Gpg

From LQWiki

GPG (GNU Privacy Guard) is a patent-free, GPL-licensed version of Pretty Good Privacy (PGP) used to encrypt and decrypt data. This program uses public key encryption technology to create a key pair, consisting of a secret key and a public key.

Overview

Using Gpg you can encrypt and decrypt data, and digitally sign data and verify such signatures.

For both you will need to create a private/public key pair using the command

gpg --gen-key

You must keep your private key from being lost or disclosed. You can distribute your public key freely, and you can let others sign it to attest that it really belongs to you, which forms a web of trust.

Digital Signatures

The concept of Digital Signatures was devised to verify the authenticity of a message. As the name suggests, the message is digitally signed by the sender. A digital signature is computed from the secret key and the text. Using the sender's public key, the message can be verified. Just as a message encrypted with a public key can only be decrypted by the corresponding secret key, a message that verifies with your public key can only have been signed with your secret key. With the verification, the recipient (or the world) knows that the message came from the sender (or at least from someone with access to the sender's private key) and has not been changed in transit. The signature can either be packaged with the original file or sent separately (detached).

To create an ASCII detached signature for a file with your default key:

gpg -ab filename

To sign a binary file and attach a signature (encoded message/signature):

gpg -s filename

To sign an email (cleartext message with ASCII GPG signature attached):

gpg --clearsign filename

To verify the signature, enter the name of the detached signature file or the signed file:

gpg --verify filename

Encryption

gpg -e report.txt

Encrypts the specified file. You will be prompted for a destination user ID.

gpg --decrypt report.txt.gpg

Decrypts the specified file. You will be prompted for the passphrase.
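The signing, verification, encryption and decryption commands from the two sections above, run end to end in a throwaway keyring; this is an added example, not part of the LQWiki page. The user ID, the e-mail address and the file contents are constructed, the recipient is passed with -r instead of the interactive prompt, and GnuPG 2.1 or later is assumed for --quick-gen-key.

```shell
#!/bin/sh
# Added example, not from the page: run the page's sign/verify and encrypt/
# decrypt commands in a throwaway GNUPGHOME so no real keyring is touched.
set -eu

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

DEMO_UID='Demo User <demo@example.invalid>'   # constructed identity

# Unattended key generation (GnuPG 2.1+). The empty passphrase is only
# acceptable because this key lives in a temporary directory.
make_demo_key() {
    gpg --batch --quiet --list-keys demo@example.invalid >/dev/null 2>&1 && return 0
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_UID" default default never
}

# "gpg -ab file" writes file.asc; "gpg --verify" checks it against the data.
# Exit status 0 means the signature is good.
sign_and_verify() {
    printf 'quarterly report\n' > "$GNUPGHOME/report.txt"
    gpg --batch --quiet --yes -ab "$GNUPGHOME/report.txt"
    gpg --batch --quiet --verify "$GNUPGHOME/report.txt.asc" \
        "$GNUPGHOME/report.txt" 2>/dev/null
}

# Change one byte of the signed data; the signature must now be rejected.
# Exit status 0 means gpg correctly refused the tampered file.
verify_tampered() {
    printf 'quarterly report!\n' > "$GNUPGHOME/report.txt"
    ! gpg --batch --quiet --verify "$GNUPGHOME/report.txt.asc" \
        "$GNUPGHOME/report.txt" 2>/dev/null
}

# "gpg -e" with the recipient on the command line, then "--decrypt";
# prints the recovered plaintext on stdout.
encrypt_roundtrip() {
    printf 'secret memo\n' > "$GNUPGHOME/memo.txt"
    gpg --batch --quiet --yes --trust-model always \
        -r demo@example.invalid -e "$GNUPGHOME/memo.txt"
    gpg --batch --quiet --decrypt "$GNUPGHOME/memo.txt.gpg" 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
    make_demo_key && sign_and_verify && verify_tampered && encrypt_roundtrip
fi
```

The tampered-file step is the point of a detached signature: the .asc file still exists, but gpg reports a bad signature as soon as the data no longer matches it.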

Web of trust

A web of trust is a group of people who trust each other. To show their trust, they have signed each other's keys. The web of trust is extended at key signing parties, which go like this:

  • you (me@home.org) meet John Foo (foo@bar.org), who is already a member of the web of trust
  • you install gpg, which normally configures a default key server. If no default key server is configured, add the option --keyserver pgp.mit.edu to the commands below
  • you have a private/public key pair or generate it with
gpg --gen-key

You keep your private key and are free to distribute your public key.

  • you find out your key's ID
gpg --list-keys
/home/me/.gnupg/pubring.gpg
----------------------------------
pub   1024D/45E377BB 2008-02-03
[...]
  • you upload your public key to your key server
gpg --send-keys 45E377BB
  • John downloads your key from the key server
gpg --search-keys me@home
  • John checks your passport to confirm your identity and signs your key
gpg --sign-key 45E377BB
  • John uploads your key again
gpg --send-keys 45E377BB
  • You are now part of the web of trust and your public key is on the key server.

How to...

Find out your secret key

gpg --list-secret-keys

Import a key

If you set up your computer again, you need to import your private key from a backup like this:

gpg --import secring.gpg

Note that GnuPG 2.1 and later no longer store secret keys in secring.gpg; there, back up with gpg --export-secret-keys and import the resulting file in the same way.

Then you have to set it as your default key and trust it ultimately, for example using kgpg.

Cryptographically encrypt mails

In order to get KMail 1.6 to encrypt emails, you need to have GnuPG installed. With everything properly installed, go to the "Settings" menu and select "Configure KMail". Select "Security" and go to the "OpenPGP" tab. Select "GnuPG - Gnu Privacy Guard" from the "Encryption Tool" list, along with any options you would like enabled. Now go to "Identities" and "Modify" the identity you'd like to enable encryption for. Go to the "Advanced" tab and select the OpenPGP key corresponding to your key. Encryption should now work.

There is a howto available at the official KMail website.

External links