Secure communications with SSL, PHP & gnuPG – Part 2

In Part 2 of the mission of the week, we look at how to set it all up on HostGator.  The chosen host, because that’s where I host my websites, you see.

HostGator SSL, gnuPG (GPG) and PHP how-to

As it took me the entire day to piece all of this together, I thought I would share the love and spare somebody else (maybe you) a lot of trouble.  It’s kind of HostGator specific (especially the paths) as they are my host.  I found other how-to’s didn’t work for me, because of different paths.

I’m assuming you’re going to use all the free features, like I did, so that’s what I’m explaining.

• To get a SSL going, determine the name of your server: open a terminal window on Linux or a command prompt in Windows and type telnet yourdomain.com 25. You can also use the IP address instead of yourdomain.com.  It will log on with some text and also reveal the name of your server – something like mohawk.websitewelcome.com.  Your secure files can thus be called by going to https://mohawk.websitewelcome.com/~username/thefile.php – where username is the name of your HostGator account user name.

I couldn’t Telnet from work.  They block the Telnet port, but leave LimeWire and MSN wide open.  Why? This I do not know. Anyway, from home on my private ADSL it worked a charm.  That’s all you need to do to enable the SSL – just call your web-form through https and you’re secure – you’ll see a little lock icon in the bottom righthand corner of your browser, and if you click on it you can get more information about the certificate issuer.

• You can generate a key pair through Cpanel under Manager openPGP key. Just fill in all the fields and click generate.  It can take a moment.  However, if you’re using Windows, you’ll have to download gpg4win, which as the name suggests, is GPG for Windows.  You can also generate the key pair here, and only upload the public key to Cpanel. The advantage is that your private key is not on the server, ensuring an extra step of security.
  
• The public key is what your PHP script will use to encode your form data and that’s why it needs to be on the server.  At first, HostGator said GPG is not installed by default, but I could see a .gnupg directory in my home directory, so I thought they might be wrong.  They emailed me some time later and said that it is in fact installed, and that it can be accessed through ‘usr/bin/gpg’.  I also had call the directory above, which was at ‘home/yourusername/.gnupg’.
• This little snippet of PHP, which I got from 1and1.com) will take whatever you feed it, use you public key which you loaded / created in Cpanel, run it through gnuPG and send an encrypted email to the address of your liking:

// replace this with the user name or e-mail address that you used for your PGP key pair
$pgpuser = “email.used@inyourkey.com” ; // The email used to generate your public key

// Recipient of the email
$testemail = “any.old@emailaddress.com”;

// Replace with your subject
$emailsubject = “Encrypted Email Subject”;

// The from field
$emailfrom = “From: yourwebsite@sentit.com”;

// Feed your text in here
$body = “To test if your decryption work, put some text here or feed in the variables from your submitted forms”;

// Tell gnupg where the public key is that is should use to encode your message
// This is usually in your home directory, below the public_html (mine is .gnupg)
// change this to the correct path of your web space. One hostgator: home/username/.gnupg
putenv(“GNUPGHOME=/home/username/.gnupg”);

// create a temporary, unique file name to work from
$infile = tempnam(“/tmp”, “PGP.asc”);
$outfile = $infile.”.asc”;

// we write the various bits and bobs into the temp file
$fp = fopen($infile, “w”);
fwrite($fp, $body);
fclose($fp);

// Call the other directory of gnuGP (this will work on hostgator) and run the command
// When you call this line, it will do set off the actuall encoding process
$command = “/usr/bin/gpg -a –always-trust –batch –no-secmem-warning -e -r $pgpuser -o $outfile $infile”;

// Call the line that will encrypt your temporary file
system($command, $result);

// The encryption is now loaded in the system, so delete the temp file
unlink($infile);

if ($result == 0) {
$fp = fopen($outfile, “r”);

if (!$fp || filesize($outfile) == 0) {
$result = -1;

} else {

// read the encrypted file
$contents = fread ($fp, filesize ($outfile));

// delete the encrypted file
unlink($outfile);

// send the email and write something nice if it was a success
// otherwise moan bitterly and wonder what went wrong
// Errors are usually either your username, or more like the paths to your gnuGP
// contact your Tech Support for your paths – the ones shown here works for hostgator.
mail ($testemail, $emailsubject, $contents, $emailfrom);

print “Thank you!! Your encrypted booking information has been sent.”;

}
}

if ( $result != 0) {

print “There was a problem processing the information.”;

}

}

When you call this script as is above, it will encode the hard coded text in the $body variable and send it to the email address specified in $testemail.  You will then have a lovely gnuPG encrypted email that you can do nothing with… unless you read on and complete the mission.