Small GNU Privacy Guard HOWTO

first created: 14.06.2005

Introduction

At the beginning of this HOWTO, a few words of introduction are needed. If you want more information about OpenPGP or GPG, see the next two sections of this article. I would be grateful for any feedback concerning this document, or even bug corrections.

What is OpenPGP?

“OpenPGP is the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 2440. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991” – source www.openpgp.org

What is GNU Privacy Guard?

Generally, GPG is a free command-line tool for encrypting and signing files and emails. It is fully RFC 2440 compliant and is a complete replacement for the PGP program.

It has many features, like:

  • GPL licence (you can use it for free)
  • supports many algorithms: ElGamal, DSA and RSA for public keys; AES, 3DES, Blowfish, Twofish and CAST5 as ciphers; MD5, SHA-1, RIPEMD-160 and TIGER as hash functions (MD5 and SHA-1 are kept for compatibility with old keys and signatures and should not be chosen for new ones)
  • multilanguage support
  • online support
  • and many more, which can be found on www.gnupg.org
  • works on GNU/Linux, MacOS X, NetBSD, FreeBSD, OpenBSD and Windows

Using GPG

Installation

Almost all distributions provide GPG, but if you want to install the very latest version from scratch, you have to obtain the sources from www.gnupg.org (verify the signature on the tarball against the GnuPG release signing keys before you build it). This is not a "from scratch" HOWTO for Linux newbies, so that part is not covered here.

Getting help for gpg

Like every tool, gpg has its own manpage, as well as a gpg --help option. Of course you can run gpg --help to see all the options, but if you are reading this HOWTO, I assume you are too lazy to do that.

Generating your keys

The first thing to do is to generate a key pair. One key is public: you give it to the people you correspond with, so they can verify the signatures on your emails and encrypt messages to you. The other is secret (it must be stored safely and never shown to anyone) and is used for signing and for decrypting messages that were encrypted to you. To generate your own key pair, do:

gpg --gen-key

You will then be asked some questions about the cryptographic algorithm and key size (if you do not know what to choose, take the defaults), your name, email and a passphrase (which should be long and hard to guess, because it is all that protects the secret key on disk). After issuing this command you will have a key pair and its fingerprint, which is a hash of your public key that other people use to confirm they have the right key.

Exporting your public key

Now, if you want to export your public key to a file, for example to put it on your webpage or blog, or just to have it and stare at it, you have to issue:

gpg --export --armor <yourmail> > file.asc

This will put your public key for <yourmail> into file.asc. You can freely distribute that file to people who would like to confirm your identity. You can also upload your public key to a key server, which is a good idea:

gpg --send-keys <keyid>

(the keyserver option in ~/.gnupg/gpg.conf says which server to use). Analogously, you can receive or search for keys on the server:

gpg --recv-keys <keyid>
gpg --search-keys <email>

Keep in mind that a key server does not vouch for who owns a key: anybody can upload a key carrying your name and email, so a key fetched this way still has to be checked against its owner's fingerprint (see Importing other people's keys).

Signing, encrypting and decrypting files

You can now sign your emails and files. Many mail clients use gpg automagically, which is discussed under Common clients configuration below. If you prefer to sign a file by hand, issue:

gpg --sign file

A file.gpg will be generated: this is the signed file, that is, the (compressed) content together with your signature, not a separate signature. If you want only the signature in its own file, use --detach-sign, which writes file.sig. If you like, you can sign files with a clear text signature, which keeps the content readable:

gpg --clearsign file

Again, file.asc will be generated. For a file with this content:

Foo Bar Foo Bar
Foo Bar Foo Bar

it will look similar to this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foo Bar Foo Bar
Foo Bar Foo Bar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCr09b1Zs59WqqS18RAvzuAJ45RotP1lGo0BGjlE03mVGC2RJHngCgtqUq
GA5XqrjgzSpeOUaFN4O+Je4=
=fl3F
-----END PGP SIGNATURE-----
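To see what the armored signature block actually contains, here is an added example (not from the original HOWTO) that takes it apart with nothing but coreutils: awk, base64 and od. It embeds the clearsigned message above as a constructed sample, with the signature bytes copied from the output shown; the two "Foo Bar" lines only stand in for the signed text, and since the signing key is not on this page the script decodes the signature packet rather than verifying it.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: decode the armored signature
# of the clearsigned message above with coreutils only (awk, base64, od).
# The signature bytes are the ones shown above; the two "Foo Bar" lines are a
# constructed stand-in for the signed text. The packet is decoded, not verified.
set -eu

sample() {
cat <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foo Bar Foo Bar
Foo Bar Foo Bar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCr09b1Zs59WqqS18RAvzuAJ45RotP1lGo0BGjlE03mVGC2RJHngCgtqUq
GA5XqrjgzSpeOUaFN4O+Je4=
=fl3F
-----END PGP SIGNATURE-----
EOF
}

# stdin: armored clearsigned message; stdout: the binary signature packet as one
# hex string. "Version:" is an armor header and "=fl3F" is the armor's CRC-24
# of the packet, so neither is part of the base64 data and both are dropped.
armor_to_hex() {
    awk '/^-----BEGIN PGP SIGNATURE-----/ { inblk = 1; next }
         /^-----END PGP SIGNATURE-----/   { inblk = 0 }
         inblk && /^Version:/            { next }
         inblk && /^=/                   { next }
         inblk && NF                     { print }' \
    | tr -d '\n' | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# characters FROM-TO (1-based) of a string, e.g. slice "$hex" 19-34
slice() { printf '%s' "$1" | cut -c"$2"; }

pk_name()   { case $1 in 1) echo RSA ;; 16) echo ElGamal ;; 17) echo DSA ;; *) echo "algo-$1" ;; esac; }
hash_name() { case $1 in 1) echo MD5 ;; 2) echo SHA1 ;; 3) echo RIPEMD160 ;; 8) echo SHA256 ;; *) echo "algo-$1" ;; esac; }

# Decode the fixed part of a version 3 signature packet (RFC 2440, 5.2.2):
#   packet header (tag, length) | version=3 | 5 | sig type | 4-byte creation
#   time | 8-byte key ID | public-key algo | hash algo | left 16 bits of the
#   hash | MPIs (r and s for DSA).  Prints key=value lines.
describe_signature() {
    hex=$(sample | armor_to_hex)
    hdr=$(( 0x$(slice "$hex" 1-2) ))
    # old-format header: bit 7 set, bit 6 clear, bits 5-2 the tag, bits 1-0 the
    # length type (0 = one-byte length, the case for a 63-byte DSA signature)
    [ $(( (hdr >> 6) & 3 )) -eq 2 ] || { echo "not an old-format packet header" >&2; return 1; }
    echo "tag=$(( (hdr >> 2) & 15 ))"                 # 2 = signature packet
    len=$(( 0x$(slice "$hex" 3-4) ))
    [ "$len" -eq $(( ${#hex} / 2 - 2 )) ] || { echo "length byte $len disagrees with the armor" >&2; return 1; }
    echo "length=$len"
    ver=$(( 0x$(slice "$hex" 5-6) ))
    [ "$ver" -eq 3 ] || { echo "version $ver signature: only the v3 layout is decoded here" >&2; return 1; }
    echo "version=$ver"
    echo "sigtype=$(( 0x$(slice "$hex" 9-10) ))"      # 1 = canonical text (--clearsign)
    echo "created=$(( 0x$(slice "$hex" 11-18) ))"     # seconds since 1970-01-01 UTC
    echo "keyid=$(slice "$hex" 19-34 | tr a-f A-F)"   # long key ID of the signer
    pk=$(( 0x$(slice "$hex" 35-36) )); echo "pubkey_algo=$pk"; echo "pubkey_name=$(pk_name "$pk")"
    ha=$(( 0x$(slice "$hex" 37-38) )); echo "hash_algo=$ha";   echo "hash_name=$(hash_name "$ha")"
    echo "hash_left16=$(slice "$hex" 39-42)"           # quick mismatch check before full verification
}

describe_signature
```

Running it shows that the block carries a version 3 signature packet of type 0x01 (canonical text, which is what --clearsign makes), its creation time in June 2005, the 64-bit key ID of the signing key, DSA as the public-key algorithm and SHA1 as the hash, matching the "Hash: SHA1" header at the top. gpg --list-packets prints the same fields for any OpenPGP file and additionally checks the =fl3F CRC-24 line, which this script skips. Current GnuPG versions produce version 4 signatures, which carry the same information in subpackets, so the script reports those and stops rather than misreading them.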

If you have some top-secret data to send, you can also encrypt the file:

gpg --recipient <email> --encrypt file

This writes file.gpg, encrypted to the recipient's public key (without --recipient, gpg asks for the recipient's user ID interactively); only the matching secret key can decrypt it. The recipient decrypts it with:

gpg --decrypt file.gpg

which writes the plaintext to standard output; add --output file to write it to a file instead.

Importing other people’s keys

If you received somebody's public key and would like to identify him by it, you first import the key and then ask him to confirm its fingerprint. Let's assume we got a key from John Foo, whose email is johnfoo@bar.com:

gpg --import john.asc

Now check the fingerprint:

gpg --fingerprint johnfoo@bar.com

and ask John to confirm that it is really his fingerprint. Do it by phone, or IM, just make sure that John is really John: the fingerprint has to reach you over a channel that whoever could have swapped the key does not also control. If John turns out to be himself, sign his key:

gpg --edit-key johnfoo@bar.com

At the gpg> prompt, issue the commands:

> sign
> save

There are more commands available, type help to see them. Next, export John's public key, now carrying your signature, to a file:

gpg --armor --export johnfoo@bar.com > johns-pub-new

Send that file to John. Once he imports it, his key carries your signature (your certification that the key is his), which extends the web of trust for everybody who trusts you. Of course John should do the same with your key. Do not forget to update the copy of your public key on your webpage (and the key server) afterwards, so that it carries the new signatures.
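Here is the whole exchange of this and the previous sections run end to end, as an added example that is not part of the original HOWTO: two throwaway keyrings stand in for you and John, the fingerprint comparison is done by the script where you would do it over the phone, and the sign/save step of --edit-key is replaced by its non-interactive equivalent, --quick-sign-key. It needs GnuPG 2.1 or later (--pinentry-mode loopback and the --quick-* commands do not exist in the 1.4 series this HOWTO was written for); the names, addresses and file contents are made up.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the exchange described above
# (key generation, export, import, fingerprint check, key signing, file
# signing, encryption and decryption) run unattended in throwaway keyrings,
# one per side. Needs GnuPG 2.1 or later. The people and addresses are made up.
set -eu

# Run gpg as one side of the exchange; $1 is that side's keyring directory.
# The demo keys get an empty passphrase so nothing prompts; a real key should not.
g() { _home=$1; shift; GNUPGHOME=$_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of $2 in keyring $1, from the machine-readable listing
fpr() { GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

gpg_demo() {
    work=$(mktemp -d); me=$work/me; john=$work/john
    mkdir -m 700 "$me" "$john"        # gpg warns about looser permissions

    # "Generating your keys", both sides
    g "$me"   --quick-generate-key "Alice Example <alice@example.com>" default default never
    g "$john" --quick-generate-key "John Foo <johnfoo@bar.com>" default default never

    # "Exporting your public key": the armored files are what gets published
    g "$me"   --armor --export alice@example.com > "$work/alice.asc"
    g "$john" --armor --export johnfoo@bar.com  > "$work/john.asc"

    # "Importing other people's keys": import, then compare fingerprints.
    # John would read his out over the phone; here we read it from his keyring.
    g "$me" --import "$work/john.asc"
    [ "$(fpr "$me" johnfoo@bar.com)" = "$(fpr "$john" johnfoo@bar.com)" ] \
        || { echo "fingerprint mismatch: do not sign this key" >&2; return 1; }
    # non-interactive equivalent of "sign" + "save" in --edit-key
    g "$me" --quick-sign-key "$(fpr "$me" johnfoo@bar.com)"

    # "Signing ... files": clearsign, and let John verify with Alice's public key
    printf 'Foo Bar Foo Bar\n' > "$work/file"
    g "$me" --clearsign "$work/file"                       # writes file.asc
    g "$john" --import "$work/alice.asc"
    g "$john" --verify "$work/file.asc"                    # exit status 0 = good signature

    # Encrypt to John's public key. In --batch mode gpg refuses a recipient key
    # it does not consider valid; this one is valid because Alice certified it.
    g "$me" --recipient johnfoo@bar.com --encrypt "$work/file"   # writes file.gpg
    g "$john" --output "$work/file.dec" --decrypt "$work/file.gpg"
    cmp -s "$work/file" "$work/file.dec"
    cat "$work/file.dec"

    for h in "$me" "$john"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then gpg_demo; else echo "gpg not installed" >&2; fi
```

Run it as a script; it prints the decrypted text and removes its temporary keyrings. The encryption step is where the key signing pays off: with --batch, gpg will not encrypt to a key it does not consider valid, so leaving out the fingerprint check and the certification makes that step fail instead of silently trusting an unverified key.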

Common clients configuration

Sylpheed-Claws

Sylpheed-Claws needs the pgpmime plugin, available from sylpheed-claws.sf.net. It enables signing and encryption. There is also a plugin for viewing inline PGP messages, called pgpinline.

Kmail

KMail has a built-in plugin for communicating with KGpg, the GUI wrapper for gpg in KDE. This makes configuring it easy enough that it is not worth writing about.

Psi

Psi can encrypt messages. All you have to do is choose your key in the account setup. Then you can encrypt messages with the recipient's key.

Credits

Thanks to antoszka from #gentoo-pl for helping me in understanding GPG.