Chapter 16. PGP

From open-support.info

Jump to: navigation, search

OTRS has the capability to sign or encrypt outgoing messages with PGP. Further, encrypted incoming messages can be decrypted. Encryption and decryption are done with the GPL tool GnuPG. To setup GnuPG for OTRS, the following steps have to be performed:

  1. Install GnuPG, via the package manager of your operating system.

  2. Configure GnuPG for use with OTRS. The necessary directories for GnuPG and a private key have to be created. The command shown in Script 16.1 has to be executed as user 'otrs' from a shell.
        linux:~# su otrs
        linux:/root$ cd
        linux:~$ pwd
        /opt/otrs
        linux:~$ gpg --gen-key
        gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc.
        This program comes with ABSOLUTELY NO WARRANTY.
        This is free software, and you are welcome to redistribute it
        under certain conditions. See the file COPYING for details.
    
        gpg: directory `/opt/otrs/.gnupg' created
        gpg: new configuration file `/opt/otrs/.gnupg/gpg.conf' created
        gpg: WARNING: options in `/opt/otrs/.gnupg/gpg.conf' are not yet active during t
        his run
        gpg: keyring `/opt/otrs/.gnupg/secring.gpg' created
        gpg: keyring `/opt/otrs/.gnupg/pubring.gpg' created
        Please select what kind of key you want:
           (1) DSA and Elgamal (default)
           (2) DSA (sign only)
           (5) RSA (sign only)
        Your selection? 1
        DSA keypair will have 1024 bits.
        ELG-E keys may be between 1024 and 4096 bits long.
        What keysize do you want? (2048)
        Requested keysize is 2048 bits
        Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
        Key is valid for? (0)
        Key does not expire at all
        Is this correct? (y/N) y
    
        You need a user ID to identify your key; the software constructs the user ID
        from the Real Name, Comment and Email Address in this form:
            "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
        Real name: Ticket System
        Email address: support@example.com
        Comment: Private PGP Key for the ticket system with address support@example.com
        You selected this USER-ID:
        "Ticket System (Private PGP Key for the ticket system with address support@examp
        le.com) <support@example.com>"
    
        Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
        You need a Passphrase to protect your secret key.
    
        Passphrase: secret
        Repeat passphrase: secret
    
        We need to generate a lot of random bytes. It is a good idea to perform
        some other action (type on the keyboard, move the mouse, utilize the
        disks) during the prime generation; this gives the random number
        generator a better chance to gain enough entropy.
        ++++++++++.+++++++++++++++++++++++++....+++++.+++++...+++++++++++++++++++++++++.
        +++++++++++++++++++++++++.+++++.+++++.+++++++++++++++++++++++++>++++++++++>+++++
        .......>+++++<+++++................................+++++
    
        Not enough random bytes available.  Please do some other work to give
        the OS a chance to collect more entropy! (Need 280 more bytes)
    
        ++++++++++.+++++..++++++++++..+++++....++++++++++++++++++++.+++++++++++++++.++++
        ++++++++++++++++++++++++++.++++++++++.+++++++++++++++.++++++++++.+++++++++++++++
        ..+++++>.+++++....>+++++........................................................
        ...........................................................>+++++<+++++.........
        .............+++++^^^
        gpg: /opt/otrs/.gnupg/trustdb.gpg: trustdb created
        gpg: key 7245A970 marked as ultimately trusted
        public and secret key created and signed.
    
        gpg: checking the trustdb
        gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
        gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
        pub   1024D/7245A970 2006-02-03
              Key fingerprint = 2ED5 BC36 D2B6 B055 7EE1  5833 1D7B F967 7245 A970
         uid                  Ticket System (Private pgp key for ticket system with addre
        ss support@example.com) <support@example.com>
        sub   2048g/52B97069 2006-02-03
    
        linux:~$
    
    Script 16.1. Configuring GnuPG.


    As shown in Script 16.1, the default settings can be applied for most of the required parameters. Only the values for the key owner have to be entered correctly, with a proper password specified for the key.

  3. Now OTRS has to be made ready to use PGP. From the Admin console, open the SysConfig interface and search for "PGP". Select the sub group Crypt::PGP from the search results. In the screen for the PGP settings, PGP should be activated for OTRS (first option). Also, the path to the gpg program should be set and checked. The next config setting (PGP::Options) may also require changing. Via this config setting, the parameters that are used for every execution of gpg by the 'otrs' user can be specified. In particular, the directory of the config files for GnuPG of the 'otrs' user is important. In the example /opt/otrs/.gnupg is used. This directory was created earlier during the PGP configuration. Via the next config option (PGP::Key::Password) it is possible to specify the pairs of key IDs and their passwords for own private keys. Because communication partners from outside write to the ticket system with their messages encrypted with your public key, OTRS can decrypt these messages with the ID/passwords specified here. How to get the id of your own private key? The ID of your own private key is already shown during the key generation (see step 1 from above). It is also possible to get the ID if the command specified in Script 16.2 is executed as user 'otrs':
        linux:~# su otrs
        linux:/root$ cd
        linux:~$ pwd
        /opt/otrs
        linux:~$ gpg --list-keys
        /opt/otrs/.gnupg/pubring.gpg
        ----------------------------
        pub   1024D/7245A970 2006-02-03
        uid                  Ticket System (Private pgp key for ticket system with
        address support@example.com) <support@example.com>
        sub   2048g/52B97069 2006-02-03
    
        linux:~$
    
    Script 16.2. Getting the ID of your own private key.


    The ID of the private key can be found in the line that starts with "sub". It is a hexadecimal string that is eight characters long, in the example above it is "52B97069". The password you have to specify for this key in the ticket system is the same that was given during key generation.

    After this data is inserted, the "Update" button can be used to save the settings. OTRS is ready to receive and decrypt encoded messages now.

  4. Finally, import a customer's public key. This ensures that encrypted messages can be sent out to this customer. There are two ways to import a public key of a customer. The first way is to specify the public key of a customer in the customer management interface. The second way is to specify the key via the PGP settings, reachable from the Admin page. On the right section of this screen, all already imported public keys of customers are displayed. After PGP has been activated and configured for OTRS, your own public key should also be listed there. In the left area of the PGP setting screen it is possible to search for keys. Also, a new public key can be uploaded into the system from a file. The files with the public key that need to be imported into OTRS have to be GnuPGP compatible key files. In most cases, the key stored in a file is an "ASCII armored key". OTRS can deal with this format.

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox