cm0s

couldn't login few days ago but thought maybe i entered my pass wrong logged in ok on second attempt i don't use the chat much for several reasons one, the scroll back, not needed and should be removed two, otr is out dated big time and not easy for most folks to use nor handled well by a lot of apps, even on linux three, xmpp itself, nuff said four, whether any customers use the 'free chat service' by airvpn or not whether or not they 'login' is not the flaw here, the flaw is that every customer's account, billing login account information is linked up to an xmpp chat server, that's the problem and you should maybe disconnect that is my suggestion you have threads on your forum that whether legit or not 'other vpn companies review' basically you already know how that can be a problem magnet so a vpn competitor might open an account here, use it for x amount of days then decide to hammer on the xmpp server maybe go after all the billing login information the other thing is this, as you stated down below, none of us have to use our login information right? so then by that principle alone, why even connect our financial primary billing account login information up to the xmpp server it also tells me something else: that xmpp is not the only thing goin on on that server then right? if you got account billing customer database connected to that xmpp server you probably got other stuff on that platter that might be of interest either way, no matter what, shit is an easy fix, disconnect the database and don't require any login at all if needed, move the xmpp chat far away from any business accounts / boxes /network

check with others on how to do this with your operating system whatever it may be but set your local to static basically hard set your local dns to airvpns, set your router dns to 0.0.0.0 then each box set your dns config to static, assign your local ip addresses for each device this is a real world kill switch meaning you get no net/WAN without being encrypted, shut off dhcp on the router your ISP side will be dhcp auto config but your side on the router will be static this is not perfect, might brick some stuff you are doing or be a pain in the butt but the idea is this: keep the isp as far as you can out of your local iptables -F iptables -t nat -F iptables -t mangle -F # iptables -X iptables -t nat -X iptables -t mangle -X # iptables -P INPUT DROP iptables -P FORWARD DROP # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT # iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access # iptables -A OUTPUT -d 255.255.255.0 -j ACCEPT iptables -A INPUT -s 255.255.255.0 -j ACCEPT iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to 10.5.0.1 iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE iptables -A OUTPUT -o eth0 ! -d 127.0.0.1 -p tcp --dport 1413 -j DROP ############################### example netctl: Description='eth0 net' Interface=eth0 Connection=ethernet IP=static Address=('192.168.0.5/24') Gateway='192.168.0.1' DNS=('10.5.0.1') ################################ say for ddwrt in your services tab assign the ip addresses there set your lease time this means you don't have to worry about resolv.conf dns problems coz your local network is now airvpn dns only i'm human, make mistakes, forget stuff, brain fart etc so this protects me from myself, helps keep my ISP on the cable modem only, my router does nothing more than route nothing fancy, i got a beefy router, does more stupid shit than i know what to do i run it totally vanilla, a generic turd tbh, i don't even use wifi on it that isn't ideal or even practical for most, i get that, so mod for what works for you and your family config, set your boxes for when they boot up, they don't connect to anything run your iptables, start netctl and you are good so when my box as example boots up i run iptables sript .xinitrc has everything set to down then i run netctl start eth0 cd to my airvpn configs folder stunnel "airvpnserver.ssl" --auth-nocache then in other termina window: openvpn --config "airvpnserver.ovpn" --auth-nocache no network manager etc i get lost in that stuff anyway but nothing wrong with using a gui or using network manager or modding it so more 'user friendly' etc hope this helps

i'll play along... the thread is called: SERIOUS TIPS FOR SECURING MY COMPUTING DOMAIN AND ACTIVITIES the web browser is the one piece of software on all operating systems that is the most targeted quite often legally, it's simple, follow the money so to tell someone on a thread that it is 'overkill' when they can simply take a few minutes of their time, go to firefox's about:config page and manually tweak a few settings, which may in effect protect their privacy, family, loved ones, help secure their home network etc. and probably even in some cases, their safety, might be a decision they can choose to make for themselves and decide what is or is not overkill the logic presented that it is not overkill to install 8 additional firefox extensions, which in effect is 8 additional companys, 3rd partys etc. on a stock firefox config but again overkill to edit a few settings... btw, for anyone interested download the xpi file of any addon extension you are installing use this command to extract it: unzip yourxpifilename.xpi * -r that extracts all the files used to make your extension you can search for 'url' 'http' 'https' '.com' '.org' 'update' etc. and find out what it is doing if it calls out, some updates you want, some urls are safe say you find a url that you want to change, but often if you change it in one location only it can brick your extension, so you can bypass that say for example i wanted to block any callbacks to 'userstyles.org': grep -rl 'userstyles.org' ./ | xargs sed -i 's|userstyles.org|dummy_url.org|g' then to put all the files back into a xpi archive give it a different name so you know it's the one you edited: 7z a /path/to/directory/yourxpifilename.xpi * -r

double up on the meds and a quick safety tip: don't slip in the drool

i'm not a fanboy of routers running any vpn or iptables stuff my router can do that it has more capability than i'll ever use all i want from my router is for it to take the cat5 cable from my ISP and then stop my ISP's dns and other stuff at the plugin point then on my router i set my local to static airvpn config this is a real world killswitch, coz i'm human, forget stuff make mistakes, this protects my local network from me and it keeps my ISP off my local the best thing you can do with any router is leverage their vanilla config

one of the main resources i use is eli the computer guy on youtube and watch a lot of defcon / tech vids after a while everyone finds out what they need and like for their own situation how i run arch is probably not good for most, flawed and completely different than the way someone else might run arch, i loaded up manjaro the other day for a looksy and got lost in it, straight up, got lost, way too much for me but to answer your question, i think the first thing to be identified is the actual concern, the term 'threat model' is often used but not too often given to real world terms, meaning 'conditions on the ground' application for most folks in my area, norhteast united states it's the ISP, Verizon, the major players that are the real threat, and that is generic, legal datamining this has nothing to do with ethics, morales etc. this is about money, big money these companies have 24 PHDs and a floor full of extremely talented programmers all backed up by big lobby and another room full of lawyers, for a real world grasp, shut off cookies and javascript, go to facebook's home page, right click on it, view page source, and what you will be looking at is code that is worth billions of dollars company i used to work for, i used to sell microsoft networks back in the day we were a certified dealer, had microsoft staff in the shop once in a while, we had some state contracts here in PA and lots of minor day to day floor traffic fixing Dell boxes etc. back then, before the merge between the cellular industry and internet, just like anyone else, if you would have said 'meta data' was going to be a game changer, well that would have not been too high on the list to say the least you got to remember, nobody had a phone in their hand that could chat, make a call, run a webcam, trade stocks in Europe and order donuts for the techs, the infrastructure wasn't there yet and that is to my poin: the operating systems back then were on the right track, they were lean, Windows 2000 was on the right track, i literally at that time built custom DAW workstations on that operating system, on those drivers, they were stable, solid, did nothing fancy so software in general, was not built with 3rd party involvement, no outgoing connections, all anyone had to do in microsoft land was take the best of Windows 2000, the best of Windows 7, lean it up a bit, get rid of any and all bloat, harden it and you would have had a super bad ass kill linux box operating system, and the gamers themselves would have taken it over at that point, software was still written with the business model that sales and license fees make the buck, income stream, once the cell industry and the ISPs merged, the dynamic, the motive really to how and why software gets coded, the purpose of design, changed dramatically linux is no better, it just got lucky because it held very little interest in the desktop market if linux would have traded spots with microsoft or apple, same problems, and you can actually see it starting already today, the pre rolled distros, first thing they want to do, connect, call out, even Kali, connect, call out and all the other pentest distros, if you have a live distro for pentesting well don't ya think thte first thing ya want shut off and down at boot is connecting to anything? see my point? meta data is the game changer, that simply translates, once scaled, into raw political force in any country and it goes all the way back to what a PHD dude from Cambridge Analytica stated, and the bruh was spot on: 'the problem with facebook aka social media, operating systems phones apps etc is the business model' ask yourself, why hasn't anyone taken the best of tor, maybe made it more wide, why is http even allowed still, and so on, coz of money, so what we see and view is almost 100% 'human hacking' what does this got to do with your orginal post? everything, coz now you know what is the primary target, where the payload goes to: me and you and we are the problem, the real world problem i'll back that up: you look at facebook, we literally give them all of our data, access to everything, for nothing we pay our ISP's bill to then give our friends, family, coworkers and on an on to a corporation built on a business model of this: the more they collect, the more they sell, the more they make ya got to remember the one advantage i may have, with anyone my age is perspective, i knew the net before the cell biz ISP merge i knew Microsoft and worked indirectly for them before the merge if you sugar coat the poison is the human hack here i'm not different, if iwas a programmer and the boss walked up to me and said 'build this OS or app and if we make xyz deadline or meet xyz approval you will make xyz amount of additional income, i'm in' same deal with a website database, if i build a shithole that does xyz but also gets really popular and i collect the right data that is sought after by the ad industry, you walk up to me and go 'i'll give you x amount of dollars' i'm probably gonna sell hit the about:config url in mozilla and search 'url' search 'social' search 'wifi' search 'remote' search 'update' then extract all your plugins and extensions etc you will see how much of what you do is collected and piped to 3rd partys just look at google ssafe search as example, can you really get any more full of shit so going back the purpose of design, the motive, that's the threat, that's the flaw, that's what needs to be hardened linux in genearl isn't popular, malware authors code exploits to make money, bot authors want their networks running smooth so most of that 'financial targeted' exploits is aimed at the popular stuff gentoo and arch is even less popular, and the thing is if you have your own repo, roll your own kernel, just by modding your stuff 'your way' coz i say 'fuck the arch way', your on linux to do it the way you want, you just left shit operating system closed source where someone else told you how to roll' case in point in legal datamining, almost all of the linux community is on that shit data mined irc server freenode even the tor developers don't run an onion server well at least listed anyway harden the browser, harden your linux, best ya can, biggest threat to my local to my box is me, the monkey at the keyboard and i'll say this in Mark Zucerberg's favor and any social media business with any kind of voting system, coz that is and has been the multibillion dollar click, just beautiful all the way to the bank: those companies saw and applied a value metric to our data, to our click, they applied a value to what we think and do and who with and that right there is a very serious tough pill to swallow Mark Zuckerberg has a jet in his driveway not because he even exploited my data, or was unethical with it but mainly because he offered me a like button that i could click on to give a voice on his platform so the real problem that Cambridge Analytica was talking about, coz for them that was business as usual is until the internet as a whole gets together and decides that their network traffic is theirs, should be protected like a utility world wide, such as water, gas, electric, coz today it is exactly that, my ISP Comcast is a utility without the correct use of government regulation, at the federal level, why shit gets wild west treatment still, same flaw as when Enron went in to California and manipulated the power grid i'm no diff, you put me as a day trader behind a business model i can exploit to make x million in 3 hours i'm in, i'll smash that like button all the way to the bank

this is my opinion only but i stay away from ipv6 i shut it down at the kernel via grub edit: GRUB_DEFAULT=0 GRUB_TIMEOUT=5 GRUB_DISTRIBUTOR="Arch" GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 pnpbios=off acpi=off" GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:cryptroot ipv6.disable=1 bluetooth.blacklist=yes"

what i like about ricochet is the fact it can use tor alpha 3 torrc on arch. meaning you can set your torrc say you want to chroot it also, to strictmode, avoid any servers that have been known to inject anything, i chatted with a couple of folks on ricochet on hope they move it forward with next gen onion, so for example right now i have it running, i got tor alpha from the AUR, got ricochet, themed it, tor runs in chroot via arch linux wiki instructions, again, this is all layers, the local repo chat laptop is basically stand alone, meaning it's not doin anything else and behind airvpn stunnel openvpn, that's basically just my tor box, it hosts my tokzco onion site version 3 and my local arch repo i don't browse tor sites on that box or much of anything else, it's a lazy way of compartmentalization also qubes and whonix etc are all cool and all but yeah i'm not into the work load of switching everything over and straight up, i don't trust the tor browser version at all reason is you look through it it is serious bloat shit and call out to google etc and mozilla big time the browser is the most targeted app and why i don't like to load anything up to chat through it either online irc in general has become shit, almost every chat url you can find online via clearnet search engines is all shit links to sicko shit, imho a deliberate campaign, there is more sick shit on facebook just by sheer volume there are family friendly spots on the onion and decent places to chat clearnet and often tor 'search engines' don't do much to help reason is this, it's about ad revenue, about money, google and everyone else wants us to think that if we all of a sudden get 'anon' that we lose our minds and load up negative content or get into bad stuff it's psychological warfare 101 and they do it well i'm more or less 'squeamish' there is a lot of stuff on youtube i can't handle today anyway my point is, ricochet is a solid so far to me because it does nothing else you check it on github you will see a lot of folks involved with it in the issues tab that's a good sign i sent staff an apology, goin back through fixing some posts long story short, my family got involved in hijacking my inheritance and the banks knew, law enforcement has also been involved in covering some things up, mail intercepts and forging courthouse legal docs i'm not making this shit up, wish i were, i'm sick to my gut me, i just wrapped up a decade of probation for getting stupid, shitfaced, went for a joy ride in a truck and yeah, so not cool there so last thing i want is any correspondence or attention from law enforcement or any courthouse, goin on 50, i just want left alone more than that, my 'family' absolutely had no reason to go behind my back plan anything out ahead to get money, if they had wanted it all or just had talked straight up to me, i'd most likely have agreed to whatever they want simply to just be left alone, coz my dad was not a good man, at all so yeah, i have been under some mental strain, real world heavy surveillance i'm naive in a lot of ways, i believe in the good of people tor, privacy, openvpn, i'm just like anyone else, i don't think about it much till i don't have it airvpn has been good to me, better than i deserve, i can't buy that or even earn that

in no way am i putting your OS down or you used to sell Microsoft networks for a living one of the best things you can do is move to linux it's just not as popular and that's the inherit privacy leverage thingy you can group hug in

that's a box i'd like to build myself and test on for a while need to put a pfsense box on the local maybe go from the cable modem to the ddwrt then to the pfsense box add some nics or extend with another router in switch mode basically see what i can come up with

consider what purpose of config is gonna be towards meaning if you are building ecom site or proxy server or need offshore or aiming towards onion/tor vps ability the other thing to look at is who owns who coz a lof of 'standard' web hosting companies out there share databases, even email traffic i know, i've 'tested' this for real it does come down to what you really need, your threath model and what you can afford to pay for other factors are domain naming laws and where you are from where your business might be incorporated in and so forth so if i invest in a vps provider 'off shore' or in a country with far better privacy laws but name my site xyz that might null the money i invested in a better location etc.

cool but yeah if you can do that take that skill set you got and roll over to gentoo or arch, plop out a distro of your flavor and then pipe it back to here with some screenshots but a sincere congrats on what you did that is cool roll up an opensource dooby....

they are most likely removing stuff that isn't needed for the community keeps the forum lean/clean

serverbox is 192.168.1.103 clientbox is 192.168.1.100 if you have a current ssh install back files up and do a new install: # systemctl stop sshd # mv /etc/ssh ~/sshbkup # mv ~/.ssh ~/.sshbkup # pacman -S --noconfirm openssh nmap check the files in /etc/ssh: # ls /etc/ssh moduli ssh_config sshd_config # cp /etc/ssh/sshd_config ~/sshd_configbkup # cp /etc/ssh/ssh_config ~/ssh_configbkup on the serverbox create user servz: # useradd -m -g users -G wheel -s /bin/bash servz # passwd servz enter new password twice on the clientbox create user clyz: # useradd -m -g users -G wheel -s /bin/bash clyz # passwd clyz enter new password twice on the serverbox create ssh directory: # mkdir /home/servz/.ssh # touch /home/servz/.ssh/authorized_keys # chown -R servz:wheel authorized_keys # ls -l /home/servz/.ssh/authorized_keys -rw-r--r-- 1 servz wheel 735 Jul 30 15:10 authorized_keys # mkdir /home/servz/sshfilez # chown -R servz:wheel /home/servz/sshfilez on the clientbox create ssh directory: # mkdir /home/clyz/.ssh # touch /home/clyz/.ssh/authorized_keys # chown -R clyz:wheel authorized_keys # ls -l /home/clyz/.ssh/authorized_keys -rw-r--r-- 1 clyz wheel 735 Jul 30 15:10 authorized_keys # mkdir /home/clyz/sshfilez # chown -R clyz:wheel /home/clyz/sshfilez check yer local and destination... # nmap -sS -O -p22 IPHERE # iptables -nL | grep 22 nmap should show this on both boxes: PORT STATE SERVICE 22/tcp open ssh since the serverbox is 192.168.1.103 and the clientbox is 192.168.1.100 set iptables for each box accordingly this allows only xyz ip to port 22 # iptables -I INPUT -p tcp --dport 22 -s IPHERE -j ACCEPT # iptables -A INPUT -p tcp --dport 22 -j REJECT verify: # iptables -nL | grep 22 ACCEPT tcp -- 192.168.1.103 0.0.0.0/0 tcp dpt:22 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable start ssh on both boxes: # systemctl start sshd verify: # systemctl status sshd Active: active (running) do a login from the clientbox: # ssh -p 22 servz@192.168.1.103 type yes and enter the password root > ssh -p 22 servz@192.168.1.103 The authenticity of host '192.168.1.103 (192.168.1.103)' can't be established. ECDSA key fingerprint is SHA256:nTXLL8Z/i7sumshitcodekeystuffherebruhright. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.103' (ECDSA) to the list of known hosts. servz@192.168.1.103's password: [servz@h0stm0st ~]$ exit logout Connection to 192.168.1.103 closed. repeat for the serverbox: # ssh -p 22 clyz@192.168.1.100 the previous was a basic login password only without key authentication/non-root using a stock ssh config if you need root type su or use sudo after login for wan/vps access if needed to remove a user account: # userdel username # rm -r /home/username for key authentication only login from the clientbox: # ssh -p 22 servz@192.168.1.103 enter the password for the user servz [servz@h0stm0st ~]$ gen the key with sudo and no password: # sudo ssh-keygen -t rsa -b 4096 -P '' again enter the password for the user servz hit enter for default location [servz@h0stm0st ~]$ sudo ssh-keygen -t rsa -b 4096 -P '' We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for servz: Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:sumkeystuffshowzherebruhFmdYX2XpGpD8lsVRIfs root@h0stm0st The key's randomart image is: +---[RSA 4096]----+ | =BX..o@| | ..@.=o* | | . o O.* | | o . . O.. | | nofuxway. . oE | | . = = + . | | + . + + | | . . + o | | . o | +----[SHA256]-----+ [servz@h0stm0st ~]$ exit banner for serverbox: # cat <<-EOF > /home/servz/.ssh/servz.motd Welcome 2 serverbox we all float down here EOF banner for clientbox: # cat <<-EOF > /home/clyz/.ssh/clyz.motd Welcome 2 clientbox we all float down here EOF from serverbox: # cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"' root > cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"' servz@192.168.1.100's password: key copied to clientbox root > from clientbox: # cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"' root > cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"' servz@192.168.1.103's password: key copied to serverbox root > stop sshd on both boxes: # systemctl stop sshd set banner on serverbox: # grep --null -lr "#Banner none" /etc/ssh/sshd_config | xargs --null sed -i 's|#Banner none|Banner /home/servz/.ssh/servz.motd|g' /etc/ssh/sshd_config set banner on clientbox: # grep --null -lr "#Banner none" /etc/ssh/sshd_config | xargs --null sed -i 's|#Banner none|Banner /home/clyz/.ssh/clyz.motd|g' /etc/ssh/sshd_config set key only each box: # grep --null -lr "#PubkeyAuthentication yes" /etc/ssh/sshd_config | xargs --null sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config on each box disable passwords for the ssh client: # grep --null -lr "# PasswordAuthentication yes" /etc/ssh/ssh_config | xargs --null sed -i 's/# PasswordAuthentication yes/# PasswordAuthentication no/g' /etc/ssh/ssh_config on serverbox: # chown -R servz:wheel /home/servz/.ssh/servz.motd on clientbox: # chown -R clyz:wheel /home/clyz/.ssh/clyz.motd start sshd on both boxes: # systemctl start sshd verify: # systemctl status sshd Active: active (running) login key only custom banner from clientbox with example gaining root with root password: root > ssh -p 22 servz@192.168.1.103 Welcome 2 serverbox we all float down here Last login: Sun Jul 30 15:47:26 2017 from 192.168.1.100 [servz@h0stm0st ~]$ su Password: root > pwd /home/servz root > exit exit [servz@h0stm0st ~]$ exit logout Connection to 192.168.1.103 closed. create a test file on the clientbox: # cat <<-EOF > /home/clyz/sshfilez/file2server.md this is a text document to transfer to the server EOF transfer the file to the serverbox: # scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez from the clientbox you should see this: root > pwd /home/clyz/sshfilez root > cat <<-EOF > /home/clyz/sshfilez/file2server.md > this is a text document to > transfer to the server > EOF root > scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez Welcome 2 serverbox we all float down here file2server.md 100% 61 79.7KB/s 00:00 root > to send a directory located on the clientbox to the serverbox: # scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez output: root > pwd /home/clyz/sshfilez root > ls files4server root > scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez Welcome 2 serverbox we all float down here file2server.md 100% 61 75.6KB/s 00:00 root > delete the files4server directory from the clientbox: # rm -r files4server to send a directory located on the serverbox back to the clientbox: # scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez output: root > pwd /home/clyz/sshfilez root > ls root > scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez Welcome 2 serverbox we all float down here file2server.md 100% 61 73.3KB/s 00:00 root > ls files4server root >

make a directory... # mkdir ~/emailstuff # cd emailstuff make a file... # touch email2bob.md # nano email2bob.md write your email to bob then... # ctrl+o, ctrl+x, enter backup out of the directory then compress it... # cd .. # tar -zcvf emailstuff.tar.gz emailstuff gen yer sha... # sha256sum emailstuff.tar.gz copy sha numbers then sign the email... # gpg --armor --detach-sign emailstuff.tar.gz now to encrypt the email then give that password and sha numbers to bob... # gpg -o emailstuff.tar.gz.gpg --symmetric --cipher-algo aes256 emailstuff.tar.gz bob now decrypts your email and enters the password... # gpg -o emailstuff.tar.gz -d emailstuff.tar.gz.gpg bob imports your public key... # gpg --import yourkey.asc then checks if signature good... # gpg --verify emailstuff.tar.gz.asc emailstuff.tar.gz bob might get a 'warning not verified' important part is 'good signature' bob verifies the sha make sure the numbers match... # sha256sum emailstuff.tar.gz bob then uncompresses the email... # tar -zxvf emailstuff.tar.gz