
ICL11 - Automated Encryption Using PGP Command Line – Hands On Lab

Description

During this lab you will have a chance to use PGP Command Line to create keys, encrypt data, and interact with simple scripts and even an application built with PGP Command Line instructions inside the code.

At the end of this lab, you should be able to:
- Perform a customer demonstration of PGP Command Line.
- Explain to a customer common use cases and scenarios.
- Understand that PGP Command Line can be used with custom applications.

Notes

A brief presentation will introduce this lab session and discuss key concepts. You are welcome to take with you the PGP Command Line folder on the Windows Desktop of the virtual machine.

PGP Command Line Demonstration

Use our Symantec Demo Script to explore PGP Command Line usage and see some specific operations such as encrypting a file.

- If necessary, log in to the VM (CTRL ALT INSERT): Symc4now!
- If prompted to "restart", click "Restart Later".
- Open the PGP Command Line folder on the Windows desktop.
- Open the Script-Command-Line.txt file. Also open a Windows command prompt.
- Copy or type the first command from the text file into the command prompt and press Enter (mkdir c:\temp). Perform the second command as well (cd c:\TEMP).
- Execute each command in the script by copying and pasting into the command prompt window from the Script-Command-Line.txt file, starting with:

pgp --version

  o The "pgp --version" command shows what version of the product is installed.
  o There are detailed instructions and expected results for each step after this.

At any time you can type cls and press Enter to clear the command prompt screen.

pgp --help | more

After entering this command, press the SPACEBAR to advance a page at a time until the C:\temp prompt returns.

  o The "pgp --help | more" command shows details about all of the operations and switches available for the product.
  o The help file displayed here is very useful for determining exact usage.

pgp --gen-key test-user --key-type DH --encryption-bits 2048 --passphrase test-user

  o The "pgp --gen-key test-user --key-type DH --encryption-bits 2048 --passphrase test-user" command creates a keypair to use for encrypting data.

pgp --list-keys

  o The "pgp --list-keys" command shows what keys exist on the local system.
  o In this particular case we already have an Administrator keypair and we created the test-user keypair with our command.

echo Testfile123 > test-file.txt

  o This is a Windows Command Prompt command that creates a file called test-file.txt and puts the text "Testfile123" in it.

more test-file.txt

  o This is a Windows Command Prompt command that prints out the data in the test-file.txt file.
  o We could use any file. We are creating this so we have some data to encrypt.

pgp --encrypt test-file.txt --recipient test-user --passphrase test-user

dir

  o Note the encrypted file (.pgp extension).
  o An encrypted file will be created from the test-file.txt file.
  o The original file will also still be present in the directory.
  o The output of the encrypt command should be "0", meaning no errors.
  o The file was encrypted to the test-user keypair we just created. You could also encrypt to the Administrator keypair or encrypt to any other key on this system or on searchable key servers.

more test-file.txt.pgp

  o If we take a look at this file we see that it is encrypted.
  o It is protected with a binary form of encryption.

  o PGP also supports ASCII armored encryption if needed.

pgp --decrypt test-file.txt.pgp --passphrase test-user --output test-file-decrypted.txt
dir

  o Note the test-file-decrypted.txt file.
  o This command creates a decrypted file from the encrypted test-file.txt.pgp file.
  o The encrypted file will still remain after decryption.
  o Also, we specify a file name for the decrypted file. The default would be to use the original file name minus the .pgp.
  o We also give the passphrase of the user's private key.
  o After we run the command we get an output of zero again, which is good.
  o If we run a directory listing we see the decrypted file.

more test-file-decrypted.txt

  o If we run a more command on the file we see the decrypted information in the file.

SUMMARY:
  o What you have done in this exercise is see how you can encrypt and decrypt data manually using PGP Command Line. These same commands can be included in your batch processes, your shell scripts, or even integrated into C code through our SDK capabilities.
  o Everything you saw today can be fully automated, including the key generation that we did at the beginning.
  o A lot of solutions don't have key generation that is scriptable, but our PGP Command Line technology does.
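The demo above, collected into one batch file as an added example (not part of the lab materials): it generates the keypair only if it is missing, encrypts, decrypts, and checks the exit code of every pgp call plus a byte-for-byte comparison before declaring success. It assumes pgp is on the PATH and uses the lab's key name and passphrase.

```batch
@echo off
setlocal
REM Added example (not part of the lab): the manual demo above as one
REM script, with a key-existence check and a round-trip verification.
REM Assumes pgp on PATH and the lab's key name and passphrase.
set WORKDIR=C:\temp
set KEYUSER=test-user
set PASS=test-user
set PLAIN=test-file.txt

if not exist "%WORKDIR%" mkdir "%WORKDIR%"
cd /d "%WORKDIR%" || exit /b 1

REM Scripted key generation: only create the keypair if it is not present,
REM so the script can be re-run without producing duplicate keys.
pgp --list-keys | findstr /i /c:"%KEYUSER%" >nul
if errorlevel 1 (
    pgp --gen-key "%KEYUSER%" --key-type DH --encryption-bits 2048 --passphrase "%PASS%"
    if errorlevel 1 (echo Key generation failed & exit /b 2)
)

echo Testfile123> "%PLAIN%"
if exist "%PLAIN%.pgp" del "%PLAIN%.pgp"
if exist "%PLAIN%.decrypted" del "%PLAIN%.decrypted"

REM Encrypting to a public key needs no passphrase; the passphrase is
REM only required at decrypt time to unlock the private key.
pgp --encrypt "%PLAIN%" --recipient "%KEYUSER%"
if errorlevel 1 (echo Encrypt failed, original left untouched & exit /b 3)

pgp --decrypt "%PLAIN%.pgp" --passphrase "%PASS%" --output "%PLAIN%.decrypted"
if errorlevel 1 (echo Decrypt failed & exit /b 4)

REM Prove the round trip byte for byte before any automation deletes the
REM original; a mismatch here must stop the job.
fc /b "%PLAIN%" "%PLAIN%.decrypted" >nul
if errorlevel 1 (echo MISMATCH between original and decrypted file & exit /b 5)
echo Round trip OK
endlocal
exit /b 0
```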

Encrypt and Transfer a File Using FTP

In this lab you will create a batch file to automatically encrypt a file and transfer it with FTP to a backup location. After backing up the file, Command Line will securely wipe the encrypted file on the local machine.

- So that we have a database file to encrypt, move the ExampleDB file from the PGP Command Line demo folder to the root of the Enforce VM C:\ drive.

Move a plaintext file over with FTP so you can see the file being moved without encryption:

- Create a new text file by opening Notepad (Start > All Programs > Accessories > Notepad).
- Enter the information shown in the following screenshot into the text document. Each entry requires its own line:
- Save the document to the root of the drive at "C:\" as "plain transfer".
- Open a Windows command prompt.

cd C:\
ftp -s:"plain transfer.txt"

  o This will move the ExampleDB.db file over to the local ftp directory.
- Open Windows Explorer and go to "C:\inetpub\ftproot\backup". You will see the ExampleDB.db file. This folder is the local "ftp" folder.
- Delete the backup folder.

Encrypt the file and move it using FTP:

- Create a new text file by opening Notepad (Start > All Programs > Accessories > Notepad).
- Enter the information shown in the following screenshot into the text document. Each entry requires its own line:

- Save the document to the root of the drive at "C:\" as "encrypt transfer.txt".
- Next create a batch file with our encryption commands by opening Notepad and entering the information shown in the following screenshot using the same formatting:
- Click "File > Save As", change the name of the file to "encrypt.bat" and save it to the root of the drive at "C:\". When you save it make sure you use "all files" instead of saving it as a ".txt" file.
- Open a Windows command prompt (there is a shortcut on the toolbar).

cd C:\
encrypt

  o This will automatically encrypt the ExampleDB.db file to the recipient key and transfer the file to an FTP location. After encrypting and transferring the file, the original encrypted file on the local disk will be securely deleted by Command Line.
- Open Windows Explorer and go to "C:\inetpub\ftproot\backup". You will see the ExampleDB.db.pgp file. Note the .pgp extension as the file is now encrypted.
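An added example of the encrypt, transfer and wipe pipeline this section describes; it is not the lab's encrypt.bat (whose screenshot is not in this text). It assumes pgp on the PATH, ExampleDB.db at C:\, a local FTP account named "backup" whose password arrives in the FTPPASS environment variable, and the pgp --wipe option from the product documentation. Note that FTP carries the login and the file in clear; the PGP encryption protects the payload, not the credentials.

```batch
@echo off
setlocal
REM Added example, not the lab's encrypt.bat (its screenshot is absent from
REM this text). Assumes: pgp on PATH, ExampleDB.db at C:\, a local FTP
REM account "backup" whose password is supplied in the FTPPASS variable.
set SRC=C:\ExampleDB.db
set ENC=C:\ExampleDB.db.pgp
set RECIPIENT=test-user
set FTPHOST=127.0.0.1
set FTPUSER=backup
set FTPSCRIPT=C:\ftpjob.txt
set FTPLOG=C:\ftpjob.log

if not exist "%SRC%" (echo Missing %SRC% & exit /b 1)
if "%FTPPASS%"=="" (echo FTPPASS not set & exit /b 1)
if exist "%ENC%" del "%ENC%"

REM 1. Encrypt to the recipient's public key. A non-zero exit code means
REM    nothing usable was produced, so stop before transferring or deleting.
pgp --encrypt "%SRC%" --recipient "%RECIPIENT%" --output "%ENC%"
if errorlevel 1 (echo Encryption failed & exit /b 2)

REM 2. Build the ftp -s script at run time so the password never sits in
REM    a file on disk longer than the transfer takes.
(
    echo open %FTPHOST%
    echo %FTPUSER%
    echo %FTPPASS%
    echo binary
    echo cd backup
    echo put %ENC%
    echo bye
) > "%FTPSCRIPT%"
ftp -s:%FTPSCRIPT% > "%FTPLOG%"
del "%FTPSCRIPT%"

REM ftp.exe exits 0 even when a transfer fails, so look for the server's
REM "226" transfer-complete reply in the session log instead.
findstr /c:"226" "%FTPLOG%" >nul
if errorlevel 1 (echo Transfer not confirmed, keeping %ENC% & exit /b 3)

REM 3. Only now wipe the local ciphertext (pgp --wipe is from the product's
REM    documented options, assumed here; the lab does not show the command).
pgp --wipe "%ENC%"
if errorlevel 1 (echo Wipe failed & exit /b 4)
echo Backup complete
endlocal
exit /b 0
```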

Encrypt to a password

During this lab section you will encrypt some data to a Self-Decrypting Archive, or SDA, which can then be decrypted on systems that do not have an encryption application by simply double-clicking it and entering the password.

- Create a C:\temp folder.
- Open the DLP folder on the desktop and then browse to the Demo Data folder. Copy the Federal folder to the C:\temp folder.
- Open a Windows command prompt.

cd c:\temp
pgp --encrypt Federal --sda --symmetric-passphrase joe --output fed.exe
dir

  o Note the fed.exe file.
  o This file can be placed on removable media or sent using other methods to recipients that don't have their own encryption application. It could also be decrypted using PGP Command Line (and a script if desired) if the recipient has the product.

- Copy the fed.exe file to the host desktop.
- Using Windows Explorer, double-click the fed.exe file and enter the passphrase "joe".
  o A Federal folder is created with the extracted files.

Use a Custom Application with PGP Command Line Encryption

In this exercise you will see an example of a customized application written in Perl that will utilize PGP Command Line to encrypt or decrypt files as needed. This will demonstrate the power of using PGP Command Line and some creative programming by showing a simple application that can be used to create a folder where files can be dropped in and encrypted or decrypted automatically.

- Open the "PGP Command Line demo" folder on the host Windows Desktop.
- Copy the pgp-securebox-1.0.0.pl file to the "C:\temp\Federal" folder.
- Double-click the pgp-securebox-1.0.0.pl file. This application first creates a config file based on some questions that an administrator would answer.
- Answer "y" or "yes" to question #1.
- Answer "2" to question #2.
- test-user is the answer to #3.
- For question #4 answer "2", just delete them.

  o This will create a .conf file with our settings.
  o Now we are ready to encrypt files using our custom application.
  o If this application were being used in an actual environment, the example scenario would be that end users have a folder on the file server where they can place files that need to be encrypted, perhaps at the end of a project so they can then be archived. The files can then be encrypted by our script at regular intervals using task scheduler or manually by an administrator.
- To encrypt the files, double-click the pgp-securebox-1.0.0.pl file (again).
- Once the application exits, look at the files in the temp\Federal folder. They should have a .pgp file extension, noting that they are encrypted.

- Now experiment with the decrypt option for our "securebox" application by deleting the .conf file and going through the options again but selecting the decrypt option.
- Feel free to try out the other options in the application.
- If you would like to see how the "securebox" application was written you can right-click on it and choose "Open With..." and "Wordpad".
  o There are notes at the top of the application that talk about what it does and how it can be used.
  o By doing a search for "pgp" and then going through the matches you can get an idea of how and when the PGP Command Line application is called.
