first created: 14.06.2005
At the beginning of this HOWTO, a few words of introduction are needed. If you want more information about OpenPGP or GPG, see sections 1.1 and 1.2 of this article. I would be grateful for any feedback concerning this document, or even bug corrections.
“OpenPGP is the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 2440. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991” – source www.openpgp.org
Generally, GPG is a free command-line tool for encrypting files and emails. It is fully RFC 2440 compliant and is a complete replacement for the PGP program.
It has many features, like:
Almost all distributions provide GPG, but if you want to install the very newest version from scratch, you have to obtain the sources from www.gnupg.org. This is not a "from scratch" howto for Linux newbies, so I won't write that part.
Like every tool, gpg has its own manpage, as well as a gpg --help option. Of course you can run gpg --help to see all the options, but if you are reading this HOWTO, I assume you are too lazy to do that.
The first thing to do is to generate a pair of keys. One is public (the one you give to trusted people, so they can identify your emails by your signature), and the other is secret (which should be stored safely and never shown to others), used for decrypting encrypted messages. To generate your own pair of keys, do:
gpg --gen-key
You will then be asked some questions about the cryptography algorithm (if you do not know what to choose, take the defaults), your name, email and password (which should be quite complicated). After issuing this command you will have a pair of keys and the fingerprint, which is a hash used for confirming your public key.
Now if you want to export your public key to a file, for example to put it on your webpage or blog, or just to have it and stare at it, you have to issue:
gpg --export --armor <yourmail> > file.asc
This will put your public key for <youremail> into file.asc. You can freely distribute that file among people who would like to confirm your identity.
You can also export your public key to a key server, which is a good idea:
gpg --send-keys <yourmail>
(~/.gnupg/gpg.conf stores which key server to use.)
You can analogously receive or search for keys on the server:
gpg --recv-keys <keyid> or gpg --search-keys <emailhere>
You can now sign your emails and files. Many mail clients use gpg automagically, which will be discussed in section 3 of this document. If you prefer to sign a file, issue:
gpg --sign file
A file.gpg will be generated, which is your signature for that file.
If you like, you can sign files with a clear text signature:
gpg --clearsign file
Again file.asc will be generated. For a file with the content:
Foo Bar Foo Bar
Foo Bar Foo Bar
it will look similar to this:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foo Bar Foo Bar
Foo Bar Foo Bar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCr09b1Zs59WqqS18RAvzuAJ45RotP1lGo0BGjlE03mVGC2RJHngCgtqUq
GA5XqrjgzSpeOUaFN4O+Je4=
=fl3F
-----END PGP SIGNATURE-----
If you have some top-secret data to be sent, you can also encrypt the file:
gpg --encrypt file
or decrypt it :
gpg --decrypt file
If you received somebody's public key and would like to identify him by it, first ask him to confirm the fingerprint; to do so you have to import the key. Let's assume we got a key from John Foo with the mail address johnfoo@bar.com.
gpg --import john.asc
Now check the fingerprint:
gpg --fingerprint johnfoo@bar.com
and ask John to confirm it is really his fingerprint. Do it by phone or IM, just be sure John is really John. If John turns out to be himself, sign his key:
gpg --edit-key johnfoo@bar.com
You will be prompted to issue commands:
> sign
> save
There are more commands available; type help to list them. Next, export John's public key, now signed by you, to a file:
gpg --armor --export johnfoo@bar.com > johns-pub-new
Now John has his own key signed by your key. He can import it and so extend the web of trust in his keyring. Of course the same procedure should be done by John with your key. Do not forget to update your public key on your webpage afterwards.
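The fingerprint check and signing above, turned into a small script (an added example, not part of the original HOWTO). It assumes gpg's --with-colons output format, in which the fpr record's tenth field holds the fingerprint, and uses --sign-key as the non-interactive equivalent of the sign/save commands in --edit-key. The only value it trusts is the fingerprint John read out to you over the phone; the key file itself is never trusted.

```shell
#!/bin/sh
# Compare a freshly imported key's fingerprint with the one confirmed out of band,
# and sign the key only when the two match.

# Normalise a fingerprint: drop whitespace and uppercase, so that
# "1234 5678 ..." as printed by gpg and "12345678..." as dictated compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Returns 0 only when both values are the same 40-hex-digit (v4) fingerprint.
# An empty or non-hex value (e.g. gpg found no key) is treated as a mismatch.
fingerprints_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    if [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# Primary-key fingerprint for a user ID, from gpg's machine-readable output
# (the first "fpr" record follows the "pub" record; field 10 is the fingerprint).
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# Import the key file, check it against the confirmed fingerprint, sign on match only.
verify_and_sign() {
    keyfile=$1; uid=$2; confirmed=$3
    gpg --import "$keyfile" || return 1
    actual=$(key_fingerprint "$uid")
    if fingerprints_match "$actual" "$confirmed"; then
        echo "fingerprint confirmed, signing key for $uid"
        gpg --sign-key "$uid"
    else
        echo "fingerprint MISMATCH for $uid: key has '$actual', John confirmed '$confirmed'" >&2
        return 2
    fi
}

# Usage (the third argument is what John dictated, not anything read from john.asc;
# the value shown is a constructed placeholder):
#   verify_and_sign john.asc johnfoo@bar.com '1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678'
```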
Sylpheed-claws needs the plugin mimepgp, available from sylpheed-claws.sf.net. It enables signatures and encryption. There is also a plugin for viewing inline PGP messages, called pgpinline.
Check also: GNU Privacy Guard Site - www.gnupg.org; OpenPGP Site - www.openpgp.org