
[cobalt-users] PGP and GnuPG Form-to-Email Instructions.



Hi All,

Okay. After thrashing this one out for waaay too many hours myself and then recruiting some help for a few more hours, I've finally got down the method to encrypt form results using a combination of PGP and GnuPG.

Here we go:

I prefer to use GnuPG on the server because: 1. It's free, 2. It works great. 3. It's free.

My clients tend to like to use PGP because it integrates well with Outlook, Eudora and many other email programs and has a GUI interface.

Goal --- Encrypt form results residing on client's site using GnuPG on the server and the client's public key generated with PGP.

Some of these steps may not be ESSENTIAL to get it to work. I'm just writing down what works for me.

1.  Get GnuPG and install it on the server.  (www.gnupg.org)
2. For install instructions check out http://www.dewinter.com/gnupg_howto/english/ (I'm not a Linux guru but it was a pretty basic install for me).
2a. You might also give Zeffie a buzz (www.zeffie.com). He's created an RPM to install GnuPG and helped me troubleshoot the encryption part until we got it right. Can't say enough good things about him. :)
3. Have your clients install the latest version of PGP (6.5.8). (Win2000 and WinME users should especially install the 6.5.8 version since earlier versions have been known to crash WinME big time.)
4. As long as it's not for commercial use, the freeware version is available at: http://www.pgp.com/products/freeware/default.asp ;)
5. Have the client create a key pair using the "PGP Keys" program. When it asks for Full Name, put in the client's username exactly as it is set up on the server (i.e. someclient) -- this may not be necessary but that's the way I do it. When it asks for the email address, put in the email address that you will eventually want the form results to go to. ***This is very important. In my experience, you cannot use a key associated with one email address to encrypt email to another email address.*** (Click Next)
6.  Create a Diffie-Hellman/DSS key.  (Click Next)
7.  Make the key size 1024 bits.  (Click Next)
8.  Set the key to never expire.(Click Next)
9. Have them put in a passphrase that they'll remember. They'll have to type it each time they want to decrypt a message. (Click Next)
10. No need to send the key to the root server. (Click Next)
(Click Finish)
11. Making a backup is a good idea unless you want to go through all this again sometime. (PGP will prompt you to make a backup when you try to exit the program after generating a new key.)
10. While still in PGP Keys, click on the key you generated (should have a person icon next to it).
11. Click: Keys...Export. The file to export will be an ASCII file (i.e. someuser.asc). This will only export the PUBLIC key, not the PRIVATE one. There is NO security risk in sharing the public key. In fact you want others to have it so they can send you/your client encrypted emails.
12.  Close PGP.

13. Open FTP and upload the key to one of the client's directories (I upload it someplace above the web root).
14. Telnet/SSH into the server as the client. (You'll need to at least temporarily allow shell access to this username to get the key imported.)
15.  At the command prompt type:  gpg
16. This creates a .gnupg directory in the client's home dir. This is where the public key will be kept. If you ever have trouble in the future or screw something up down the line you can always delete this folder and start gpg fresh for this user. ***Only delete this folder though if you don't care about deleting all the keys too.***
17. You'll get a message spit out about creating the dirs and then the command prompt again. (If you run into trouble, "man gpg" works well for help, as does "gpg --help" for some quick command help.)
18. Now to import the key, type: gpg --import /path/to/uploaded/ascii/key/someuser.asc (i.e. /home/sites/www.clientsdomain.com/someuser.asc)
19. If all goes well then you should get some messages spit back something like: Total number processed 1, Imported 1.
20.  You can see the key by typing:  gpg --list-key
21.  Test the key and gpg by typing at the command prompt:
echo 'hello client' | gpg --always-trust -ear someuser
(make sure you replace "someuser" with the username of your client's public key)
22. If you get a bunch of encrypted junk spit back, then all is well -- now all you've got to do is get the form script working.
22.  I've put up a copy of a script that works for me.  You can get it at:
www.rainstormconsulting.com/downloads/gnupgmail.zip
Most of it is commented pretty well. If you've got questions check out Matt's FormMail docs or email me offlist.

A couple of warnings. The script is a modification of Matt's FormMail script, so it probably has that well-published vulnerability of being a spam sender's dream. It's probably an easy fix to patch it up, but in reality it probably won't be much use to a spammer since it'll send out all encrypted emails. I've renamed it just to hide it from someone looking for formmail.pl. There are also quite a few scripts that'll do PGP available at: www.cgi-resources.com (SouperMail, SimpleSecure, cgiemail, etc.) Use whatever works for you.

******Two points that may screw you up are: 1. You CANNOT (as far as I know) use the script to send email to an email address that is different from the email listed in your imported public key. So when you set the recipient in the form script make sure it's EXACTLY the same as the email address listed in your public key -- you've been warned -- this one glitch cost me 15 hours. 2. If you use another script make sure the --always-trust flag is used. There is a way around this, but it involves signing the imported key with another key that you created on the server. Check out the manual for this one. If GnuPG doesn't know to trust the public key, it won't send the email.
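Both of those two points can be turned into an explicit check rather than a 15-hour mystery. The wrapper below is an added example (it is not the gnupgmail script from the post, and it makes no claims about that script's internals): before calling gpg it parses the keyring listing in gpg's colon-separated format and refuses to proceed unless the form's recipient address really appears as a user ID on an imported key, which is exactly the mismatch warned about in point 1. The sample keyring listing, the key ID, fingerprint, username and address are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not the list author's script: only encrypt a form result when
# the recipient address is a user ID on a key in the server keyring, so the
# "recipient must match the key's email" trap fails loudly instead of silently.

# Constructed sample of `gpg --list-keys --with-colons` output for a key whose
# only user ID is "someclient <forms@clientsdomain.example>".
# Key ID, fingerprint and address are placeholders, not real values.
SAMPLE_KEYLIST='tru::1:1600000000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1600000000::-:::scESC::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::0000000000000000000000000000000000000000::someclient <forms@clientsdomain.example>::::::::::0:
sub:-:1024:16:FEDCBA9876543210:1600000000::::::e::::::::'

# key_has_address KEYLIST EMAIL
# Exit 0 when EMAIL is the address of a "uid" record in the colon-format
# listing (field 10 is the user ID string), case-insensitively; exit 1 otherwise.
key_has_address() {
    keylist=$1
    email=$2
    printf '%s\n' "$keylist" | awk -F: -v want="$email" '
        $1 == "uid" {
            uid = $10
            # take the address out of "Name <address>", or use a bare uid as-is
            if (match(uid, /<[^>]+>/)) {
                addr = substr(uid, RSTART + 1, RLENGTH - 2)
            } else {
                addr = uid
            }
            if (tolower(addr) == tolower(want)) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# encrypt_form_result EMAIL < plaintext > armored-ciphertext
# Looks the address up in the live keyring first; gpg is only invoked once the
# key is known to exist. --always-trust is what the post uses (the modern
# spelling is --trust-model always); --batch keeps gpg from prompting.
encrypt_form_result() {
    recipient=$1
    listing=$(gpg --batch --list-keys --with-colons 2>/dev/null) || return 2
    if ! key_has_address "$listing" "$recipient"; then
        echo "no public key with user ID <$recipient> in keyring; not sending" >&2
        return 3
    fi
    gpg --batch --always-trust -ear "$recipient"
}

# Stand-alone demo on the constructed listing (needs no gpg binary).
if key_has_address "$SAMPLE_KEYLIST" "forms@clientsdomain.example"; then
    echo "key found for forms@clientsdomain.example; gpg would be called"
fi
if ! key_has_address "$SAMPLE_KEYLIST" "sales@clientsdomain.example"; then
    echo "no key for sales@clientsdomain.example; gpg would not be called"
fi
```

In the form handler you would pipe the assembled message body through `encrypt_form_result "$recipient"` and only hand the output to sendmail when it returns 0, so a typo in the recipient field produces a logged error rather than a mail that never decrypts. On point 2, `--always-trust` tells gpg to skip the web-of-trust check entirely; if you would rather not do that, the alternative the post alludes to is to confirm the key fingerprint with the client out of band and then locally sign the imported key with `gpg --lsign-key someuser`, after which the plain `gpg -ear someuser` works without the flag.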

23. Once you've gotten your first encrypted email then select the body of it from where it says -----BEGIN PGP MESSAGE----- through where it says -----END PGP MESSAGE-----
24. Copy it to the clipboard.
25. Open PGP tools and then select Decrypt and Verify. When it brings up the box to browse for the file, look for the button that says "Clipboard" and click it.
26.  When prompted, enter the passphrase you created in step #9.
27. Voila! You should have the decrypted email. ** Note: on Macs and some other machines you may actually need to do a Paste into a blank doc to see the decrypted stuff. On my Win98 machine, it just pops up.

Good luck. I hope I've saved someone a few hours of work. This one dogged me for far too long.

BTW, this is on a Raq4r. Your mileage may vary. Use at your own risk. If you totally screw up your server with these instructions it's not my fault.

Brian