GPG

De Wiki de Calcul Québec
Aller à : Navigation, rechercher
Cette page est une traduction de la page GPG et la traduction est complétée à 100 % et à jour.

Autres langues :anglais 100% • ‎français 100%

GnuPG (or GPG, for GNU Privacy Guard) is a suite of cryptographic software that conforms to the OpenPGP standard and distributed under the terms of the GNU GPL. Hence it can be freely used and obtained. Just like SSH, it works using a pair of keys, one private and one public.

Sommaire

What are GPG keys used for

Using GPG keys you can do the following things:

  • sign a message or file to confirm that it really comes from you and has not been modified by somebody else;
  • encrypt a message or file so that it can only be read by the intended recipient.

Installation

Under Linux, GPG is probably already installed or can easily be installed using a package manager. You can also visit the site http://www.gnupg.org/, download the sources and install it yourself, with a bit more effort.

Creating a pair of GPG keys

The command

[name@server $] gpg --list-keys


initializes GPG the first time you use it. After that, it will show you the existing keys.

After this you must create a key pair (one public and one private). You should run the command hereunder giving the following information:

key type
choose 1 which will generate all keys you need;
the length of ELG-E keys
use the default value;
key duration
choose the option "the key does not expire" (you risk exasperating your correspondents if you change the key too often);
real name
first and last names;
email
comment
a character string identifying your key, to distinguish it from other if you have multiple keys;
pass phrase
password used to keep your key private
[name@server $] gpg --gen-key 
 gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Firstname Lastname
Email address: address@domain
Comment: comment
You selected this USER-ID:
    "Firstname Lastname (comment) <address@domain>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase: xxxxxxx
Repeat passphrase: xxxxxxx

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B8F271C6 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/B8F271C6 2006-04-06
      Key fingerprint = 72A9 E308 5F2E 3BA5 CB53 A7BF F92C 0859 B8F2 71C6
uid                  Firstname Lastname (comment) <address@domain>
sub   2048g/3E2FA1C7 2006-04-06


Having created the GPG key, you can now use it. Hereafter, please define an environment variable that contains the key ID that was given on the line starting with "pub" above:

[name@server $] export KEYID=B8F271C6


Exporting your public key

To use a GPG key pair, you should know the public key. One way of doing this is to export it in ASCII format:


[name@server $] gpg --export -a $KEYID > gpg-pub.asc


You can then put it on your web page or send it via email, for example.

Sending your public key to a PGP key server

You can also export your public key to a key server such as [pgp.mit.edu]. You would just need to go to the web page and paste the contents of the file gpg-pub.asc into the "submit" box, or you could run the following command:

[name@server $] gpg --keyserver pgp.mit.edu --send-keys $KEYID


Importing a public key

To retrieve public keys belonging to other people, you can do a search on the same key server:

[name@server $] gpg --keyserver pgp.mit.edu --search-key name_to_search


By choosing a number from the list that is displayed, the corresponding key is imported into the user's key chain.

Deleting a key from the key chain

To delete a key you should first find the key number within the chain:

[name@server $] gpg --gen-key 
 /home/user/.gnupg/pubring.gpg
-------------------------------
pub   1024D/6FC6E67E 2013-06-17
uid                  Firstname Lastname (comment) <address@domain>
sub   2048g/F8A81AE4 2013-06-17

pub   1024D/135EA668 2001-03-05
uid                  Richard Stallman (Chief GNUisance) <rms@gnu.org>
sub   1024g/B1B10ED6 2001-03-05


To delete Richard Stallman's public key from the key chain, you must type the following:

[name@server $] gpg --delete-key 135EA668


and confirm.

Signing a message or document

As mentioned before, the signature is used to identify the person who sends the message or has created a file. There are two types of signature: binary and ascii. We only describe ascii signatures here, which are used most often. To sign a message or document, you use:

[name@server $] gpg --default-key $KEYID --clearsign message.txt


You should then enter your pass phrase to be able to use the private key. This command creates the file "message.txt.asc" which contains "message.txt" together with the signature. If you would instead want the signature in a seperate file, please use the following command:

[name@server $] gpg --default-key $KEYID --armor --detach-sign message.txt


This creates a "message.txt.asc" file which only contains the signature.

Verifying a signed message

To verify a signed message, you should of course have the signer's public key (see above how to retrieve a key). If the message and the signature come in different files, you do:

[name@server $] gpg --verify message.txt.asc message.txt
 gpg: Signature made Fri 18 Oct 2002 02:45:58 PM CEST using DSA key ID B60335AE
gpg: Good signature from "Firstname Lastname (comment) <address@domain>"


If the message and signature come in the same file:

[name@server $] gpg --verify message.txt.asc
 gpg: Signature made Fri 18 Oct 2002 02:45:58 PM CEST using DSA key ID B60335AE
gpg: Good signature from "Firstname Lastname (comment) <address@domain>"


Of course if the signature is not good, GPG's message will be different.

Encrypting a message or document

Here too there exist two types of encryption: binary and ascii. Here we also stay with the ASCII format because it is most widely used and it can be used directly inside email clients.

[name@server $] gpg --recipient recipient --armor --encrypt message.txt


This will also create a file named "message.txt.asc". The option "--recipient" specifies the name of the person to whom we want to send the message so that it can be encrypted using his or her public key and it can then be decrypted using his or her private key.

Decrypting a message or a document

Here is a simple command for decrypting a message:

[name@server $] gpg --decrypt message.txt.asc
 You need a passphrase to unlock the secret key for
user: "Firstname Lastname (comment) <address@domain>"
2048-bit ELG-E key, ID 3E2FA1C7, created 2006-04-06 (main key ID B60335AE)

Enter passphrase: xxxxxxx


Generating a revocation certificate

To generate a revocation certificate, please type the following command:

[nom@serveur $] gpg --gen-revoke address@domain


and copy the output to a safe place. Using this certificate one can revoke the key pair if it is compromised or if the pass phrase is forgotten. As it is necessary to use your pass phrase to successfully run this command, it is recommended to do this soon after the keys have been generated.

GPG in Thunderbird

To use GPG directly in Thunderbird, you should install the Enigmail extension. Once this is done and after starting this email client, an openPGP menu should have been created.

Thunderbird gpgconfig1.jpg

After that, just choose the preferences menu and configure your module as shown in the following images.

Thunderbird configuration stage #2 (the image for this stage is missing...)

Here is the complete line of Keyserver(s):

pgp.mit.edu, random.sks.keyserver.penguin.de, ldap://certserver.pgp.com, subkeys.pgp.net

Thunderbird gpgconfig3.jpg
Thunderbird gpgconfig4.jpg
Thunderbird gpgconfig5.jpg
Thunderbird gpgconfig6.jpg
Thunderbird gpgconfig7.jpg

And after this Thunderbird should normally find the key that you have previously created and it should automatically decrypt any encrypted messages you receive. To do this you should import the key, and otherwise Thunderbird will ask you if you wish that it looks for the key on the key servers.

GPG in Pine

For fans of Pine under Linux there also exist a method for integrating GPG's command line in Pine. The means writing a small script to decrypt the message that was received, and then placing an incoming filter which redirects GPG messages that are received to this script.

First make sure that the command line utility "gpg" is installed on your Linux computer.

Then create a script named "~/.gnupg/gpg.checksig" which contains the following:

#!/bin/sh
/usr/bin/gpg && echo "[ PGP Signature ok - `date` ]" || echo "[ PGP Signature check FAILED - `date` ]"

and add the following line to your ".pinerc" file:

display-filters=_LEADING("-----BEGIN PGP SIGNED MESSAGE")_ ~/.gnupg/gpg.checksig,_LEADING("-----BEGIN PGP MESSAGE")_ ~/.gnupg/gpg.checksig

And now you are able to read GPG-encoded emails.

GPG in vi/vim

You can use GPG in combination with vi/vim so you can edit encryped files without having to write the decrypted file on your hard disk. To do this, use output redirection to send gpg<tt>'s output to <tt>vim, as follows

[name@server $] gpg -d myfile.gpg | vim -


The option - tells vim to read standard input instead of a file. Then edit your file, and use the following vim command to send the output to gpg, which encrypts the result:

:w !gpg -e -o myfile.gpg

gpg then asks you for the list of recipients for whom to encrypt the contents, and directly writes your file encrypted on the hard disk.

Outils personnels
Espaces de noms

Variantes
Actions
Navigation
Ressources de Calcul Québec
Outils
Partager