110.3 Securing Data with Encryption

Weight: 4

Goal: Use public-key tools to secure data and network traffic. Use SSH, OpenSSH, GPG, and basic features of SSL/TLS-based connections.

This is the largest security objective on the exam. Master SSH thoroughly — much of the material is about it.

1. Two Kinds of Cryptography

Type	Same key for encrypt and decrypt?	Examples
Symmetric	Yes — both sides share one secret.	AES, ChaCha20.
Asymmetric (public key)	No — a public key encrypts, a private key decrypts (and vice versa for signatures).	RSA, DSA, ECDSA, Ed25519.

Asymmetric crypto solves the key-distribution problem: you can publish your public key freely. Anyone can encrypt to you, but only your private key can decrypt.

The two main uses:

Encryption: anyone uses your public key to send you a secret; only you can read it.
Digital signatures: you sign with your private key; anyone verifies with your public key.

In practice SSH and TLS combine the two: asymmetric crypto authenticates the connection and exchanges a fresh symmetric key, then symmetric crypto encrypts the bulk traffic.

2. SSH: The Basics

SSH (Secure Shell) provides encrypted remote login, file copy, and tunneling. OpenSSH is the implementation on every Linux distribution. Default port: TCP 22.

Two halves:

sshd — the server, listens on the remote machine.
ssh — the client, runs on your machine.

Logging in

ssh user@host                       # log in as user@host
ssh -p 2222 user@host               # non-default port
ssh -i ~/.ssh/id_special user@host  # use a specific private key
ssh -v user@host                    # verbose (debugging)

The first time you connect to a host, the client shows the host key fingerprint and asks you to accept it. The fingerprint is then stored in ~/.ssh/known_hosts. On subsequent connections, the client refuses to continue if the key changes (the dreaded “REMOTE HOST IDENTIFICATION HAS CHANGED” warning).

3. SSH Configuration Files

On the server machine (where `sshd` runs)

File	Purpose
`/etc/ssh/sshd_config`	The server’s configuration.
`/etc/ssh/ssh_host_*_key`	Server private host keys (one per algorithm: rsa, ecdsa, ed25519). Mode 600, owned by root.
`/etc/ssh/ssh_host_*_key.pub`	Server public host keys. World-readable.

Important sshd_config directives for the exam:

Port 22
PermitRootLogin no                  # disallow direct root SSH login
PasswordAuthentication yes          # set to "no" once keys work
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers alice bob                # whitelist
AllowGroups admins
X11Forwarding yes                   # required for ssh -X

After editing, reload the daemon: systemctl reload sshd.

On the client machine

File	Purpose
`/etc/ssh/ssh_config`	System-wide client defaults.
`~/.ssh/config`	Per-user client configuration.
`~/.ssh/known_hosts`	Public host keys of servers you’ve previously connected to.
`~/.ssh/authorized_keys`	List of public keys that may log in to this user’s account. (Lives on the server side, in the target user’s home.)
`~/.ssh/id_rsa`, `id_ecdsa`, `id_ed25519`	The user’s private keys. Mode 600.
`~/.ssh/id_*.pub`	The user’s public keys. Mode 644.

~/.ssh itself must be mode 700, or the SSH server will refuse to use the files in it (“strict modes”).

`~/.ssh/config` shortcuts

Host work
    HostName srv.example.com
    User alice
    Port 2222
    IdentityFile ~/.ssh/work_key

Host *
    ServerAliveInterval 60

Now ssh work does the right thing automatically.

4. SSH Key-Based Authentication

The recommended way to authenticate — no passwords on the wire.

Step 1: generate a key pair

ssh-keygen                          # interactive, default RSA 3072 (modern openssh)
ssh-keygen -t ed25519                # modern, short, fast
ssh-keygen -t rsa -b 4096            # large RSA
ssh-keygen -f ~/.ssh/work_key        # custom location
ssh-keygen -p -f ~/.ssh/id_ed25519   # change/remove the passphrase later

Output: a private key (id_ed25519) and a public key (id_ed25519.pub).

Always set a passphrase on private keys. The passphrase encrypts the key on disk so a stolen file is useless without it.

Step 2: install the public key on the server

ssh-copy-id user@host                          # easiest way
ssh-copy-id -i ~/.ssh/work_key.pub user@host   # specific key

ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the server and fixes permissions. You can do the same manually:

cat ~/.ssh/id_ed25519.pub | ssh user@host \
    'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Step 3: log in

ssh user@host

If the key has a passphrase, you’ll be prompted for it on each use — solved by ssh-agent (next section).

`~/.ssh/authorized_keys` options

You can prefix a key with options to restrict what it can do:

no-port-forwarding,no-X11-forwarding,command="/usr/local/bin/backup-only" ssh-ed25519 AAAAC3... user@host

The exam doesn’t drill into this, but recognize the file’s format: one public key per line, optionally with options.

5. `ssh-agent` and `ssh-add`

Re-typing the passphrase for every connection is annoying. ssh-agent holds your decrypted private keys in memory for the duration of a session.

eval "$(ssh-agent -s)"              # start an agent, export env vars
ssh-add ~/.ssh/id_ed25519            # add a key (prompts once for passphrase)
ssh-add -l                          # list keys held by the agent
ssh-add -D                          # delete all keys from the agent
ssh-add -t 3600 ~/.ssh/key          # cache for one hour, then forget

Two important variables ssh-agent exports:

SSH_AGENT_PID — the agent’s PID.
SSH_AUTH_SOCK — path to the socket the client uses to talk to the agent.

When SSH starts a session, it consults these variables. Agent forwarding lets a session on a remote host use your local agent:

ssh -A user@host                    # forward the agent

This is convenient but risky on untrusted servers (whoever controls the remote machine can use your keys via the socket).

6. Host Keys and `known_hosts`

Every SSH server has long-lived host keys in /etc/ssh/ssh_host_*. When you connect, the server presents its public host key; the client verifies that it matches the one previously stored in ~/.ssh/known_hosts.

Inspecting and managing host keys

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub    # fingerprint of a key
ssh-keygen -F host                                  # search known_hosts
ssh-keygen -R host                                  # REMOVE a host's entry

Use ssh-keygen -R when you know the host’s keys legitimately changed (rebuilt server, new VM) and you need to clear the old fingerprint.

7. SSH Family of Commands

Tools that ride on top of SSH:

Command	Use
`ssh`	Remote shell or command execution.
`scp`	Copy files over SSH. `scp file user@host:/path`, `scp -r dir user@host:`.
`sftp`	Interactive file transfer over SSH (like FTP).
`ssh-copy-id`	Install a public key on a remote server.
`ssh-keygen`	Generate, manage, and inspect SSH keys.
`ssh-keyscan`	Fetch a host’s public keys (e.g. to pre-populate `known_hosts`).

8. SSH Port Forwarding (Tunneling)

SSH can forward arbitrary TCP traffic through its encrypted connection. There are three forms.

Local forwarding: `-L`

Make a local port reach a service through the SSH server.

ssh -L 8080:db.internal:5432 user@gateway

Now a program connecting to localhost:8080 on your machine actually talks to db.internal:5432, through gateway.

Format: -L LOCAL_PORT:TARGET_HOST:TARGET_PORT. TARGET_HOST is resolved from the SSH server’s point of view.

Remote forwarding: `-R`

Make a port on the remote server reach a service on your local side.

ssh -R 9000:localhost:80 user@public-host

Now anyone connecting to public-host:9000 is routed to your local localhost:80.

Dynamic forwarding (SOCKS proxy): `-D`

ssh -D 1080 user@gateway

This starts a local SOCKS proxy on port 1080. Configure a browser to use it, and your traffic is tunneled through gateway.

X11 forwarding

Already covered in 106.1, repeated here because it shows up in 110.3:

ssh -X user@host                    # X11 forwarding (untrusted mode)
ssh -Y user@host                    # X11 forwarding (trusted mode)

Server side must allow it: X11Forwarding yes in sshd_config.

9. GPG (GnuPG): Encrypting and Signing Files

GPG (GNU Privacy Guard) is an implementation of the OpenPGP standard for email and file encryption / signatures using public-key cryptography.

GPG and SSH solve different problems. Don’t confuse them.

	SSH	GPG
Purpose	Encrypt live connections (interactive sessions, file transfer).	Encrypt and sign data at rest (files, email).
Keys live in	`~/.ssh/`	`~/.gnupg/`
Identity	A key per host/user, no central trust model.	Keys with user IDs (name + email), trust web.

Key management

gpg --gen-key                       # interactive key generation
gpg --full-generate-key             # detailed key generation

gpg --list-keys                     # public keyring (~/.gnupg/pubring.kbx)
gpg --list-secret-keys              # private keys

gpg --export -a alice > alice.pub.asc           # export a public key
gpg --import alice.pub.asc                      # import someone's key

gpg --delete-key alice
gpg --delete-secret-key alice

gpg --fingerprint alice             # show the fingerprint

Encrypt and decrypt

# Encrypt for a recipient (using THEIR public key)
gpg -e -r alice@example.com file.txt
# Produces file.txt.gpg

# Decrypt (using YOUR private key)
gpg -d file.txt.gpg > file.txt

# Symmetric encryption with a passphrase (no key pair involved)
gpg -c file.txt
# Produces file.txt.gpg

# ASCII-armored output (text-safe, e.g. for email)
gpg -e -a -r alice file.txt
# Produces file.txt.asc

Sign and verify

gpg --sign file.txt                 # binary signed file (.gpg)
gpg --clearsign file.txt            # readable text + signature block (.asc)
gpg --detach-sign file.txt          # signature in a separate file (.sig)

gpg --verify file.txt.sig file.txt  # verify a detached signature
gpg --verify file.txt.gpg           # verify (and decrypt if applicable)

Combining encryption and signing:

gpg -s -e -r alice file.txt         # sign AND encrypt

Files in `~/.gnupg/`

pubring.kbx (or pubring.gpg on older versions) — public keyring.
private-keys-v1.d/ — private keys.
trustdb.gpg — trust database (who you’ve decided to trust).
gpg.conf — user configuration.

`gpg-agent`

Like ssh-agent, but for GPG. Caches your unlocked private-key passphrase so you don’t retype it for every operation. Started automatically by modern GPG.

10. Awareness: SSL / TLS

Full TLS isn’t tested deeply at 102 level, but you should recognize:

SSL (Secure Sockets Layer) is the old name. TLS (Transport Layer Security) is the modern, in-use protocol.
TLS provides encryption and identity for HTTPS, SMTPS, IMAPS, etc.
Uses X.509 certificates signed by a Certificate Authority (CA).
The handshake authenticates the server (and optionally the client), then negotiates a symmetric session key.
Common toolkit: OpenSSL (openssl command).

A few openssl recipes that come up:

openssl s_client -connect host:443           # talk TLS to a server, inspect cert
openssl x509 -in cert.pem -text -noout       # show certificate details
openssl genrsa -out key.pem 4096             # generate an RSA key
openssl req -new -key key.pem -out req.csr   # certificate signing request
openssl dgst -sha256 file                    # SHA-256 hash of a file

You should recognize that openssl exists and is the standard tool for handling TLS certificates and keys.

11. Quick Reference for the Exam

SSH files:

/etc/ssh/sshd_config, /etc/ssh/ssh_config
/etc/ssh/ssh_host_*_key (and .pub)
~/.ssh/config, ~/.ssh/known_hosts, ~/.ssh/authorized_keys
~/.ssh/id_rsa, id_ecdsa, id_ed25519 (and .pub)

SSH commands:

ssh, scp, sftp
ssh-keygen, ssh-copy-id, ssh-keyscan
ssh-agent, ssh-add
Port forwarding flags: -L, -R, -D
X11 forwarding: -X, -Y
Agent forwarding: -A

SSH environment variables:

SSH_AGENT_PID
SSH_AUTH_SOCK

GPG:

gpg with -e (encrypt), -d (decrypt), -s (sign), --clearsign, --verify, -a (armor), -c (symmetric)
gpg --list-keys, --gen-key, --export, --import
Keyring under ~/.gnupg/
gpg-agent

Concepts:

Public/private key pairs; what each is used for.
TLS / SSL awareness; OpenSSL is the tool.

12. Likely Exam Questions (Self-Check)

What port does SSH use by default, and over which protocol? TCP port 22.
What is the difference between /etc/ssh/sshd_config and /etc/ssh/ssh_config? sshd_config configures the SSH server. ssh_config is the system-wide default for the SSH client.
Where on the server does a user’s list of accepted public keys live? In the target user’s home directory: ~/.ssh/authorized_keys.
Where on the client are public keys of previously connected servers stored? ~/.ssh/known_hosts.
What command generates a new SSH key pair? ssh-keygen (optionally -t ed25519 to choose the algorithm).
What command copies your public key to a remote server’s authorized_keys? ssh-copy-id user@host.
What is ssh-agent and what does ssh-add do? ssh-agent holds decrypted private keys in memory during a session so you don’t retype the passphrase. ssh-add adds keys to the running agent.
What two environment variables does ssh-agent set? SSH_AGENT_PID and SSH_AUTH_SOCK.
What does ssh -L 8080:internal:80 user@gateway do? Forwards your local port 8080 through gateway to internal:80. Connecting to localhost:8080 reaches the internal service.
What does ssh -A user@host do? Forwards your local ssh-agent connection to the remote host, so commands there can use your keys.
Where does GPG store its keyrings? In ~/.gnupg/ (e.g. pubring.kbx, private-keys-v1.d/, trustdb.gpg).
What gpg command encrypts a file for a specific recipient? gpg -e -r alice@example.com file.txt.
What is the difference between gpg --sign, gpg --clearsign, and gpg --detach-sign? --sign produces a binary signed file. --clearsign keeps the original text readable with a signature block appended. --detach-sign produces a separate .sig file containing only the signature.
What gpg command verifies a detached signature? gpg --verify file.sig file.
What is the practical difference between SSH host keys and SSH user keys? Host keys identify the server to clients (/etc/ssh/ssh_host_*). User keys identify the user to servers (~/.ssh/id_*). Both are public/private pairs but serve different sides of the trust relationship.
You connect to a server you’ve used before and SSH refuses with “REMOTE HOST IDENTIFICATION HAS CHANGED”. What does this mean and how do you resolve it (assuming you know the change is legitimate)? The server’s host key in ~/.ssh/known_hosts no longer matches what the server presents — possibly a reinstall, possibly an attack. If you know it’s legitimate, run ssh-keygen -R hostname to remove the old entry and reconnect.
What is the standard command-line tool to manage TLS certificates and inspect HTTPS endpoints? openssl.