Message Encryption - SearchStax

In some situations, SearchStax® support analysts must send logon credentials to users through email. We encrypt those messages to keep them private.

This page describes a simple approach to Public-Key Encryption for those times when cleartext is not appropriate.

PKI Overview

The virtues of Public-Key Infrastructure (PKI) have been enumerated in thousands of web pages. This encryption technology is extremely popular. Ironically, this popularity floods the web with PKI pages that baffle novices.

This overview presents the essential concepts of PKI to help a new user get oriented.

Key Pairs

This is the great virtue of PKI: Each correspondent has two encryption keys. These keys are created as a matched pair.

A message encrypted with one key of the pair can be decrypted only with the other key; a single key cannot both encrypt and decrypt the same message. Both matched keys are needed to complete the cycle.

Public/Private Keys

The first step in setting up PKI is to generate a key pair: a private key that you keep to yourself and a public key that you can share freely.

Securing a Message

It is very simple to send a message that only one person in the world can read.

Abby writes a message for Bill in a simple text file. She uses Bill's public key to encrypt the file. She sends the encrypted file to Bill as an email attachment. Bill decrypts the file using his private key. Bill reads the message.

Since the message was encrypted using Bill's public key, the only way to decrypt it is to use Bill's private key. Bill is the only person in the world with Bill's private key. Therefore, Bill is the only person who can read the message.

That simple scenario is all we need to securely send messages containing SearchStax credentials. If SearchStax support personnel encrypt a text file using your public key, then the contents are secure. You are the only person who can read the file.

PGP, GPG, and GPG4Win

Pretty Good Privacy (PGP) is an encryption program that is widely used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions. It is a well-known internet standard for secure communications.

GNU Privacy Guard (GPG) is a free utility providing PGP features on Linux platforms.

GPG4Win is a Windows version of GPG. It is also free.

The GPG examples on this page work identically in Linux and in Windows.

Is GPG already installed on your system? It is a popular package in Linux distributions, for instance. Try this command in a Linux bash shell or Windows command line:

gpg --help

If you get a long help message, GPG is already there. If not, go to the GPG Download Page, locate the correct version for your operating system, and install it.

Create a Key Pair

For us to send you an encrypted file, we need your public key. If you don't have a key pair, you need to create one.

Do you already have a public/private key pair? Try:

gpg --list-secret-keys

GPG will display a list of private keys on your computer. Your key pair is identified by your name and email address. Each entry will resemble this one:

sec   rsa2048 2018-05-03 [SC] [expires: 2020-05-02]
      BE9773D08EBD231B6120C047FA3E60C14BE6CB11
uid           [ultimate] Bruce Clayton <bruceclayton4@gmail.com>
ssb   rsa2048 2018-05-03 [E] [expires: 2020-05-02]

If you don't have a key pair, GPG can create one for you. Presuming that you are logged in as a user (not as ROOT), type this command:

gpg --gen-key

GPG will conduct a brief dialog with you, asking for your true name and the email address that you want to associate with this key. It will also ask you to supply a passphrase. This is a password you will need when you use the key to decrypt a message. (Security experts stress that you should use an extremely strong password here.)

Extract the Public Key

The next step is to extract the public key from the key pair so you can send it to us. This command extracts a public key and writes it to a file.

gpg --armor --export bruceclayton4@gmail.com > mykey.asc

A key is a long binary value that email systems may mangle in transit. For this reason, exported keys are written in "armored ASCII," a text encoding that survives emailing.

The file mykey.asc holds the "armored ASCII" version of the public key: a block that begins with -----BEGIN PGP PUBLIC KEY BLOCK-----, ends with -----END PGP PUBLIC KEY BLOCK-----, and contains several lines of base64 text in between.


Send the Key to Us

Remember that this is your public key, so it is all right to send it insecurely through email. Send us mykey.asc as an email attachment, or just paste the key block into the body of the email.

You may also publish your public key to a key server on the internet, making it available to the world. There is no fee for this service. We often use the key server at the Massachusetts Institute of Technology.

Our Next Steps...

This section briefly notes the next few steps in the process. This all happens at our end.

First, we import your key into a local "keyring" on one of our computers.

gpg --import mykey.asc

Then we create a text file containing the credentials we need to communicate to you. Let's call this file secure.txt.

User: john
Password: sT3nk*zWF8k

We encrypt secure.txt using your public key as a new file, secure.gpg.

gpg --output secure.gpg --encrypt --recipient bruceclayton4@gmail.com secure.txt

If we open secure.gpg we see only encrypted gibberish. We then email secure.gpg to you.

Decrypt the Message

When you receive the email, put secure.gpg in some convenient location. Open a shell or command window and navigate to that location. Then decrypt the file. In this example, the cleartext will appear in a new file, secure2.txt:

gpg --output secure2.txt --decrypt secure.gpg

If your private key is protected by a passphrase (some are not), you will be prompted for it. After you enter the passphrase, GPG will tell you which private key it used to decrypt the file:

gpg: encrypted with 2048-bit RSA key, ID AA449FA38E0C3270, created 2018-05-03
      "Bruce Clayton <bruceclayton4@gmail.com>"

When you open secure2.txt, you will see our original message:

User: john
Password: sT3nk*zWF8k
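The whole exchange above, from key generation through decryption, as an added shell example that is not part of the SearchStax page or its tooling. It runs the Bill/Abby round trip with two throwaway keyrings and also checks that the sender, who holds only the public key, cannot read the ciphertext; it assumes gpg 2.2 or later is installed, and the names, email address and credentials are constructed.

```shell
#!/bin/sh
# Added example, not SearchStax's own script: Bill makes a key pair, exports his
# public key, Abby imports it and encrypts secure.txt to him, Bill decrypts it.
# Two throwaway GNUPGHOME directories keep the two keyrings really separate.
# Assumes gpg 2.2+ (for --quick-gen-key); names and credentials are constructed.
set -eu

pgp_roundtrip() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 0; }
  work=$(mktemp -d); bill="$work/bill"; abby="$work/abby"
  mkdir -m 700 "$bill" "$abby"
  # Batch mode needs the passphrase on the command line; it is empty here for a
  # non-interactive demo. On a real machine use the page's "gpg --gen-key".
  common="--batch --quiet --pinentry-mode loopback --passphrase"

  # Bill: generate a primary (sign/certify) key plus an encryption subkey.
  GNUPGHOME="$bill" gpg $common '' --quick-gen-key \
    'Bill Example <bill@example.com>' default default 1d
  # Bill: extract the public key in armored ASCII (the mykey.asc step).
  GNUPGHOME="$bill" gpg --batch --quiet --armor --export bill@example.com > "$work/mykey.asc"
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/mykey.asc"

  # Abby: import Bill's public key into her keyring and encrypt to it.
  GNUPGHOME="$abby" gpg --batch --quiet --import "$work/mykey.asc"
  printf 'User: john\nPassword: constructed-example\n' > "$work/secure.txt"
  GNUPGHOME="$abby" gpg --batch --quiet --trust-model always --output "$work/secure.gpg" \
    --encrypt --recipient bill@example.com "$work/secure.txt"

  # Abby holds only Bill's PUBLIC key, so even she cannot read the ciphertext.
  status=0
  if GNUPGHOME="$abby" gpg --batch --quiet --decrypt "$work/secure.gpg" >/dev/null 2>&1; then
    echo "unexpected: sender could decrypt" >&2; status=1
  fi
  # Bill: decrypt with his private key; the plaintext must match the original.
  if [ $status -eq 0 ]; then
    GNUPGHOME="$bill" gpg $common '' --output "$work/secure2.txt" --decrypt "$work/secure.gpg"
    cmp -s "$work/secure.txt" "$work/secure2.txt" || status=1
  fi

  # Stop the per-keyring agents and remove the temporary keyrings.
  for h in "$bill" "$abby"; do GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done
  rm -rf "$work"
  return $status
}

pgp_roundtrip && echo "round trip OK: only Bill could decrypt secure.gpg"
```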

Questions?

Don't hesitate to reach out to the SearchStax Support Desk. We are happy to answer your questions.