Monday, October 30, 2006

PGP, especially GnuPG

You're a paranoid freak that thinks that everyone is out to get you. Good, because they are if you live in the freedom-loving US of A. Therefore, you need to somehow encrypt your messages to make sure that only yourself and the intended recipient see the message. GnuPG to the rescue!

Very Short Intro to PGP:
PGP (Pretty Good Protection) uses public key encryption. Public key encryption uses a public key and a private key. A key generated by person A has both a public and a private component. Person A can distribute his public key freely, but his private key is protected by a passphrase that he and only he knows (hopefully) that was given at the time of the creation of the key. Others can use this public key to encrypt messages that only he can decrypt and read with the corresponding private key. Digital signatures work in the opposite direction. Person A can sign messages with his private key and others can authenticate that it was person A that sent it by decrypting the message with the corresponding public key. GnuPG is an implementation of this security scheme.

  • gpg --gen-key Create a key (all the default settings are fine); it will prompt for type of encryption algorithm (merits of each: DH vs RSA FAQ), keysize, key expiration date, name, comment and email, and finally, the passphrase used to protect your private key -- DO NOT FORGET OR GIVE OUT OR INSECURELY TRANSMIT YOUR PASSPHRASE!!! it will then generate some random bytes and ask you to play around with the mouse/keyboard while doing so to create more entropy
  • gpg --export -- export a key to a file (if you don't specify -o and a filename, it might corrupt the output on your terminal... just a warning); publish this for people to get your public key in order to be able to encrypt messages that you can decrypt with your private key
  • gpg -s <Data> to sign a document; this will create a <Data>.gpg file
  • gpg -se <Data> to both sign and encrypt a document; this will create a <Data>.gpg file
  • gpg -d <data> to decrypt the data; you can also specify a path with -o to redirect it to somewhere besides stdout

Utilities already installed on Ubuntu Dapper (6.06):
  • gpg -- Command line tool
  • gpgv -- Used to verify signatures against a trusted keyring
  • gpgsplit -- Split OpenPGP messages or keyrings into their component packets

No comments: