X-Cart:PGP/GnuPG
Contents
How you can use PGP encryption with X-Cart
To ensure security of mail traveling over the Internet from the store to the orders department, X-Cart allows you to use PGP encryption for orders department email notifications. A program providing PGP-type encryption (GnuPG or its commercial analog PGP) has to be obtained and installed separately.
Detailed information on PGP and GnuPG is available here:
PGP:
GnuPG:
Setting up X-Cart to use PGP or GnuPG
To adjust X-Cart to use PGP encryption for email messages sent to the Orders department, do the following:
- Adjust the option 'Order emails encryption method' in the 'General security options' section of General settings->Security options (Select PGP or GnuPG).
- Configure the selected method using the appropriate section of General settings->Security options ('PGP options' or 'GnuPG options').
- Use the section 'Test data encryption' of General settings->Security options to test whether PGP/GnuPG encryption is working correctly:
- Use the link 'Click here to test data encryption by GnuPG/PGP' to access the 'Testing data encryption by PGP/GnuPG methods' page.
- Use the 'Text to encrypt' field of the 'Test PGP/GnuPG' dialog box to provide a message that the application will try to encrypt. The message can be any piece of text.
- If you wish the encrypted message to be sent by email, enter a valid email address into the 'Send encrypted data to email' field.
- Select the 'Show GnuPG/PGP errors and warnings' check box.
- Click the Submit button.
X-Cart will try to encrypt the submitted message using the PGP software installed on the server. If PGP encryption turns out successful, the 'Encrypted data' box, that will appear below the 'Test PGP/GnuPG' box, will contain something like this:
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.0 (FreeBSD) hQIOAyCcQA65n/mrEAf+IY3PPIu6xymwppEDt9dz26NCjnB2uOZU8uEtPXDyw8wT I9SNXtKcntFJVf6Y01FbHfDe1ddUYeY/vqTlI9Um+DrSak5k1oNzwvYxR6AViqV8 XlYVzyLMtVuy3c0f8dZfXTxw0qDftBTvA66ERJZeOY19VFlYK/RRSCAqGCgitHPY atRukC93953FPM12U1bEHITV7F6lDPKCcVyBnbQIgWgI2rS2PLBNpCkVy4uN4ZuH w+obtB1KQpwXuxwgiLak6wPLrn6FPWoNL2Yw8ZxMz862Nc4HinZtACkw+AT0dhIU lFsL38LlfAu5iC7dkSGe5D80tgrV1VEx9D6LOiw64QgA2NgUUgEQeuoB4xR2x7Za 2hz5AUyOu15fqyV01veg7EUFohGa4hHxjxegUrSkCPRk4mpIEZJ9gh7j+h+o8otA +9Z3YzEsrQbdJKeuK/SH8he6qjohO9KzpEhqomVcrgwR6+AhpjXNpdcl8xKVOevn Phwed7oFSyJCRih2Q3EwJMd7rB+vaAWtLgeG9jgjS5njld3QdfcvL8dDGXW6HjrV Og3LjH7N2I/2p70AFhMJYNBedqvymRBb5SKu7DRjwzt4pAuh3ebEZydqqWxWoW8A FSKN4qsT0sHkoEbWgF9JpBB9SUkqJ/okuyrtOzaNmcTstM7T4L81j01WjANbaDEr JtJLASoyjVvmyxyEtr6dWaBIA5rdL4MypQWEDhUkRuaCwh567GMyq4/ml1gS3UZq 1I6Oibfa1JjHz5eyDNrCoTpw42LS7u24duTnqXuu =Cbm1 -----END PGP MESSAGE-----
If the attempt to encrypt the message is unsuccessful, in the 'Encrypted data' box you will see exactly the same text you entered into the 'Text to encrypt' field.
Using PGP/GnuPG keys
GnuPG
First, you need to create your keys. Here is what the process of generating keys might look like (In our example we are using a fake name and email address - John Smith <john.smith@example.com>):
$ gpg --gen-key gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1m Key expires at Fri Jun 10 14:39:04 2005 MSD Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: John Smith Email address: john.smith@example.com Comment: You selected this USER-ID: "John Smith <john.smith@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. You don't want a passphrase - this is probably a *bad* idea! I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key". We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. .+++++++++++++++.+++++++++++++++.+++++++++++++++.+++++.+++++..++++++++++++++++++++..++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ...++++++++++.++++++++++..++++++++++...+++++.+++++.+++++++++++++++++++++++++++++++++++++++++++++++ gpg: /home/john/.gpg/trustdb.gpg: trustdb created gpg: key FEE11881 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2005-06-10 pub 1024D/FEE11881 2005-05-11 [expires: 2005-06-10] Key fingerprint = A966 6E03 36E8 B539 1BD6 3E42 853D 077C FEE1 1881 uid John Smith <john.smith@example.com> sub 2048g/B99FF9AB 2005-05-11 [expires: 2005-06-10]
Then you need to obtain a list of keys:
$ gpg --list-keys gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information -------------------------------- pub 1024D/FEE11881 2005-05-11 [expires: 2005-06-10] uid John Smith <john.smith@example.com> sub 2048g/B99FF9AB 2005-05-11 [expires: 2005-06-10]
Then you need to export the keys so that later you will be able to complete the 'GnuPG public key' field in the 'GnuPG options' section of the General settings->Security options page:
$ gpg -a --export john.smith@example.com gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.0 (FreeBSD) mQGiBEKB4RMRBADEA1mSy+zABeoW+jF5hHdhfQpEP3YTkvkWO78a/EGpIoEnL8Ck WUcADwR1ilRr0BDNuamfpFwNPU58d1vFLPXn14FHJ0rfa8eIty50eV6puA61oANn XNaoJ2cAaxC6cYC+N7PDkTbnRbMZArc3p9T6gKJeGyc1Ty1dhUS7JJ/G/wCg27fn FYWLmAF9yT8EhMk7p5oa6k8D/j8T8YahBrXSZouahp8VsmCr8/TTYfoVTTcCFW6a 1ECgv4M1Es1h9pTAmIzxmu4yGLzU9EOovi3511OLOxoq6GhpR9n+VKzB2qUxWdqv LJpXYty+DjtI7o9OIh9w0bDkkVgmblyJIRF0gMk3nluYYiqrd8udkYOYfGJeSnf+ MB0rBACc7Q4LrCdElee3/ZI7uDugYcgNyPRwtb/IGzY0VNF+1tkYxwHOIy7yJUuM a8CngJQlMC9xjX3jSyOeFjIj8ldmLWh5TIqEZGOQP7RYfO8XtJyZRIWgl2sRSq0a yTZW+oRLL6QLjMDQTvy4YrMA5eGFmGx9C8sxFhQPASNq1Bu+hLQjSm9obiBTbWl0 aCA8am9obi5zbWl0aEBleGFtcGxlLmNvbT6IZAQTEQIAJAUCQoHhEwIbAwUJACeN AAYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRCFPQd8/uEYgTXHAJ0Y33tia6tnUHpm o/qhRalpXm+5/wCfRpxiQ1SI8FQYOtJP4ZNtlh5ESHa5Ag0EQoHhGRAIAON902gU dsoDyNV+nVZQdwntqNiDfifOpNP+gGHQsYzH5cu0YC3mxFGjZK2s3/0GPq9+5AYW lkkYlvompmmKTF8rYTXT7vnSizFiUSf4V+63XzSxnY3NexIyjj94Lvpz66SOJXq3 K3P/jax1lb8tQxKU/gl0HuynKlRI1YuEXIDx4xfXqtnFHbF+a+GqERz9MlCpq3Zt lHq/4becsx9zfWVxsduzRn/3J+bRLmXYOCQNMOm9kNmzH8RMyZ96q4J5Q8+b+GDO V0swG3xcy3OZpTwtqPQ84LmqcCmMVUfi7tN1EH++J+ClnCx2u6eOb/2kPUON03BP WHfwANCn+LniEb8AAwUIAM64Cx2ryhHtjJtizFAsU3V4tH256cHdPaijSRoNcy9L YJinDgDl90CEvcF9ME7E3Ly6+aWBBcCw3ghXQQUFO/Xc7DN1hvcWN5dDWf4lPt2Z Xo/dYjwHjD+PaOQoxeZ6SDmXWxGwoF83ygLDVVX9b8gaHW0GI588v+62h0RVKrIa caivXdDTqh80lh8N9CVGoIFS3uA8nRxDG1jjWawcHdN14wyRqdX1z+a4/RK+ZlUx oJ2dIQOkiQEEhohMzmvd/lXXjCzKnQjpEs5HUTgL/3HmgCyAM7tAzcUJccAI3iHw nM1m9m+mEQW1IX6zi1lOo/IsV2GOJ/EJlhDjRD2yyX6ITwQYEQIADwUCQoHhGQIb DAUJACeNAAAKCRCFPQd8/uEYgVazAJ9DreCt0WFKyGwRhyifIeSGTHFUKwCgzShE V17tla6xCz7L+RArsXjrsVk= =ow2K -----END PGP PUBLIC KEY BLOCK-----
PGP
The process of creating and using keys for PGP is similar to that for GnuPG. You need to create a key and then export it with armor (--armor or -a for GnuPG, or its analog for PGP).