Encrypting cron emails with GPG

Introduction

You might have your server setup in such a way that it runs a few tasks with cron so you don’t have to worry about them. Except.. you should. That is if the scheduled tasks send mission critical information over the internet. Now assume you have some kind of security audit software running like say lynis. You sure don’t want that report in the wrong hands since an attacker could really use that information to break into your server way easier than otherwise.

 

Assumptions

  • You are familiar with GPG
  • You have root access to your linux web server
  • Your server runs on a recent Ubuntu
  • Cron is already configured to send emails

 

Encrypting

There are basically two ways of encrypting emails one is GPG and the other S/MIME. We will be using GPG. Further this article assumes you are familiar with GPG.

 

  1. Upload your public key (ending in .asc) to your server /home is a good place.
  2. That the key can actually be read by the command we will be using, it has to be slightly modified. To be precise the ASCII amor has to be removed we need the key in binary form. This is archived by the following command.
  3. Add this line at the top of your /etc/crontab just after MAILTO=you@example.de. You need to replace the email address and the public key path.
  4. For this command to work we need the program  ifne installed. Usually if a command has no output to /dev/stdout or /dev/stderr gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying ifne  prevents this. To install it run.
  5. Now in /etc/crontab you can simply pipe the output to gpg and enjoy encrypted emails.

     

 

 

If you want to have a more in depth understanding of what is going on here I suggest you read this article as well. This is also where some of the inspiration for the exact parameters to gpg came from.

Server Authentication With Client Certificate X.509

Introduction

Basics of setting up certificate based authentication on Apache.

 

Assumptions

Your Server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

 

Creating all the files we need

WARNING: Further investigation has to be made whether this is the optimal way.

WARNING: The key sizes and expiration dates must be adjusted to suite your need.

 

Create the CA

Create a signing request and signing it with the CA private key

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On safari the .p12 file has to have a password for the import to work)

Convert the .p12 to .pam so tools like curl can use it

 

Configuring Apache

copy your CA.pem in a file readable by apache. In my case it is /home/CA.pem but this might differ for your server.

in your virtual hosts configuration file add  SSLCACertificateFile  and  SSLVerifyClient  like shown below.

 

 

Finally… we can use it

To use the certificate with curl

 

To install in Safari on a Mac just double click the .p12 file and follow the instructions

To install on iOS the file can be send by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file it should NOT be send over the internet instead plug in a usb cord and transfer via iTunes.