As previously noted, I don’t anticipate actually needing encrypted communications for myself. However, some of you may see a need, or other folks may come into my world feeling the need.
Encryption is touted as primarily a means of digital privacy. If you worry about people intercepting your communications and seeing what’s in them, then encryption reduces the risk. I maintain that my bigger concern is not so much snooping as that someone might change my message. It turns out that encryption can support that in some contexts, since a message that can’t be read also cannot be changed.
To be honest, the best security doesn’t require a computer, but few of us are ready to dig into things like one-time pads. So we rely on software designed to make it more convenient. These days, it can be downright transparent. That is, you can set things up on most computers to do it all automatically and stop giving it so much thought.
The most widely used system for ordinary folks like us is Pretty Good Privacy (PGP), a system designed some years ago. These days the version easiest to get for free is Gnu Privacy Guard (GnuPG) which uses the same basic concept as PGP, but is free and maintained as Open Source software. It’s a standard feature on Linux and Unix computers, but is also available for Windows and Mac.
The Windows version is here and it’s a complete package with everything you need. The Mac version is here and you’ll need to study a bit, because I don’t deal with Macs enough to be of much help. If you use Linux, there are lots of GUI tools and the simplicity of operation varies widely. You could also learn how to run it all from the command line, if you prefer.
The whole point is that the first thing you do is create your own encryption key. It has to be tied to an email address. This means you consider carefully and decide whether you might want to dedicate some email account just for this purpose. For reasons that aren’t obvious, this would be a huge boondoggle if your account is webmail only. That would mean encrypting a message as a file, then sending the file as an attachment in the email. It’s a whole lot easier to simply use an email client that is designed to handle it directly, but that means selecting an account that you can run from your computer directly, not webmail. There are lots of free ones out there that provide you direct access from a standard email client (using POP and SMTP protocols), and many ISPs will allow you to hold more than one as part of the service. This is not about free email accounts, so we presume here that you have one selected for this purpose, one that is not used for much of anything else.
I will note in passing that you can do it with Gmail, because they allow that kind of usage, and you can do it with the IMAP protocol for any service that permits it. If you use Windows Live Mail, so far no plugin exists, so it’s like webmail in that respect. If you use Outlook, developers are working on it, but it’s a ton of work for the user to integrate and may not work anyway. Keep those for your regular email, and get something like Thunderbird just for your encrypted email traffic. There is also something called Claws for Windows that does it, but Claws is a little challenging to use due to lack of automation in configuring it. With Thunderbird, it’s as simple as installing an extension made for it, called Enigmail.
Here is one of the best guides for Windows users, and it happens to include illustrations on how to do it with Claws, if you prefer. I highly recommend you create your key first using the simplified GUI tools included in the GPG4Win package. I recommend you use 2048 as the minimum key size. Passwords are discussed elsewhere on this blog, so use the search function. You can use an entire sentence if you know you can remember it and type it precisely every time; spaces are acceptable in this case.
There are two ways to share your key with other folks. I export mine to the default GPG keyserver — hkp://keys.gnupg.net. You can find me as “Ed Hurst <email@example.com> 0223AD6F” if you use the GUI to search for and import keys. Make sure you don’t pick up on some old key I may have used before and lost. I forgot to make a revocation certificate the first few times I played with this, so make sure you create one and save it somewhere. That way, if you decide to change to a new key for any reason, folks will know the old one is no longer valid. (Disregard; I lost that key and can’t recover it. I’ll post a new one in a new message later.)
Please note that you must exchange your public key with someone else in order to use encryption with them. You need a copy of my key and I need a copy of yours. I don’t have room to explain how this works in detail, but your public key is not the same as your private encryption key; it still enables folks to encrypt messages to you that only you can open. Using their public key, you can do the same. In the lingo of GPG, you have to have my key on your keyring to use it, and I have to have your key on mine. We each have to mark the keys as trusted. Ideally you would exchange these keys face to face using a jump drive or something like that. However, the keyserver concept will do well enough for the level of security we might need. From all anyone can tell, the NSA struggles (generally cannot and keeps trying) with breaking this PGP style of encryption.
Once you’ve done all of that, fire up Thunderbird and set up the account you’ll be using for this. Then install the Enigmail extension as explained in the linked tutorial and it should walk you through a simple automated process of setting itself up for encryption. It knows where to find the keys most of the time.
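The same steps from the command line, as an added example that is not code from the post: make the key at the post's 2048-bit minimum, create the revocation certificate right away, publish the key, and check a correspondent's fingerprint before marking the key as trusted. NAME, EMAIL and the fingerprint values are placeholders; the keyserver is the one named above.

```shell
#!/bin/sh
# Added example, not code from the post: the GnuPG steps the post describes,
# done from the command line. NAME, EMAIL and the fingerprint values are
# placeholders; the keyserver is the one the post names.
set -u
NAME="Your Name"                 # placeholder
EMAIL="you@example.com"          # placeholder: the account dedicated to encrypted mail
KEYSERVER="hkp://keys.gnupg.net" # keyserver named in the post

# 1. Create a 2048-bit RSA key (the post's minimum) without the wizard. No
#    passphrase is written here; GnuPG prompts for one through pinentry.
generate_key() {
  gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 2y
%commit
EOF
}

# 2. Make the revocation certificate right away and keep it somewhere safe
#    (gpg asks for the reason interactively).
make_revocation_cert() { gpg --output "revoke-$1.asc" --gen-revoke "$1"; }

# 3. Export the public key for hand-off and publish it to the keyserver.
publish_key() {
  gpg --armor --export "$1" > "pubkey-$1.asc"
  gpg --keyserver "$KEYSERVER" --send-keys "$1"
}

# 4. Compare the fingerprint gpg shows with the one the other person gave you
#    face to face. Spacing and case are ignored; a full fingerprint is 40 hex
#    digits, so a short 8-digit key ID alone is never accepted.
fingerprint_matches() {
  a=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  b=$(printf '%s' "$2" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# 5. Fetch a correspondent's key, verify it, then sign it locally so gpg
#    treats it as valid for encryption.
trust_key() {  # $1 = key ID, $2 = fingerprint received out of band
  gpg --keyserver "$KEYSERVER" --recv-keys "$1"
  shown=$(gpg --with-colons --fingerprint "$1" | awk -F: '$1=="fpr"{print $10; exit}')
  fingerprint_matches "$shown" "$2" || { echo "fingerprint mismatch for $1" >&2; return 1; }
  gpg --lsign-key "$1"
}

# 6. Sign as well as encrypt, so a changed message fails verification.
encrypt_and_sign() { gpg --armor --sign --encrypt --recipient "$1" "$2"; }  # writes $2.asc
```

Enigmail does the signing and encrypting for you once the keys are on the keyring; the functions above are the equivalent for anyone working from a terminal.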
The other way to get hold of me with a fair degree of security is to get a free account at Unseen, which is hosted in Iceland and wholly unlikely to let any outside law enforcement or spy agencies see your mail. My address there is “broken” — if you log onto their webmail and send a message to my account there, it never leaves their server.
Well, that was a real disappointment.
Just when I thought I had everything as I wanted it, Debian began puking on me. Wifi wouldn’t work consistently and the machine crashed three times in one day. In other words, it wasn’t working well enough on this peculiar machine. I really was hoping to settle down on that issue, but it was not to be. So I reinstalled CentOS 7. At least it is consistent with wifi and other hardware drivers.
Part of the whole thing was the sheer convenience of having WINE on which to run my old MS Office 2000. It matters because when I publish my books, they have to be in Word format and LibreOffice does things differently, even when exporting to the Word format. The result is simply not good. Further, while my grammar is just fine, I do commit typos and simple human errors of leaving out words, or leaving in words from edits, and I rely on Word to catch that stuff. LibreOffice does not have anything comparable.
WINE is not available for CentOS to run 32-bit Windows apps. A virtual machine is possible, but it runs dog slow on this laptop. This thing is specced for long battery life, which means a slower processor speed, which means it takes forever to get the VM open and then to do much in it.
Turns out that Microsoft has been offering a cheaper version of MS Office online for free. I already had an account with their Outlook online service, so the same login works without a hitch. From what I can see, it’s adequate for the demands of my book publisher.
It won’t matter too much whether you trust the cloud services. More and more, it becomes the necessity of life. Got an Android device? You have to have a Google account. That account comes with access to all of Google’s services: Docs, their version of Facebook, the free cloud storage, etc. I’m using the cloud because I don’t have a lot of choice.
I’m not a purist; this is just a tool. A major tool worthy of an awful lot of time and effort, but still just a tool. Running Windows 8 (which came with the laptop) is simply not an option because I can’t control the things I find it necessary to control for my mission. And because the hardware is so new, there aren’t many Linux distros that will work and I’m sick of the distro sampling lifestyle of most Linux users. It’s not a religion for me, so I’m not chasing the holy grail of Linux perfection, which is no more real than the grail. Choosing CentOS and running it properly means accepting the limitations of software choices.
I can live with this.
Folks, this is how it’s done.
Oracle may not be our favorite company, but this is one thing you will not want to miss: Oracle’s Virtual Box VM. It’s free.
You will need to install the kernel-devel package and all the dependencies. You’ll also need the dkms package from EPEL, so be sure to enable that repository. What dkms does is allow kernel modules to follow updates to newer kernels.
Download the correct version of Virtual Box; it will list CentOS 7 with a link to the RPM. You’ll need your root credentials to install using Yum on the CLI. What happens is that the package builds itself on your machine and creates several kernel modules. It will take a good long while as the system is quite busy in the background.
I got errors from SELinux about attempts by ldconfig to write to some directory. They show up in little GUI popups, and on the console, after it’s installed, you’ll see this:
Trying to register the VirtualBox kernel modules using DKMS
ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
ldconfig exited ungracefully
ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
ldconfig exited ungracefully
ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
ldconfig exited ungracefully
So far as I can tell, it has no effect on the outcomes, so just be aware that this represents how strongly SELinux protects you from unwanted changes to your system.
Also notice the message about adding your user account to the vboxusers group. While still logged in as root, simply edit the file /etc/group. Scroll down to the last item on the list, which should be vboxusers, and simply add your user account name at the end of the line.
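The prerequisite install and the vboxusers step as a script, added here as an example and not taken from the post. It uses usermod rather than a hand edit of /etc/group, and also shows the one thing the hand edit has to get right: members on a group line are comma-separated. VBOX_RPM and USER_NAME are placeholders; the compiler packages are assumed to be among the "dependencies" the post mentions.

```shell
#!/bin/sh
# Added example, not code from the post: the CentOS 7 prerequisites the post
# lists, and the vboxusers step done with usermod rather than by editing
# /etc/group by hand. VBOX_RPM and USER_NAME are placeholders.
set -u
VBOX_RPM="VirtualBox-PLACEHOLDER.el7.x86_64.rpm"  # placeholder: the RPM downloaded for CentOS 7
USER_NAME="${USER_NAME:-youruser}"                 # placeholder

install_prereqs() {   # run as root
  yum -y install epel-release                # enables the EPEL repository, where dkms lives
  yum -y install kernel-devel dkms gcc make  # headers, dkms, and the toolchain the module build needs
  yum -y install "./$VBOX_RPM"               # builds the vboxdrv modules; slow, as the post warns
}

# Safer equivalent of "add your account name at the end of the vboxusers
# line": -a appends, so the user's existing groups are kept, and the check
# confirms the membership took.
add_to_vboxusers() {   # run as root
  usermod -aG vboxusers "$USER_NAME"
  id -nG "$USER_NAME" | tr ' ' '\n' | grep -qx vboxusers
}

# If you do edit /etc/group by hand, this is the edit that has to happen:
# members are comma-separated, so a second member needs a comma, and a user
# already on the line must not be added twice.
group_line_with_member() {   # $1 = a line of /etc/group, $2 = user name
  members=${1##*:}                           # text after the last colon
  case ",$members," in
    *",$2,"*) printf '%s\n' "$1" ;;          # already listed: unchanged
    ",,")     printf '%s%s\n' "$1" "$2" ;;   # first member: no comma
    *)        printf '%s,%s\n' "$1" "$2" ;;  # append with a comma
  esac
}

if [ "${1:-}" = "--install" ]; then
  install_prereqs && add_to_vboxusers && echo "log out and back in so the new group applies"
fi
```

Group membership is read at login, so the new group only shows up in `id` for sessions started after the change.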
Launch from the main menu: System > Oracle VM Virtual Box. Upon first running the thing you’ll discover this is a very intelligent tool and much easier to use than Qemu.
You create the machine first and get it running before you install. I didn’t think 192MB was enough RAM for Windows XP. Depending on your system, you may not be able to give your VM multiple cores on the CPU. If you can’t, you’ll get errors about not having AMD-V enabled in the BIOS. My Win8 laptop was like that. However, I was able to link the machine to my own home folders right from the start; I selected the automount option and browsed to a Projects folder where I need to use MS Office. You really need to take your time and explore the various options in this manager window.
The display is considerably less laggy than Qemu. Once you install the Guest Additions, it becomes even less so. You can fix a lot of niggling issues like display, making your VM respond automatically to window resizing and such. Under the VM menu, see “Devices” and select the last item at the bottom to automatically mount the virtual ISO image and get those extra drivers so that everything can be smooth and unified in use.
A very handy feature is the row of icons across the lower right side of the window when the VM is running. You can connect and disconnect from the host USB, CD/DVD drives, etc. with ease. From the menu, you can elect to connect or disconnect things like the network connection. So you can, for example, keep your vulnerable XP VM from the Internet.
It’s pretty easy to export your VMs and reimport them on other machines running Virtual Box.
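Keeping an old guest such as the XP VM off the Internet can also be done from the command line with VBoxManage, VirtualBox's own CLI; this is an added example, not code from the post. VM_NAME is a placeholder, and the host-only variant assumes a vboxnet0 host-only interface has already been created.

```shell
#!/bin/sh
# Added example, not code from the post: isolating a vulnerable guest from the
# network with VBoxManage, and checking that it stayed isolated. VM_NAME is a
# placeholder; vboxnet0 must already exist (VBoxManage hostonlyif create).
set -u
VM_NAME="${VM_NAME:-WinXP}"   # placeholder

# Unplug the virtual cable on adapter 1 (VM powered off). The guest keeps its
# NIC, so nothing inside complains, but no packets leave the host.
isolate_vm() {
  VBoxManage modifyvm "$VM_NAME" --cableconnected1 off
}

# Alternative: host-only networking, so the guest can reach the host (for a
# file share, say) but not the home LAN or the Internet.
host_only_vm() {
  VBoxManage modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 vboxnet0
}

# Read `VBoxManage showvminfo --machinereadable` output from stdin and return
# 0 if adapter 1 cannot reach beyond the host (absent, unplugged, or
# host-only), 1 if it can (NAT or bridged with the cable connected).
adapter1_isolated() {
  nic=""; cable=""
  while IFS='=' read -r key val; do
    val=${val#\"}; val=${val%\"}          # strip the surrounding quotes
    case $key in
      nic1)            nic=$val ;;
      cableconnected1) cable=$val ;;
    esac
  done
  case "$nic/$cable" in
    none/*|*/off|hostonly/*) return 0 ;;
    *)                       return 1 ;;
  esac
}

# Check the live configuration before powering the guest on.
check_vm() {
  if VBoxManage showvminfo "$VM_NAME" --machinereadable | adapter1_isolated; then
    echo "$VM_NAME: adapter 1 is isolated"
  else
    echo "$VM_NAME: adapter 1 can reach the network" >&2
    return 1
  fi
}
```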
Install a Windows VM on CentOS/RHEL 7 using QEMU — this is the hard way.
VMware won’t build properly on CentOS 7 and all of the suggested fixes failed. The simplest answer is using the virtualization system included with CentOS, QEMU.
See this quickstart guide first. Sadly, they don’t tell you to install libvirt:
yum install libvirt
Then, turn on the libvirt service:
systemctl enable libvirtd.service
systemctl start libvirtd.service
It still won’t run properly, so reboot!
Whatever OS you wish to install, extract an ISO image from CD/DVD. This way you won’t have to fight permissions. This is true of everything you want to use with your VM. There are various ways to pull off the CD/DVD into an ISO.
Since I’m running KDE, it’s simplest to use K3B. Select the option to copy your CD/DVD and on the “Options” tab, check the box for “Only create image.” Also, click the “Image” tab because you may want to move the image from the default location up in the /tmp/ directory. Click the folder icon button and select someplace like your home folder.
When you open the Qemu manager (in the main menu under “System > Virtual Machine Manager”) you’ll be prompted for root credentials. It won’t run in user mode.
I didn’t have much luck installing XP; it kept hanging and entering a race condition. Win2K worked fine for this experiment.
Click the button for a new machine. Give it a name like “win2k”. Select to install from “Local install media” then on the next tab choose “ISO image” and navigate to where you had K3B save it. Select OS type and version. I had to tell Qemu to show me all the options for Windows before it listed “Windows 2000”.
The defaults for RAM and CPU are okay, but you can double the CPU if your machine actually has two or more cores and you think you’ll need it. The defaults for storage are probably fine unless you know you need a big storage space.
The rest is a matter of having installed Windows a time or two. Some errors may flash on the screen at times, but unless they persist, they don’t mean anything. Play with the settings; I found the Cirrus display gave me a lot more screen real estate.
Qemu is downright cranky and sometimes cryptic. I had to manually tell it to add a USB passthrough option so I could connect a jump drive to the VM. Unlike other VMs, Qemu will not make it easy to link the VM to your host file system. You’d have to run a file server (Samba for Windows VMs) and connect through the virtual network link. Worst of all, it takes lots of system resources to run any 32-bit VM and it’s quite laggy, so if you intend to use it a lot, you’ll have to be ready for that. I don’t recommend Qemu for Windows VMs.
CentOS is a lot smarter than you might expect. It knows when it is connected to a home router. The new firewall quickly adjusts and generally does the right thing.
However, it won’t automatically allow you to link to the other computers on your home network. It’s defensive by nature and pretty tight. Once you tell the firewall things are okay for this or that, it will relax just a bit.
Let’s say that you have at least one other computer on your home network running Windows. This is not about Windows, so you’ll have to research how, but your Winbox can share files and any peripherals attached to it with your CentOS 7 machine (start by reading this for XP/Vista and this for Win7). The software Linux uses to talk to Windows is called “Samba,” a name taken from the protocol abbreviation SMB (Server Message Block). By default, it’s likely your CentOS machine is running a Samba client. It simply needs permission from the firewall to use it on the home network.
In your main menu, find the system administration tool for the firewall. It will demand your root credentials. The window that will open is pretty complicated, but we only need to worry about one thing: In the window pane on the left, select “home” — it’s the zone of operations CentOS knows comes from home networking traffic. In the window pane on the right, scroll down to find “samba-client” and select that box. The firewall immediately opens that channel for traffic only inside the router network.
Now test it by opening your file browser window. Look for something that indicates the Network connections and click that. Find the icon for Samba shares. Click and it should offer you a list of the Windows networks. By default, Windows computers will be set up to use “workgroup” as the name for this. Click that icon and you should find a list of Windows computers within that default workgroup. If you attempt to connect to any Windows “host” listed there with whatever name you gave it when you set it up (like “winbox”), you’ll need a name and password for any of the accounts on that machine. You can have your file browser window remember the password so you can log on at will. Once logged in, you can browse the file system as if it were your own on CentOS.
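The same firewall change with firewall-cmd instead of the GUI, added here as an example that is not from the post. It scopes the rule to the home zone as the post does, and checks that only the Samba client service was opened, not the samba server service, which would expose this machine's own shares. IFACE is a placeholder for your network interface name.

```shell
#!/bin/sh
# Added example, not code from the post: the firewalld step the post does in
# the GUI, done with firewall-cmd, plus a check that only the Samba client
# was opened. IFACE is a placeholder for your wifi/ethernet interface name.
set -u
IFACE="${IFACE:-wlp2s0}"   # placeholder

# Put the interface in the "home" zone (so the rule applies only on the home
# network) and allow Samba client traffic there, permanently.
open_samba_client() {   # run as root
  firewall-cmd --permanent --zone=home --change-interface="$IFACE"
  firewall-cmd --permanent --zone=home --add-service=samba-client
  firewall-cmd --reload
}

# Given the output of `firewall-cmd --zone=home --list-services` on stdin
# (one space-separated line), succeed only if samba-client is allowed and
# the samba *server* service is not: browsing Windows shares and printing
# need the client side only.
samba_client_only() {
  read -r services || services=""
  has_client=1; has_server=1
  for s in $services; do
    [ "$s" = "samba-client" ] && has_client=0
    [ "$s" = "samba" ] && has_server=0
  done
  [ "$has_client" -eq 0 ] && [ "$has_server" -ne 0 ]
}

check_home_zone() {
  if firewall-cmd --zone=home --list-services | samba_client_only; then
    echo "home zone: samba-client allowed, samba server not exposed"
  else
    echo "home zone: unexpected Samba configuration" >&2
    firewall-cmd --zone=home --list-all >&2
    return 1
  fi
}
```

If the interface is managed by NetworkManager, the zone change is stored in the connection profile and survives reconnects.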
I’m not going to detail here the chase to find printer drivers for Linux; it’s pretty complicated. CentOS 7 comes with most of those available. You can find more at this page. Also, note that several major printer manufacturers have begun offering their own special Linux drivers, so do your own research. So let’s assume for now you know you have a Linux driver for a printer connected to your Winbox.
When you run the printer setup tool on CentOS, one of the options is a network printer using Samba (SMB). Click that option and fill in the information as required for your Windows Samba share. This assumes you’ve set up things on your Winbox to share and have given the printer share a simple name — I used “winprint.” Thus, it was a simple matter of smb://winbox/winprint for me. Then I chose the appropriate driver and set it up using the tool on CentOS. I was able to print a test page in just a couple of minutes.
The key was simply getting the firewall to open up for the samba client.