Gnupg

GNU Privacy Guard (https://www.gnupg.org/) is an implementation of OpenPGP. It can be used to:

  1. sign files to make sure they come from a trusted source

  2. encrypt/decrypt files to exchange information between users

The program gpg is used for this, see man gpg. It comes with the package gnupg.

Keys

The keys need to be identified; the documentation about this is a bit confusing.

In the following, the Key ID is an 8 hex digit identifier taken from the 40 hex digit long (primary) key fingerprint and is therefore handier than dealing with all 40 hex digits.

There are creation, expiration and revocation dates.

Keys contain a Real name, an e-mail address and a Comment; those elements can also be used to find the Key ID. The key can hold lots of other things as well, such as a preferred key server, a photo and many more.
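To make the relation between the fingerprint and the Key ID concrete, here is an added example (not code from the original page) that derives both forms of Key ID from a fingerprint as printed by gpg --fingerprint. The 8 hex digit ID of the text is the last 8 digits of the fingerprint and the 16 digit ID gpg also accepts is the last 16; the fingerprint used is a constructed sample. Because the short form is only 32 bits, two different keys can share it, so when importing or verifying a key compare the full fingerprint rather than the short ID.

```shell
#!/bin/sh
# Added example, not from the original page: derive the key IDs gpg accepts
# from a 40 hex digit fingerprint pasted from "gpg --fingerprint".

# Remove the spaces gpg prints between digit groups and upper-case the result;
# fails when what is left is not exactly 40 hex digits.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$f" in
        *[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    [ ${#f} -eq 40 ] || { echo "not a 40 hex digit fingerprint: $1" >&2; return 1; }
    printf '%s\n' "$f"
}

# Long Key ID: the last 16 hex digits (64 bits) of the fingerprint
long_key_id() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c 25-40
}

# Short Key ID: the last 8 hex digits (32 bits), the form used in the text above
short_key_id() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c 33-40
}

# Constructed sample fingerprint (not a real key)
SAMPLE_FPR='1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678'
echo "fingerprint:  $(normalize_fpr "$SAMPLE_FPR")"
echo "long key ID:  $(long_key_id "$SAMPLE_FPR")"
echo "short key ID: $(short_key_id "$SAMPLE_FPR")"
```

Save it as a script and run it with sh, or source it and call long_key_id on a fingerprint copied from your own gpg --fingerprint output; both forms can be passed to gpg wherever the text says <Key ID>.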

Key servers

To work with gpg, the public keys need to be exchanged and imported into the local PC. This can be done using files; another way is using key servers.

Note

Once keys are uploaded to a key server, they stay there forever (also when expired or revoked).

The name of the key server can often be passed to the command using the command line option --keyserver subkeys.pgp.net, but the default key server can also be configured in the file ~/.gnupg/gpg.conf.

Keys can be found on the key server when an e-mail address or the user name (= Real name) is known. This works because the user ID is composed of Real name, e-mail and comment and is part of the key:

gpg --search-keys <e-mail address>

gpg --search-keys "Urs Lindegger"

Getting public keys

The Key ID must be published somewhere or can be found using:

gpg --search-keys <e-mail address>

When found, simply entering the corresponding number imports it.

Alternatively the public key (or keys) can be imported using:

gpg --keyserver subkeys.pgp.net --recv-keys <Key ID>

This can be verified using gpg --list-keys

Gnupg creates the directory ~/.gnupg where all keys reside. The file ~/.gnupg/gpg.conf holds the configuration.

Produce your keys

gpg --gen-key produces the two keys (the public and the secret key) belonging to you. You should limit the time the key is valid.

Select the default encryption settings. Important is the passphrase that has to be entered: it will be used as the password for all later actions with the secret key.

You need to enter Real name, Email address and comment.

This then forms the USER_ID: "<Real name> (<Comment>) <<e-mail address>>"

gpg --list-keys shows the keys you have got.

gpg --list-secret-keys lists the secret keys you have.

Important

When creating the keys it is wise to think about what happens when you lose your keys or when somebody gets hold of your keys. Therefore create a revocation certificate in case of compromise (in plain language: create a file that you need to make the key invalid).

gpg --output revoke.asc --gen-revoke <Key ID>

It asks for the reason why such a certificate is created; select 1 = Key has been compromised as the reason for the revocation.

Important

You have to enter the passphrase from above.

Back up the contents of ~/.gnupg on a removable medium. Also move the revocation file revoke.asc to this medium and delete it from the computer (or move it into an encrypted place), then store the medium in a safe place.

The keys can be sent to a key server with gpg --send-keys <Key ID>

Revoking it on the key server usually takes two steps:

gpg --import revoke.asc

gpg --keyserver certserver.pgp.com --send-keys <Key ID>

Modifying keys

Keys can be exported with gpg --export; the output goes to the screen in binary format. So it is better to use gpg --armor --export to get ASCII, or to put it into a file with gpg --armor --export --output <filename>, or to export just one user with gpg --armor --output <filename> --export <user's e-mail>

They can also be imported with gpg --import <filename>

gpg --delete-key <Key ID> deletes a key from the local PC but not from the key server, since you are probably not the owner.

Typing gpg --edit-key <Key ID> brings you into an interactive loop, where you can type commands such as help. As you can see there, all kinds of modifications can be done:

  1. To see what you have showpref

  2. The expire date can be modified with expire

  3. A key server can be added with keyserver, so that when signed e-mails arrive the receiver knows where to get the public key; however, the major key servers exchange public keys among each other. keyserver none deletes it

  4. Add a photo with addphoto

Refresh the keys: gpg --refresh-keys

List the keys showing the fingerprint: gpg --fingerprint

Cryptographic signature

Text files (but also binary files) can be signed. There are different options:

gpg --sign <filename> adds a signature to the file but converts everything into an unreadable (binary) form

gpg --clearsign <filename> adds a signature but stays readable

gpg --detach-sign <filename> creates a separate file that is not readable containing the signature

gpg --armor --detach-sign <filename> creates a separate file that is readable containing the signature

After importing the key of the author (e.g. using its Key ID), the file can be verified using a command such as gpg --verify <filename>

Encryption and decryption

gpg --encrypt <filename> to encrypt (the destination user must be specified)

gpg --recipient "Urs Lindegger" --encrypt <filename> to encrypt it for a destination user

gpg --decrypt <filename> to decrypt (passphrase is required)
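The sections "Produce your keys", "Modifying keys" (export and import), "Cryptographic signature" and "Encryption and decryption" describe one workflow between two people. The following added example, which is not code from the original page, runs that workflow end to end with two throwaway keyrings (Alice and Bob) under temporary GNUPGHOME directories, so the real ~/.gnupg is never touched. It assumes GnuPG 2.1 or newer and the unattended key generation parameter file documented in the GnuPG manual; the names, e-mail addresses and file contents are constructed. Two details worth noting that the text above does not spell out: a detached signature is checked with gpg --verify <signature file> <data file>, and before Bob encrypts to Alice's key he compares its fingerprint with the one Alice gave him and certifies it locally (--quick-lsign-key), because gpg in batch mode refuses to encrypt to a key it cannot tell is genuine.

```shell
#!/bin/sh
# Added example, not code from the original page: key creation, export/import,
# signing and encryption between two throwaway keyrings (Alice and Bob).
# Assumes GnuPG 2.1 or newer; all names and e-mail addresses are constructed.

# Parameter file for unattended key generation. %no-protection skips the
# passphrase: acceptable for a scratch key in a test, never for a real key.
gen_key_params() {   # $1 = Real name, $2 = e-mail, $3 = Comment
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Name-Comment: $3
Expire-Date: 1y
%commit
EOF
}

# Create a fresh keyring directory holding one key pair
make_key() {   # $1 = keyring directory, $2 = Real name, $3 = e-mail
    mkdir -m 700 "$1" || return 1
    gen_key_params "$2" "$3" "scratch key" > "$1.params"
    GNUPGHOME=$1 gpg --batch --quiet --gen-key "$1.params"
}

# Primary key fingerprint for a user ID, from gpg's machine-readable listing
fingerprint_of() {   # $1 = keyring directory, $2 = e-mail
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Whole workflow: 0 on success, 0 with a note when gpg is missing, else non-zero
gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }
    work=$(mktemp -d) || return 1
    alice=$work/alice; bob=$work/bob
    trap 'for h in "$alice" "$bob"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$work"' EXIT
    cd "$work" || return 1

    # 1. Produce your keys (gpg --gen-key, here unattended)
    make_key "$alice" "Alice Example" alice@example.com || return 1
    make_key "$bob"   "Bob Example"   bob@example.com   || return 1
    fpr=$(fingerprint_of "$alice" alice@example.com)
    echo "Alice's fingerprint: $fpr"
    # GnuPG 2.1+ stores a revocation certificate at creation time; keep it safe
    [ -f "$alice/openpgp-revocs.d/$fpr.rev" ] && echo "revocation certificate: $fpr.rev"

    # 2. Alice exports her public key as ASCII, Bob imports it
    GNUPGHOME=$alice gpg --batch --armor --export alice@example.com > alice-pub.asc || return 1
    GNUPGHOME=$bob gpg --batch --quiet --import alice-pub.asc || return 1
    # Bob checks the fingerprint against what Alice told him out of band, then
    # certifies the key locally; without that gpg warns on verify and, in batch
    # mode, refuses to encrypt to the key.
    [ "$(fingerprint_of "$bob" alice@example.com)" = "$fpr" ] || return 1
    GNUPGHOME=$bob gpg --batch --quiet --quick-lsign-key "$fpr" || return 1

    # 3. Cryptographic signature: Alice signs (detached, readable), Bob verifies
    printf 'release notes, constructed sample\n' > doc.txt
    GNUPGHOME=$alice gpg --batch --armor --detach-sign doc.txt || return 1   # writes doc.txt.asc
    GNUPGHOME=$bob gpg --batch --verify doc.txt.asc doc.txt || return 1
    printf 'release notes, tampered\n' > doc-tampered.txt
    if GNUPGHOME=$bob gpg --batch --verify doc.txt.asc doc-tampered.txt 2>/dev/null; then
        echo "ERROR: tampered file verified"; return 1
    fi

    # 4. Encryption: Bob encrypts for Alice; only Alice's secret key decrypts
    GNUPGHOME=$bob gpg --batch --yes --recipient alice@example.com --encrypt doc.txt || return 1
    GNUPGHOME=$alice gpg --batch --quiet --decrypt doc.txt.gpg > doc-decrypted.txt || return 1
    cmp -s doc.txt doc-decrypted.txt || return 1
    if GNUPGHOME=$bob gpg --batch --quiet --decrypt doc.txt.gpg >/dev/null 2>&1; then
        echo "ERROR: Bob could decrypt a message meant for Alice"; return 1
    fi
    echo "sign/verify and encrypt/decrypt round trip OK"
}

# Run the workflow when this file is executed as gpg-demo.sh (not when sourced)
case "${0##*/}" in gpg-demo.sh) gpg_demo ;; esac
```

Save it as gpg-demo.sh and run sh gpg-demo.sh; the temporary keyrings and their gpg-agent instances are removed on exit. The same commands with your real keyring are the ones listed in the sections above, minus GNUPGHOME and --batch, and with the passphrase prompt instead of %no-protection.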

Gui tools

Evolution can sign the e-mails it sends; all it needs is adding the Key ID to the mail account configuration under Security and enabling it. The first time it asks for the passphrase, but afterwards it can use its internal authentication methods to avoid continuously asking for it.

Gpg Agent

When working with gpg encryption and decryption you often have to type in the passphrase. You can set up gpg-agent to reduce this.

Network Information Service

Network Information Service (formerly Yellow Pages) is used to share information within a small network. It allows user names and passwords to be kept consistent across a network. Since this information does not pass encrypted over the network, LDAP and Kerberos are recommended instead.

