Privacy with GNU Privacy Guard

Use

General

There is a lot of documentation about GnuPG on the official web site. For the impatient, I suggest reading a very nice and compact tutorial that can be found here. In particular, you should read the Concepts and the Using Keys chapters.

Just a few obvious rules… that apparently are not that obvious to everybody ;-)
  • to encrypt a message (file) for your personal use, use your own public key
  • to encrypt a message for a friend of yours, use his public key
  • to sign a message, use your private key
  • you should be sure that you can trust the public keys you hold. The ideal thing is to organize key exchange parties with your friends or, at least, to ask your friends to confirm that the key you have is valid (e.g. by comparing over the phone the key fingerprint that you obtain from gpg --list-keys --fingerprint).

Anyway, the very first thing to do is to create your own private/public key pair:

# gpg --gen-key
gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3
Key expires at Sat Sep  5 16:59:34 2009 CEST
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Flash Gordon
Email address: flash.gordon@gmail.com 
Comment: this is another test key   
You selected this USER-ID:
    "Flash Gordon (this is another test key) <flash.gordon@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.    

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 48C7AF6A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2009-09-03
pub   2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05]
      Key fingerprint = 695D 354D E592 8677 50E5  5E62 DF8B 511A 48C7 AF6A
uid                  Flash Gordon (this is another test key) <flash.gordon@gmail.ch>
sub   2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05]

A handy way of sharing your public key is to upload it to a public key server like keys.gnupg.net. This allows your friends to easily search for and obtain your public key, and vice versa. To upload your public key, first decide which one to upload. To do so, list your keys:

# gpg --list-keys
/Users/cangiani/.gnupg/pubring.gpg
----------------------------------
pub   1024D/2D09619D 2009-09-02 [expires: 2009-09-03]
uid                  Ciccio Pasticcio (this is a test key) <harmattan@gmail.com>
sub   1024g/AF0BF493 2009-09-02 [expires: 2009-09-03]

pub   2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05]
uid                  Flash Gordon (this is another test key) <flash.gordon@gmail.ch>
sub   2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05]

and copy the key ID for the selected key from the list (e.g. 48C7AF6A for Flash Gordon). Then upload it to one or more servers:

# gpg --keyserver keys.gnupg.net --send-keys 48C7AF6A
gpg: sending key 48C7AF6A to hkp server keys.gnupg.net

In order to search and fetch the public key of a friend of yours using his mail address, do the following (for Damir's address for example):

# gpg --keyserver keys.gnupg.net --search-keys damir.laurenzi@epfl.ch
gpg: searching for "damir.laurenzi@epfl.ch" from hkp server keys.gnupg.net
(1)	Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>
	  1024 bit DSA key 86134762, created: 2009-06-09
(2)	damir laurenzi (no password) <damir.laurenzi@epfl.ch>
	  1024 bit DSA key B3AB018C, created: 2007-06-28 (revoked)
Keys 1-2 of 2 for "damir.laurenzi@epfl.ch".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 86134762 from hkp server keys.gnupg.net
gpg: key 86134762: public key "Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>" imported
gpg: Total number processed: 1
gpg:               imported: 1

or just fetch the key if you already know the key ID:

# gpg --keyserver keys.gnupg.net  --recv-keys 86134762
gpg: requesting key 86134762 from hkp server keys.gnupg.net
gpg: key 86134762: public key "Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>" imported
gpg: Total number processed: 1
gpg:               imported: 1

You can check that the newly imported key is now in your public keyring:

# gpg --list-keys
/Users/cangiani/.gnupg/pubring.gpg
----------------------------------
pub   1024D/2D09619D 2009-09-02 [expires: 2009-09-03]
uid                  Ciccio Pasticcio (this is a test key) <harmattan@gmail.com>
sub   1024g/AF0BF493 2009-09-02 [expires: 2009-09-03]

pub   2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05]
uid                  Flash Gordon (this is another test key) <flash.gordon@gmail.ch>
sub   2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05]

pub   1024D/86134762 2009-06-09 [expires: 2019-06-07]
uid                  Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>
sub   2048g/45397CF2 2009-06-09 [expires: 2019-06-07]
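Listing the key only proves that it was imported, not that it is the right one. The rule from the top of the page is to compare the full fingerprint with the owner out of band before relying on a key, and the search results above also show that a key server may hand back revoked keys. The following is an added example (not part of the original page) that parses the machine-readable output of `gpg --with-colons --fingerprint --list-keys` and refuses a key that is revoked, expired or whose fingerprint differs from the one you were read over the phone. The Flash Gordon key ID and fingerprint are the ones printed earlier on this page; the second key in the sample reuses the revoked key ID from the search results but its fingerprint, dates and uid hashes are constructed for the example.

```python
"""Verify a fetched OpenPGP key against a fingerprint confirmed out of band."""
import re
import subprocess

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# Colon-format fields (1-based): 1 record type, 2 validity (r=revoked,
# e=expired, u=ultimate...), 5 long key ID, 6 created, 7 expires,
# 10 fingerprint (fpr records) or user ID (uid records).
SAMPLE_LISTING = """\
pub:u:2048:17:DF8B511A48C7AF6A:2009-09-02:2009-09-05::u:::scaSCA:
fpr:::::::::695D354DE592867750E55E62DF8B511A48C7AF6A:
uid:u::::2009-09-02::0000000000000000000000000000000000000000::Flash Gordon (this is another test key) <flash.gordon@gmail.ch>:
sub:u:2048:16:00000000E9BEF1D2:2009-09-02:2009-09-05:::::e:
fpr:::::::::00000000000000000000000000000000E9BEF1D2:
pub:r:1024:17:00000000B3AB018C:2007-06-28:::-:::sca:
fpr:::::::::00000000000000000000000000000000B3AB018C:
uid:r::::2007-06-28::1111111111111111111111111111111111111111::damir laurenzi (no password) <damir.laurenzi@epfl.ch>:
"""


def parse_listing(text):
    """Return {long key ID: info dict} for every primary key in the listing."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "validity": f[1], "created": f[5],
                       "expires": f[6], "fingerprint": None, "uids": []}
            keys[f[4]] = current
        elif f[0] == "fpr" and current and current["fingerprint"] is None:
            current["fingerprint"] = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and current:
            current["uids"].append(f[9])
    return keys


def normalize(fpr):
    """Accept the spaced form gpg prints ('695D 354D ...') as well as bare hex."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fpr)
    return fpr


def check_key(keys, short_id, expected_fpr):
    """Return (ok, reason). ok only if exactly one key ends with short_id, it is
    neither revoked nor expired, and its full fingerprint equals expected_fpr.
    Short IDs can collide, which is why the whole fingerprint is compared."""
    short_id = short_id.upper()
    matches = [k for k in keys.values() if k["keyid"].endswith(short_id)]
    if len(matches) != 1:
        return False, "%d keys match ID %s" % (len(matches), short_id)
    key = matches[0]
    if key["validity"] == "r":
        return False, "key %s is revoked" % short_id
    if key["validity"] == "e":
        return False, "key %s is expired" % short_id
    if key["fingerprint"] != normalize(expected_fpr):
        return False, "fingerprint mismatch for %s" % short_id
    return True, "fingerprint verified"


def list_key(keyid):
    """Real use: query the local keyring (needs gpg on PATH; not used below)."""
    out = subprocess.run(["gpg", "--with-colons", "--fingerprint", "--list-keys", keyid],
                         capture_output=True, text=True, check=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    print(check_key(keys, "48C7AF6A", "695D 354D E592 8677 50E5  5E62 DF8B 511A 48C7 AF6A"))
    print(check_key(keys, "B3AB018C", "0" * 32 + "B3AB018C"))
```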

Mac

[screenshot: first dialog of GPG Keychain Access]
Set up your private key. Launch GPG Keychain Access. Normally, if you have never used GnuPG before, you will be asked whether you want to create or import your personal private/public key pair. Unless you already have a pair of keys (e.g. you generated it from the command line with gpg --gen-key), click on Generate. Follow the process and accept all default values. You will also be asked to set a password for your private key: do not use something trivial to guess, otherwise all this is useless!

[screenshot: GnuPG Mail preferences]
Your newly generated key will also appear as the default Personal Key in the Keys section of the PGP tab of the Mail preferences. You are now ready to send encrypted and/or digitally signed messages with Mail.

GPGMail is well documented on its official website. The interface is very simple and should be easy to understand.

Linux

TODO

Install

Mac (Leopard) + Apple Mail

  1. Download and install the latest version of Mac GNU Privacy Guard v2.x from here. It is an installer package: just double click on it and follow the instructions.
  2. Download and install (just click on GnuPG.prefPane) the latest version of GPGPreferences from here. You will have a new GnuPG preference pane in System Preferences. Open it and have a look at the configuration. If needed, change the Key Server to keys.gnupg.net.
  3. Download and install GPG Keychain Access, also from here. To install it, just drag the .app bundle into your /Applications folder.
  4. Download and install GPGMail. You can install it by running (double clicking) the Install GPGMail.app script, or by copying GPGMail.mailbundle into the Mail/Bundles/ folder in your Library folder.

Linux

GnuPG is installed by default on most Linux machines. TODO

gnupg.txt · Last modified: 2009/09/02 15:59 by cangiani