Quick and dirty introduction to GnuPG (GPG) on Linux

It’s a few simple steps to create GPG encryption keys and use these for signing and encrypting files and emails.

GPG Key Creation

  1. Create a new pair of public/private cryptographic keys:
    user@yourhost:~$ gpg --gen-key

    follow the prompts use the defaults if unsure, Enter your name and email address.
  2. List keys
    tom@tomsalmon:~$ gpg --list-keys

    pub 1024D/C96ACE6A 2010-03-30 [expires: 2015-03-29]
    uid      Tom Salmon <tom@tomsalmon.com>
    sub 4096g/2BEF6E4A 2010-03-30 [expires: 2015-03-29]

  3. Upload the Public Key to one of the Key servers
    gpg --keyserver hkp://keys.gnupg.net --send-keys C96ACE6A
    The key ID is retrieved using the above list keys function.
  4. Export the Public Key in ASCII
    tom@tomsalmon:~$ gpg --export -a C96ACE6A
    Sample output
  5. Import a Public Key in ASCII format
    gpg --import < key.asc
    gpg --edit-key C96ACE6A
    … run the commands: 'trust', 'sign', 'save', 'quit'

GPG with Email

  • Mutt comes with built-in GPG support and integrates perfectly with the system's GPG setup

File Encryption

  • Encrypting
    gpg -r your@emailaddress.org -e intheclear.txt
    Creates a new file intheclear.txt.gpg which is encrypted with your public key. Only your private key can decrypt this file.
  • Decrypting
    gpg [-d] secret.txt.gpg
    (requires that you enter your passphrase) creates the unencrypted file 'secret.txt', if the '-d' flag is used the unencrypted data is displayed on the command line

You may encrypt files for other people if you have imported their Public Key. Only their Private Key will be able to decrypt the file.

Key Signing

  1. Search the Keyserver:
    gpg --keyserver hkp://keys.gnupg.net --search-keys tom@tomsalmon.com
    … select the most recent key that matches, find the Key ID
    To make life easier, add the following line to your .bashrc file:
    alias gpgsearch='gpg --keyserver hkp://keys.gnupg.net --search-keys'
    restart your shell, and run 'gpgsearch user@example.com'
  2. Verify the Key fingerprint with its owner (manually, in person)
    gpg --fingerprint KEY_ID
  3. Set the trust level and sign the key
    gpg --edit-key KEY_ID
    … run the commands: 'trust', 'sign', 'save', 'quit'
  4. Upload the signed key to the keyserver
    gpg --keyserver hkp://keys.gnupg.net --send-keys KEY_ID

Checking signatures on new keys

  1. Search the keyserver and download the matching key
  2. Check to see if the key has been signed by any trusted keys
    gpg --check-sigs KEY_ID
  3. Based on this result, you can determine if the key belongs to the user

Implementing IPv6 Privacy Extensions (RFC4941)

IPv6 auto configuration on Linux will normally assign the same address every time when connecting to a specific network. This address would normally be formed from the network prefix and local interface MAC address.

When using IPv4 your identity is slightly masqued by NAT. Although your single public IP address may be tracked, it is hard to track individual devices that exist on the local network. This is not the case with IPv6 where there is no NAT. Every device has a visible unique public IP address that rarely changes.

RFC4941 (obsoletes 3041) defines privacy extensions to IPv6 which will randomly assign an additional Global IPv6 address to the interface. This additional random address will have the same network prefix and be used for outgoing internet connections.

To enable the privacy extensions under Linux (using Debian Wheezy):
echo 2 > /proc/sys/net/ipv6/conf/${ifname}/use_tempaddr
replace ${ifname} with the name of your interface, eg wlan0

Possible values for this setting:
(0=off, 1=assign, 2=prefer)

Now at least you will be anonymized amongst the other nodes of your local network.

Data download and Nagios Plugin for MyBasis

Update: myBasis have changed their API, breaking the scripts below.
– January 2014

Tested and being used on Debian Wheezy. Script download

These scripts will retrieve your biometric data from MyBasis for the last hour. The results can be checked from a Nagios host file, using the downloaded plugin.

First you must find your BasisID, and set the ‘uid‘ value in get_basis_data.py

Execute the script ‘get_basis_data.py‘ from crontab, setting it to run no more frequently than every 15 minutes (Basis data is uploaded once every 15 minutes, at best). It is recommended to run the script in crontab as user nobody.
Basis data is now written to several files in /tmp

The file nagios_plugins/usr/lib/nagios/plugins/check_basis should be copied to directory: /usr/lib/nagios/plugins/ on the Nagios Server, and permission set to 0755 (-rwxr-xr-x).

The file nagios_plugins/etc/nagios-plugins/config/basis.cfg should be copied to directory: /etc/nagios-plugins/config/ on the Nagios Server.

The commands check_basis and check_basis_body may be called from a standard Nagios Host configuration file. Example:
define service{
use generic-service
host_name tom
service_description Check max heartrate
check_command check_basis!hr!max!110!130
}

Substitude ‘hr‘ for ‘gsr‘, ‘air_temp‘ or ‘skin_temp‘. ‘max‘ may be replaced with ‘min‘. The other two values set the warning and critical thresholds.

The other command ‘check_basis_body‘ takes no parameters and is only informative.

You can now be monitored by your NMS!

Nagios - MyBasis

Generate White Noise using Raspberry Pi

As an alternative to listening to unwanted background noise or uncomfortable silence, create white noise with the Raspberry Pi.

Using Raspbian (other distros may vary):
apt-get install sox

Create your shell script:
#!/bin/bash

len='7:00:00'
export AUDIODRIVER=alsa
export AUDIODEV=hw:0,0
play -t sl - synth $len pinknoise band -n 1200 200 tremolo 20 .1 < /dev/zero

(adapted from the unreasonable man)

Backport of Aircrack-ng for Debian Wheezy

I have created a backport of aircrack-ng based on the version in Jessie/Testing. This may be installed with the command:
dpkg -i aircrack-ng_1.1-6~bpo70+1_amd64.deb
(remove the package with command: dpkg -r aircrack-ng)
download here

This package is now available in Debian wheezy-backports.

Back in March 2012 I built the latest svn version from source, available here.
I have included the necessary scripts and binary files in the ‘bin/’ directory. Copy these to somewhere like: /usr/local/sbin/