GPG/PGP: sign or encrypt emails or files

I always wanted to set this up, but never got around to it because a particular need never arose. I finally had some time to set up my GPG key so others can send me encrypted files and emails. Google “gpg” or “pgp” for more information about it.

Setup

I followed these instructions to set up GPG on my laptop; setup is pretty straightforward. Be sure to back up your public key, private key, and revocation key somewhere safe, like a CD locked up in a fireproof safe:

gpg --list-secret-keys ## Look for the line that starts something like "sec 1024D/". The part after the 1024D is the key_id.
gpg -ao _something_-private.key --export-secret-keys key_id
gpg -ao _something_-public.key --export key_id
gpg --output _something_-revoke.asc --gen-revoke key_id ## revocation certificate; answer the prompts and store the file with the key backups
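
Instead of reading the key id off by eye, a short script can pull it out of the listing. The following is an added example of mine, not from the instructions I followed: a POSIX shell function that parses gpg --list-secret-keys output in the gpg 1.4 format shown above (sec 1024D/KEYID) and also in the two formats later GnuPG versions print (sec rsa4096/KEYID with --keyid-format long, and gpg 2.1+ with the 40-digit fingerprint on the next line, whose last 16 hex digits are the long key id). The listings it runs on are constructed samples with made-up ids and uids, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the post): extract the primary secret key id(s) from the
# output of `gpg --list-secret-keys`, instead of reading them off by eye.
# Formats handled (one key id printed per "sec" line):
#   gpg 1.4:               sec   1024D/1A2B3C4D 2010-09-01         -> 1A2B3C4D
#   --keyid-format long:   sec   rsa4096/0123456789ABCDEF 2011-09-08 [SC]
#   gpg 2.1+ default:      sec   rsa4096 2011-09-08 [SC]
#                                <40-hex-digit fingerprint on the next line>
#                          -> last 16 hex digits of the fingerprint (the long key id)
# Subkeys (ssb) and stub entries (sec#, secret key not on this machine) are ignored.
key_ids_from_listing() {
    awk '
        $1 == "sec" {
            want = 0
            if (split($2, parts, "/") == 2) { print parts[2]; next }
            want = 1          # gpg 2.1+: key id comes from the following fingerprint line
            next
        }
        want && /^[ \t]+[0-9A-Fa-f]+[ \t]*$/ && length($1) == 40 {
            print substr($1, length($1) - 15)
            want = 0
            next
        }
        { want = 0 }
    '
}

# Constructed sample listings (uids, dates and key ids are all made up).
SAMPLE_GPG14='/home/me/.gnupg/secring.gpg
-----------------------------
sec   1024D/1A2B3C4D 2010-09-01
uid                  Sample User <sample@example.org>
ssb   2048g/5E6F7A8B 2010-09-01'

SAMPLE_KEYID_LONG='sec   rsa4096/0123456789ABCDEF 2011-09-08 [SC]
uid                 [ultimate] Sample User <sample@example.org>
ssb   rsa4096/FEDCBA9876543210 2011-09-08 [E]'

SAMPLE_GPG21='sec   rsa4096 2011-09-08 [SC]
      89ABCDEF0123456789ABCDEF0123456789ABCDEF
uid           [ultimate] Sample User <sample@example.org>
ssb   rsa4096 2011-09-08 [E]
sec#  rsa2048 2011-09-08 [SC]
      0000000000000000000000000000000000000000
uid           [ultimate] Stub Only <stub@example.org>'

# Stand-alone demo: one key id per sample. On a real machine:
#   gpg --list-secret-keys | key_ids_from_listing
for listing in "$SAMPLE_GPG14" "$SAMPLE_KEYID_LONG" "$SAMPLE_GPG21"; do
    printf '%s\n' "$listing" | key_ids_from_listing
done
```

The stub entry (sec#) in the last sample is deliberately skipped: gpg shows it when only the public part of a key is on the machine, so there is nothing to export for it.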

Remember to import the key if you use multiple computers or get a new one:

gpg --import _something_-public.key
gpg --import _something_-private.key

Use

This is a good beginner’s reference for GPG. Some parts are also based on this page, although it is for the pgp command as opposed to the gpg command.

Remember to place the following in ~/.bashrc so that GPG uses your key id as the default:

export GPGKEY=key_id

Import trusted people’s public keys:

gpg --import public.key.file
gpg --list-keys ## list to see who we have

Encrypt file:

gpg --encrypt MyFile ## optional (prior to --encrypt): --output OutFile
## select the person from your public key ring by key id or email address when prompted (or pass --recipient key_id)

Now send the encrypted file to the person. Only the recipient can open it, using his/her private key.

Decrypt file:

gpg --decrypt MyFile ## optional (prior to --decrypt): --output OutFile
## enter passphrase

Signing lets others (who have your public key) verify that a message or file really came from you and was not tampered with in transit. The content is not private, but its origin is.

Signing a file:

gpg --clearsign textfile ## clear sign a file so that the original text and the signature are in the same readable file (gpg -sat, i.e. --sign --armor --textmode, instead produces an armored signed file whose text is not readable)
## enter passphrase

gpg -sb binaryfile ## (--sign --detach-sign): a separate binary .sig file is generated to be delivered with the binary file
## enter passphrase

gpg -sab binaryfile ## (--sign --armor --detach-sign): a separate armored text signature .asc file is generated to be delivered with the binary file
## enter passphrase

## sign and encrypt (pgp syntax from the reference above; the gpg equivalent is
## gpg --sign --encrypt --armor --recipient "recipient ID" textfile, or gpg -sea -r "recipient ID" textfile)
pgp -seat textfile "To User ID"
pgp -se binaryfile "to recipient ID"
pgp -sea binaryfile "to recipient ID"

Reading a file:

gpg gpgfile ## "This is used for all PGP files, be they encrypted, signed or a key file. PGP will handle it all automatically."
gpg --verify signaturefile signedfile ## detached signature: give the .sig/.asc file first, then the file it signs

Use with Email

Since I mostly use gmail in the web browser, I can’t integrate GPG with gmail now that FireGPG is discontinued. I have a feeling a chrome extension will come to fruition soon.

Currently, if I want to send signed emails, I do so in Evolution Mail per the setup instructions. I will update this post on how to do it using mutt or emacs soon.

To check signatures on email I receive, I open the message with “Show original”, paste the content into a text file on my computer, and run the clearmime script as follows:

$ clearmime | gpg --verify # expects you to paste a raw email message
$ clearmime < myemail.txt | gpg --verify # reads the raw email from a file
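
Here is what a script like clearmime has to do in the simplest case, as an added example (my own code, not the clearmime script itself): it pulls the clearsigned block out of a raw message saved from “Show original”, normalizes the CRLF line endings that raw mail carries to LF, and passes just the block on. It only handles inline clearsigned mail, not PGP/MIME attachments. The sample message, its placeholder signature data and the function name are all made up.

```sh
#!/bin/sh
# Added example (not the post's clearmime script): pull the inline clearsigned block out of
# a raw email as saved from gmail's "Show original", so it can be piped to `gpg --verify`.
# Raw mail uses CRLF line endings; the CRs are stripped so the output is plain LF text.
# Handles inline (clearsigned) PGP only, not PGP/MIME multipart/signed messages.

# Reads a raw message on stdin; prints the block from BEGIN PGP SIGNED MESSAGE through
# END PGP SIGNATURE. Exit status 0 if a block was found, 1 otherwise.
extract_clearsigned() {
    tr -d '\r' | awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inblock = 1; found = 1 }
        inblock { print }
        inblock && /^-----END PGP SIGNATURE-----$/ { inblock = 0; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: a raw message with CRLF endings, headers, a clearsigned body and a
# mail footer. The signature payload is a placeholder, not a real signature.
SAMPLE_RAW_MAIL=$(printf '%s\r\n' \
    'From: Sample Sender <sender@example.org>' \
    'Subject: signed test' \
    'Content-Type: text/plain' \
    '' \
    '-----BEGIN PGP SIGNED MESSAGE-----' \
    'Hash: SHA1' \
    '' \
    'hello from the command line' \
    '-----BEGIN PGP SIGNATURE-----' \
    'PLACEHOLDERsignatureDATAnotREAL==' \
    '=AbCd' \
    '-----END PGP SIGNATURE-----' \
    '' \
    '-- ' \
    'sent from gmail')

# Expected extraction result for the sample above (LF endings, no headers or footer).
EXPECTED_BLOCK=$(printf '%s\n' \
    '-----BEGIN PGP SIGNED MESSAGE-----' \
    'Hash: SHA1' \
    '' \
    'hello from the command line' \
    '-----BEGIN PGP SIGNATURE-----' \
    'PLACEHOLDERsignatureDATAnotREAL==' \
    '=AbCd' \
    '-----END PGP SIGNATURE-----')

# Stand-alone demo: print the extracted block. In real use:
#   extract_clearsigned < myemail.txt | gpg --verify
printf '%s\n' "$SAMPLE_RAW_MAIL" | extract_clearsigned
```

The exit status makes the function usable in a pipeline guard: if no signed block is found, nothing is handed to gpg and the script can report that the mail was not signed at all, rather than letting gpg complain about empty input.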

UPDATE 9/29/2010: Using GPG with mutt is actually quite easy. I followed these instructions. Basically, after mutt is set up to be able to send mail, I added the following to my ~/.muttrc file:

## gpg with mutt http://blogs.techrepublic.com.com/security/?p=413
## following for debian only (location)
source /usr/share/doc/mutt/examples/gpg.rc
## or paste content into .muttrc file

Now, type mutt in the command line, select mail, and compose. After composing the mail, type p to select whether you want to sign, encrypt, etc. Note that I believe you have to be in the mutt program to access GPG options. I don’t think sending signed/encrypted email from the command line with mutt is an option.

Also, to open encrypted emails from my gmail in the web browser (I already covered how to verify a signature above), I copy and paste the attached encrypted message into a file and type the following:

gpg EncryptedMail.asc
## enter passphrase

Conclusions

My public key is available on my personal website for others to use to send me encrypted emails and files. I’ve also uploaded it to the keyservers. However, nobody has verified my key in person yet, so you might get a WARNING message.

UPDATE 9/8/2011 Revoke Keys

I recently decided to revoke the keys I set up last year. Why? The passphrase was too short. The passphrase should be long in order to protect myself from a brute-force attack. According to this, the passphrase should be 22+ characters in length to be equivalent to a 128 bit key, and 42+ characters long to be equivalent to a 256 bit key. Thus I revoked my current key and will create a new one.

To revoke, I followed these instructions:

gpg --import revoke.asc ## I saved this file in a very secure place
gpg --keyserver pgp.mit.edu --send-keys key_num

To delete the key from my computer, I followed these instructions:

gpg --delete-secret-keys key_num
gpg --delete-keys key_num
gpg --list-keys ## confirm the key is gone

How to set up sending mail from the command line

Often I want to send emails to myself when a job is done or when something happens on the computer/server. Using the command line is the most portable and obvious way, as most software I run (e.g., R) can run shell commands.

This site shows how to use mail and mutt to send emails from the command line, but does not show how to set things up. Setting up actually took me a long time to figure out, as I wasn’t familiar with Mail User Agent (MUA), Mail Transfer Agent (MTA), etc. This site can help clear things up regarding those issues.

Now, down to business. We’ll need to install some software:

sudo apt-get install mutt msmtp bsd-mailx ## mailutils

mailutils contains the mail command, which allows one to send mail but not attach files. mutt is an MUA that allows one to send mail from the command line and attach files. msmtp is an MTA that we can use with mail and mutt (mutt v1.5.x and above has its own built-in smtp capabilities).

~/.msmtprc:

account default
host smtp.gmail.com
port 587
from my.email.address
tls on
#tls_starttls on
tls_trust_file /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
auth on
# user: your full gmail address
user my.username
password my.password
logfile ~/.msmtp.log

You need to run chmod 600 ~/.msmtprc (user read/write only) or it won’t work.

~/.mailrc:

set sendmail="/usr/bin/msmtp"

~/.muttrc:

## following if want to use msmtp to send mail
set sendmail = "/usr/bin/msmtp"
## set realname = "vqn laptop"
set from = my.email.address
set use_from=yes
set envelope_from=yes
## uncomment following and comment above sendmail line if want to use
## mutt's built-in smtp
##set smtp_url="smtp://username@smtp.gmail.com:587"
##set smtp_pass="my.password"

Run chmod 600 ~/.muttrc as well, since it contains the password.
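
Both chmod 600 steps (for ~/.msmtprc above and ~/.muttrc here) are easy to forget when the files are copied to a new machine, so here is a check for them, as an added example of mine, not part of the original post: a POSIX shell function that flags any config file containing a password line (msmtp’s password, mutt’s smtp_pass) that is readable by group or others, or not owned by the caller. The sample msmtprc it writes has fake credentials, and the file and function names are my own.

```sh
#!/bin/sh
# Added example (not from the post): check that config files holding mail credentials
# (~/.msmtprc, ~/.muttrc) are private, i.e. a regular file owned by the caller with no
# group/other permission bits, as the chmod 600 steps above require.

# is_private_file FILE -> 0 if FILE is a regular file, owned by us, with mode ?00
# (e.g. 600 or 400); 1 otherwise. Uses `ls -ld` for the mode string so it works on
# both GNU and BSD userlands.
is_private_file() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)     # e.g. -rw-------
    case "$mode" in
        -???------) return 0 ;;            # owner bits may be anything; group/other must be empty
        *)          return 1 ;;
    esac
}

# report_leaky_configs FILE... -> prints each file that holds an active password line
# (msmtp "password ...", mutt "set smtp_pass=...") but is not private; returns 1 if any.
# Commented-out lines (starting with #) are ignored, as are non-files.
report_leaky_configs() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -qiE '^[[:space:]]*(set[[:space:]]+)?(password|smtp_pass)[[:space:]=]' "$f" \
           && ! is_private_file "$f"; then
            printf '%s: contains a password but is not private; run: chmod 600 %s\n' "$f" "$f"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_msmtprc DIR -> writes a constructed msmtprc (fake credentials) with the
# default, too-open 644 permissions and prints its path.
write_sample_msmtprc() {
    f="$1/msmtprc"
    printf '%s\n' 'account default' 'host smtp.gmail.com' 'port 587' \
        'auth on' 'user sample.user' 'password not-a-real-password' > "$f"
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Stand-alone demo: show the warning, fix the mode, show that it is now quiet.
demo_dir=$(mktemp -d)
cfg=$(write_sample_msmtprc "$demo_dir")
report_leaky_configs "$cfg" || true
chmod 600 "$cfg"
report_leaky_configs "$cfg" && echo "$cfg is now private"
rm -rf "$demo_dir"
```

msmtp itself refuses to read a ~/.msmtprc that holds a password unless it has user-only permissions, which is the “won’t work” above; mutt does no such check on ~/.muttrc, so an smtp_pass line there is the one most easily left readable by other users on the machine, and the check is most useful for it.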

Note that to use TLS with msmtp, you need to set the certificate file. On a Debian-based system, you can find it in the /usr/share/ca-certificates/ directory, which has many. See below for references.

This site shows how to set up mutt with msmtp. This site shows how to set things up, along with the certificate stuff. More on certificate here. This will tell more on how to use the built-in smtp of mutt. The wiki of course has more information.

UPDATE 8/24/2011: Following this post, use the mail command from bsd-mailx instead of mailutils; with mailutils, mail failed with the error msmtp: no recipients found.

UPDATE 11/13/2011: If you want to be able to email as the root user, make sure these instructions are set up for the root user’s home directory, /root/.