Page 1 of 4 123 ... LastLast
Results 1 to 10 of 38

Thread: Beginners Guide to GnuPG

  1. #1
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Lightbulb Beginners Guide to GnuPG

    A Beginner's Guide to GnuPG
    ░▒▓»§«▓▒░

    Introduction

    I am going to give a basic run down of how to use GnuPG to encrypt files, sign your messages, read encrypted messages from your friends and whatnot, along with some of useful commands and applications you can use in aiding you along the way

    First off, incase you don't understand completely (which is absolutely fine, as we are not expected to know everything), GPG is a key-based encryption method. You will be given a public key and a private key. The private key, as indicated, should remain private as to keep the entire idea of encryption secure.

    A person who holds your public key and wishes to send you an encrypted message, would encrypt the message with your public key. They can not decrypt their own message after they encrypt it. Only you, who holds the private key can decrypt the message.


    Applications

    There are two different GUI based applications which can assist you in setting up a GPG key. These two are GPA, which is a very simple application that does everything you need, as far as key managing, deleteing, adding, signing and adding a level of trust to another person's public key.

    The second one is seahorse. It is built for Gnome, and uses the gnome-keyring (if I am not mistaken) so it is a little bit more heavy than GPA, which is my favorite. (Note to the reader, I am not a KDE user, but I am sure there is a KDE GnuPG application suited for them. I am in no way discriminating them from this guide for any reason).

    Let's begin by installing GPA and seahorse (or you can choose one of the two if you wish).
    From the Terminal (Applications > Accessories > Terminal), run the following command:
    Code:
    sudo apt-get install gpa seahorse
    To launch GPA, from run dialog (ALT + F2) or the terminal:
    Code:
    gpa
    To launch seahorse, from the run dialog (ALT + F2) or the terminal:
    Code:
    seahorse
    Both of this GUI applications give you the opportunity to create a GPG key from their menus, and if you wish to do it that way, you may do so. It should be very simple and informational, so I will not explain how to do it from those applications (as it could also be subject to change over time).

    Another application worth mentioning would be FireGPG for Firefox. It can encrypt / decrypt / sign / verify / import and export with GPG. To install it for Firefox, please visit their website:
    http://firegpg.tuxfamily.org/?page=install&lang=en


    Key Generating

    As an alternative, you could create a GPG key from the command line of the terminal.
    To do so, launch your terminal (Applications > Accessories > Terminal) and run the following command, to get started:
    Code:
    gpg --gen-key
    You will then be prompted back with the following:
    Code:
    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
    Your selection?
    You will want to select number 1, as it can be used for encryption and decryption, whereas the second and third choices are only allowed to sign messages. To do so, press the number 1, and then press enter.

    You then will be prompted with the following:
    Code:
    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    You will want to enter "2048" here, as recommended by gnupg.
    If you don't want your key to expire (for the next prompt, select 0).

    Answer yes if the information is correct, when prompted, and then enter your Real Name, Email address, and a comment (which is optional). If everything is correct, press "o" (for Ok) and then enter.

    You will then be asked to enter a passphrase. This process will be repeated. As always, make a strong password which would be difficult to crack. Do not enter a name / address / birthdate or word from a dictionary as your password. Take the usual precautions, and make it random and difficult to crack.

    After entering your passphrase, follow the instructions in the terminal:
    Code:
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    When you have successfully finished generating your key, you will see a message similar to the following:
    gpg: key 069C39A4 marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
    pub 1024D/069C39A4 2008-01-28
    Key fingerprint = 516E E759 94BA 0DC1 37BE 1074 E46C B27D 069C 39A4
    uid samplekey <samplekey@linux.org>
    sub 2048g/BC9EC4CB 2008-01-28
    Your KEY-ID would be the two keys (both identical) above which are in bold.
    The Key fingerprint is also listed there.


    Key Servers

    Key servers are used to distribute your public key to other key servers and so other users can easily look your name (or email up) in the database and find your public key to send encrypted messages to you. This eliminates the process of physically or unsecurely giving your friend your public key, and allows others to be able to find you on an online database.

    To upload your public key to the Ubuntu keyserver, there are 2 ways to do this.
    1. By pasting your ASCII Armored Public Key into the submission box at the Ubuntu Keyserver
    2. By using the terminal and gnupg to send your public key to the Ubuntu Keyserver.


    To accomplish method 1, you will need to open seahorse, select your key under "My Personal Keys" and click the "Export Public Key" in the toolbar. You can optionally choose the name and location of which it will be saved to. Proceed to open up:
    http://keyserver.ubuntu.com:11371
    while opening your newly exported public key with a text editor (gedit).

    Select and copy the entire contents of your public key file, and paste it into the "Submit a Key" text area on the Ubuntu Keyserver (link provided above). Submit it, and it should then proceed to submit the key to the keyserver.

    You should then be able to search for your email or name in the search string box on the Ubuntu Keyserver page, to find your public key on the internet. This is undoubtedly the Graphical way of doing it, but it can be somewhat longer.

    To do it by the means of method 2, you would first need to open up a terminal (Applications > Accessories > Terminal) and paste the following into it:
    Code:
    gpg --send-keys --keyserver keyserver.ubuntu.com <KEY-ID>
    Naturally, you would replace <KEY-ID> with your public key id, as stated before. It also helps to memorize it, like I have done
    If you forget what your keyid is, just run:
    Code:
    gpg --list-keys <EMAIL>
    That will list the keys registered with your email (and since there should only be one, it will only list your key.) Then you can obtain your KEY-ID and run the command above, to submit it to the keyservers.


    Importing Keys

    There are four different methods to importing a key, as stated below:
    1. FireGPG
    2. GPA
    3. Seahorse
    4. Terminal


    All are quite simple to do, but FireGPG is the easiest of all if you are importing a public key from a keyserver with Firefox. I will briefly explain all four.

    FireGPG
    If you have somebody's public key on a webpage while in Firefox and have installed FireGPG (as mentioned above under Applications), then simply highlight the Public key from beginning PGP comment to ending PGP comment, right click on it, select FireGPG and click the Import button. It's that simple!

    For your information, to solve confusion, the beginning and ending PGP comment tags look like the following:
    Code:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    -----END PGP PUBLIC KEY BLOCK-----

    GPA
    If someone has given you their public key as a file, simply launch GPA and select "Import" from the toolbar.


    Seahorse
    If someone has given you their public key as a file, you can do one of two things. First, you can open up Nautilus and double click this file, and it should automatically import the public key into your GnuPG, or open Seahorse and select "Key" from the menu and click "Import".


    Terminal
    Open up the terminal (Applications > Accessories > Terminal) and type:
    Code:
    gpg --import KEYFILE
    KEYFILE would be the filename of the public key in your home folder.
    (If it is not in your home folder, please cd to the proper directory first, and then run the above command.)


    Tips and Tricks

    Here is some more valuable information that can be useful when encrypting / decrypting files with GPG from the terminal.

    List Keys
    If you wish to see all of the keys you have imported into GnuPG, you can issue the following command:
    Code:
    gpg --list-keys

    Encrypt a File
    If you wish to encrypt a file for your friend with his Public Key, run the command in the following format:
    Code:
    gpg -o encrypted_file.gpg --encrypt -r <KEY-ID> original.file
    Explanation:
    -o encrypted_file.gpg = Output to the following filename.
    --encrypt = Duh, that's the encrypting part
    -r <KEY-ID> = Recipient. KEY-ID would be your friends KEY-ID here.
    original.file = The original file that you will be encrypting.


    Decrypt a File
    If someone has sent you a file that has been encrypted with your public key, you can decrypt it by the following:
    Code:
    gpg --decrypt filename.gpg

    Clearsign a Document
    Clearsigning is very similar to adding your signature to the bottom of a letter or important paper. It signifies that it actually came from you. By clearsigning, it generates a SHA1 hash of the entire file's contents and add's the SHA1 sum to the bottom of the signature. If the file has been tampered with, the signature verification will fail, which can be used to spot forgery.

    If the user has edited the file after it has been signed, the verification of the signature will also fail, because the SHA1 sum will not match that of the actual content.

    To clearsign a document / file, run the following:
    Code:
    gpg --clearsign filename.txt

    Exporting your Public Key
    To export your public key in ASCII Armored fashion, run the following command:
    Code:
    gpg --export -a <KEY-ID> > publickey.asc
    Replace <KEY-ID> with your Public Key ID, and it will create a file called "publickey.asc" which you can distribute to your friends and they can import.


    Symmetric Encryption
    GPG can also do a symmetric encrytion where you can encrypt a file with a passphrase (this is not keybased encryption). To encrypt a file with a passphrase, use this:
    Code:
    gpg -c filename.txt
    To decrypt this type of file, just use:
    Code:
    gpg filename.txt
    And you will be prompted for the passphrase and it will decrypt the file.


    Additional Links:
    GnuPG.org
    GnuPrivacyGuardHowto
    The GNU Privacy Handbook
    Wikipedia: GNU Privacy Guard

    Related Guides
    How To: Use GnuPG along with WHIRLPOOL Hash to Encrypt an Individual File
    Advanced GnuPG Concepts - Advanced Key Generation
    How To: Install a Port Knocker - FWKNOP




    Inspired by kevdog
    Last edited by Dr Small; November 12th, 2008 at 01:13 AM. Reason: Updated /Related Guides/
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  2. #2
    nikoPSK is offline I Ubuntu, Therefore, I Am
    Join Date
    Sep 2007
    Location
    Victoria, BC
    Beans
    2,265
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Beginners Guide to GnuPG

    very nice.

  3. #3
    Join Date
    Aug 2006
    Location
    Uruguay
    Beans
    1,645

    Re: Beginners Guide to GnuPG

    Very complete Dr. Small. I may start to build packages soon so I need to knwo how to use GPG

    Member of the UbuntuBeginnersTeam

    Member of the UnansweredPostsTeam

  4. #4
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Beginners Guide to GnuPG

    Thanks for the comments, guys

    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  5. #5
    nikoPSK is offline I Ubuntu, Therefore, I Am
    Join Date
    Sep 2007
    Location
    Victoria, BC
    Beans
    2,265
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Beginners Guide to GnuPG

    Quote Originally Posted by Dr Small View Post
    Thanks for the comments, guys

    Dr Small
    oop, forgot to give you your thanks.

  6. #6
    Join Date
    Aug 2007
    Beans
    16
    Distro
    Xubuntu 7.04 Feisty Fawn

    Smile Re: Beginners Guide to GnuPG

    Hello,

    thank you for this wonderful guide! There's still something not quite clear to me::

    gpg: key 069C39A4 marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
    pub 1024D/069C39A4 2008-01-28
    Key fingerprint = 516E E759 94BA 0DC1 37BE 1074 E46C B27D 069C 39A4
    uid samplekey <samplekey@linux.org>
    sub 2048g/BC9EC4CB 2008-01-28
    Your KEY-ID would be the two keys (both identical) above which are in bold.
    The Key fingerprint is also listed there.
    Which is the private key in this example?

  7. #7
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,958
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Beginners Guide to GnuPG

    The best way to display the private or public keys on your keyring are:

    Code:
    gpg --list-public-keys   <----List public keys
    gpg --list-secret-keys  <----Lists private keys
    gpg --list-keys <---List all keys

  8. #8
    Join Date
    Aug 2007
    Beans
    16
    Distro
    Xubuntu 7.04 Feisty Fawn

    Re: Beginners Guide to GnuPG

    Quote Originally Posted by kevdog View Post
    The best way to display the private or public keys on your keyring are:

    Code:
    gpg --list-public-keys   <----List public keys
    gpg --list-secret-keys  <----Lists private keys
    gpg --list-keys <---List all keys
    If I do:

    Code:
    gpg --list-secret-keys
    the result is (as x example):

    Code:
    sec   1024D/069C39A4 2008-01-28
    uid                  John Smith  <johnsmith@hismail.com>
    ssb   2048g/069C39A4 2008-01-28
    So it's showing me 069C39A4, but this is the key ID I use to public my key on keyring servers. It is a public key ID.

    I still don't get it. Which is my private key? How can I see it?

  9. #9
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,958
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Beginners Guide to GnuPG

    Im slightly confused. If you do

    gpg --list-secret-keys
    gpg --list-public-keys


    The results are different.
    Look at the results carefully. The secret keys have sec, ssb and the public keys have pub, sub.

    Why do you need to know the difference? I'm confused. When you create private encyption and signing keys, the public keys are also put on your key-ring. They have the same ID.

  10. #10
    Join Date
    Aug 2007
    Beans
    16
    Distro
    Xubuntu 7.04 Feisty Fawn

    Re: Beginners Guide to GnuPG

    Quote Originally Posted by kevdog View Post
    The results are different.
    Look at the results carefully. The secret keys have sec, ssb and the public keys have pub, sub.
    You're right, the results are different, it was my mistake when transcribing. This is what I mean:

    If I do <gpg --list-secret-keys> the result is:

    sec 1024D/069C39A4 2008-01-28
    uid John Smith <johnsmith@hismail.com>
    ssb 2048g/045D39H5 2008-01-28

    If I do <--list-public-keys> it gives me:

    pub 1024D/069C39A4 2008-01-28
    uid John Smith <johnsmith@hismail.com>
    sub 2048g/045D39H5 2008-01-28

    pub 1024D/123F301C4 2008-01-28
    uid My Friend <myfriend@hismail.com>
    sub 2048g/4565A71C8 2008-01-28

    So why are my sec and ssb identical to my pub
    and sub? Does that mean that also my friend's sec
    and ssb are identical to those I can see? So where
    is all the privacy? I'm sorry, I just don't seem to understand.

    Why do you need to know the difference? I'm confused.
    I'm just trying to understand how the whole thing works. I've read a lot of documentation out there but it is still not clear to me.

    When you create private encryption and signing keys, the public keys are also put on your key-ring. They have the same ID.
    Ok, so what I see out of those commands are not actually the keys but the keys ID. Does this mean I'm not allowed to actually see what my private key reads like? I mean, what's the actual sequence of numbers and letters for my private key?

    I've been trying to open my secring.gpg file but have not been able to do so yet, not even as root.
    Last edited by Arhuma; February 2nd, 2008 at 08:41 AM.

Page 1 of 4 123 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •