Mar 21, 2002
With increasingly important communications taking place using e-mail, the ability to verify the authenticity, and also
protect the contents, of such correspondence has become something that everyone should know. However, the tools created
to provide PGP security are generally cryptic and difficult to work with.
This how-to hopes to remove some of these barriers for those interested in using the open source Gnu Privacy Guard tool
(“GPG” or “GnuPG” for short), which is a popular PGP-compatible encryption software package. Most likely you already have GPG available on your Linux system, so we can get started immediately without
detailing any setup instructions first.
Before we begin, you should understand several terms that will be used throughout this document:
- Encrypt - Make a message unreadable except by those who have the “keys” to decrypt it.
- Public Key - This key is made publically available, and allows people to encrypt and verify
messages sent from you.
- Private Key - This key is critical to keep private, it is the key that GPG or PGP uses to
decrypt and “sign” documents.
- Key ring - The grouping of public and private keys you have at your disposal.
You should also keep in mind that in most cases
commands, denoted by their monospaced font, should
be followed by pressing the enter or return key on your keyboard.
Getting Started
- The first step to get started with GPG is to generate a new key.
To begin, launch your favorite terminal emulator (such as Konsole), and type
gpg —gen-key. The first time you do this, you will receive this message:
gpg (GnuPG) 1.0.6; Copyright © 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /home/tbutler/.gnupg: directory created
gpg: /home/tbutler/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
- After GPG finishes, simply type gpg —gen-key again to start the key generation
process. This time, GPG will present you with a choice of key-types:
gpg: /home/tbutler/.gnupg/secring.gpg: keyring created
gpg: /home/tbutler/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection?
Unless you have a reason to choose otherwise, go with the default option
(1) of DSA and ElGamal.
- Next you will receive another question asking what keysize you would like.
The higher the size, the “stronger” the key is, however you will
probably want to stick within the suggested range of 768-2048 bits. Most users
probably should once again follow the default suggestion of 1024.
- After choosing a keysize, you need to pick how long your key will be valid. Most likely,
you will want to choose the default option (0), which will make your key indefinitely valid.
This is good, unless you do not care about others signing your key (more on that later), since you will not
want to ask them repeatedly to sign new keys for you. After you select your expiration date (or lack there of),
GPG will ask you to confirm your selection by answering “y” to the next question.
- The next few steps will construct your “User-ID.” The first two prompts are very self-explanatory - just enter
your real name and e-mail address. The third question is a bit more confusing however, this question prompts you for
a comment. I generally recommend you ignore this field (by just pressing the enter key), but if you are so inclined,
you may wish to enter something like “Tim's Work GPG Key” in this field. Finally, in the next question you can
enter the first letter of a particular field if you wish to correct it; otherwise enter “O” to confirm your settings.
- Next, you will be prompted for a passphrase. Ideally, a passphrase should be at least eight characters in length,
with numbers and both lower and uppercase letters (like a really long password). For additional
security, you may find it helpful to enter an entire sentence like “This is my 100% Secure Passphrase.” The longer the phrase
the more secure your key will be. However, keep in mind, you will need to remember this passphrase to use the key, so
do not use anything you will not be able to remember.
- On the final step which starts working immediately after you enter your passphrase twice, GPG will start generating the key.
To give the “random number generator” a good chance of achieving a very random key, it is recommend that you quickly do some other
activity during this stage. You may want to move your mouse, type some gibberish onto the screen, or perhaps even read a floppy disk.
Congratulations! At this point you now have a basic key ready to go. However there are several more steps you should follow, which
I will highlight below.
Creating a Revoke Certificate
In a moment, we will want to upload your new key to the
MIT PGP/GPG key server so that others can easily download your
public key. However, first we should create a
revoke certificate. What this does is to insure that if you ever forget
your passphrase (or your key is compromised), you can send this certificate to the administrators of the
PGP key server so
that they will know your key should be revoked.
- The first step to creating a revoke certificate is to type gpg —output tim_revoke.asc —gen-revoke tim, where “tim” should be
the part of your name that GPG can use to detect which key you plan to generate the certificate for. GPG will then confirm you wish to create the
revoke certificate, and then prompt you to explain why you wish to revoke the key. Since you are creating this ahead of time,
just choose option 1 (“key has been compromised”).
- Next you can enter an optional description, which I recommend you leave blank by simply pressing the enter key.
After you press enter, you will be prompted to confirm your selection, enter “y.”
- Finally, you should enter your passphrase so that GPG knows that you have authorization to do this.
Once you have created the certificate, you may want to print out a hard copy (it is a block of text) or save it on to a CD
and put it same place
very safe. You may also want to remove the copy of the certificate from your hard drive if there
is any chance someone else might be using your computer.
Making Your Key Count
Now that you have your key generated, and your revoke certificate saved in a safe place (you do, don't you?), you should
follow two additional steps to make your key verifiable. The first step we should take is to upload your key to the MIT
PGP/GPG key server. This step will make your public key available to anyone who wants it, thus allowing people to conveniently
get what they need to decrypt your messages and to verify your signature identity. To do this, you will want to run the GPG
command line program again, by typing gpg —keyserver pgp.mit.edu —send-keys. If all goes well, you should receive
a message that says gpg: success sending to `pgp.mit.edu' (status=200).
Now, having your key available on a server is a good start, but obviously you did not have to prove your identity to upload
the key. As far as anyone can tell, while you can now prove that you are the same person that uploaded the key, you still may
not be the person you claim to be. This is where key signing comes in very handy.
The idea of signing your key is to create a “web of trust,” where if John trusts Jim's identity, and Jim trusts Nancy's identity,
then John knows he can trust the identity of Nancy too. Most often, signing is reciprocal, so John and Jim probably signed each other's
keys, and Jim and Nancy did the same. After updating their entries in the key server, anyone can see that Jim's key has been
signed by both John and Nancy - and thus, those who already know John or Nancy have good reason to believe Jim is not someone
simply posing as Jim. The effect goes further too, the more people that sign a key, the more apparent it becomes that the
key holder is not simply a fly-by-night identity stealer.
Now that you know why you want someone to sign your key, you just need to figure out who to ask.
- Once you do, you should
probably find out their key's hexadecimal ID by visiting pgp.mit.edu, and entering this person's
e-mail address into the form. That should bring up a list of their keys, from which you should select the most current one by clicking the
hyperlink for it. On the next page, the one that houses their public key, you will see a hexadecimal number
(something like 0x0FF00FF0), which you should jot down - we will need this again in just a moment.
- Next, we need to go back
to your shell window, and type something like gpg —keyserver pgp.mit.edu —recv-keys 0x0FF00FF0, which will download the key
with that hexadecimal ID into your GPG keyring. This has another benefit that we will touch on in a moment, but for now this
will allow you to sign that person's key. This is something that is a good idea to do when you plan on asking someone to sign your
key).
- After the download is complete, we now want to “edit” this person's key to add your signature (do not worry, none of your
changes will take effect unless the key holder wants them to). At this point we need to run GPG again, this time by
typing gpg —edit-key tim, where “tim” is enough of the name of the person whose key you wish to sign to uniquely
identify them (if you had multiple Tim's in your key ring, you might type “tim b” or “tim butler” rather than just “tim”).
- The last step will bring GPG into editing mode. Once you get to a prompt that says Command>, type
sign. You should then see a message that looks like this:
pub 1024D/CF602748 created: 2002-01-04 expires: never trust: -/q
Fingerprint: 031D 8E82 71E1 C720 4CFE 8FEF 2B7E C29E CF60 2748
John Q. Public
Are you really sure that you want to sign this key
with your key: “Timothy R. Butler “
Really sign?
You should confirm this question by answering with “y” again, and then entering your passphrase. Finally after this,
you should end your GPG session by typing quit. At this point you will need to confirm your changes one more
time, once again by entering “y.”
- Now that you have signed this person's key, you will need to export the updated key. You can do this by typing
gpg —output john_timsig.asc —export john where “john” should be part of the name of whomever this key
belongs to and tim most likely should be your name (i.e. to denote this is John's key signed by Tim).
- Next you should look up your key at pgp.mit.edu, much like you did a few moments
ago for the person who's key we just signed. Again, like before, write down the hexadecimal id for this key.
- Finally you will need to e-mail the person that you want to sign your key. In the message you will most likely
want to attach the copy of their key that you just signed, and also include the hexadecimal ID for your key so that they
can easily retrieve your key.
At this point there is not anything more you can do until you get a copy of your key back signed by the person you just got
done e-mailing. However once you do hear back from them, you will need to need to follow a few more simple steps to update
to your newly signed key.
- Now you will want to import the key you just received back into GPG by typing
gpg —import tim_johnsig.asc, where
tim_johnsig.asc is the name of the key that you want to import.
- As a final step to make your newly signed key “officially” available, we need to update your entry in the MIT
PGP/GPG key server by typing gpg —keyserver pgp.mit.edu —send-keys tbutler@uninetsolutions.com, where again
you should substitute the e-mail address for the e-mail address you registered with your key.
Using your key with KMail
While there are many excellent e-mail clients available for Linux, we have chosen to explain how to use KMail with GPG in this
tutorial since it is very good for both new and experienced users. If you are currently looking for an e-mail client,
we recommend that you consider this client.
The first thing we will want to do is insure that KMail's GPG support is turned on. To do this go ahead and launch
KMail, then click on the Settings menu, and finally Configure KMail. Once the Configure dialog has appeared,
click on the Security option, and then the PGP tab. Now, click the GPG - Gnu Privacy Guard
option from the list of versions of PGP/GPG software. Finally, to save your changes click on the OK button.
Now that KMail is properly configured to use your newly setup GPG keyring, you can access GPG functionality through
KMail's new message composer window. On the toolbar in that Window, there are two buttons that we will want to look at.
The first one, which looks like a pen writing “K,” is the icon you will want to click to sign a message.
A signed message is still a normal message in that anyone can read it, however, it contains the unique signature of
your GPG key. This will cause properly configured e-mail clients to acknowledge the authenticity of the message, if
the recipient has your public key.
The second icon on the tool bar that relates to GPG is a pad lock. Click the pad lock icon will cause your e-mail message
to be encrypted. The advantage of encrypted messages over messages that are just signed is that the data in the message
is unreadable to anyone except someone with the recipient's private key and your public key. The downside to encryption is
that you must import the recipient's public key to your key ring (much like we did prior to signing a key in the previous
section) before you will be able to send them an encrypted message.
Whether you choose to sign or encrypt a message to a recipient, if it has been more then a short amount of time since
the last time you used GPG, KMail will prompt you to enter your passphrase when you send the message. After you have
successfully done
such, you will be presented with the final message, which will be quite unreadable at this point if you chose to encrypt
your message. If you are satisfied with the result, just click the OK button, and your message will be sent
or placed in your outbox just like normal.
While this how-to only scratches the surface of GPG encryption, hopefully you will now have the basic information you need
to effectively use this powerful technology. If you would like more information on Gnu Privacy Guard, you may want to take
a look at the Documentation section of GnuPG.org, located at
http://www.gnupg.org/docs.html .
Timothy R. Butler is Editor-in-Chief of Open for Business. You can reach him at
tbutler@uninetsolutions. com. Tim would like
to thank OfB's associate editor, Steven Hatfield, for his assistance on this article.