GPG

From Peyton Hall Documentation

GPG (GNU Privacy Guard) is an encryption program which makes use of public-key cryptography. It is commonly used for encrypting email between parties, but can also be used for plain files, as well as for digitally signing things to ensure the sender's identity. It is highly secure, and based originally on PGP (Pretty Good Privacy) by Phil Zimmermann. It is installed by default on the Linux machines in the building, and you can install it yourself on just about anything (see below).


Initial setup

To start using GPG, you must generate a key pair. This is done with the command 'gpg --gen-key'.

  1. If you've never used GPG before, you'll see a couple of messages about creating keyrings.
    These are the public and private keyrings where your keys, and keys of people you've imported into the program, are stored.
  2. You will then be asked what kind of key to generate.
    As of this writing, "DSA and Elgamal" is the default, which is fine.
  3. Next, you will be asked how many bits should be in the key, from 1024 to 4096, with 2048 as the default (which is also fine).
  4. Select an expiration date for the key pair.
    This is a handy way to make sure that a key is not used beyond its useful life. By setting the expiration date in the key, you can make sure that someone who has an old key of yours knows it has expired, without you having to issue (and them having to receive) a revocation certificate for it. You can choose any length of time, including never expire.
  5. Confirm the expiration of the key.
  6. Enter your real name, email address, and a comment for the key.
    This will construct the key's identity. After entering the items, you'll be asked if you wish to change any part, or if the result is okay.
  7. Enter a passphrase.
  8. You may be asked to do some things to generate "entropy" on the system. This is so the pseudo-random number generator has a good pool of random bytes to use for creating a key. Doing things such as moving the mouse around, typing in another window, or reading from the disks will help the system generate random numbers during this process.

Now you'll see output such as this:

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2007-06-05
pub   1024D/71148581 2007-05-22 [expires: 2007-06-05]
      Key fingerprint = 92B7 4FB3 E80F C7DA E180  AD33 7964 9BD9 7114 8581
uid                  Foo Barr (FuBah) <nobody@astro.princeton.edu>
sub   2048g/450A56ED 2007-05-22 [expires: 2007-06-05]

Your key pair has been generated. You can now send the public key on to others, or send it up to a key server, so that people can correspond with you.


Key management

Exporting your public key

If you wish to send your public key to someone, you must export it from the keyring. You can do this with the command 'gpg --armor --export <email address>'. The output will look something like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (GNU/Linux)

...
-----END PGP PUBLIC KEY BLOCK-----

You can cut everything (including the "BEGIN" and "END" lines) from the terminal and paste it into an email to send to someone, or print it out. If you are going to a key signing party, the key's ID and fingerprint are usually sufficient, as they are shorter to print (and verify) on paper. Using 'gpg --fingerprint <email address>' will output the friendlier:

pub   1024D/71148581 2007-05-22 [expires: 2007-06-05]
      Key fingerprint = 92B7 4FB3 E80F C7DA E180  AD33 7964 9BD9 7114 8581
uid                  Foo Barr (FuBah) <nobody@astro.princeton.edu>
sub   2048g/450A56ED 2007-05-22 [expires: 2007-06-05]


Sending your key to a key server

Another good way to disseminate your key is to send it to a key server. Key servers are repositories where public keys are held and can be easily found. This is useful if you subscribe to a mailing list where many people sign their emails; you can query the key server for the signing key without having to ask the sender of the email directly (though you shouldn't sign their key until you've verified the identity of the person). To send your key to a key server, use the command 'gpg --send-keys <key ID>'. The key ID is the hexadecimal string next to the public key type, seen in the fingerprint output above; for our example key, the ID is 0x71148581.


Importing a public key

If someone sends you their public key, you can import it into your keyring with 'gpg --import'. You can either write the public key to a file and specify the file on the command line, or you could enter the command just as above and paste the key into the terminal window (gpg will read the key from stdin).


Getting a key from a key server

Just like sending a key, you can retrieve keys from a key server as well. If you know the key's ID, then 'gpg --recv-keys <key ID>' will work fine. If you don't know the key ID, you can use 'gpg --search-keys <names>' to search for it. <names> could be the email address, or full name (or some part of it) of the person whose key you're trying to find. You'll be presented with a list of keys corresponding to the search criteria you entered, and selecting one (or more) of the keys will download those keys from the server and import them to your keyring.
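
As an added example (not part of the original documentation): a key fetched by ID or by search should be checked against the full fingerprint its owner gave you before you sign or rely on it, because the 8-digit key ID is only the tail of that fingerprint. The helper name verify_listing and its status strings are assumptions, and it parses the GnuPG 1.4 listing format shown on this page.

```shell
#!/bin/sh
# Added example: check a key listing against a fingerprint obtained out of band.
# SAMPLE_LISTING is the 'gpg --fingerprint' output shown on this page.
SAMPLE_LISTING='pub   1024D/71148581 2007-05-22 [expires: 2007-06-05]
      Key fingerprint = 92B7 4FB3 E80F C7DA E180  AD33 7964 9BD9 7114 8581
uid                  Foo Barr (FuBah) <nobody@astro.princeton.edu>
sub   2048g/450A56ED 2007-05-22 [expires: 2007-06-05]'

# verify_listing EXPECTED_FPR TODAY   (hypothetical helper; listing on stdin)
# Prints "OK <key ID>" and returns 0 only if the listing holds exactly one
# key whose full fingerprint equals EXPECTED_FPR and which has not expired.
verify_listing() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" -v today="$2" '
        /^pub / {
            npub++
            split($2, part, "/"); keyid = toupper(part[2])
            expires = ""
            if (match($0, /\[expires: [0-9-]+\]/))
                expires = substr($0, RSTART + 10, 10)   # YYYY-MM-DD
        }
        /Key fingerprint =/ {
            sub(/^.*Key fingerprint = */, ""); gsub(/ /, "")
            fpr = toupper($0)
        }
        END {
            # Demand a full 40-hex-digit fingerprint, never a short key ID.
            if (length(want) != 40 || want ~ /[^0-9A-F]/) { print "BAD-EXPECTED"; exit 1 }
            if (npub != 1 || fpr == "") { print "NEED-ONE-KEY"; exit 1 }
            if (fpr != want) { print "MISMATCH " fpr; exit 1 }
            # The 8-digit key ID is only the tail of the fingerprint.
            if (substr(fpr, 33) != keyid) { print "KEYID-INCONSISTENT"; exit 1 }
            # ISO dates compare correctly as strings.
            if (expires != "" && expires < today) { print "EXPIRED " expires; exit 1 }
            print "OK " keyid
        }'
}

# Fingerprint as read from the owner's printout; date chosen inside the validity window.
printf '%s\n' "$SAMPLE_LISTING" |
    verify_listing "92B7 4FB3 E80F C7DA E180 AD33 7964 9BD9 7114 8581" 2007-06-01
```

Newer GnuPG releases lay out this listing differently; for scripts, the machine-readable output of '--with-colons' is the stable format to parse.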


Using GPG

Encrypting and signing

To encrypt something with GPG, use the '-e' option. You may also wish to add '--sign' to sign the encrypted message at the same time. If you wish to encrypt and sign a message for emailing, you probably want the options '--armor -e -s' so that the output is plain ASCII which can be emailed. Likewise, if you just want to sign a message for emailing, use the '--clearsign' option. This leaves the message viewable by anyone, and one only needs to use GPG (or some other OpenPGP compatible program) to verify the signature.


Decrypting and verifying

To decrypt something, use the option '-d'. If the data is also signed, the signature will be verified automatically.


Detaching signatures

Sometimes it's useful to sign something, but not alter the original file in any way (for example, binary files which you offer for download on a web site). If you alter the file in the signing process, then only people who have a way to verify the signature would be able to read the file. By performing a detached signature (with the option '--detach-sign'), you can sign a file and yet not alter it in any way.


Symmetric cyphers

You can use the option '--symmetric' if you wish to encrypt the data with a symmetric cypher. This will allow you to use a passphrase to encrypt the data, instead of only using a key. If you agree on a passphrase with a third party beforehand, you can then use GPG to encrypt messages and data to that person without them needing to generate a key pair. You can also combine the --symmetric option with --sign or --encrypt, so a message can be encrypted to both public key recipients as well as with a symmetric cypher.


More information

For more information on GPG, see the GPG home page. You can find information on GPG for Mac OS at http://macgpg.sourceforge.net.

A good program for graphically accessing your GPG keyrings, as well as signing/encrypting/decrypting, is 'kgpg'. Also, there's an extension for Thunderbird called Enigmail which easily integrates GPG with your mail.