GPG/PGP: sign or encrypt emails or files

Linux
Author

Vinh Nguyen

Published

September 29, 2010

I always wanted to set this up, but never got around to it because I a particular need never arised. I finally had some time to set up my GPG key so others can send me encrypted files and emails. Google "gpg" or "pgp" for more information about it.

Setup

I followed these instructions to set up GPG on my laptop; setup is pretty straightforward. Be sure to back up your public key, private key, and revocation key somewhere safe, like a CD locked up in a fireproof safe:

gpg --list-secret-keys ## Look for the line that starts something like "sec 1024D/". The part after the 1024D is the key_id.
gpg -ao _something_-private.key --export-secret-keys key_id
gpg -ao _something_-public.key --export key_id
gpg --gen-revoke

Remember to import the key if you use multiple computers or got a new computer:

gpg --import _something_-public.key
gpg --import _something_-private.key

Use

This is a good beginner's reference for GPG. Some parts are also based on this page, although it is for the pgp command as opposed to the gpg command.

Remember to place the following in ~/.bashrc so that GPG uses your key id as the default:

export GPGKEY=key id

Import trusted people's public keys:

gpg --import public.key.file
gpg --list-keys ## list to see who we have

Encrypt file:

gpg --encrypt MyFile ## optional (prior to --encrypt): --out OutFile
## select person from your public keys ring via key id or email address

Now send the encrypted file to the person. Only he/she can open it using his/her private key.

Decrypt file:

gpg --decrypt MyFile ## optional (prior to --decrypt): --output OutFile
## enter passphrase

Signing is used to let others (with your public key) know that the message/file was indeed from you and has not been tampered with while being transported to you. The content is not private but the origin is of concern.

Signing a file:

gpg -sat textfile ## clear sign a file (--sign --armored --text) so that the original text and content are in the same file
## enter passphrase

gpg -sb binaryfile ## (--sign --detach-sign): a separate binary .sig file is generated to be delivered with the binary file
## enter passphrase

gpg -sab binaryfile ## (--sign --armored --detach-sign): a separate armored text signature .asc file is generated to be delivered with the binary file
## enter passphrase

## sign and encrypt
pgp -seat textfile "To User ID"
pgp -se binaryfile "to recipient ID"
pgp -sea binaryfile "to recipient ID"

Reading a file:

gpg gpgfile ## "This is used for all PGP files, be they encrypted, signed or a key file. PGP will handle it all automatically."
gpg signaturefile signedfile ## detached signature file

Use with Email

Since I use gmail in the web browser primarily, I'm unable to integrate GPG with gmail since FireGPG is now discontinued. I have a feeling a chrome extension will come to fruition soon.

Currently, if I want to send signed emails, I do so in Evolution Mail per the setup instructions. I will update this post on how to do it using mutt or emacs soon.

To check on signatures sent to my email, what I do is open using "Show original" and pasting the content into a text file on my computer. I use the clearmime script as follow:

$ clearmime | gpg --verify # expects you to paste a raw email message
$ clearmime < myemail.txt | gpg --verify # reads the raw email from a file

UPDATE 9/29/2010: Using GPG with mutt is actually quite easy. I followed these instructions. Basically, after mutt is set up to be able to send mail, I added the following to my ~/.muttrc file:

## gpg with mutt http://blogs.techrepublic.com.com/security/?p=413
## following for debian only (location)
source /usr/share/doc/mutt/examples/gpg.rc
## or paste content into .muttrc file

Now, type mutt in the command line, select mail, and compose. After composing the mail, type p to select whether you want to sign, encrypt, etc. Note that I believe you have to be in the mutt program to access GPG options. I don't think sending signed/encrypted email from the command line with mutt is an option.

Also, to open encrypted emails from my gmail in the web browser (I already covered how to verify a signature previously), I just download the attached encrypted message by copy and paste and type the following:

gpg EncryptedMail.asc
## enter passphrase

Conclusions

My public key is available on my personal website for others to use to send me encrypted emails and files. I've also uploaded to the keyservers. However, I have not had anyone verify me in the physical world, so you might get a WARNING message.

UPDATE 9/8/2011 Revoke Keys

I recently decided to revoke the keys I set up last year. Why? The passphrase was too short. The passphrase should be long in order to protect myself from a brute-force attack. According to this, the passphrase should be 22+ characters in length to be equivalent to a 128 bit key, and 42+ characters long to be equivalent to a 256 bit key. Thus I revoked my current key and will create a new one.

To revoke, I followed these instructions:

gpg --import revoke.asc ## I saved this file in a very secure place
gpg --keyserver pgp.mit.edu --send-keys key_num

To delete the key from my computer, I followed these instructions:

gpg --delete-secret-keys key_num
gpg --delete-keys key_num
gpg --list-key