- Introduction to Encryption
- Using GNU GPG
- Using SSH
- Hashing Utilities
- Using PKI Certificates in Linux
Introduction to Ecryption
- Linux has built-in ability to encrypt files
- Protects files in storage
- Protection during transmission
- Uses common standard algorithms
- MD5 & SHA for Hashing
- 3DES & AES for data encryption
- Supports many other algorithms as well
- PKI enabled
- OS can generate self-signed certificates
- Can use 3rd party generted certs
Using GNU GPG
- GNU Privacy Guard comes built-in with most distros
- Complete implementation of the OpenPGP Internet tandard a described in RFC 2440
- Most popular personal encryption package
- Ability to encrypt and digitally sign files
- Used to send secure email messages
- Used to encrypt files in storage
- Uses DSA, EIGamal, 3DES and Twofish as encryption algorithms
- Many other algorithms also supported
- Some algorithms not legal for export outside US – obtain from International sites
- First step is to generate a key pair (one public, one private)
- Command to generate is ‘gpg –gen-key’
- Use higher key length – minimum is 768
- Enter user name and email address – key is generated baed upon this info
- Enter password that will be used – use complex password rules
- Export public key so others may exchange data securely with you
- Other public keys can be imported as well
- Sign your public keys before issue so others will know they are valid, and only accept signed keys from others
- Encrypt data to send to others
- Decrypring involves receiving and converting encrypted file
- Digitally sign all encrypted files to verify they came from you
- GPG has both command and GUI utilities
- Use ‘gpg’ command with various options,performs all encryption/descryption tasks
- GPG Demonstration
Using Secure Shell
- Secure Shell(SSH) developed to protect communications
- Telnet and FTP do not encrypt data; passwords and login info pased as plaintext
- ‘r’ commands(rlogin, rsh, rcp, and rdist) also insecure
- SSH developed to take their place and encrypt all data during communications session
- SSH can also be used over X-windows
- SSH allows remote login as root to perform system maintenance tasks
- Several versions available, including SSH Tectia, OpenSSH, F-secure, and Reflection for Secure IT
- OpenSSH is most popular in Linux distros
- RSA authentication or conventional password based authentication can be used
- Secure Shell then opens up a user program or interactive shell
- Current version of OpenSSH is OpenSSH 8.7/8.7p1
- SSH uses 2 protocol versions, 1 and 2
- Version 1 is insecure due to integer overflow vulnerabilities
- Use SSH implementation with version 2 protocol instead
Hashing Utilities
- Hashed are produced to ensure file integrity
- Ensure file has not been altered
- Slightest alteration changes hash and indicates a file change
- Hashing is method of verifying installation files and packages, as well as system files
- Hashing also encrypts password
- Actual passwords not stored,but hashes are stored
- User enters password, which is hashed
- Matching hash from /etc/shadow indicates correct password
- Linux uses 2 major hashing algorithms
- SHA(160-bit and higher)
- MD5(Message Digest version 5) 128-bit
- SHA is newer and stonger algorithm
- Available in 160-bit, (SHA-1), 224, 256, and 512-bit versions (SHA-2)
- Successor to MD5; required for US govt applications under FIPS 180-2
- SHA2 preferred due to identified collision vulnerabilities in SHA1
- Built-in Linux SHA utilities include:
- sha1sum: computes and checks message digest(hash) for file
- dgst: older utility that computes hashes using sha1 or md5
- MD5 is older(but still widely used) hashing algorithm
- Developed by Ron Rivest and replaced earlier algorithm MD4
- 128-bit strength algorithm
- Discovered to be vulnerable due to collision problems
- MD5 utilities include:
- md5sum: computes or checks hash value of file
- md5crypt: encrypts a password for use in Grub boot loader
Using PKI Certificates in Linux
- Linux has built-in ability to use and generate digital certificates
- Used for variety of purposes:
- Secure trasactions, web site verification, user authentication, and software sigining
- Linux can use trusted certificates from 3rd parties
- Can self-generate its own certifictes
- Use ‘genkey’ command to generate SSL certificates and cert requests
Mentor for DevOps - DevSecOps - SRE - Cloud - Container & Micorservices at Cotocus
Join my following certification courses...
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
My Email - contact@DevOpsSchool.com
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
My Email - contact@DevOpsSchool.com
Latest posts by Rajesh Kumar (see all)
- Packer Tutorials: Amazon Secrets Manager Data Source – amazon-secretsmanager - May 25, 2023
- Packer Tutorials: Amazon Data Sources – amazon-parameterstore - May 25, 2023
- What is DevSecTestOps? - May 25, 2023
