I am looking for info on using PHP to encrypt a form with PGP and then mail the form to a recipient. I would like this to be an automated feature (the user fills out the form, presses submit, it gets encrypted and mailed). If anyone has any info on this type of procedure, I would greatly appreciate any help anyone could offer. The form would include personal user info and credit card info so it would need to be secure. Thanks for the help.
using PHP to encrypt form with PGP and mail it
I too will be looking into this but have not gotten that far yet. One thing to consider: you should be doing your form on an SSL-encoded page; since PHP is strictly server-side, any form info is still sent over the wire in plaintext.
There is a pgp class at http://phpclasses.upperdesign.com. I downloaded but have not looked at it yet. Just thought I'd chip in my $0.02
Good tutorial and starting point is at http://hotwired.lycos.com/webmonkey/backend/security/tutorials/tutorial1.html
Rob
Thanks for the reply. The form will definitely be on a secure server using SSL. Thanks also for the link to phpclasses. I will check it out. I will post to the list once I've completed the project and/or found out more info. Later!
Thanks for your reply. I've checked out the tutorial at webmonkey. It was very helpful to anyone who hasn't seen it and easy to understand if, like me, you don't have a lot of experience with PHP. Thanks again.
Yes, thanks for the link. I tried it and it works great. I extended it a little bit but the general principle was handy to read about. My question is, do you think it would be feasible/smart to develop a system where people could submit their public keys to the system for use?
On another note, what are the permissions supposed to be for the mqueue directory? I locked it down a little so it wasn't world writable earlier but this system wouldn't work because the user of the web server is trying to send the mail and had no rights to that directory. Has anyone run this script in PHP Safe Mode? I got it to run but had to move my binaries to a different directory, simply because it was silly to run in safe mode and allow PHP to run anything in /usr/sbin (for sendmail) and /usr/bin (for pgp). I had some major trouble with having the script run with the permissions of whoever created the script. So, for example, I created the script under my login ID, so when the script ran I had trouble because it was trying to access files under the user ID of the web server. Any ideas?
Sorry for the mess of questions and comments, I'm a bit confused at the moment, think I need my Ginkgo :-)
Do you know how I might be able to do conventional encryption using PGP and PHP? I have tried passing:
<?
system("/usr/bin/pgp -c testdoc");
system("crap");
system("crap");
?>
but without much success. I get back:
Can't open key rings
Encryption error
For a usage summary, type: pgp -h
For more detailed help, consult the PGP User's Guide.
Error!!! insufficient random bits
Does PHP support interactive programs? It seemed from this http://www.php.net/manual/html/function.system.html that it did. I'm fairly new to PHP and am mainly evaluating it. It sounds as if conventional encryption should be strong enough for our purposes.
Thanks.
Check out the tutorial mentioned in the reply in this thread by Robert Jackson. An excellent tutorial on PGP and PHP. I had some trouble running the script with php's safe mode enabled but it did work eventually.
The key here is that you need a public and private keyring for the userid that your web server runs as. I think that's the error message you are getting, sounds like you did not create a keyring for your web server, or whatever ID your scripts run as.
I had some trouble getting the mail to send due to my web server not having write access to the mail directory, but that is something I am looking into now. If you are only looking to do conventional encryption, like your example above, I don't think you should have any problems, including running in safe mode, since all you need to do is move the pgp binary to the safe executable directory.
Hope that helps, sorry to ramble. not enough sleep
That tutorial is actually where I started, and I've emailed Julie herself about it and asked her about it.
What I am trying to do is conventional encryption of a file. I just wanted to know if that was possible.
I am trying to do something similar to what she does in her tutorial, which is encrypt some files. It's just that I don't have extremely computer savvy users and they probably won't be able to handle public and private keyrings, and decrypting their messages.
If you guys have any other suggestions I'm open to them.
Is there any way of making a PHP/PGP script extract the public key from a database instead of a keyring file? The idea is not to use any file at all, just the database, and to redirect the I/O of pgp from/to the PHP script to compose, encrypt and send the mail.
Thanks in advance.
Just a quick answer now, and I'll return to this later since I'm working on the same problem.
If I understand you correctly, I think you want to avoid writing unencrypted data to the disk (I'm working on this problem this week). Julie Meloni's tutorial DOES write unencrypted data. I'm thinking that the 'popen' command will be one way to go.
As for having pgp get keys from a database, I don't think that is possible. However, we may be able to use 'exec' to create/add a new key to our keyring. That's another issue I'm thinking about.
More later.
Rob
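Piping the message straight into the encryption program, so that no cleartext file is written, as discussed in the post above. This is an added example, not code from the thread; it assumes PHP 7.4+ and GnuPG in place of the `pgp` binary, and the function name, addresses and paths are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ and GnuPG ("gpg") on the
// PATH; the function name, addresses and paths below are hypothetical.

function encrypt_for_mail(string $plaintext, string $recipient, string $homedir): string
{
    // Form-sized input fits in the pipe buffer, so the single write below cannot
    // block while gpg is waiting for us to read its output.
    if (strlen($plaintext) > 32768) {
        throw new InvalidArgumentException('message too large for this simple pipe handling');
    }
    // Array form: no shell is involved, so form data can never be parsed as a command.
    $cmd = ['gpg', '--batch', '--no-tty', '--armor',
            '--homedir', $homedir,
            // Acceptable only because every key in $homedir was imported by the admin.
            '--trust-model', 'always',
            '--recipient', $recipient, '--encrypt'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);   // plaintext goes to gpg's stdin only
    fclose($pipes[0]);               // EOF tells gpg the message is complete
    $armored = stream_get_contents($pipes[1]);
    $errors  = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);
    if ($status !== 0 || strpos($armored, '-----BEGIN PGP MESSAGE-----') !== 0) {
        // Never fall back to mailing the plaintext; log the reason and stop.
        error_log('gpg failed (' . $status . '): ' . trim($errors));
        throw new RuntimeException('encryption failed');
    }
    return $armored;
}

// Usage (constructed values):
// $body = encrypt_for_mail($msg, 'orders@example.com', '/var/lib/webapp/gnupg');
// mail('orders@example.com', 'Order form', $body, "From: web@example.com\r\n");
```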
My problem is not only writing unencrypted files to disk:
My web server runs as user "nobody", and anyone with an account on the machine has access to every file user "nobody" does by means of writing a simple PHP script. So I cannot store any kind of key as user nobody.
I use a little trick to bypass this problem when accessing a database: I just use directory-dependent environment variables DBUSER and DBPASSWD in my httpd.conf file (owned by root, mode 400). Thus I can solve my problem by storing the keyring in the database. So I'm looking for a db-oriented patch for management of the keyrings in PGP/GnuPG.
I'm getting the "insufficient random bits" error when attempting to use pgp on NT Webserver. I can list the keyring no problem. I found a mention on the Network Associates page on the PGP sdk that pgp is looking to use human interaction on the machine (via keyboard and mouse) to generate random bits, and the webserver doesn't get much of that. There doesn't appear to be a parameter to override this (good in a way because the randomness ensures good security).
Did you manage to get going in your situation?
Hi,
I am trying to use PGP with PHP in order to encrypt data via web, and actually it works, but it is extremely slow, it needs almost a minute to encrypt a message.
Any idea why it is so slow ??
What I do is:
============================================================
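$msg = "Text to encrypt";
// $userID selects the recipient key; escape it before it reaches the shell.
$pp = popen("/opt/PGP/pgp -eaf " . escapeshellarg($userID) . " -o myfile.output", "w");
fputs($pp, $msg, strlen($msg)); // the plaintext is piped to pgp's stdin
pclose($pp);
// Read the encrypted output back from the file pgp wrote.
$msg_crypted = "";
$fp = fopen("myfile.output", "r");
while (!feof($fp)) {
    $msg_crypted .= fgets($fp, 512);
}
fclose($fp);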
thanks
I want to do almost the same except that I want to write the encrypted message to a file and also email the message.
Were you able to speed up the encryption process?
Thanx
Hello there,
I am facing the same problem as Sam. I get an error message that says that the server can't find my public key. Does this mean that I have to export the public key which I have created onto my server? Please help. Thanks.
Maegan.
Hi Maegan,
If I understand your question correctly, you have created your keys on your local machine. Then, yes, you have to export these keys from your local keyring and ftp them to your server. The folder to save them in on your server is the folder specified by the line
putenv("PGPPATH=/homedir/of/PHP/user/.pgp");
in your PHP script (this line is copied from Julie Meloni's article at http://hotwired.lycos.com/webmonkey/00/20/index3a_page5.html?tw=programming).
Hope that helps. Getting pgp and php working can be nasty at times, eh?
Rob
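A check for the "can't open key rings" failures that come up repeatedly in this thread, written as an added example that is not part of any post. It assumes the posix extension is loaded; the function name, the default key ring file name and the sample path are assumptions.

```php
<?php
// Added example, not from the thread. Returns a list of reasons why the account
// PHP runs as would fail to open the key ring under $pgppath (empty list = OK).

function keyring_problems(string $pgppath, string $pubring = 'pubring.pgp'): array
{
    $uid  = posix_geteuid();
    $user = posix_getpwuid($uid)['name'] ?? (string) $uid;

    if (!is_dir($pgppath)) {
        // PGPPATH names the directory holding the key rings, not a key ring file.
        return ["PGPPATH '$pgppath' is not a directory"];
    }

    $problems = [];
    $ring = rtrim($pgppath, '/') . '/' . $pubring;
    if (!is_file($ring)) {
        $problems[] = "no $pubring in $pgppath: export the key and add it to a ring here";
    } elseif (!is_readable($ring)) {
        $problems[] = "$ring is not readable by '$user', the account PHP runs as";
    }

    // The fix for "not readable" must not be opening the directory to everyone.
    if ((fileperms($pgppath) & 0007) !== 0) {
        $problems[] = "$pgppath is accessible to all local accounts; remove 'other' permissions";
    }
    if (fileowner($pgppath) !== $uid) {
        $problems[] = "$pgppath is not owned by '$user'; access depends on group permissions";
    }
    return $problems;
}

// Usage (constructed path): run it from the web server, not from your own login
// shell, so that it reports on the account the scripts really run as.
// foreach (keyring_problems('/homedir/of/PHP/user/.pgp') as $p) { error_log($p); }
```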
Hi Rob,
Perhaps you can help me out a little.
I have followed Julie Meloni's example for encrypting/emailing some data but haven't been able to get the encryption process to fire. I do receive the email but it is empty. Can you see any obvious errors in my code?
I checked the directory for file $clear, it exists and contains the data/variables to be encrypted.
I checked the directory for file $crypted, it exists but the file is empty.
Here is my test file running on Linux:
<?
$sender_name="Peter Sender";
$sender_email="vist@emi.net";
$secret_msg=" Secret message PGP test";
$time = time();
$msg = "Sender's Full Name:\t$sender_name\n";
$msg .= "Sender's E-Mail:\t$sender_email\n";
$msg .= "Secret Message\t$secret_msg\n\n";
putenv("PGPPATH=/home/mydomain/.pgp/pubring.pgp");
$clear = "/home/mydomain/www/ecom/tmp/";
$clear .= "$time";
$crypted = "/home/mydomain/www/ecom/temp/";
$crypted .= "$time";
$fp = fopen("$clear", "w+");
fwrite($fp, "$msg");
fclose($fp);
//unlink("$clear");
/* This system() call gives me an error: Warning: fopen("/home/mydomain/www/ecom/temp/997460177","r") - No such file or directory */
system("/usr/local/bin/pgpe -r 'MyKey <vista@emi.net>' -o $crypted -a $clear");
/* This one gives error:
Recipients' public key(s) will be used to encrypt. Preparing random session key...
Warning: fopen("/home/mydomain/www/ecom/temp/997464194","r") */
system("/usr/local/bin/pgp -e -a $clear 'MyKey' -o $crypted");
/* This does not give any error messages but the email is empty (no encrypted message) */
system("/usr/local/bin/pgp -feat $clear MyKey >$crypted");
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//unlink("$crypted");
$recipient = "vista@emi.net";
$subject = "Secret Message";
$mailheaders = "From: My Web Site <\"\">\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
echo "<H1 align=center>Thank You, $sender_name</h1>";
echo "<p align=center>Your secret message has been sent.</p>";
?>
Hi Peter,
I notice a couple of things, but I don't know if they solve the problem.
the path for $clear has /tmp instead of /temp.
$clear and $crypted seem to refer to the same file.
Try:
$clear = "/home/mydomain/www/ecom/temp/";
$clear .= "$time.data";
$crypted = "/home/mydomain/www/ecom/temp/";
$crypted .= "$time.pgpdata";
to solve both issues.
The other thing that might help your debugging is to echo $mail_cont and comment out the mailing (saves you having to always check your e-mail).
Try this and let me know.
Rob
Hi there,
Sorry to bother you again. Is the command to extract the key from my machine to the server: pgp -kx <userID><keyfile><URL>?
I'm serving on Apache; does this mean that I have to key in
http://localhost as my <URL>
and
/root/.pgp as my <keyfile>?
I have specified the folder as
putenv("PGPPATH=/root/.pgp");
and still I get an error that says cannot open key ring file. Do I have to use the pgp -ka command as well? I am so confused. Thanks in advance.
Maegan.