to Google. All Google has is the public key part.
If Google did give it to you, the key would have no value. The whole point of the upload key is that even if a hacker breaks into your Play Console account they still cannot upload a new version of your app. They would need the upload key as well. The upload key means Google Play knows the app came from you. If they let you download the signing key from your account, then a hacker could just download it too. Then it would be worthless.
How do I get the upload key I need for signing?
So now the question you probably have is "how do I get the public key I need for signing?". The answer is "you create it". When you first upload your APK, that APK was signed with a key (Google insists on it). It was probably stored in your Android Studio. That key becomes your upload key. Find where you kept it.
What if I lost it?
Now you might be in a place where you don't know where the key is that you originally used. This is the great thing about Google Play App Signing. If you were signing your app yourself and lost the signing key you would be stuck, you'd have to create a new app. But with Google Play App Signing you can contact Play Console support and they can help you. The process is on the help page.
Look at the section entitled "Create a new upload key". Notice step 1 is you create the key. Google still never has it.
I'm wondering if it's possible to encrypt text client side.
The situation is that I have a block of text I want to encrypt, and then save the encrypted text to a file. Only after a certain amount of time has passed will my program decrypt it. Another requirement I have is to be able to transfer the file with the encrypted text and be able to decrypt it with other copies of my program on various machines.
The problem is where to store the key. The only implementation I can think of that would work is if I store the key server side, and have it return the key after a certain time has passed.
Is there a way to do this client side (i.e. without any internet access)?
You can surely encrypt text on the client side, but the real problem is key management.
If the assumption is no Internet access, then you're going to have to package a certificate in the client that contains both keys, private to encrypt, public to decrypt, unless you use a symmetric key. Was going to suggest just generating a local, temporary symmetric key, but you state you must be able to decrypt the text on other machines that won't have it, so that won't work. At first blush, and maybe I'm overlooking something obvious, is packaging a cert on the client with public and private keys, and that introduces its own set of problems, eg protecting the cert with the private key.
I know how asymmetric cryptography works. I know there are two keys (one private and one public).
When someone wants to communicate they exchange their public keys encrypt messages with those public keys AND then the respective message could be decrypted ONLY by the user that has the private key.
Now, I'm using Node.js and I need to do something like this...
I need an application that EACH hour reads a database, extracts data and saves it to a file that I need to send to another server.
My problem is that I DON'T WANT that file will be visible to other, I do the transfer using SSH so there is no problem BUT
I must encrypt that file because I'm not the admin of that server SO maybe someone could read it. Unfortunately the admin is the same for both servers.
So my idea is to encrypt the file with a public key, and then only he who has the private key(me) could decrypt it.
I think it is pointless using something like:
var key = 'blablabla'
If I use a public key, there is no problem, all can read it..... it is public indeed. But with this public key, nobody can decrypt the message, so it is
something like one-way encryption.
Now, could someone tell me if I need a signer/verifier to do this job, OR maybe I have to generate two keys (public/private) with openssl and pass those keys to a cipher/dechiper?
I'm looking at crypto modules, but there are no examples....
In general, your idea is right - you encrypt using public key and decrypt using private key of yours. However, practically the procedure is more complex. Random symmetric key is generated and the data is encrypted using that key. Then the public key is used to encrypt the random key. Encrypted key is sent to recipient together with encrypted data. On the other side encrypted key is decrypted using a private key, then the data is decrypted.
You can use OpenPGP keys or X.509 certificates to do the job.
In case of OpenPGP the standard offers encryption and decryption as atomic procedures (on the user level). In case of X.509 certificates you need to use PKCS#7 / CMS.
OpenSSL library offers operations with PKCS#7 / CMS, however when I look at nodeJS API for OpenSSL, that API is very limited and doesn't expose those functions. Maybe you can write your own nodeJS module which will interface with OpenSSL and provide missing functions.
Another alternative is to use OpenPGP keys and node-gpg module. That module uses gnupg to do the actual job, so gnupg must be installed.
Unfortunately I don't see any other suitable libraries in the 3rd-party module list provided in nodeJS wiki.