ICL11 - Automated Encryption Using PGP Command Line – Hands On Lab
Description
At the end of this lab, you should be able to:
- Perform a customer demonstration of PGP Command Line.
- Explain to a customer common use cases and scenarios.
- Understand that PGP Command Line can be used with custom applications.

Notes
During this lab you will have a chance to use PGP Command Line to create keys, encrypt data, and interact with simple scripts and even an application built with PGP Command Line instructions inside the code.

A brief presentation will introduce this lab session and discuss key concepts.

You are welcome to take with you the PGP Command Line folder on the Windows Desktop of the virtual machine.
PGP Command Line Demonstration
Use our Symantec Demo Script to explore PGP Command Line usage and see some specific operations such as encrypting a file.

- If necessary, log in to the VM (CTRL+ALT+INSERT): Symc4now!
- If prompted to “restart”, click “Restart Later”.
- Open the PGP Command Line folder on the Windows desktop.
- Open the Script-Command-Line.txt file.
- Also open a Windows command prompt.
- Copy or type the first command from the text file into the command prompt and press Enter (mkdir c:\temp).
- Perform the second command as well (cd c:\TEMP).
- Execute each command in the script by copying and pasting it into the command prompt window from the Script-Command-Line.txt file, starting with:

pgp --version
  o The “pgp --version” command shows what version of the product is installed.

There are detailed instructions and expected results for each step after this. At any time you can type cls and press Enter to clear the command prompt screen.
pgp --help |more
- After entering this command, press the SPACEBAR to advance a page at a time until the C:\temp> prompt returns.
  o The “pgp --help |more” command shows details about all of the operations and switches available for the product.
  o The help file displayed here is very useful for determining exact usage.
pgp --gen-key test-user --key-type DH --encryption-bits 2048 --passphrase test-user
  o The “pgp --gen-key test-user --key-type DH --encryption-bits 2048 --passphrase test-user” command creates a keypair to use for encrypting data.
pgp --list-keys
  o The “pgp --list-keys” command shows what keys exist on the local system.
  o In this particular case we already have an Administrator keypair and we created the test-user keypair with our command.
echo Testfile123>test-file.txt
  o This is a Windows Command Prompt command that creates a file called test-file.txt and puts the text “Testfile123” in it.
more test-file.txt
  o This is a Windows Command Prompt command that prints out the data in the test-file.txt file.
  o We could use any file. We are creating this so we have some data to encrypt.
pgp --encrypt test-file.txt --recipient test-user --passphrase test-user
dir
- Note the encrypted file (.pgp extension).
  o An encrypted file will be created from the test-file.txt file.
  o The original file will also still be present in the directory.
  o The output of the encrypt command should be “0”, meaning no errors.
  o The file was encrypted to the test-user keypair we just created. You could also encrypt to the Administrator keypair or encrypt to any other key on this system or on searchable key servers.
more test-file.txt.pgp
  o If we take a look at this file we see that it is encrypted.
  o It is protected with a binary form of encryption.
  o PGP also supports ASCII armored encryption if needed.
pgp --decrypt test-file.txt.pgp --passphrase test-user --output test-file-decrypted.txt
dir
  o Note the test-file-decrypted.txt file.
  o This command creates a decrypted file from the encrypted test-file.txt.pgp file.
  o The encrypted file will still remain after decryption.
  o Also, we specify a file name for the decrypted file. The default would be to use the original file name minus the .pgp.
  o We also give the passphrase of the user’s private key.
  o After we run the command we get an output of zero again, which is good.
  o If we run a directory listing we see the decrypted file.
more test-file-decrypted.txt
  o If we run a more command on the file we see the decrypted information in the file.
SUMMARY:
  o What you have done in this exercise is see how you can encrypt and decrypt data manually using PGP Command Line. These same commands can be included in your batch processes, your shell scripts, or even integrated into C code through our SDK capabilities.
  o Everything you saw today can be fully automated, including the key generation that we did at the beginning.
  o A lot of solutions don't have key generation that is scriptable, but our PGP Command Line technology does.
Encrypt and Transfer a File Using FTP
In this lab you will create a batch file to automatically encrypt a file and transfer it with FTP to a backup location. After backing up the file, Command Line will securely wipe the encrypted file on the local machine.

So that we have a database file to encrypt, move the ExampleDB file from the PGP Command Line demo folder to the root of the Enforce VM C:\ drive.

Move a plaintext file over with FTP so you can see the file being moved without encryption:
- Create a new text file by opening Notepad (Start>All Programs>Accessories>Notepad).
- Enter the information shown in the following screenshot into the text document. Each entry requires its own line:
  [screenshot not reproduced]
- Save the document to the root of the drive at “C:\” as “plain_transfer”.
- Open a Windows command prompt.
cd C:\
ftp -s:plain_transfer.txt
  o This will move the ExampleDB.db file over to the local ftp directory.
- Open Windows Explorer and go to “C:\inetpub\ftproot\backup”. You will see the ExampleDB.db file. This folder is the local “ftp” folder.
- Delete the backup folder.

Encrypt the file and move it using FTP:
- Create a new text file by opening Notepad (Start>All Programs>Accessories>Notepad).
- Enter the information shown in the following screenshot into the text document. Each entry requires its own line:
  [screenshot not reproduced]
- Save the document to the root of the drive at “C:\” as “encrypt_transfer.txt”.
- Next create a batch file with our encryption commands by opening Notepad and entering the information shown in the following screenshot using the same formatting:
  [screenshot not reproduced]
- Click “File>Save As”, change the name of the file to “encrypt.bat”, and save it to the root of the drive at “C:\”. When you save it, make sure you use “all files” instead of saving it as a “.txt” file.
- Open a Windows command prompt (there is a shortcut on the toolbar).
cd C:\
encrypt
  o This will automatically encrypt the ExampleDB.db file to the recipient key and transfer the file to an FTP location. After encrypting and transferring the file, the original encrypted file on the local disk will be securely deleted by Command Line.
- Open Windows Explorer and go to “C:\inetpub\ftproot\backup”. You will see the ExampleDB.db.pgp file. Note the .pgp extension, as the file is now encrypted.
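The batch file this section builds appears only in a screenshot that is not reproduced in this text. The script below is an added example, not the lab's own encrypt.bat and not Symantec's code: it implements the encrypt, transfer, wipe sequence the section describes and also carries through the point from the earlier demonstration summary that these commands can be automated and that a “0” result means success. It stops on a non-zero pgp exit code and only wipes the local ciphertext after the backup copy is confirmed to exist. The script name, the SRC/FTPSCRIPT/BACKUP_COPY values, and the use of the pgp --wipe command are assumptions for this example; check them against the pgp --help output of your installed version.

```batch
@echo off
REM encrypt_transfer.bat -- added example of the encrypt / transfer / wipe
REM pattern this lab section builds. Not the lab's encrypt.bat (that file is
REM only shown in a screenshot); all paths below are assumptions for the example.
REM Assumes: pgp.exe on PATH, the recipient key "test-user" on the local keyring,
REM C:\ExampleDB.db present, and C:\encrypt_transfer.txt as the ftp -s script.
setlocal
set "SRC=C:\ExampleDB.db"
set "CIPHER=%SRC%.pgp"
set "RECIPIENT=test-user"
set "FTPSCRIPT=C:\encrypt_transfer.txt"

if not exist "%SRC%" (
    echo Source file "%SRC%" not found; nothing to do.
    exit /b 1
)

REM 1. Encrypt to the recipient's public key. No passphrase is needed for
REM    public-key encryption; only signing or decrypting uses the private key.
REM    A non-zero exit code means pgp reported an error, so stop here.
pgp --encrypt "%SRC%" --recipient %RECIPIENT% --output "%CIPHER%"
if errorlevel 1 (
    echo Encryption failed ^(exit code %errorlevel%^); nothing transferred.
    exit /b 1
)

REM 2. Transfer the ciphertext with a scripted ftp session. ftp.exe does not
REM    return a useful exit code, so a failed "put" would not be caught here;
REM    the existence check in step 3 is the real confirmation.
ftp -s:%FTPSCRIPT%

REM 3. Confirm the ciphertext arrived before destroying the local copy. In the
REM    lab the ftp server is on the same VM, so the destination path can be
REM    checked directly; BACKUP_COPY is an assumed path for this example.
set "BACKUP_COPY=C:\inetpub\ftproot\backup\ExampleDB.db.pgp"
if not exist "%BACKUP_COPY%" (
    echo Transfer not confirmed: "%BACKUP_COPY%" missing; local ciphertext kept.
    exit /b 1
)

REM 4. Securely wipe the local ciphertext (pgp --wipe, assumed from the
REM    PGP Command Line guide; verify the command name with pgp --help).
pgp --wipe "%CIPHER%"
if errorlevel 1 (
    echo Wipe failed ^(exit code %errorlevel%^); remove "%CIPHER%" manually.
    exit /b 1
)
echo Done: "%CIPHER%" transferred and local copy wiped.
exit /b 0
```

Run it as encrypt_transfer from a C:\ prompt, or from Task Scheduler for a recurring backup. The ordering matters: the wipe is the last step and is skipped whenever an earlier step fails, so a transfer problem never leaves you with neither a local nor a remote copy.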
Encrypt to a password
During this lab section you will encrypt some data to a Self-Decrypting Archive, or SDA, which can then be decrypted on systems that do not have an encryption application by simply double-clicking it and entering the password.

- Create a C:\temp folder.
- Open the DLP folder on the desktop and then browse to the Demo Data folder.
- Copy the Federal folder to the C:\temp folder.
- Open a Windows command prompt.
cd c:\temp
pgp --encrypt Federal --sda --symmetric-passphrase joe --output fed.exe
dir
  o Note the fed.exe file.
  o This file can be placed on removable media or sent using other methods to recipients that don’t have their own encryption application. It could also be decrypted using PGP Command Line (and a script if desired) if the recipient has the product.
- Copy the fed.exe file to the host desktop.
- Using Windows Explorer, double-click the fed.exe file and enter the passphrase “joe”.
  o A Federal folder is created with the extracted files.
Use a Custom Application with PGP Command Line Encryption
In this exercise you will see an example of a customized application written in Perl that will utilize PGP Command Line to encrypt or decrypt files as needed. This will demonstrate the power of using PGP Command Line and some creative programming by showing a simple application that can be used to create a folder where files can be dropped in and encrypted or decrypted automatically.

- Open the “PGP Command Line demo” folder on the host Windows Desktop.
- Copy the pgp-securebox-1.0.0.pl file to the “C:\temp\Federal” folder.
- Double-click the pgp-securebox-1.0.0.pl file.
- This application first creates a config file based on some questions that an administrator would answer.
- Answer “y” or “yes” to question #1.
- Answer “2” to question #2.
- test-user is the answer to #3.
- For question #4 answer “2”, just delete them.
- This will create a .conf file with our settings.
  o Now we are ready to encrypt files using our custom application.
  o If this application were being used in an actual environment, the example scenario would be that end users have a folder on the file server where they can place files that need to be encrypted, perhaps at the end of a project so they can then be archived. The files can then be encrypted by our script at regular intervals using Task Scheduler or manually by an administrator.
- To encrypt the files, double-click the pgp-securebox-1.0.0.pl file (again).
- Once the application exits, look at the files in the temp\Federal folder. They should have a .pgp file extension, noting that they are encrypted.
- Now experiment with the decrypt option for our “securebox” application by deleting the .conf file and going through the options again but selecting the decrypt option.
- Feel free to try out the other options in the application.
- If you would like to see how the “securebox” application was written, you can right-click on it and choose “Open With...” and “Wordpad”.
- There are notes at the top of the application that talk about what it does and how it can be used.
- By doing a search for “pgp” and then going through the matches you can get an idea of how and when the PGP Command Line application is called.
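The securebox application's Perl source is not reproduced in this lab text. The batch script below is an added example, not the lab's pgp-securebox-1.0.0.pl, showing the drop-folder pattern described above in the shell the lab uses: it sweeps C:\temp\Federal and either encrypts every file that is not already a .pgp file to the test-user key (wiping the original only after a successful encrypt, matching the “just delete them” option) or, in decrypt mode, decrypts every .pgp file. The script name, the BOX_PASSPHRASE environment variable, and the :encrypt_one/:decrypt_one labels are constructed for this example, and pgp --wipe is assumed from the PGP Command Line guide; confirm both against your installation's pgp --help.

```batch
@echo off
REM securebox.bat -- added example of a drop-folder sweep, not the lab's
REM pgp-securebox-1.0.0.pl. Usage: securebox.bat encrypt | securebox.bat decrypt
REM Assumes: pgp.exe on PATH, the key "test-user" on the local keyring, and
REM C:\temp\Federal as the drop folder (the lab's folder). For decrypt mode the
REM private-key passphrase is read from BOX_PASSPHRASE (a constructed variable
REM name for this example) so it does not have to be stored in the script.
setlocal
set "BOX=C:\temp\Federal"
set "RECIPIENT=test-user"
set "MODE=%~1"

if /i "%MODE%"=="encrypt" goto sweep
if /i "%MODE%"=="decrypt" goto sweep
echo Usage: %~nx0 encrypt ^| decrypt
exit /b 2

:sweep
REM Plain "for" with a wildcard matches files only, never sub-folders.
REM Each file is handled by a subroutine so errorlevel checks stay simple.
for %%F in ("%BOX%\*") do call :%MODE%_one "%%~fF"
exit /b 0

:encrypt_one
REM Skip files that are already ciphertext, so a second sweep (or the .pgp
REM files this sweep itself creates) are not encrypted twice.
if /i "%~x1"==".pgp" goto :eof
pgp --encrypt "%~1" --recipient %RECIPIENT% --output "%~1.pgp"
if errorlevel 1 (
    echo FAILED to encrypt "%~1" ^(exit code %errorlevel%^); original kept.
    goto :eof
)
REM Only after a successful encrypt is the plaintext wiped
REM (pgp --wipe assumed from the PGP Command Line guide).
pgp --wipe "%~1"
if errorlevel 1 echo FAILED to wipe "%~1" ^(exit code %errorlevel%^)
goto :eof

:decrypt_one
if /i not "%~x1"==".pgp" goto :eof
if not defined BOX_PASSPHRASE (
    echo BOX_PASSPHRASE is not set; cannot decrypt "%~1".
    goto :eof
)
REM %~dpn1 is drive + path + name without the trailing .pgp, which matches
REM PGP Command Line's default output name described in the demonstration.
pgp --decrypt "%~1" --passphrase "%BOX_PASSPHRASE%" --output "%~dpn1"
if errorlevel 1 echo FAILED to decrypt "%~1" ^(exit code %errorlevel%^)
goto :eof
```

Run securebox.bat encrypt from a scheduled task to pick up files users have dropped into the folder, and securebox.bat decrypt by hand after setting BOX_PASSPHRASE for that session. Reading the passphrase from the environment keeps it out of the script file, but it still appears on the pgp command line while the process runs, so the process listing of the machine running the sweep should be treated as sensitive.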