X-Cart:PGP/GnuPG

From X-Cart 4 Classic
Revision as of 17:51, 22 July 2020 by Mouse (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

How you can use PGP encryption with X-Cart

To ensure security of mail traveling over the Internet from the store to the orders department, X-Cart allows you to use PGP encryption for orders department email notifications. A program providing PGP-type encryption (GnuPG or its commercial analog PGP) has to be obtained and installed separately.

Note: PGP 6.0 or above is required.

Detailed information on PGP and GnuPG is available here:

PGP:

GnuPG:

Setting up X-Cart to use PGP or GnuPG

To adjust X-Cart to use PGP encryption for email messages sent to the Orders department, do the following:

  1. Adjust the option 'Order emails encryption method' in the 'General security options' section of General settings->Security options (Select PGP or GnuPG).
  2. Configure the selected method using the appropriate section of General settings->Security options ('PGP options' or 'GnuPG options').
  3. Use the section 'Test data encryption' of General settings->Security options to test whether PGP/GnuPG encryption is working correctly:
    1. Use the link 'Click here to test data encryption by GnuPG/PGP' to access the 'Testing data encryption by PGP/GnuPG methods' page.
    2. Use the 'Text to encrypt' field of the 'Test PGP/GnuPG' dialog box to provide a message that the application will try to encrypt. The message can be any piece of text.
    3. If you wish the encrypted message to be sent by email, enter a valid email address into the 'Send encrypted data to email' field.
    4. Select the 'Show GnuPG/PGP errors and warnings' check box.
    5. Click the Submit button.

X-Cart will try to encrypt the submitted message using the PGP software installed on the server. If PGP encryption turns out successful, the 'Encrypted data' box, that will appear below the 'Test PGP/GnuPG' box, will contain something like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.0 (FreeBSD)


hQIOAyCcQA65n/mrEAf+IY3PPIu6xymwppEDt9dz26NCjnB2uOZU8uEtPXDyw8wT
I9SNXtKcntFJVf6Y01FbHfDe1ddUYeY/vqTlI9Um+DrSak5k1oNzwvYxR6AViqV8
XlYVzyLMtVuy3c0f8dZfXTxw0qDftBTvA66ERJZeOY19VFlYK/RRSCAqGCgitHPY
atRukC93953FPM12U1bEHITV7F6lDPKCcVyBnbQIgWgI2rS2PLBNpCkVy4uN4ZuH
w+obtB1KQpwXuxwgiLak6wPLrn6FPWoNL2Yw8ZxMz862Nc4HinZtACkw+AT0dhIU
lFsL38LlfAu5iC7dkSGe5D80tgrV1VEx9D6LOiw64QgA2NgUUgEQeuoB4xR2x7Za
2hz5AUyOu15fqyV01veg7EUFohGa4hHxjxegUrSkCPRk4mpIEZJ9gh7j+h+o8otA
+9Z3YzEsrQbdJKeuK/SH8he6qjohO9KzpEhqomVcrgwR6+AhpjXNpdcl8xKVOevn
Phwed7oFSyJCRih2Q3EwJMd7rB+vaAWtLgeG9jgjS5njld3QdfcvL8dDGXW6HjrV
Og3LjH7N2I/2p70AFhMJYNBedqvymRBb5SKu7DRjwzt4pAuh3ebEZydqqWxWoW8A
FSKN4qsT0sHkoEbWgF9JpBB9SUkqJ/okuyrtOzaNmcTstM7T4L81j01WjANbaDEr
JtJLASoyjVvmyxyEtr6dWaBIA5rdL4MypQWEDhUkRuaCwh567GMyq4/ml1gS3UZq
1I6Oibfa1JjHz5eyDNrCoTpw42LS7u24duTnqXuu
=Cbm1
-----END PGP MESSAGE-----

If the attempt to encrypt the message is unsuccessful, in the 'Encrypted data' box you will see exactly the same text you entered into the 'Text to encrypt' field.

Using PGP/GnuPG keys

GnuPG

First, you need to create your keys. Here is what the process of generating keys might look like (In our example we are using a fake name and email address - John Smith <john.smith@example.com>):

$ gpg --gen-key

gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1m
Key expires at Fri Jun 10 14:39:04 2005 MSD
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID from the
Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Smith
Email address: john.smith@example.com
Comment:
You selected this USER-ID:
"John Smith <john.smith@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

.+++++++++++++++.+++++++++++++++.+++++++++++++++.+++++.+++++..++++++++++++++++++++..++++

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

...++++++++++.++++++++++..++++++++++...+++++.+++++.+++++++++++++++++++++++++++++++++++++++++++++++

gpg: /home/john/.gpg/trustdb.gpg: trustdb created
gpg: key FEE11881 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2005-06-10
pub   1024D/FEE11881 2005-05-11 [expires: 2005-06-10]
Key fingerprint = A966 6E03 36E8 B539 1BD6  3E42 853D 077C FEE1 1881
uid                  John Smith <john.smith@example.com>
sub   2048g/B99FF9AB 2005-05-11 [expires: 2005-06-10]

Then you need to obtain a list of keys:

$ gpg --list-keys

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
--------------------------------
pub   1024D/FEE11881 2005-05-11 [expires: 2005-06-10]
uid                  John Smith <john.smith@example.com>
sub   2048g/B99FF9AB 2005-05-11 [expires: 2005-06-10]

Then you need to export the keys so that later you will be able to complete the 'GnuPG public key' field in the 'GnuPG options' section of the General settings->Security options page:

$ gpg -a --export john.smith@example.com
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.4.0 (FreeBSD)

mQGiBEKB4RMRBADEA1mSy+zABeoW+jF5hHdhfQpEP3YTkvkWO78a/EGpIoEnL8Ck
WUcADwR1ilRr0BDNuamfpFwNPU58d1vFLPXn14FHJ0rfa8eIty50eV6puA61oANn
XNaoJ2cAaxC6cYC+N7PDkTbnRbMZArc3p9T6gKJeGyc1Ty1dhUS7JJ/G/wCg27fn
FYWLmAF9yT8EhMk7p5oa6k8D/j8T8YahBrXSZouahp8VsmCr8/TTYfoVTTcCFW6a
1ECgv4M1Es1h9pTAmIzxmu4yGLzU9EOovi3511OLOxoq6GhpR9n+VKzB2qUxWdqv
LJpXYty+DjtI7o9OIh9w0bDkkVgmblyJIRF0gMk3nluYYiqrd8udkYOYfGJeSnf+
MB0rBACc7Q4LrCdElee3/ZI7uDugYcgNyPRwtb/IGzY0VNF+1tkYxwHOIy7yJUuM
a8CngJQlMC9xjX3jSyOeFjIj8ldmLWh5TIqEZGOQP7RYfO8XtJyZRIWgl2sRSq0a
yTZW+oRLL6QLjMDQTvy4YrMA5eGFmGx9C8sxFhQPASNq1Bu+hLQjSm9obiBTbWl0
aCA8am9obi5zbWl0aEBleGFtcGxlLmNvbT6IZAQTEQIAJAUCQoHhEwIbAwUJACeN
AAYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRCFPQd8/uEYgTXHAJ0Y33tia6tnUHpm
o/qhRalpXm+5/wCfRpxiQ1SI8FQYOtJP4ZNtlh5ESHa5Ag0EQoHhGRAIAON902gU
dsoDyNV+nVZQdwntqNiDfifOpNP+gGHQsYzH5cu0YC3mxFGjZK2s3/0GPq9+5AYW
lkkYlvompmmKTF8rYTXT7vnSizFiUSf4V+63XzSxnY3NexIyjj94Lvpz66SOJXq3
K3P/jax1lb8tQxKU/gl0HuynKlRI1YuEXIDx4xfXqtnFHbF+a+GqERz9MlCpq3Zt
lHq/4becsx9zfWVxsduzRn/3J+bRLmXYOCQNMOm9kNmzH8RMyZ96q4J5Q8+b+GDO
V0swG3xcy3OZpTwtqPQ84LmqcCmMVUfi7tN1EH++J+ClnCx2u6eOb/2kPUON03BP
WHfwANCn+LniEb8AAwUIAM64Cx2ryhHtjJtizFAsU3V4tH256cHdPaijSRoNcy9L
YJinDgDl90CEvcF9ME7E3Ly6+aWBBcCw3ghXQQUFO/Xc7DN1hvcWN5dDWf4lPt2Z
Xo/dYjwHjD+PaOQoxeZ6SDmXWxGwoF83ygLDVVX9b8gaHW0GI588v+62h0RVKrIa
caivXdDTqh80lh8N9CVGoIFS3uA8nRxDG1jjWawcHdN14wyRqdX1z+a4/RK+ZlUx
oJ2dIQOkiQEEhohMzmvd/lXXjCzKnQjpEs5HUTgL/3HmgCyAM7tAzcUJccAI3iHw
nM1m9m+mEQW1IX6zi1lOo/IsV2GOJ/EJlhDjRD2yyX6ITwQYEQIADwUCQoHhGQIb
DAUJACeNAAAKCRCFPQd8/uEYgVazAJ9DreCt0WFKyGwRhyifIeSGTHFUKwCgzShE
V17tla6xCz7L+RArsXjrsVk=
=ow2K

-----END PGP PUBLIC KEY BLOCK-----

PGP

The process of creating and using keys for PGP is similar to that for GnuPG. You need to create a key and then export it with armor (--armor or -a for GnuPG, or its analog for PGP).

See also