GnuPG Gentoo user guide

1. Introduction

What you will get in this guide 

This guide assumes that you are familiar with public-key cryptography, encryption, and digital signatures. If this is not the case take a look at the GnuPG handbook chapter 2.

This guide will teach you how to install GnuPG, how to create your keypair, how to add keys to your keyring, how to submit your public key to keyserver, and how to (sign/encrypt)/(verify/decode) messages you send/receive. You will also learn how to encrypt files in your local computer to prevent people from reading their contents.

Installation of required software 

At a very basic level you need to emerge gnupg, if you wish to have an e-mail client using gnupg you can use pine (emerge pinepgp), mutt (emerge mutt), Mozilla/Netscape Mail, evolution (evolution is a GNOME Microsoft Outlook work alike) and KDE's own KMail (KMail is part of the kdenetwork package).

Kgpg might interest you if you use KDE. This small program allows you to generate keypairs, import keys from ASCII files, sign imported keys, export keys, and a few more features (it lacks importing keys from keyservers, but you will learn how to that from the command line).

2. Generating your key and adding keys to your public keyring

Creating your key 

To create your key, just run gpg --gen-key. The first time you run it, it will create some directories; run it again to create the keys:

# gpg --gen-key
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
 (1) DSA and ElGamal (default)
 (2) DSA (sign only)
 (4) ElGamal (sign and encrypt)
 (5) RSA (sign only)
 Your selection? 1

Here you have chance to choose the type of key you want to use. Most users will go for the default DSA and ElGamal. Next is the key size, remember that bigger is better, but don't use larger than 2048 with DSA/ElGamal keys. Normally 1024 is more than enough for normal e-mail.

After size comes the expiration date. Here smaller is better, but most users can go for a key that never expires or to something like 1 or 2 years.

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
            minimum keysize is  768 bits
            default keysize is 1024 bits
  highest suggested keysize is 2048 bits
  What keysize do you want? (1024) 2048
Requested keysize is 2048 bits       
Please specify how long the key should be valid.
       0 = key does not expire
       <n>= key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
       Key is valid for? (0) 0
Key does not expire at all

Now it is time to enter some personal information about yourself. If you are going to send your public key to other people you have to use your real address here.

Is this correct (y/n)? y
                      
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Doe
Email address: john@nowhere.someplace.flick
Comment: The Real John Doe
You selected this USER-ID:
"John Doe (The Real John Doe) <john@nowhere.someplace.flick>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O 
You need a Passphrase to protect your secret key.    

Enter passphrase: 

Now enter your key password two times. It is a good idea to use a strong password. If someone ever gets hold of your private key and cracks your password, he will be able to send messages signed by "you" that everyone will think that were sent by you.

Then, GnuPG will generate your key. Moving the mouse or having a mp3 playing in the background will help speed up the process because it generates random data.

Generating a revocation certificate 

After creating your keys you should create a revocation certificate. Doing this allows you to revoke your key in case something nasty happens to your key (someone gets hold of your key/passphrase).

# gpg --list-keys
/home/humpback/.gnupg/pubring.gpg
---------------------------------
pub  1024D/75447B14 2002-12-08 John Doe (The Real John Doe) <john@nowhere.someplace.flick>
sub  2048g/96D6CDAD 2002-12-08

# gpg --output revoke.asc --gen-revoke 75447B14

sec  1024D/75447B14 2002-12-08   John Doe (The Real John Doe) <john@nowhere.someplace.flick>

Create a revocation certificate for this key? y
Please select the reason for the revocation:   
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
Someone cracked me and got my key and passphrase

Reason for revocation: Key has been compromised
Someone cracked me and got my key and passphrase
Is this okay? y

You need a passphrase to unlock the secret key for
user: "John Doe (The Real John Doe) <john@nowhere.someplace.flick>"
1024-bit DSA key, ID 75447B14, created 2002-12-08

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

The gpg --list-keys command lists keys in your public keyring. You may use it to see the ID of your key so that you can create the revoke certificate. Now it is a good idea to copy all the .gnupg directory and the revocation ASCII armor (revoke.asc) to some secure medium (two floppy's or a CD-R you store in safe location). Remember that revoke.asc can be used to revoke your keys and make them unusable in the future.

Exporting keys 

To export your key, you type gpg --armor --output john.asc --export john@nowhere.someplace.flick. You can almost always use the key ID or something that identifies the key (here we used an e-mail address). He now has a john.asc that he can send his friends, or place in his web page so that people can communicate safely with him.

Importing keys 

To add files to your public keyring, you must first import it, then check the key fingerprint. After you verify the fingerprint you should validate it.

Now we will be adding Luis Pinto's (a friend of mine) public key to our public keyring. After giving him a call and asking him for his key fingerprint, I compare the fingerprint to the output of the fpr command. As the key is authentic, i add it to the public keyring. In this particular case, Luis's key will expire in 2003-12-01 so i am asked if I want my signature to expire at the same time.

# gpg --import luis.asc
gpg: key 462405BB: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg --list-keys
/home/humpback/.gnupg/pubring.gpg
---------------------------------
pub  1024D/75447B14 2002-12-08 John Doe (The Real John Doe) <john@nowhere.someplace.flick>
sub  2048g/96D6CDAD 2002-12-08

pub  1024D/462405BB 2002-12-01 Luis Pinto <lmpinto@student.dei.uc.pt>
      uid                            Luis Pinto <lmpinto@dei.uc.pt>
sub  4096g/922175B3 2002-12-01 [expires: 2003-12-01]

# gpg --edit-key lmpinto@dei.uc.pt
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
pub  1024D/462405BB  created: 2002-12-01 expires: 2003-12-01 trust: -/-
sub  4096g/922175B3  created: 2002-12-01 expires: 2003-12-01
(1)  Luis Pinto <lmpinto@dei.uc.pt>
(2). Luis Pinto <lmpinto@student.dei.uc.pt>

Command> fpr
pub  1024D/462405BB 2002-12-01 Luis Pinto <lmpinto@dei.uc.pt>
           Fingerprint: F056 3697 ADE3 CF98 B80B  8494 0AD3 E57B 4624 05BB
           
Command> sign
Really sign all user IDs? y
                         
pub  1024D/462405BB  created: 2002-12-01 expires: 2003-12-01 trust: -/-
           Fingerprint: F056 3697 ADE3 CF98 B80B  8494 0AD3 E57B 4624 05BB

           Luis Pinto <lmpinto@dei.uc.pt>
           Luis Pinto <lmpinto@student.dei.uc.pt>

This key is due to expire on 2003-12-01.
Do you want your signature to expire at the same time? (Y/n) Y
How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

 (0) I will not answer. (default)
 (1) I have not checked at all.
 (2) I have done casual checking.
 (3) I have done very careful checking.

 Your selection? 3
Are you really sure that you want to sign this key
with your key: "John Doe (The Real John Doe) <john@nowhere.someplace.flick>"

I have checked this key very carefully.

Really sign? y
            
You need a passphrase to unlock the secret key for
user: "John Doe (The Real John Doe) <john@nowhere.someplace.flick>"
1024-bit DSA key, ID 75447B14, created 2002-12-08

Command> check
uid  Luis Pinto <lmpinto@dei.uc.pt>
sig!3       462405BB 2002-12-01   [self-signature]
sig!3       75447B14 2002-12-08   John Doe (The Real John Doe) <john@nowhe
uid  Luis Pinto <lmpinto@student.dei.uc.pt>
sig!3       462405BB 2002-12-01   [self-signature]
sig!3       75447B14 2002-12-08   John Doe (The Real John Doe) <john@nowhe

3. Exchanging keys with keyservers

Sending keys to keyservers 

Now that you have your key, it is probably a good idea to send it to the world keyserver. There are a lot of keyservers in the world and most of them exchange keys between them. Here we are going to send Luis's key to the pgp.mit.edu server. This uses HTTP, so if you need to use a proxy for HTTP traffic don't forget to set it (export http_proxy=http://proxy_host:port/). The command for sending the key is: gpg --keyserver pgp.mit.edu --keyserver-options honor-http-proxy --send-key john@nowhere.someplace.flick . If you don't need a HTTP proxy you can remove the --keyserver-options honor-http-proxy.

You can also send other people's keys that you have signed to the keyserver. We could send Luis Pinto's key to the keyserver. In this way someone that trusts your key can use the signature that you have placed there to trust Luis's key.

Getting Keys from keyservers 

Now we are going to search for Gustavo Felisberto's key and add it to the keyring of John Doe (just in case you did not notice Gustavo Felisberto is the person writing this guide :) ).

# gpg --keyserver pgp.mit.edu --keyserver-options honor-http-proxy --search-keys humpback@felisberto.net
gpg: searching for "humpback@felisberto.net" from HKP server pgp.mit.edu
Keys 1-5 of 5 for "humpback@felisberto.net"
(1)	Gustavo Felisberto (apt-get install anarchy) <humpback@felisberto.net> 1024
        created 2002-12-06, key B9F2D52A
(2)	Gustavo Felisberto <humpback@altavista.net> 1024
        created 1999-08-03, key E97E0B46
(3)	Gustavo A.S.R. Felisberto <humpback@altavista.net> 1024
        created 1998-12-10, key B59AB043
(4)	Gustavo Adolfo Silva Ribeiro Felisberto <humpback@altavista.net> 1024
        created 1998-08-26, key 39EB133D
(5)	Gustavo Adolfo Silva Ribeiro Felisberto <humpback@altavista.net> 1024
        created 1998-06-14, key AE02AF87
        Enter number(s), N)ext, or Q)uit >1
gpg: requesting key B9F2D52A from HKP keyserver pgp.mit.edu
gpg: key B9F2D52A: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

As you can see from the server response I have a few keys submited to the key server, but i currently only use B9F2D52A. Now John Doe could get it and sign it if he trusts it.

4. Working with documents

Encrypting and signing 

Let's say that you have a file that you wish to send Luis now. You can encrypt it, sign it, or encrypt it and sign it. Encypting means that only Luis will be able to open it. The signature tells Luis that it was really you who created the file.

The next three comands will do just that, encrypt, sign and encrypt/sign.

# gpg --output doc.gpg --encrypt --recipient lmpinto@dei.uc.pt doc_to_encrypt
# gpg --output doc.gpg --sign --recipient lmpinto@dei.uc.pt doc_to_sign
# gpg --output doc.gpg --encrypt --sign --recipient lmpinto@dei.uc.pt doc_to_encrypt_and_sign

This will create binary files. If you wish to create ascii files, just add a --clearsign to the begining of the command.

Decrypting and verifying signatures 

Suppose that you have received a file which is encrypted to you. The command to decrypt it is gpg --output document --decrypt encrypted_doc.gpg. This will decrypt the document and verify the signature (if there is one).

5. GnuPG interfaces

kgpg 

kgpg is a nice GUI for GNUPG. In the main screen you can paste the text that you wish to sign or encrypt, and you can also paste the ASCII armored text that you wich to decrypt.

Figure 5.1

In this image you can see the kgpg main window with ASCII armored and encrypted text pasted into it. From here you can decrypt it (you will have to provide your password), encrypt other files, past new text to sign....

Figure 5.2

Now you can see the keymanaging window. From here we see our good key for John Doe. The two trusted keys for Gustavo and Luis, and the untrusted key for Daniel Robbins ( I still have not given him a call to check his fingerprint :) ).

Figure 5.3

Figure 5.4

Mozilla Enigmail 

Mozilla's version from 1.0 or above comes with Enigmail, a plugin for the mail client that is pretty simple to configure. You just go to Preferences -> Privacy & Security -> Enigmail. There you enter your key e-mail and thats it.

Mails that come with an untrusted pgp or gpg signature will be marked with a broken pen. Others that have good signatures will appear with a nice straight pen. Enigmail even comes with the ability to get keys from keyservers, but if it has problems it will print some very weird messages (but you still remember how to use the command line, right?).

KMail 

Kmail is also pretty easy to setup. I will just post a few pictures on how to set it up. Basically you have to tell KMail to use GPG and then which key to sign with.

6. Final thoughts, Credits and Copyrights

Some problems 

I had some problems with photos in keys. Check the version you are using. If you have GnuPG 1.2.1-r1 and up you are probably ok, older versions may have problems. Also most keyservers dont like keys with photos.

What is not here 

Gpg is a very complex tool, it lets you do much more than what I have covered here. This document is for the user that is new to GnuPG. For more information, you should check the GnuPG Website.

I don't talk of other tools like pgp4pine, gpgpine, evolution and maybe Windows tools, I will probably extend this document in the future.

Credits 

John Michael Ashley's GnuPG Handbook is simply wonderful. It is a very good book for beginners.

Everyone in the #gentoo-doc team you guys rock.

Tiago Serra for getting me back to the privacy track.

Copyright 

Copyright by Gustavo Felisberto. Gentoo Technologies Inc. is allowed to publish this document as it sees fit.

  The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.