GPG II

Summary:

• Installation
• Testing And Configuration
• Public Key Distribution
• GPG And Mail Programs

GPG II

Installation

• If you are using a Mandrake release older than 7.2, get the gnupg and the pgpgpg packages from one of M's cryptography servers or get the sources from ~GnuPG.org. Releases 7.2 and later come with the ~GnuPG package on the CD.
• Install them. If you've used the RPM packages, run

rpm ––verify gnupg

as a basic security check.

• Now you have to generate your key pair with

gpg ––gen-key

• You will be asked some questions (kind of key, key size, validity). Go with the defaults unless you know better.
• Now you have to supply a user ID: your real name, your email address and a (optional) comment.
• Enter your passphrase (it will not show up). As usual, you will be prompted to enter it again to prevent typos.
• Now your key will be generated. To help the program gather enough random data, move your mouse around and hit the CTRL, ALT or SHIFT keys some times.
• Ready1.1 '~/.gnupg' should now contain these files: 'options' (configuration file), 'pubring.gpg' (your public key) and 'secring.gpg' (your private key).

Testing And Configuration

Before you distribute your key, you should do some testing:

• gpg ––list-keys

  will list your key pair. The output will look like this:

pub {keylenght}/{key ID} {Creation date} [Expiration date] {Real name} {comment} {email address}
sub {keylenght}/{key ID} {Creation Date} [Expiration date]

Write down or memorize the key ID number of your public key. You will need it from time to time.

• Encrypt and sign a file with

  gpg -es -r {first part of your real name} {file}

  . This will generate an encrypted file called '{file}.gpg'.
• Decrypt this file with

  gpg {file}.gpg

  .

• gpg ––clearsign {file}

  will create a signed but unencrypted file called '{file}.asc'.
• Verify this signature with

  gpg ––verify {file}.asc

• Beginning with Mandrake 8.2, Mandrake's public key was automatically imported into the root user's keyring when the gnupg package was installed. All other users: add Mandrake's public key on the CD to your keyring:

  gpg ––import /mnt/cdrom/RPM-GPG-KEYS

  . A good example of why a regular user might want to do this is if the user wants to build rpms from source rpms. The user will want to verify that the source rpm packages he has are bona fide Mandrake source rpm.
• Check the GPG RPM:

  rpm ––checksig gnupg-{...}mdk.rpm

  . You should get

  gnupg-{...}mdk: md5 gpg OK

  .
• Create a revocation certificate. You will need it in case your secret key gets lost or is compromised:

  gpg -o revoke.asc ––gen-revoke {key ID}

  . Save the file 'revoke.asc' to a secure place.

• Remove the leading hash (#) from

  no-greeting

  (removes the copyright message) and

  default-recipient-self

  (lets yourself be the default recipient).
• Change the 'keyserver' line to

  keyserver search.keyserver.net

  or use the default keyserver by removing the hash.
• Add

  no-secmem-warning

  to get rid of those pesky GPG warnings about using insecure memory.

man gpg

section index

Public Key Distribution

To distribute your public key by email or on your website, you have to export your key to a text file first. To prevent GPG from using the binary format, add the

––armor

gpg ––armor ––export {key ID} -o mykey

Now you can send or post 'mykey' and people can add the included key to their key rings with

gpg ––import mykey

A more general approach lies in using a keyserver, e.g. one of the keyserver.net family. This way everyone can get your public key without having you to ask first. He or she can just search the keyserver for your name, email address or key ID, get the key and add it to his or her keyring.

To submit your public key to a keyserver, type:

gpg ––keyserver search.keyserver.net ––send-key {key ID or your email address}

This might take a while. There's a list of alternative keyservers at keyserver.net. Some keyservers also allow you to copy and paste your key into a text entry field. In order to get a key from a keyserver, use

gpg ––keyserver search.keyserver.net ––recv-key {key ID}

(You can leave out the

––keyserver

You might want to make it easier for people by adding the numerical key ID of your public key to your mail signature, maybe along with the address of your favorite keyserver.
To verify keys, exchange encrypted messages containing the key fingerprints (

gpg ––fingerprint {key ID}

section index

GPG And Mail Programs

Here are some mail programs currently supporting GPG:

• Arrow, a nice, lightweight mail client for X.
• Exmh, X front end for the MH mailing system.
• KMail, KDE's standard mail client.
• Mew, a MIME mail reader for (X)Emacs.
• Mutt, a very popular console based mail reader.
• Pine, another popular console based mail reader. You will need an add-on like pgp4pine.
• Postilion, a next-ish mail application for X.
• Spruce, a GTK+ mail client.
• XFMail, a very powerful MUA for X.

pgp_create_traditional ask-yes

If you are using a legacy mail reader like Netscape Mail, you can still write your messages, encrypt them and send them as attachments. Graphical GPG tools like Gpgp, ~TkPGP and Geheimnis will help you. Might be better to get a decent mail client, though ;-).

And if you really want to get into the thick of it, try the PGP Forwarding Server. This server serves as an encryption / decryption relay for users who either do not have GPG/PGP installed or don't want to use it.

section index

Related Resources:

GNU Privacy Handbook
List Of Related Applications

man gpg

Revision / Modified: Mar. 21, 2002
Author: Tom Berger, Todd Lyons

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.