GnuPG (or GPG, for GNU Privacy Guard) is a suite of cryptographic software that conforms to the OpenPGP standard and distributed under the terms of the GNU GPL. Hence it can be freely used and obtained. Just like SSH, it works using a pair of keys, one private and one public.
What are GPG keys used for
Using GPG keys you can do the following things:
- sign a message or file to confirm that it really comes from you and has not been modified by somebody else;
- encrypt a message or file so that it can only be read by the intended recipient.
Under Linux, GPG is probably already installed or can easily be installed using a package manager. You can also visit the site http://www.gnupg.org/, download the sources and install it yourself, with a bit more effort.
Creating a pair of GPG keys
[name@server $] gpg --list-keys
initializes GPG the first time you use it. After that, it will show you the existing keys.
After this you must create a key pair (one public and one private). You should run the command hereunder giving the following information:
- key type
- choose 1 which will generate all keys you need;
- the length of ELG-E keys
- use the default value;
- key duration
- choose the option "the key does not expire" (you risk exasperating your correspondents if you change the key too often);
- real name
- first and last names;
- a character string identifying your key, to distinguish it from other if you have multiple keys;
- pass phrase
- password used to keep your key private
[name@server $] gpg --gen-key gpg (GnuPG) 220.127.116.11; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <firstname.lastname@example.org>" Real name: Firstname Lastname Email address: address@domain Comment: comment You selected this USER-ID: "Firstname Lastname (comment) <address@domain>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. Enter passphrase: xxxxxxx Repeat passphrase: xxxxxxx We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key B8F271C6 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/B8F271C6 2006-04-06 Key fingerprint = 72A9 E308 5F2E 3BA5 CB53 A7BF F92C 0859 B8F2 71C6 uid Firstname Lastname (comment) <address@domain> sub 2048g/3E2FA1C7 2006-04-06
Having created the GPG key, you can now use it. Hereafter, please define an environment variable that contains the key ID that was given on the line starting with "pub" above:
[name@server $] export KEYID=B8F271C6
Exporting your public key
To use a GPG key pair, you should know the public key. One way of doing this is to export it in ASCII format:
[name@server $] gpg --export -a $KEYID > gpg-pub.asc
You can then put it on your web page or send it via email, for example.
Sending your public key to a PGP key server
You can also export your public key to a key server such as [pgp.mit.edu]. You would just need to go to the web page and paste the contents of the file gpg-pub.asc into the "submit" box, or you could run the following command:
[name@server $] gpg --keyserver pgp.mit.edu --send-keys $KEYID
Importing a public key
To retrieve public keys belonging to other people, you can do a search on the same key server:
[name@server $] gpg --keyserver pgp.mit.edu --search-key name_to_search
By choosing a number from the list that is displayed, the corresponding key is imported into the user's key chain.
Deleting a key from the key chain
To delete a key you should first find the key number within the chain:
[name@server $] gpg --gen-key /home/user/.gnupg/pubring.gpg ------------------------------- pub 1024D/6FC6E67E 2013-06-17 uid Firstname Lastname (comment) <address@domain> sub 2048g/F8A81AE4 2013-06-17 pub 1024D/135EA668 2001-03-05 uid Richard Stallman (Chief GNUisance) <email@example.com> sub 1024g/B1B10ED6 2001-03-05
To delete Richard Stallman's public key from the key chain, you must type the following:
[name@server $] gpg --delete-key 135EA668
Signing a message or document
As mentioned before, the signature is used to identify the person who sends the message or has created a file. There are two types of signature: binary and ascii. We only describe ascii signatures here, which are used most often. To sign a message or document, you use:
[name@server $] gpg --default-key $KEYID --clearsign message.txt
You should then enter your pass phrase to be able to use the private key. This command creates the file "message.txt.asc" which contains "message.txt" together with the signature. If you would instead want the signature in a seperate file, please use the following command:
[name@server $] gpg --default-key $KEYID --armor --detach-sign message.txt
This creates a "message.txt.asc" file which only contains the signature.
Verifying a signed message
To verify a signed message, you should of course have the signer's public key (see above how to retrieve a key). If the message and the signature come in different files, you do:
[name@server $] gpg --verify message.txt.asc message.txt gpg: Signature made Fri 18 Oct 2002 02:45:58 PM CEST using DSA key ID B60335AE gpg: Good signature from "Firstname Lastname (comment) <address@domain>"
If the message and signature come in the same file:
[name@server $] gpg --verify message.txt.asc gpg: Signature made Fri 18 Oct 2002 02:45:58 PM CEST using DSA key ID B60335AE gpg: Good signature from "Firstname Lastname (comment) <address@domain>"
Of course if the signature is not good, GPG's message will be different.
Encrypting a message or document
Here too there exist two types of encryption: binary and ascii. Here we also stay with the ASCII format because it is most widely used and it can be used directly inside email clients.
[name@server $] gpg --recipient recipient --armor --encrypt message.txt
This will also create a file named "message.txt.asc". The option "--recipient" specifies the name of the person to whom we want to send the message so that it can be encrypted using his or her public key and it can then be decrypted using his or her private key.
Decrypting a message or a document
Here is a simple command for decrypting a message:
[name@server $] gpg --decrypt message.txt.asc You need a passphrase to unlock the secret key for user: "Firstname Lastname (comment) <address@domain>" 2048-bit ELG-E key, ID 3E2FA1C7, created 2006-04-06 (main key ID B60335AE) Enter passphrase: xxxxxxx
Generating a revocation certificate
To generate a revocation certificate, please type the following command:
[nom@serveur $] gpg --gen-revoke address@domain
and copy the output to a safe place. Using this certificate one can revoke the key pair if it is compromised or if the pass phrase is forgotten. As it is necessary to use your pass phrase to successfully run this command, it is recommended to do this soon after the keys have been generated.
GPG in Thunderbird
To use GPG directly in Thunderbird, you should install the Enigmail extension. Once this is done and after starting this email client, an openPGP menu should have been created.
After that, just choose the preferences menu and configure your module as shown in the following images.
Thunderbird configuration stage #2 (the image for this stage is missing...)
Here is the complete line of Keyserver(s):
pgp.mit.edu, random.sks.keyserver.penguin.de, ldap://certserver.pgp.com, subkeys.pgp.net
And after this Thunderbird should normally find the key that you have previously created and it should automatically decrypt any encrypted messages you receive. To do this you should import the key, and otherwise Thunderbird will ask you if you wish that it looks for the key on the key servers.
GPG in Pine
For fans of Pine under Linux there also exist a method for integrating GPG's command line in Pine. The means writing a small script to decrypt the message that was received, and then placing an incoming filter which redirects GPG messages that are received to this script.
First make sure that the command line utility "gpg" is installed on your Linux computer.
Then create a script named "~/.gnupg/gpg.checksig" which contains the following:
#!/bin/sh /usr/bin/gpg && echo "[ PGP Signature ok - `date` ]" || echo "[ PGP Signature check FAILED - `date` ]"
and add the following line to your ".pinerc" file:
display-filters=_LEADING("-----BEGIN PGP SIGNED MESSAGE")_ ~/.gnupg/gpg.checksig,_LEADING("-----BEGIN PGP MESSAGE")_ ~/.gnupg/gpg.checksig
And now you are able to read GPG-encoded emails.
GPG in vi/vim
You can use GPG in combination with vi/vim so you can edit encryped files without having to write the decrypted file on your hard disk. To do this, use output redirection to send gpg<tt>'s output to <tt>vim, as follows
[name@server $] gpg -d myfile.gpg | vim -
The option - tells vim to read standard input instead of a file. Then edit your file, and use the following vim command to send the output to gpg, which encrypts the result:
:w !gpg -e -o myfile.gpg
gpg then asks you for the list of recipients for whom to encrypt the contents, and directly writes your file encrypted on the hard disk.