GnuPrivacyGuardHowto

Differences between revisions 14 and 15
Revision 14 as of 2006-01-25 23:50:11
Size: 11557
Editor: ppp84-207
Comment:
Revision 15 as of 2006-02-04 02:05:31
Size: 11563
Editor: S0106000d88b9f3db
Comment: trivial edit

"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate." -[http://www.gnupg.org/gph/en/manual.html GNUPG Manual]

Topics Covered

The following topics will be covered by this article.

  • Generating a GPG key
  • Uploading key to keyserver
  • Keysigning
  • Signing Data
  • Configuring your mail clients to use GPG

Generating a GPG Key

The core package required to start using gpg is installed by default on Ubuntu systems.

There are several programs which provide a graphical interface to the gnupg system.

  • GNU Privacy Assistant (gpa) sudo apt-get install gpa

  • [http://seahorse.sourceforge.net/ Seahorse]  sudo apt-get install seahorse 

  • KGPG, for a KDE interface. sudo apt-get install kgpg

You can generate keys with any of these programs as well; the recommendations in the section below apply whichever front end you use.

Using GnuPG

gpg --gen-key

This leads to a selection screen with the following options:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)

The default choice (1) is the one to take: it creates a DSA signing key together with an Elgamal encryption subkey, whereas the "sign only" choices produce a key that cannot be used for encryption (an encryption subkey could be added later with gpg --edit-key, but there is no reason to start that way). Newer GnuPG releases offer "RSA and RSA" as the default instead; that choice works equally well with the rest of this guide.

What keysize do you want? (2048)

A keysize of 2048 (the default) is a good choice. Note that this size applies to the Elgamal encryption subkey; with this GnuPG version the DSA signing key is 1024 bits, which is why the output below shows 1024D for the primary key and 2048g for the subkey.

Key is valid for? (0)

Most people let their keys never expire, which is the default (0). A safer habit is to set an expiry date, for example 2y: if you ever lose the private key or forget the passphrase, the key drops out of the web of trust on its own, and the date can be extended at any time with gpg --edit-key, so an expiring key costs you nothing. Whatever you choose, do not forget to revoke the key when you no longer use it (see later). Confirm with y and proceed.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Dennis Kaarsemaker
Email address: dennis@kaarsemaker.net
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>"

Make sure that the name on the key matches the name in your passport or other government-issued photo identification; people who sign your key will compare the two (see Keysigning Guidelines below). You can add extra e-mail addresses to the key later.

Type O (Okay) to create your key.

You need a Passphrase to protect your secret key.

You will be asked for your passphrase twice. Choose something long and hard to guess: a sentence or several unrelated words, not a single dictionary word. IMPORTANT: if you forget your passphrase your key becomes useless. There is no way to recover a lost passphrase, so remember it carefully. After you have typed the passphrase twice, the key is generated. Follow the instructions on the screen until you reach output similar to the following:

gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08

The key ID is D8FC66D2 (yours will be different). It is simply the last eight hex digits of the fingerprint; key IDs this short are convenient for commands, but it is the full fingerprint that you give to other people so they can verify your key.
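As an added example (it is not part of the original howto), the following Python snippet parses the listing above and shows how the key ID relates to the fingerprint: the 8-digit ID that gpg prints is the last 32 bits of the 160-bit fingerprint, and the 16-digit "long" ID, which the caff configuration later in this page asks for, is the last 64 bits. The listing text is the sample from this page, embedded as a constant; the function names are this example's own.

```python
import re

# Constructed sample: the listing gpg --gen-key printed in the text above.
SAMPLE_LISTING = """\
pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>
sub   2048g/389AA63E 2005-09-08
"""

# "1024D" = 1024-bit DSA, "2048g" = 2048-bit Elgamal (encryption subkey); "R" would be RSA.
KEY_RE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")
UID_RE = re.compile(r"^uid\s+(.*\S)\s*$")


def normalize_fingerprint(text):
    """Remove spacing and upper-case; a v4 OpenPGP fingerprint is 40 hex digits (160 bits)."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % text)
    return fpr


def key_ids_from_fingerprint(fingerprint):
    """Return (long_id, short_id): the low 64 and low 32 bits of a v4 fingerprint."""
    fpr = normalize_fingerprint(fingerprint)
    return fpr[-16:], fpr[-8:]


def parse_key_listing(text):
    """Parse the human-readable pub / fingerprint / uid / sub lines into a dict."""
    info = {"uids": [], "subkeys": []}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            kind, size, algo, key_id, created = m.groups()
            entry = {"size": int(size), "algo": algo, "short_id": key_id.upper(), "created": created}
            if kind == "pub":
                info.update(entry)
            else:
                info["subkeys"].append(entry)
            continue
        m = FPR_RE.search(line)
        if m:
            info["fingerprint"] = normalize_fingerprint(m.group(1))
            continue
        m = UID_RE.match(line)
        if m:
            info["uids"].append(m.group(1))
    return info


def check_listing(info):
    """Cross-check: the 8-digit ID gpg printed must be the tail of the fingerprint.
    Returns (consistent, long_id, short_id)."""
    long_id, short_id = key_ids_from_fingerprint(info["fingerprint"])
    return short_id == info["short_id"], long_id, short_id


if __name__ == "__main__":
    key = parse_key_listing(SAMPLE_LISTING)
    consistent, long_id, short_id = check_listing(key)
    print("fingerprint:", key["fingerprint"])
    print("short key ID (as in the listing and GPGKEY):", short_id, "consistent:", consistent)
    print("long key ID (what .caffrc wants):", long_id)
```

Because the short ID is only 32 bits, two unrelated keys can easily share one; treat it as a label for your own keyring, never as proof of identity.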

Tip: add the following line to your ~/.bashrc, so that $GPGKEY is set in every new shell; several commands later in this guide use it.

export GPGKEY=D8FC66D2

Now restart gpg-agent and re-read your .bashrc:

killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Revocation Certificate

A revocation certificate lets you declare your public key invalid if the private key is ever compromised or lost, or if you forget the passphrase. Generate it right now, while the key is fresh and you still know the passphrase, because generating it requires the private key:

gpg --output revoke.asc --gen-revoke <KEY-ID>

Print the certificate or store it on offline media, and guard it carefully: anyone who gets hold of your revocation certificate can render your public key useless, since using it requires nothing more than importing it with gpg --import and sending the key to a keyserver as described in the next section. That is also exactly what you do yourself when the day comes to revoke the key.

Uploading the Key

This section explains how to upload your key to a keyserver so that anyone can download it. Keyservers synchronise with each other, so a short time after you upload to one of them all of them will have it; you can speed this up by sending your key to several keyservers. Keys can never be removed from the keyserver network once uploaded (they can only be revoked), so check the user IDs on the key before you send it.

Using GnuPG:

gpg --keyserver keyserver.ubuntu.com --send-keys <KEY-ID>

Using a webbrowser:

  • Export your key by doing gpg --export -a "Key-ID" > public.key

  • Copy the contents of public.key.

  • Open http://pgp.mit.edu in a browser window.

  • Paste the copied content in the box under the label, Submit a key

  • Click on Submit this key to the keyserver!

Getting your key signed

The whole point of all this GPG business is to build a web of trust. By signing someone's key, you state that you have checked that the person using that key is who they say they are and really controls the private key. In this way a complete network of people who vouch for each other is created. Its largest mutually connected part is called the strong set (strongly connected set); information about it, and about the trust path between any two keys in it, can be found at http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/

In summary,

  • Locate someone who lives near you and can meet you to verify your ID. Sites such as http://www.biglumber.com/ are useful for this purpose.

  • Arrange a meeting. Bring at least one photo ID and a printed fingerprint of your key, and ask the same of the person you will be meeting.
  • Meet, verify each other's IDs and exchange fingerprints.
  • Sign the key of the person you've just met and send them the signed key.
  • Once you have imported the signatures you received, update your key on the keyserver so they become visible; your signatures on the other person's key reach the keyserver when they do the same.

Keysigning Guidelines

A signature means that you have checked and verified that a certain public key belongs to a certain person, and that this person is in control of the accompanying private key. You therefore need to follow these guidelines when signing people's keys:

  1. Keysigning is always done after meeting in person.
  2. During this meeting you hand each other your key fingerprint and show at least one government-issued identification document with a photograph. Fingerprints are usually distributed as paper fingerprint slips, created by a script such as gpgkey2ps (package: signing-party).

  3. You check whether the name on the key corresponds with the name on the passport and whether the person in front of you is indeed who they say they are. Compare the complete fingerprint on the slip with the fingerprint of the key you fetch from the keyserver, not just the eight-digit key ID, which is far too short to be unique.
  4. Having done these checks, you still need to check whether this person is in control of the private key and of the e-mail addresses on the key. You do this by sending the signed public key back to them, encrypted with their public key, one signature per user ID and each sent to that user ID's address: only someone who holds the private key can decrypt it, and only someone who reads that mailbox receives it. The caff program (package: signing-party) makes this part very easy. You need to create a file named .caffrc in your home directory (only once) with the following content:

    $CONFIG{owner} = q{Your full name here};
    $CONFIG{email} = q{The emailaddress used in your key here};
    $CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];

    Now you can simply run the following command:

    caff key_id_of_other_persons_key
  5. When others sign your key you receive the signatures as e-mail attachments, one per user ID, each encrypted to your key. Save the attachments and import them with gpg, then send your key to the keyservers so that other people can see the new signatures.

    gpg --import filename_of_saved_signature
    gpg --send-keys $GPGKEY
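The fingerprint comparison in step 3 is worth doing mechanically rather than by eye. The following Python is an added example, not part of the original page and not part of caff or signing-party; it encodes the two offline checks from the guidelines (the full fingerprint on the slip against the fetched key, and the name on the identity document against the key's user IDs) and refuses a key whose short key ID matches but whose fingerprint does not, since a 32-bit short ID says nothing about which key you are holding. The third check, control of the private key and mailbox, is what caff's encrypted mails do and cannot be done offline. The sample fingerprints and names are constructed: one is the key from this page, the other deliberately shares only its last eight digits. Function names are this example's own.

```python
import re

# Constructed samples. The first fingerprint and user ID come from the listing on this
# page; the remaining user IDs and the colliding fingerprint are made up for this example.
PAGE_FINGERPRINT = "95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2"
PAGE_UIDS = [
    "Dennis Kaarsemaker (Tutorial key) <dennis@kaarsemaker.net>",
    "Dennis Kaarsemaker <dennis@example.org>",   # same person, second address: signable
    "Tutorial Key Robot <robot@example.org>",    # different name: must not be signed
]
# Same 8-digit short ID (D8FC66D2) as the page key, but a different key entirely.
COLLIDING_FINGERPRINT = "0000 1111 2222 3333 4444 5555 6666 7777 D8FC 66D2"


def normalize_fingerprint(text):
    """Remove spacing and upper-case; a v4 OpenPGP fingerprint is 40 hex digits (160 bits)."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % text)
    return fpr


def normalize_name(name):
    """Collapse whitespace and ignore case so 'Dennis  Kaarsemaker' still matches."""
    return " ".join(name.split()).casefold()


def uid_name(uid):
    """'Real Name (Comment) <email>' -> 'Real Name' (comment and address are optional)."""
    return re.match(r"^(.*?)\s*(\(.*\))?\s*(<[^>]*>)?\s*$", uid).group(1)


def keysigning_check(slip_fingerprint, fetched_fingerprint, fetched_uids, id_document_name):
    """Decide whether a key fetched from a keyserver may be signed after a meeting.

    slip_fingerprint:    what was typed from the paper slip handed over in person
    fetched_fingerprint: what gpg --fingerprint shows for the key you downloaded
    fetched_uids:        the user IDs on that key
    id_document_name:    the name printed on the government-issued photo ID
    Returns a dict with ok, the reasons for refusal, and the user IDs you may sign.
    """
    reasons = []
    slip = normalize_fingerprint(slip_fingerprint)
    fetched = normalize_fingerprint(fetched_fingerprint)
    if slip != fetched:
        if slip[-8:] == fetched[-8:]:
            reasons.append("short key ID matches but full fingerprint differs; "
                           "never accept a key on its 8-digit ID alone")
        else:
            reasons.append("fingerprint on the slip does not match the fetched key")
    wanted = normalize_name(id_document_name)
    # Only user IDs carrying the verified name are signable; other names on the same
    # key have not been checked against any document.
    signable = [u for u in fetched_uids if normalize_name(uid_name(u)) == wanted]
    if not signable:
        reasons.append("no user ID carries the name on the identity document")
    return {"ok": not reasons, "reasons": reasons, "signable_uids": signable if not reasons else []}


if __name__ == "__main__":
    print(keysigning_check(PAGE_FINGERPRINT, PAGE_FINGERPRINT, PAGE_UIDS, "Dennis Kaarsemaker"))
    print(keysigning_check(COLLIDING_FINGERPRINT, PAGE_FINGERPRINT, PAGE_UIDS, "Dennis Kaarsemaker"))
```

The list of signable user IDs is what you would then hand to caff: it mails one signature per user ID, so a user ID you did not verify simply gets none.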

Signing Data

Signing data lets others verify that the data really came from you and was not altered on the way. A typical scenario is described below.

Launchpad Key Signing

When you've set up GPG and have a key in the strong set, it is time to sign the Ubuntu Code of Conduct if you want to become an Ubuntu member (Ubuntero). Signing is done in three easy steps:

  1. Download the code of conduct from https://launchpad.net/codeofconduct/1.0

  2. Run the command

    gpg --clearsign UbuntuCodeofConduct-1.0.txt
  3. Upload the contents of UbuntuCodeofConduct-1.0.txt.asc, which holds the text in readable form followed by an ASCII-armoured signature over it, at https://launchpad.net/codeofconduct/1.0/+sign
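To see what gpg --clearsign actually produces and what the signature covers, here is an added Python example (not from the original page and not Launchpad's or GnuPG's code). It builds a constructed clearsigned message in the cleartext signature framework of RFC 4880 section 7 and parses it back: it reads the Hash: header, undoes the dash-escaping of text lines that begin with "-", extracts the ASCII-armoured signature, checks the armour's CRC-24 checksum, and computes the canonical form of the text (trailing spaces and tabs removed, CRLF line endings, no final line ending) that goes into the signature hash together with the signature packet's own hashed fields. The signature bytes are a constructed placeholder, not a real signature, and nothing here verifies the signature itself; that remains gpg's job. Function and constant names are this example's own.

```python
import base64

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample text: lines starting with "-" show dash-escaping, the trailing
# spaces on the last line show what canonicalisation strips before hashing.
SAMPLE_TEXT = ("Ubuntu Code of Conduct (constructed excerpt for this example)\n"
               "-----\n"
               "- Be considerate.\n"
               "- Be respectful.   ")
# Constructed placeholder for the binary signature packet; NOT a real OpenPGP signature.
SAMPLE_SIG = bytes(range(1, 60))


def crc24(data):
    """CRC-24 used by OpenPGP ASCII armour (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_crc(data):
    """The '=XXXX' checksum line: CRC-24 of the binary data, base64-encoded."""
    return base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor_signature(sig_bytes, version="GnuPG v1.4.2 (GNU/Linux)"):
    """Wrap signature bytes in ASCII armour (used here only to build the sample)."""
    body = base64.b64encode(sig_bytes).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([SIG_BEGIN, "Version: " + version, ""] + lines + ["=" + armor_crc(sig_bytes), SIG_END])


def clearsign_layout(text, armored_sig, hash_name="SHA1"):
    """Lay text out as gpg --clearsign does: every line starting with '-' gets a '- ' prefix."""
    escaped = ["- " + line if line.startswith("-") else line for line in text.split("\n")]
    return "\n".join([CLEARSIGN_BEGIN, "Hash: " + hash_name, ""] + escaped + [armored_sig, ""])


def _read_headers(lines, i):
    """Read 'Key: value' lines up to the blank line; return (headers, index after blank)."""
    headers = {}
    while i < len(lines) and lines[i] != "":
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    return headers, i + 1


def parse_clearsigned(message):
    lines = message.split("\n")
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        raise ValueError("not a cleartext signed message")
    headers, i = _read_headers(lines, 1)
    text_lines = []
    # A signature header inside the text was dash-escaped ("- -----BEGIN..."), so the
    # first unescaped SIG_BEGIN line is unambiguously the end of the signed text.
    while i < len(lines) and lines[i] != SIG_BEGIN:
        text_lines.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("signature block missing")
    sig_headers, j = _read_headers(lines, i + 1)
    b64, crc_line = [], None
    while j < len(lines) and lines[j] != SIG_END:
        if lines[j].startswith("="):
            crc_line = lines[j][1:]
        else:
            b64.append(lines[j])
        j += 1
    sig_bytes = base64.b64decode("".join(b64))
    if crc_line != armor_crc(sig_bytes):
        raise ValueError("armour CRC mismatch: signature block corrupt or truncated")
    # What gets hashed: trailing whitespace stripped, CRLF between lines, and the line
    # ending before the signature block is not part of the signed text.
    canonical = "\r\n".join(line.rstrip(" \t") for line in text_lines).encode("utf-8")
    return {"hash": headers.get("Hash"), "text": "\n".join(text_lines), "canonical": canonical,
            "signature": sig_bytes, "signature_headers": sig_headers}


def is_armor_intact(message):
    try:
        parse_clearsigned(message)
        return True
    except ValueError:
        return False


SAMPLE_MESSAGE = clearsign_layout(SAMPLE_TEXT, armor_signature(SAMPLE_SIG))

if __name__ == "__main__":
    print(SAMPLE_MESSAGE)
    print(parse_clearsigned(SAMPLE_MESSAGE)["canonical"])
```

The CRC only detects accidental corruption of the armour, for example a mangled paste into a web form; it is not a security check, and a message that passes it still has to be verified with gpg --verify.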

GPG Keys and Launchpad

You need to tell Launchpad about your GPG key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntite) and to build packages using HCT.

Visit the GPG Keys page once logged into Launchpad and paste your key fingerprint into the text box. You can print the fingerprint with:

gpg --fingerprint

Example: the key fingerprint will look like "95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2".

Launchpad then sends you an e-mail encrypted to the key you registered; decrypting it is how you prove that you control the private key. Save the message text to a file and run

gpg --decrypt file.txt

You will need to enter your passphrase.

The message will be displayed along with the link you must follow to confirm your key in launchpad.

Follow it, enter your launchpad password as asked and you are done!

Signing and Encrypting Emails

This section describes how to set up the Evolution and Thunderbird mail clients to sign and encrypt your e-mails. Other mail clients may be added to this list later.

Evolution

  • Open Evolution and go to Edit->Preferences.

  • Choose your email account, click on it, and then click Edit.

  • Click on the security tab.

  • In the PGP/GPG Key ID: box, paste the KEY-ID.

  • Click OK. Click Close.

If you want to sign a new message with your key, click on the Security menu in the message window and then on PGP Sign.

Mozilla Thunderbird

Install the Enigmail plugin either by:

sudo apt-get install mozilla-thunderbird-enigmail

or by downloading the plugin from [http://enigmail.mozdev.org/ here] and installing it manually.

Configure GPG in Thunderbird under Enigmail->Preferences and enter /usr/bin/gpg as the GnuPG executable path.

Tips and Tricks

  • Add your key to ~/.bashrc by adding a line similar to export GPGKEY=YOUR-KEY-ID

  • gpg-agent and pinentry-gtk2 are packages that save you from entering the passphrase for your key every time you use it. Open the file ~/.gnupg/gpg.conf in your favourite editor, browse through it and change what you like. Two useful options are:

    • keyserver-options auto-key-retrieve
    • use-agent

The former makes gpg fetch unknown keys from the keyserver automatically when verifying signatures; this is convenient, but be aware that it contacts the keyserver, and so reveals which keys you are looking up, every time you verify a signature from a key you do not have yet. The latter makes gpg use gpg-agent, which is very useful if you use gpg a lot but don't like typing your passphrase all the time. Now create the file ~/.gnupg/gpg-agent.conf with the following content:

pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400

This makes gpg-agent use pinentry-gtk2 and remember your passphrase for 24 hours (86400 seconds). That is fine on a single-user machine that you lock when you leave it; on a shared or unattended machine choose a much shorter cache time, because anyone with access to your session can use the key for as long as the passphrase is cached. pinentry-gtk2 is not available in hoary; a backported breezy package can be found on http://seveas.ubuntulinux.nl/


CategoryDocumentation

GnuPrivacyGuardHowto (last edited 2008-08-06 16:24:38 by localhost)