[ic] GPG how-to for hosted servers

Patrick J. Walsh interchange-users@interchange.redhat.com
Mon Dec 17 16:26:01 2001


    Since I didn't find any help like this in the archives, I thought I
would give a brief description of what I did to get GPG encryption working
for me in a shared environment.

    I can't afford a nice hosting solution such as with RedHat, so I am
using a hosting provider that uses CPanel to manage multiple virtual domains
and services.  One of the services that they offer is Interchange 4.8.2.
They also have GPG 1.0.6 installed.  Unfortunately, getting the provider to
do things like install a key in the interch user's key file is next to
impossible.  Here's the workaround that worked for me:

    First, you need to make sure gpg is installed and available to you.  Try
using the command `whereis gpg`.  Then create your keys for the account that
you will encrypt to using a command like `/usr/bin/gpg --gen-key`.  [Note: I
created two keys, one to encrypt the orders to and one to encrypt the credit
card info to.  You may wish to do the same.]  I'll assume that the key you
made has the e-mail address orders@example.com.  Make sure you know where
your keys were placed.  Probably they were put in this directory:
/home/your-user-name/.gnupg/.  Now make sure you can use the key properly by
using this command:

echo "testing" | /usr/bin/gpg --no-default-keyring --always-trust \
    --keyring /home/your-user-name/.gnupg/pubring.gpg -e -a --batch -t \
    -r 'orders@example.com'

    If it works, great, if not, you need to look into the gpg documentation
and the gpg newsgroups and mailing lists to fix it before proceeding or
bothering the interchange folks.
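The smoke test above can be wrapped so that the keyring path and recipient are parameters and the result is actually checked, since gpg can exit 0 and still print nothing useful when the recipient is not in the keyring. This is an added example, not part of the original post; GPG_BIN, KEYRING and RECIPIENT are assumed placeholder variables, and the armor check only looks at the first line of gpg's output.

```shell
#!/bin/sh
# Added example (not from the original post): the author's one-line test,
# wrapped in functions with parameters and a result check.
# GPG_BIN, KEYRING and RECIPIENT are assumed placeholders; override them
# in the environment to match your account.
GPG_BIN="${GPG_BIN:-/usr/bin/gpg}"
KEYRING="${KEYRING:-$HOME/.gnupg/pubring.gpg}"
RECIPIENT="${RECIPIENT:-orders@example.com}"

# Return 0 if stdin looks like ASCII-armored gpg output, which is what the
# echo "testing" | gpg ... command should print on the terminal.
is_armored() {
    first=$(head -n 1)
    [ "$first" = "-----BEGIN PGP MESSAGE-----" ]
}

# Encrypt a test string with exactly the options used in the post, then
# validate the output. Returns 0 on success, 1 if gpg itself failed,
# 2 if gpg exited cleanly but produced no armored message.
gpg_smoke_test() {
    out=$(printf 'testing\n' | "$GPG_BIN" --no-default-keyring --always-trust \
        --keyring "$KEYRING" -e -a --batch -t -r "$RECIPIENT" 2>/dev/null) || return 1
    printf '%s\n' "$out" | is_armored || return 2
    return 0
}

# Only touch gpg when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    if gpg_smoke_test; then
        echo "ok: gpg can encrypt to $RECIPIENT using $KEYRING"
    else
        echo "FAILED (exit $?): check the key, the keyring path and the recipient" >&2
        exit 1
    fi
fi
```

Run it as `sh gpg-check.sh --run` after setting KEYRING to the pubring.gpg path you found; the exit codes distinguish "gpg could not run at all" from "gpg ran but did not encrypt", which are the two different things to chase before going near the Interchange settings.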

    The next step is setting your variables properly.  To do this, use the
admin interface and go to Administration->Preferences->Encryption.  If you
don't have all of the variables listed below there, then you should create
them just to be consistent with these instructions.  Use the New Entry
submenu item.

ENCRYPTOR    <blank>
PGP    /usr/bin/gpg --no-default-keyring --always-trust --keyring
/home/dyna-q/.gnupg/pubring.gpg -e -a --batch -t -r '%s'
PGP_CC_KEY    orders-cc@example.com
PGP_KEY            orders@example.com

[Note: make the PGP_CC_KEY the same as PGP_KEY if you want to encrypt the
credit card info to the same key as the overall message.]

    Finally, edit your catalog.cfg file.  Search for the EncryptProgram and
EncryptKey lines.  If they exist, edit them, otherwise, add them before the
routes start:

EncryptProgram __PGP__
EncryptKey __PGP_KEY__

    then search through the rest of your file for Route main and make sure
the following entries are set:

credit_card    1
encrypt        1
encrypt_program    "__PGP__"
email        '__ORDERS_TO__'
pgp_cc_key    "__PGP_CC_KEY__"
pgp_key    "__PGP_KEY__"

    I also went through the etc/report file and removed all of the mime
types as it was causing problems for me.  GPG was encrypting the mime parts
and separators and my e-mail software didn't see the message.

    If you're having problems at this point, you'll want to look at the gpg
error messages.  In my environment, this was not simple as I did not have
root, or even interch access.  The logs are stored in the tmp/ directory as
pgp*.err.  In my case, I didn't have permissions to read these files.  To
circumvent this, do the following:

    First, figure out which file is the most recent that you want to look at
by typing `ls -lt *.err | head` -- probably the first entry is the one you're
after.  Next, go to the admin interface and navigate to Content.  Select
'..' then 'tmp' and choose the file you are interested in from the list.
This will give you the details of any errors that gpg is spitting out.
Ignore the insecure memory errors; they don't stop gpg from doing anything.
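When you do have shell access to the catalog's tmp/ directory, the two manual steps above (find the newest pgp*.err, then read past the insecure-memory warning) can be scripted. This is an added example, not part of the original post; TMP_DIR is an assumed placeholder for the catalog's tmp/ directory, and the log contents used for checking are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): locate the newest gpg error
# log in Interchange's tmp/ directory and print only the lines worth acting
# on, dropping the "insecure memory" warning the post says to ignore.
# TMP_DIR is an assumed placeholder.

# Print the path of the most recently modified pgp*.err file in directory $1,
# i.e. the first entry of `ls -lt *.err | head` from the post.
newest_err_log() {
    ls -t "$1"/pgp*.err 2>/dev/null | head -n 1
}

# Filter gpg stderr read from stdin: drop insecure-memory warnings and blank
# lines, keep everything else. Exit status is 0 if any line remains, 1 if
# the log contained nothing but ignorable warnings.
real_gpg_errors() {
    grep -v -i 'insecure memory' | grep -v '^[[:space:]]*$'
}

# Show the actionable lines from the newest log, or say why there are none.
show_latest_gpg_errors() {
    log=$(newest_err_log "$1")
    if [ -z "$log" ]; then
        echo "no pgp*.err files in $1"
        return 1
    fi
    echo "== $log =="
    real_gpg_errors < "$log" || echo "(only insecure-memory warnings; gpg ran fine)"
}

# Only read the real directory when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    show_latest_gpg_errors "${TMP_DIR:-tmp}"
fi
```

A recipient that is not in the keyring, a wrong --keyring path, or a key that gpg refuses to use all show up in the filtered output, while a log that reduces to nothing means gpg itself succeeded and the problem is elsewhere (for example the MIME handling in etc/report mentioned above).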

    And that's how you use your own keys in a hosted/shared environment.
Good luck.

..Patrick

Keywords: GPG, CPanel, Hosted, Shared, Virtual Domain, Permissions, Encrypt,
PGP, ENCRYPTOR