Chapter 7. Protecting Files

So far we've been concerned mainly with securing your computer system. Now we turn to securing your data, specifically, your files. At a basic level, file permissions , enforced by the operating system, can protect your files from other legitimate users on your system. (But not from the superuser.) We'll provide a few recipes based on the chmod (change mode) command.

File permissions only go so far, however?your file data are still readable if an attacker masquerades as you (e.g., by stealing your login password) or breaks other aspects the system, perhaps using some security exploit to gain root access on the host, or simply stealing a backup tape.

To guard against these possibilities, use encryption to scramble your data, so that a secret password or key is required to unscramble and make it intelligible again. Thus, merely gaining the ability to read your file is not enough; an attacker must also have your secret password in order to make any sense out of the data. We'll focus on the excellent encryption software included with most Linux systems: the Gnu Privacy Guard , also known as GnuPG or GPG. If you've used PGP (Pretty Good Privacy), you'll find GnuPG quite similar but far more configurable. While the pgp command has around 35 command-line flags, its GnuPG equivalent gpg has a whopping 140 at press time.

GnuPG supports two types of encryption: symmetric (or secret-key) and asymmetric (or public-key). In symmetric encryption, the same key is used for encrypting and decrypting. Typically this key is a password. Public-key encryption, on the other hand, uses two related keys (a "key pair") known as the public and private (a.k.a. secret) keys. They are related in a mathematically clever way: data encrypted with the public key can be decrypted with the private one, but it is not feasible to discover the private key from the public. In daily use, you keep your private key, well... private, and distribute the public key freely to anyone who wants it, without worrying about disclosure. Ideally, you publish it in a directory next to your name, as in a telephone book. When someone wants to send you a secret message, she encrypts it with your public key. Decryption requires your corresponding private key, however, which is your closely guarded secret. Although other people may have your public key, it won't allow them to decrypt the message.

Symmetric encryption is GnuPG's simplest operating mode: just provide the same password for encrypting and decrypting. [Recipe 7.4] Public-key encryption requires setup, at the very least generating a key pair [Recipe 7.6], but it is more flexible: it allows others to send you confidential messages without the hassle of first agreeing on a shared secret key.

Before using a public key to encrypt sensitive data to send to someone, make sure that the key actually belongs to that person! GnuPG allows keys to be signed, indicating that the signer vouches for the key. It also lets you control how much you trust others to vouch for keys (called "trust management"). When you consider the interconnections between keys and signatures, as users vouch for keys of users who vouch for keys, this interconnected graph is called a web of trust . To participate in this web, try to collect signatures on your GnuPG key from widely trusted people within particular communities of interest, thereby enabling your key to be trusted automatically by others.

Public-key methods are also the basis for digital signatures : extra information attached to a digital document as evidence that a particular person created it, or has seen and agreed to it, much as a pen-and-ink signature does with a paper document. When we speak of "signing" a file in this chapter, we mean adding a digital signature to a file to certify that it has not been modified since the signature was created.

Once you're comfortable with encryption, check out Chapter 8 to integrate encryption into your preferred mail program.

    Chapter 9. Testing and Monitoring