I always wanted to set this up, but never got around to it because a particular need never arose. I finally had some time to set up my GPG key so others can send me encrypted files and emails. Google “gpg” or “pgp” for more information about it.
I followed these instructions to set up GPG on my laptop; setup is pretty straightforward. Be sure to back up your public key, private key, and revocation key somewhere safe, like a CD locked up in a fireproof safe:
gpg --list-secret-keys
## Look for the line that starts something like "sec 1024D/". The part after the 1024D/ is the key_id.
gpg -ao _something_-private.key --export-secret-keys key_id
gpg -ao _something_-public.key --export key_id
gpg -ao revoke.asc --gen-revoke key_id
## --gen-revoke needs the key_id; writing the certificate to revoke.asc matches the file used in the revocation section below
Remember to import the key if you use multiple computers or got a new computer:
gpg --import _something_-public.key
gpg --import _something_-private.key
Remember to place the following in ~/.bashrc so that GPG uses your key id as the default:
export GPGKEY=key_id
## no spaces around = or inside the value; gpg's own default is set with a "default-key key_id" line in ~/.gnupg/gpg.conf
Import trusted people’s public keys:
gpg --import public.key.file
gpg --list-keys
## list to see who we have
gpg --encrypt MyFile
## optional (prior to --encrypt): --output OutFile
## gpg prompts you to select the person from your public keyring by key id or email address (or pass --recipient on the command line)
Now send the encrypted file to the person. Only they can open it, using their private key.
gpg --decrypt MyFile
## optional (prior to --decrypt): --output OutFile
## enter passphrase
Signing is used to let others (with your public key) know that the message/file was indeed from you and has not been tampered with while being transported to them. The content is not private, but the origin is of concern.
Signing a file:
gpg -sat textfile
## (--sign --armor --textmode): the original text and the signature are in the same armored output file; use --clearsign if the text should stay human-readable
## enter passphrase
gpg -sb binaryfile
## (--sign --detach-sign): a separate binary .sig file is generated to be delivered with the binary file
## enter passphrase
gpg -sab binaryfile
## (--sign --armor --detach-sign): a separate armored text signature .asc file is generated to be delivered with the binary file
## enter passphrase
## sign and encrypt (gpg forms of the classic pgp -seat / -se / -sea commands)
gpg -seat -r "To User ID" textfile
gpg -se -r "to recipient ID" binaryfile
gpg -sea -r "to recipient ID" binaryfile
Reading a file:
gpg gpgfile
## "This is used for all PGP files, be they encrypted, signed or a key file. PGP will handle it all automatically."
gpg signaturefile signedfile
## detached signature file (same as gpg --verify signaturefile signedfile)
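As an added example (not part of the original post), the following script runs the sign-and-verify sequence above inside a throwaway keyring and shows that a detached signature stops verifying once the signed file is altered. It assumes GnuPG 2.1 or newer on PATH; the key name demo@example.invalid and the file release.txt are constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise gpg -sab / gpg --verify end to end, then
# show that a changed file fails verification. Not from the post.
# Assumes GnuPG 2.1+ (quick-generate-key, loopback pinentry).

# Isolated GNUPGHOME so the demo never touches your real keyring.
gpg_demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Throwaway Ed25519 signing key without a passphrase (demo only;
    # a real key should have the long passphrase discussed in the post).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        ed25519 sign >/dev/null 2>&1
}

# Armored detached signature, i.e. the post's "gpg -sab file".
gpg_demo_sign() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Exit status 0 only for a good signature over the current file contents.
gpg_demo_verify() {
    gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Returns 0 only if the intact file verifies AND the altered file does not.
gpg_sign_verify_demo() {
    gpg_demo_setup || return 1
    f="$GNUPGHOME/release.txt"
    printf 'version 1.0\n' > "$f"
    gpg_demo_sign "$f" || return 1
    gpg_demo_verify "$f" || return 1           # intact: good signature
    printf 'version 1.1\n' > "$f"              # file changed in transit
    if gpg_demo_verify "$f"; then return 1; fi # must now report BAD signature
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
    return 0
}

# Run the demo only when explicitly asked, e.g. GPG_DEMO_RUN=1 sh demo.sh
if [ -n "${GPG_DEMO_RUN:-}" ]; then gpg_sign_verify_demo; fi
```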
Use with Email
Since I use gmail in the web browser primarily, I’m unable to integrate GPG with gmail since FireGPG is now discontinued. I have a feeling a chrome extension will come to fruition soon.
$ clearmime | gpg --verify                 # expects you to paste a raw email message
$ clearmime < myemail.txt | gpg --verify   # reads the raw email from a file
## gpg with mutt: http://blogs.techrepublic.com.com/security/?p=413
## the following path is for Debian only
source /usr/share/doc/mutt/examples/gpg.rc
## or paste the content of that file into your .muttrc
Run mutt from the command line, select mail, and compose. After composing the mail, type p to select whether you want to sign, encrypt, etc. Note that I believe you have to be in the mutt program to access the GPG options. I don’t think sending signed/encrypted email from the command line with mutt is an option.
Also, to open encrypted emails from my gmail in the web browser (I already covered how to verify a signature above), I just copy and paste the attached encrypted message into a file and type the following:
gpg EncryptedMail.asc
## enter passphrase
My public key is available on my personal website for others to use to send me encrypted emails and files. I’ve also uploaded it to the keyservers. However, I have not had anyone verify me in the physical world, so you might get a WARNING message.
UPDATE 9/8/2011: Revoke Keys
I recently decided to revoke the keys I set up last year. Why? The passphrase was too short. The passphrase should be long in order to protect myself from a brute-force attack. According to this, the passphrase should be 22+ characters in length to be equivalent to a 128 bit key, and 42+ characters long to be equivalent to a 256 bit key. Thus I revoked my current key and will create a new one.
To revoke, I followed these instructions:
gpg --import revoke.asc
## I saved this file in a very secure place
gpg --keyserver pgp.mit.edu --send-keys key_num
To delete the key from my computer, I followed these instructions:
gpg --delete-secret-keys key_num
gpg --delete-keys key_num
gpg --list-keys