Back when one of my users created their GPG keys, they put some bogus text in the Comment field because they didn't realize the public nature of the field. So their name looks like:

Joe Smith (bogus text) jsmith@example.com

Which isn't really what we wanted it to look like. So the question is how to adjust the key on the fly using WinPT and publish the changes. We could just revoke the key and create a new one, but that would require re-signing and re-doing trust information for the new key.

According to various sources, the proper way to do this is with the "REVUID" command (not the "DELUID" command). While you can never remove a UID associated with your keys from the public key servers, a revocation tells people that the old identity (UID) is no longer used.

Performing the key edit in WinPT:

1. Open up the WinPT key manager, find your key, right-click and choose "Key Edit"
   
2. The "Key Edit" window will display showing the keys associated with this key set (top pane) and the User IDs (UIDs) associated with the key set (lower pane).
   
3. Highlight the incorrect UID, pick "REVUID" from the Command list and click "Ok"
   
4. You will be prompted for your passphrase. Enter it.
   
5. You will be asked to confirm this operation.
   
6. The Validity column for this UID will now say "Revoked".
   
7. In the Command list, choose "ADDUID" and click "OK".
   
8. Enter the correct information for your new ID. Remember that all 3 fields are public information. Comment is typically either the name of your company or a website URL.
   
9. Backup your keys (especially the secret key).
   
10. Distribute your updated public key.
    

For information on backing up a key, see my previous post on GPG4Win.

Note #1: If you have multiple UIDs associated with a key, you can use the "PRIMARY" command to flag one of the UIDs as the default UID to display in the key list. Simply select "PRIMARY" from the Command list, highlight the UID you want as the primary and click "OK". However, this only works in WinPT... in most other implementations, the default UID is the last one added to the key.

Note #2: Prior to exporting the key or giving it to anyone else, you can use the DELUID to remove UIDs from the key. But once you have published a UID for a particular key, only the REVUID command will do what you want.

Labels: Encryption, GnuPG, Security

TrueCrypt comes in handy for securing external USB or Firewire drives. Especially when those drives are used for backups of sensitive files or if you are going to ship the drives from point A to point B. Or even if you are worried about someone swiping the drive and mounting it on another workstation to access files that you have stored there.

Plus, as long as you know the passphrase and/or have the keyfiles used to decrypt the volume, you can move the USB device from workstation to workstation without losing access to the content.

A. right-click on My Computer, choose "Manage"

1. Under "Storage", go to "Disk Management"
   
2. Find the USB drive that you wish to convert to TrueCrypt (note that this will DESTROY all data on the USB drive)
   
3. Remove any existing partitions / drive letters assigned to the USB drive.
   

B. Create the new partition on the USB drive

1. Right-click, New Partition
   
2. Create a "Primary" partition
   
3. Use the entire drive (or only part of the drive if you wish)
   
4. Do not assign a drive letter
   
5. Do not format the partition
   
6. Click "Finish", note the "Disk #"
   

C. Create the TrueCrypt drive on the partition

1. Open up TrueCrypt, click on "Create Volume"
   
2. Create a standard TrueCrypt volume
   
3. Click on "Select Device" and choose the empty USB disk and partition
   
4. Double-check that you've selected the correct device
   
5. Encryption algorithm: AES, Hash: RIPEMD-160
   
6. Size cannot be adjusted
   
7. Enter your passphrase twice
   
8. Begin the format (NTFS for anything over a few gigabytes)
   

Once the partition has been formatted with TrueCrypt you can then return to the TrueCrypt window and mount the drive to a drive letter. If this drive is always connected to the system you may wish to mount it upon login by making it a "favorite" volume in TrueCrypt.

Labels: Encryption, Security, TrueCrypt

EMail-Security using GnuPG for Windows - GPG4Win offers better integration of GnuPG into Windows them past products (such as using WinPT with the command-line version of GnuPG). That means that the user experience is a lot nicer and it doesn't seem as clunky.

You can download GPG4Win here. The current version is: 1.0.2

Notes:

• GPGol (the MS Outlook plugin) only works with Microsoft Outlook 2003 (or later?), so if you are using older versions of MSOutlook be sure to *not* install this
  
• You probably won't need to install Sylpheed-Claws either, unless you are looking for a new e-mail program
  
• I prefer WinPT over GPA, but your tastes may be different
  

Installation:

1. Download and run the gpg4win-1.0.2.exe file
   
2. When you reach the "Choose Components" screen, you should deselect GPGol, GPA and Sypheed. And unless you speak German, you should deselect the Novice Manual and Advanced Manual components. So for most users you will only be installing: GnuPG, WinPT and GPGee.
   
3. Click "Next" and proceed.
   
4. At the "Install Options", I recommend only installing links to the "Start Menu" (and not the Desktop or Quick Launch bar).
   
5. Finally, proceed forward (using the "Next") button until you reach the "Install" button.
   
6. Clicking on "Install" will begin the installation.
   
7. After installation finishes, you can click on "Next" and "Finish" to exit the installation wizard.
   

Getting started

1. Go to "Start" --> "Programs" --> GnuPG for Windows --> WinPT
   
2. That will start the WinPT application.
   
3. If you have pre-existing GnuPG keyrings, you should probably select the import option (Copy GnuPG keyrings from another location). But you can also import existing keys at a later time.
   
4. For now, we will create a GnuPG key pair
   
5. Click on the "Expert" button
   
6. Key type: DSA and ELG (default)
   
7. Subkey size in bits: 2048 (you may wish to use 3072 or 4096)
   
8. Real name: (enter the name that you wish to associate with this key) This name will appear alongside your key on public keyservers.
   
9. Comment (optional): (typically a company name) Note that comments are public information and will appear alongside your key on the keyserver. Most people put their company name in this field, while others enter their website address (i.e. "www.tgharold.com").
   
10. Email address: (enter the e-mail address associated with the key) Again, this is public information that will be on the keyservers to allow people to find your public key.
    
11. Expire Date: Uncheck "Never" and enter an expiration date of a few years (I'd recommend 2 or 3 years).
    
12. Click the "Start" button
    
13. Enter the passphrase that you wish to use when protecting this key. I would recommend a rather strong one made up of numerous randomly picked words, letters, numbers and symbols. I will talk about protecting this passphrase later on.
    
14. Repeat your passphrase in the new window. This is done to ensure that you didn't mistype it the first time.
    
15. The progress dialog will now appear as GnuPG creates the keys for you. This can take a while as GnuPG needs to obtain random data from the system. You can speed the process up by typing nonsense into a document and moving the mouse in an erratic manner.
    
16. When GnuPG finishes, it will pop up a window that says "Key Generation Completed"
    
17. You will be offered the chance to backup your keyring. Click "Yes" and choose a location. I would recommend a USB key or a floppy disk as a backup target.
    
18. The key has been created and is now listed in the WinPT Key Manager
    

Configuring WinPT Options

1. Right-click on the WinPT icon in the System Tray
   
2. Select Preferences --> WinPT
   
3. Any options that I do not mention are optional and can be set to anything you desire. (Meaning that I don't have a specific recommendation for that option.)
   
4. CHECK - Do not use any temporary files
   
5. CHECK - Use clipboard viewer to display the plaintext
   
6. Cache passphrase for N minutes should be set to a value that you are comfortable with. If you set your machine to automatically lock after 5 minutes, you could cache the passphrase for longer. But if you don't automatically lock your workstation whenever you are away from the machine you should choose a shorter timeout period.
   
7. CHECK - Automatic keyring backup
   
8. SELECT "Backup to" and choose a folder location that is on a drive other then C: (such as a USB key drive or a TrueCrypt volume)
   

Configuring GnuPG Options

1. Right-click on the WinPT icon in the System Tray
   
2. Select Preferences --> GPG
   
3. There's nothing in particular that I feel needs to be changed here, but it does let you add a comment line for ASCII armored files.
   

Importing old keys into WinPT

1. Right-click on the WinPT icon in the System Tray
   
2. Select "Key Manager"
   
3. Under the "Key" menu, select "Import"
   
4. Browse to your old secring.gpg file
   
5. Highlight the keys that you want to import and click "Import"
   
6. For each key that you've imported, you will need to set the "trust" level of the key. Note that you can only set "owner/trust" values for keys that have not expired (see the "Validity" column in the key manager).
   
7. Right-click the key and choose "Properties"
   
8. If you are able to change the trust level, the "Change" button next to the "Ownertrust" field will be enabled. Click on "Change" and set your trust level for a particular key.
   
9. Note: Trust values are important. Never set a trust level higher then you feel comfortable with. Verify that you have the right key and that you have validated the fingerprint of the key through a secure channel.
   
10. 2nd Note: WinPT does sometimes crash after importing large quantities of keys. And you sometimes have to exit the Key Manager before you can see newly imported keys.
    

Final notes:

• I would recommend not using the "encrypt current window" functionality of WinPT. It is not working properly for me at the moment. However, the encrypt/decrypt clipboard functionality works fine.
  
• Make sure that you backup your secret key files
  

Backing up your secret key and passphrase on paper

1. In the WinPT Key Manager, highlight your key
   
2. From the menu, choose "Key" then "Export Secret Key"
   
3. Export this key to a secure location (such as a USB key drive, a floppy disk, or a encrypted volume / folder)
   
4. Open the .ASC file in Notepad
   
5. Change the font size using "Format, Font...". I would suggest a font of "Courier New" in a 11 or 12 point font.
   
6. Print out a copy of your private key block. That way, in a worst-case scenario, you could hand-enter (or OCR) it back into a new machine.
   
7. Jot a note to yourself at the bottom of the page to remind yourself what the passphrase is for this secret key. You may wish to be explicit or simply leave yourself vague hints.
   
8. Fold the paper up and place it into a "security" envelope. Security envelopes have printing on the inside of the envelope which is designed to prevent the contents of the letter from being read without opening the envelope. For additional security, you may wish to wrap a 2nd sheet of paper around your original sheet.
   
9. You may also include the floppy diskette containing the secret key inside of the envelope.
   
10. Seal the envelope
    
11. Write something memorable (signature, today's date, a song that is playing on the radio) along the sealed flap. That will give you a chance to detect tampering if the attacker does not reseal the envelope in a way that the markings still line up.
    
12. For additional security, place clear tape over the flap edge (and over your writing). That makes it more difficult to open without destroying your writing.
    
13. Jot a note to yourself on the outside of the envelope (today's date, the e-mail address of the key)
    
14. Place the envelope in a secure location (such as a bank vault, document safe), preferably at a location that is physically distant from your computer. You should keep this envelope as secure as you would your will or other important financial papers.
    

Labels: Encryption, GnuPG, Security

Probably the easiest way to get started with on-the-fly encryption is to create a TrueCrypt volume file and mount that as a Windows drive letter. The volume file (i.e. "mydrive.tc") can be stored on any hard drive and can be easily backed up as long as the volume is not mounted. Controlling who can mount a volume can be limited by using either a passphrase and/or a set of "keyfiles".

Once you have created the volume, you can store files inside it (using the mounted volume's drive letter) just like you would store files on any regular hard drive, USB/Firewire drive, or network share. It's completely invisible to the application. This makes it ideal for storing application data such as e-mail, financial programs, or other sensitive data.

For starters, I recommend creating a volume file that is protected with only a passphrase. This file should be small enough to copy off to CD or DVD media as a periodic backup. The passphrase should be something easy to remember, but difficult to guess. Punctuation and mixed-case should be part of the passphrase.

Once you have a good passphrase, you should guard against its discovery or loss. A good way of doing this is to write the passphrase down on an 3x5 index card. Fold the card in half and place it inside a folded piece of letter-sized paper. Place all of that inside a security envelope (security envelopes have a printed pattern on the interior which is designed to make it difficult to shine light through the envelope to read the contents). Seal the envelope and write your name or information over the edge of the flap, then place clear packing tape over the flap edge. Store the envelope in a secure location such as a bank vault or document safe. You should be reasonably secure against someone opening it up without discovery.

Creating and mounting the volume file:

1. Open up the TrueCrypt window.


2. Click the "Create Volume" button, this opens up the TrueCrypt Volume Creation Wizard


3. Create a standard TrueCrypt volume, click "Next"


4. Pick a location for your volume file. I would recommend an easy to locate folder such as C:\ or C:\Data. Give the file a reasonable name that is not overly specific (i.e. "ZDrive.tc"). You can use a file extension other then ".TC", but a determined attacker will be able to find out which files are TrueCrypt volumes anyway. Click "next" once you have specified where the volume file will be created.


5. Choose your encryption and hash algorithms. The defaults (AES and RIPEMD-160) are generally good enough. Click "Next" when done.


6. Enter your volume size. 650MB (CD-sized) or 4050MB (DVD-sized) are good values which allow you to easily backup your volume file to optical media. You can always create another, larger, volume later and copy your data from the old one to the new one. Click "Next" when ready.


7. Enter your passphrase that you picked earlier. Click "Next" when ready.


8. Now you are ready to format the encrypted volume. For smaller volumes (less then 1GB), I would recommend FAT. Click "Format" when finished.


9. Click "Exit" to leave the wizard.

Now you are ready to mount your new volume:

1. In the "Volume" section at the bottom of the TrueCrypt window, click on the "Select File..." button.


2. Browse to and select your volume from the list.


3. Choose an unused drive letter in the upper window.


4. Click on the "Mount" button.


5. You will be prompted to enter your passphrase for the volume.


6. You may now start copying data to your new encrypted volume.

Labels: Encryption, Security, TrueCrypt

I've been looking for a good disk encryption system for a while. In the past few years, I've been using PGP's PGPDisk tool with good success, but there have been a few annoyances.

- Difficulty interacting with WindowsXP, drives have to be mounted at bootup or they won't show up after being mounted. This made it difficult to keep PGP volumes on DVD-R for ad-hoc mounting to refer to information contained within the encrypted disk.

- PGPDisk does not remember how to mount disks at the previously mounted drive letter. (Something that DriveCrypt did very well.)

- Pricing. The PGP suite with PGPDisk has gotten more and more expensive over the years. It used to be available for well under US$100 with no subscription but now costs US$80/yr for each user. That cost precludes using it for more then a handful of users.

So, with all that in mind, I've been looking at TrueCrypt which is a replacement for the PGPDisk tool. It offers the same functionality, but is open-source and free.

Note: Disk encryption works in two ways.

1) You create a file on your hard drive that contains a virtual drive. The PGPDisk / TrueCrypt / DriveCrypt software allows you to mount this file as a drive letter on your system. Any data inside of that virtual drive is encrypted on the fly. When the drive is not mounted, the data is safe from prying eyes.

2) You create an encrypted partition on a dedicated hard drive (or a partition on a hard drive). This is called "whole disk encryption" by some vendors. It has some advantages over the file-based method but mostly works in an identical manner.

...

So why should someone use disk encryption?

The easiest scenario to sell is with someone who uses Quicken or MS Money to manage their finances. This is the primary reason that I started using disk encryption back in 2000. Since I keep my Quicken program on my laptop, I want to protect my financial data in case the laptop gets stolen. By storing my Quicken files inside of an encrypted volume that is rarely mounted, a thief who steals the laptop will not have access to those files.

In addition, if the hard drive fails, I don't have to worry about getting it back up and running to wipe the data before getting a replacement.

Labels: Encryption, Security, TrueCrypt

infoAnarchy Wiki

Eraser - File Wipe Tool (Note: I would recommend not using the new 5.8 beta until all the bugs are worked out.)

Wikipedia - File Wiping

Also, the GnuPG folks have upgraded their tools to be a little more integrated with Windows. See GPG4Win which includes WinPT, GPG and a few other tools collected into an easy to use and easy to install package. It's a lot nicer then the old system where WinPT called the commandline version of GnuPG.

...

Encryption 101

TrueCrypt - allows you to create "virtual" hard drives where the contents are fully encrypted. The simplest method is to create a virtual drive as a file on a hard drive. This file is then mounted and assigned to a drive letter. Once mounted, applications can use it just like any other drive with no compatibility issues. These drives are typically protected by pass phrases that you type in to mount the drive. Virtual drives can be configured to automatically dismount after a period if inactivity.

GPG4Win - e-mail / clipboard / file encryption. Requires the creation of a public/private keypair. The public key can be published and does not need to be kept secret at all (in fact, it's most useful when public). The private key needs to be kept secure and protected with a strong passphrase. Items encrypted with the public key can only be decrypted with the private key. For e-mail, someone would encrypt the contents of the e-mail with your private key, send it to you with the assurances that only you can decrypt the contents of the message (using your private key). In addition, messages can be encrypted with multiple public keys allowing them to be decrypted by any of the matching private keys (one message, multiple recipients). Individual files can also be encrypted by GPG/PGP, but must be decrypted before use.

Windows EFS (Encrypting File System) - A component of Windows 2000 / Windows XP. It allows you to flag individual folders or files on a hard drive for encryption on-the-fly. This allows you to work with encrypted files without having to manually decrypt/re-encrypt them. The downside is that it's difficult to backup the EFS keys, the keys can be compromised easily, and if the host O/S dies or is reinstalled you will lose access to the files. Mostly useful as a slight speedbump or in cases where you are concerned about data being left on a dead hard drive after it fails. Data kept safe using EFS must be backed up regularly (such as copying it to a TrueCrypt volume) in order to avoid data loss.

...

Practical uses:

A) Encrypted USB backup drive. I have a USB hard drive hooked up to my laptop. This drive contains a single TrueCrypt volume that I mount at login and use as a backup target every few hours. So if the laptop dies, I just install TrueCrypt on the new laptop/hard drive, mount the backup drive, and I can restore my data. But I don't have to worry about anyone else getting at the data and restoring it.

B) Encrypted volume on my laptop's hard drive. I have financial data stored on my laptop (since it's my primary machine). Needless to say, if someone were to steal my laptop, I worry greatly about their access to that information. So I have a TrueCrypt volume file in the root of my C: (C:\Personal.tc) that I mount to a drive letter whenever I need to access my financial records. In order to keep this data safe, I periodically copy the TC file to another drive or to CD-R.

Labels: Encryption, GnuPG, Security, TrueCrypt, WindowsEFS