I have been tasked with duplicating the functionality of SecureZip; namely encrypting and digitally signing a file and then sending via SFTP.
I've been able to put together a java program based on the bouncycastle examples, and have been able to encrypt and decrypt files (with a locally generated PGP key) using this program. However, now I'm trying to implement the digital signature and want to capture the keys used for signing on the AIX system that is running the SecureZip commands.
So when I run the command
pkzipc -listcertificates
I get a response that indicates there are two OpenPGP certificates available for signing. Referring to them using
pkzipc -archivetype=pgp -add -recipient=<PUBLIC KEY RECIPIENT> -certificate=<CERT NAME> -sign=files file.out file.in
allows me to create the encrypted files using this CERT NAME cert. My question is, where? Where are these certificates located? Does AIX have a central OpenPGP certificate location or are these somehow imported into some SecureZip storage location?
Using SecureZip Server Version 14 for AIX
Using AIX 7100-03
I found the certificate location. Evidently there are three locations in UNIX that PKZIPC looks (according to the manual I finally got my hands on):
For public keys:
$PK_OPENGPG_PUBLIC_RING
$HOME/.pgp/pubring.pkr
For private keys:
$PK_OPENPGP_SECRET_RING
$HOME/.pgp/secring.skr
$HOME/.gnupg/secring.gpg
Related
I'm not using command line, merely two separate GUI programs that should functionally work together, but I'm unable to both verify a signed file and decrypt a file sent to me by someone else using Symantec's PGP program and I'm using "GPG Keychain." They have my public key and I have theirs. Any idea why they're not working when they should be?
Can someone please give me an example for corporatePasswordStore that is mentioned here:
https://docs.corda.net/node-administration.html?fbclid=IwAR0gRwe5BtcWO0NymZVyE7_yMfthu2xxnU832vZHdbuv17S-wPXgb7iVZSs#id2
I've been doing a lot of research in the last few days on how to hide the plain passwords from node.conf; it's a new topic for me and this is what I came up with so far:
Create a priv/pub key with gpg2
Create a password store with pass (using the key that I generated earlier).
Store all the plain passwords from node.conf inside that password store.
Replace the plain passwords in node.conf with environment variables (e.g. keyStorePassword = ${KEY_PASS})
Create a script file (e.g. start_node.sh) that will do the following:
a. Set an environment variable to one of the passwords from the password store: export key_store_password=$(pass node.conf/keyStorePassword)
b. Start the node: java -jar corda.jar
c. Restart the gpg agent to clear the cached passwords, otherwise you can get any password from the store without passing the passphrase: gpgconf --reload gpg-agent
Pros:
Using the bash file start_node.sh allows to set many passwords as environment variables at once (e.g. keyStore, trustStore, db passwords, RPC user password)
Since we are running the bash file with bash start_node.sh and not source start_node.sh, the environment variable is not exposed to the parent process (i.e. you cannot read that environment variable value inside the terminal where you ran bash start_node.sh
History commands are not enabled by default inside bash scripts.
Cons:
You no longer can have a service that automatically starts on VM startup, because the start_node.sh script will ask for the passphrase for your gpg key that was used to encrypt the passwords inside the password store (i.e. it's an interactive script).
Am I over-complicating this? Do you have an easier approach? Is it even necessary to hide the plain passwords?
I'm using Corda open source so I can't use the Configuration Obfuscator (which is for Enterprise only): https://docs.corda.r3.com/tools-config-obfuscator.html#configuration-obfuscator (edited)
I wrote a detailed article here: https://blog.b9lab.com/enabling-corda-security-with-nodes-configuration-file-412ce6a4371c, which covers the following topics:
Enable SSL for database connection.
Enable SSL for RPC connection.
Enable SSL for Corda webserver.
Enable SSL for Corda standalone shell.
Hide plain text passwords.
Set permissions for RPC users.
I am confused with the certificated associated with the google cloud iot core.
which CA certificate is used at the registry level and how to generate it.
And the "roots.pem" certificate used to communicate between device and cloud iot core using mqtt bridge, which i got from this link 'https://pki.google.com/roots.pem'. Is it different than the one which is associated with the registry level certificate?
I have tried adding roots.pem certificate but it throws an error that file is too big. I have also added public key which is used to authenticate device using public/private key pair it was added successfully. but i get confused which one to use and where to use and how to generate one.
How to verify Device with registry level ca certificates for more security?
I am using following command,
for getting roots.pem certificate
'https://pki.google.com/roots.pem'
for getting public/private key pair
openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -days 1000000 -out rsa_cert.pem -subj "/CN=unused"
I hope I can help answer your question. One thing that pops out is your use of the Google roots.pem. I'm not sure what that file is, but I haven't needed it in order to validate my GCP IoT clients. I use an openssl command nearly identical to yours (I just haven't been using the "-days:" parameter, but maybe I should!), then on the GCP Console web page for the device I use the "Add public key" to manually copy/paste the contents of the generated public key file (i.e.: "rsa_cert.pem"). Finally, I use the generated private key file (i.e.: "rsa_private.pem") in my code to sign the JWT.
Does that help? I'm not an "expert", but I've been working pretty regularly with this stuff for a couple months.
-C
I personally use python to connect my device and the line of code looks like this:
self.Mqttclient = self.get_client(
self.projectId, cloud_region, self.registryId, self.deviceId,
self.credential, algorithm, root_certificate,
mqtt_hostname, mqtt_port)
so yes I created the root.pem exactly like you did, and create the public and private file with a python script that basically is the same thing you do with openssl in command line.
You can have a look here for more info about certificates.
http://hbase.apache.org/book.html#_server_side_configuration_3
I have checked the URL in which it'll encrypt the data based on the Java java.security.KeyStore. But we need to keep the file .jks which contains master key for all the hbase servers (all master and Region servers have to have this file).
NOTE: Also the password to open the file has been given in hbase-site.xml.
For HDFS alone, there is option to keep the keystore file in the KMS server and not for HBase. Still now we need to keep it in the local store.
I don't need KMS option. I need something to keep the value in common place has to be accessed instaed of having same file in the all servers.
Is there any method/custom class available to get master key from the common storage like DB/redis/Zookeeper?
UPDATE #1
Someone has asked similar question but no solution for that: Encrypt HBase at-rest data in Cloud.
Workstation: Win7 Pro
Server: Win 2008
VB.net - using the System.Diagnostics.Process tools
Gpg4win 2.2.5 in stalled on both computers.
The Key Pair was generated on Win 7 and backed up to the server.
A public key was provided by the recipient.
Both keys were moved to a file share
Both gpg installations were cleared of all keys.
The Backup of the key pair was imported as well as the Public key of the recipient.
Both keys were trusted. This was all done in DOS command window.
gpg --allow-secret-key-import --import "//fileshare/KeyBackup.gpg"
(results indicate Secret key is available)
gpg --allow-secret-key-import --import "//fileshare/PUBLIC.asc"
gpg --edit-key pairkey#mycompany.com (trusted "ultimately")
gpg --edit-key publicKeys#their.com (trusted "ultimately")
In visual studio, on my work station, a vb.net app successfully encrypts and signs a file.
Move the app to the server and run under IIS, encryption fails with message, "No Secret Key". To make it more fun, encryption DOES work on the server if you use manual DOS commands.
The file to be encrypted is on a share and both applications reference it.
That I can tell both Gpg4win installations are identical and have the very same keys. Both keys were imported from the same location in the same manner.
I await the opinions of the superior minds of Stackoverflow.
Thanks
I tried setting the GNUPGHOME environmental variable to a specific location, my ASP.NET application running from IIS didn't seem to honor it and couldn't find my keys.
Eventually I discovered it kept trying to find the key files from c:\gnupg on the iis server (irrespective of GNUPGHOME). I copied all the keyring files to that location, and it finally worked.