/[gentoo]/xml/htdocs/doc/en/gnupg-user.xml
Gentoo

Contents of /xml/htdocs/doc/en/gnupg-user.xml

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.31 - (show annotations) (download) (as text)
Tue Nov 29 21:57:36 2005 UTC (8 years, 9 months ago) by jkt
Branch: MAIN
Changes since 1.30: +7 -5 lines
File MIME type: application/xml
http://subkeys.pgp.net should use port 11371 for web interface, tx to enderson for pointing that out

1 <?xml version='1.0' encoding="UTF-8"?>
2 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
3
4 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/gnupg-user.xml,v 1.30 2005/11/08 12:41:58 flammie Exp $ -->
5
6 <guide link = "/doc/en/gnupg-user.xml">
7 <title>GnuPG Gentoo user guide</title>
8 <author title="Author">
9 <mail link="humpback@gentoo.org">Gustavo Felisberto</mail>
10 </author>
11 <author title="Editor">
12 <mail link="zhen@gentoo.org">John P. Davis</mail>
13 </author>
14 <author title="Editor">
15 <mail link="swift@gentoo.org">Sven Vermeulen</mail>
16 </author>
17
18 <abstract>
19 This small guide will teach you the basics of using GnuPG, a tool for secure
20 communication.
21 </abstract>
22
23 <!-- The content of this document is licensed under the CC-BY-SA license -->
24 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
25 <license/>
26
27 <version>1.2</version>
28 <date>2005-11-29</date>
29
30 <chapter>
31 <title>Introduction</title>
32 <section>
33 <title>What you will get in this guide</title>
34 <body>
35
36 <p>
37 This guide assumes that you are familiar with public-key cryptography,
38 encryption, and digital signatures. If this is not the case jump to <uri
39 link="#doc_chap6">Public Key Cryptography</uri> or take a look at the
40 <uri link="http://www.gnupg.org/(en)/documentation/guides.html">GnuPG
41 handbook</uri>, chapter 2, and then come back.
42 </p>
43
44 <p>
45 This guide will teach you how to install GnuPG, how to create your key pair, how
46 to add keys to your keyring, how to submit your public key to a key server and
47 how to sign, encrypt, verify or decode messages you send or receive. You will
48 also learn how to encrypt files on your local computer to prevent people from
49 reading their contents.
50 </p>
51
52 </body>
53 </section>
54 <section>
55 <title>Installation of required software</title>
56 <body>
57
58 <p>
59 At a very basic level you need to <c>emerge gnupg</c>. Many aplications today
60 have some sort of support for gpg, so having <e>crypt</e> in your USE variable
61 is probably a good idea. If you wish to have an email client capable of using
62 gnupg you can use pine (<c>emerge pinepgp</c>), mutt (<c>emerge mutt</c>),
63 Mozilla/Netscape Mail, evolution (evolution is a GNOME Microsoft Outlook work
64 alike) and KDE's own KMail (KMail is part of the kdepim package).
65 </p>
66
67 <p>
68 <c>Kgpg</c> might interest you if you use KDE. This small program allows you to
69 generate key pairs, import keys from ASCII files, sign imported keys, export
70 keys and a few more features.
71 </p>
72
73 </body>
74 </section>
75 </chapter>
76
77 <chapter>
78 <title>Generating your key and adding keys to your public keyring</title>
79 <section>
80 <title>Creating your key</title>
81 <body>
82
83 <p>
84 To create your key, just run <c>gpg --gen-key</c>. The first time you run it,
85 it will create some directories; run it again to create the keys:
86 </p>
87
88 <pre caption="key generation process" >
89 $ <i>gpg --gen-key</i>
90 gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
91 This program comes with ABSOLUTELY NO WARRANTY.
92 This is free software, and you are welcome to redistribute it
93 under certain conditions. See the file COPYING for details.
94
95 Please select what kind of key you want:
96 (1) DSA and ElGamal (default)
97 (2) DSA (sign only)
98 (4) ElGamal (sign and encrypt)
99 (5) RSA (sign only)
100 Your selection? <i>1</i>
101 </pre>
102
103 <p>
104 Here you can choose the type of key you want to use. Most users will go for the
105 default DSA and ElGamal. Next is the key size - remember that bigger is better
106 but don't use a size larger than 2048 with DSA/ElGamal keys. Generally 1024 is
107 more than enough for normal email.
108 </p>
109
110 <p>
111 After size comes the expiration date. Here smaller is better, but most users can
112 go for a key that never expires or to something like 2 or 3 years.
113 </p>
114
115 <pre caption="Choosing key size" >
116 DSA keypair will have 1024 bits.
117 About to generate a new ELG-E keypair.
118 minimum keysize is 768 bits
119 default keysize is 1024 bits
120 highest suggested keysize is 2048 bits
121 What keysize do you want? (1024) <i>2048</i>
122 Requested keysize is 2048 bits
123 Please specify how long the key should be valid.
124 0 = key does not expire
125 &lt;n&gt;= key expires in n days
126 &lt;n&gt;w = key expires in n weeks
127 &lt;n&gt;m = key expires in n months
128 &lt;n&gt;y = key expires in n years
129 Key is valid for? (0) <i>0</i>
130 Key does not expire at all
131 </pre>
132
133 <p>
134 Now it is time to enter some personal information about yourself. If you are
135 going to send your public key to other people you have to use your real email
136 address here.
137 </p>
138
139 <pre caption="Entering user information" >
140 Is this correct (y/n)? <i>y</i>
141
142 You need a User-ID to identify your key; the software constructs the user id
143 from Real Name, Comment and Email Address in this form:
144 "Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;"
145
146 Real name: <i>John Doe</i>
147 Email address: <i>john@nowhere.someplace.flick</i>
148 Comment: <i>The Real John Doe</i>
149 You selected this USER-ID:
150 "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
151
152 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <i>O</i>
153 You need a Passphrase to protect your secret key.
154
155 Enter passphrase:
156 </pre>
157
158 <p>
159 Now enter your key passphrase twice. It is a good idea to use a strong password.
160 If someone ever gets hold of your private key and cracks your password, they
161 will be able to send messages signed by "you" making everyone believe the mails
162 were sent by you.
163 </p>
164
165 <p>
166 Then, GnuPG will generate your key. Moving the mouse or having a mp3 playing in
167 the background will help speed up the process because it generates random data.
168 </p>
169
170 </body>
171 </section>
172 <section>
173 <title>Generating a revocation certificate</title>
174 <body>
175
176 <impo>
177 This part is very important and you must do it <e>NOW</e>.
178 </impo>
179
180 <p>
181 After creating your keys you should create a revocation certificate. Doing this
182 allows you to revoke your key in case something nasty happens to your key
183 (someone gets hold of your key/passphrase).
184 </p>
185
186 <pre caption="Generating revoke certificate">
187 $ <i>gpg --list-keys</i>
188 /home/humpback/.gnupg/pubring.gpg
189 ---------------------------------
190 pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
191 sub 2048g/96D6CDAD 2002-12-08
192
193 $ <i>gpg --output revoke.asc --gen-revoke 75447B14</i>
194
195 sec 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
196
197 Create a revocation certificate for this key? <i>y</i>
198 Please select the reason for the revocation:
199 0 = No reason specified
200 1 = Key has been compromised
201 2 = Key is superseded
202 3 = Key is no longer used
203 Q = Cancel
204 (Probably you want to select 1 here)
205 Your decision? <i>1</i>
206 Enter an optional description; end it with an empty line:
207 &gt; <i>Someone cracked me and got my key and passphrase</i>
208 &gt;
209 Reason for revocation: Key has been compromised
210 Someone cracked me and got my key and passphrase
211 Is this okay? <i>y</i>
212
213 You need a passphrase to unlock the secret key for
214 user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
215 1024-bit DSA key, ID 75447B14, created 2002-12-08
216
217 ASCII armored output forced.
218 Revocation certificate created.
219
220 Please move it to a medium which you can hide away; if Mallory gets
221 access to this certificate he can use it to make your key unusable.
222 It is smart to print this certificate and store it away, just in case
223 your media become unreadable. But have some caution: The print system of
224 your machine might store the data and make it available to others!
225 </pre>
226
227 <p>
228 The <c>gpg --list-keys</c> command lists keys in your public keyring. You may
229 use it to see the ID of your key so that you can create the revocation
230 certificate. Now it is a good idea to copy all the .gnupg directory and the
231 revocation certificate (in ASCII armor - <path>revoke.asc</path>) to some
232 secure medium (two floppy's or a CD-R you store in safe location). Remember
233 that <path>revoke.asc</path> can be used to revoke your keys and make them
234 unusable in the future.
235 </p>
236
237 <note>
238 If you have several email addresses that you would like to use with this
239 key, you can run <c>gpg --edit-key YOUR_ID</c> and then use the <c>adduid</c>
240 command. It will ask you for the name, email and comment of the second ID you
241 will be using.
242 </note>
243
244 </body>
245 </section>
246 <section>
247 <title>Exporting keys</title>
248 <body>
249
250 <p>
251 To export your key, you type <c>gpg --armor --output john.asc --export
252 john@nowhere.someplace.flick</c>. You can almost always use the key ID or
253 something that identifies the key (here we used an email address). John now has
254 a <path>john.asc</path> that he can send his friends, or place on his web page
255 so that people can communicate safely with him.
256 </p>
257
258 </body>
259 </section>
260 <section>
261 <title>Importing keys</title>
262 <body>
263
264 <p>
265 To add files to your public keyring, you must first import it, then check the
266 key fingerprint. After you have verified the fingerprint you should validate it.
267 </p>
268
269 <note>
270 You should be careful when verifying keys. This is one of the weak points of
271 public key cryptography.
272 </note>
273
274 <p>
275 Now we will be adding Luis Pinto's (a friend of mine) public key to our public
276 keyring. After giving him a call and asking him for his key fingerprint, I
277 compare the fingerprint with the output of the <c>fpr</c> command. As the key is
278 authentic, I add it to the public keyring. In this particular case, Luis's key
279 will expire in 2003-12-01 so I am asked if I want my signature on his key to
280 expire at the same time.
281 </p>
282
283 <pre caption="Importing and signing keys">
284 $ <i>gpg --import luis.asc</i>
285 gpg: key 462405BB: public key imported
286 gpg: Total number processed: 1
287 gpg: imported: 1
288 $ <i>gpg --list-keys</i>
289 /home/humpback/.gnupg/pubring.gpg
290 ---------------------------------
291 pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
292 sub 2048g/96D6CDAD 2002-12-08
293
294 pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
295 uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
296 sub 4096g/922175B3 2002-12-01 [expires: 2003-12-01]
297
298 $ <i>gpg --edit-key lmpinto@dei.uc.pt</i>
299 gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
300 This program comes with ABSOLUTELY NO WARRANTY.
301 This is free software, and you are welcome to redistribute it
302 under certain conditions. See the file COPYING for details.
303
304
305 gpg: checking the trustdb
306 gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
307 pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
308 sub 4096g/922175B3 created: 2002-12-01 expires: 2003-12-01
309 (1) Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
310 (2). Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
311
312 Command> <i>fpr</i>
313 pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
314 Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB
315
316 Command> <i>sign</i>
317 Really sign all user IDs? <i>y</i>
318
319 pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
320 Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB
321
322 Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
323 Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
324
325 This key is due to expire on 2003-12-01.
326 Do you want your signature to expire at the same time? (Y/n) <i>Y</i>
327 How carefully have you verified the key you are about to sign actually belongs
328 to the person named above? If you don't know what to answer, enter "0".
329
330 (0) I will not answer. (default)
331 (1) I have not checked at all.
332 (2) I have done casual checking.
333 (3) I have done very careful checking.
334
335 Your selection? <i>3</i>
336 Are you really sure that you want to sign this key
337 with your key: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
338
339 I have checked this key very carefully.
340
341 Really sign? <i>y</i>
342
343 You need a passphrase to unlock the secret key for
344 user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
345 1024-bit DSA key, ID 75447B14, created 2002-12-08
346
347 Command> <i>check</i>
348 uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
349 sig!3 462405BB 2002-12-01 [self-signature]
350 sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
351 uid Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
352 sig!3 462405BB 2002-12-01 [self-signature]
353 sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
354 </pre>
355
356 </body>
357 </section>
358 </chapter>
359
360 <chapter>
361 <title>Exchanging keys with keyservers</title>
362 <section>
363 <title>Sending keys to keyservers</title>
364 <body>
365
366 <p>
367 Now that you have your key, it is probably a good idea to send it to the world
368 key server. There are a lot of keyservers in the world and most of them exchange
369 keys between them. Here we are going to send Luis's key to the subkeys.pgp.net
370 server. This uses HTTP, so if you need to use a proxy for HTTP traffic don't
371 forget to set it (<c>export http_proxy=http://proxy_host:port/</c>). The command
372 for sending the key is: <c>gpg --keyserver subkeys.pgp.net --keyserver-options
373 honor-http-proxy --send-key 75447B14</c> where <c>75447B14</c> is the key ID.
374 If you don't need a HTTP proxy you can remove the <e>--keyserver-options
375 honor-http-proxy</e>.
376 </p>
377
378 <p>
379 You can also send other people's keys that you have signed to the keyserver. We
380 could send Luis Pinto's key to the keyserver. This way someone who trusts
381 your key can use the signature that you have placed there to trust Luis' key.
382 </p>
383
384 </body>
385 </section>
386 <section>
387 <title>Getting Keys from keyservers</title>
388 <body>
389
390 <p>
391 Now we are going to search for Gustavo Felisberto's key and add it to the
392 keyring of John Doe (just in case you did not notice Gustavo Felisberto is the
393 author this guide :) ).
394 </p>
395
396 <pre caption="Searching keys from keyservers">
397 $ <i>gpg --keyserver subkeys.pgp.net --keyserver-options honor-http-proxy --search-keys humpback@felisberto.net</i>
398 gpg: searching for "humpback@felisberto.net" from HKP server subkeys.pgp.net
399 Keys 1-5 of 5 for "humpback@felisberto.net"
400 (1)Gustavo Felisberto (apt-get install anarchy) &lt;humpback@felisberto.net&gt; 1024
401 created 2002-12-06, key B9F2D52A
402 (2)Gustavo Felisberto &lt;humpback@altavista.net&gt; 1024
403 created 1999-08-03, key E97E0B46
404 (3)Gustavo A.S.R. Felisberto &lt;humpback@altavista.net&gt; 1024
405 created 1998-12-10, key B59AB043
406 (4)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
407 created 1998-08-26, key 39EB133D
408 (5)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
409 created 1998-06-14, key AE02AF87
410 Enter number(s), N)ext, or Q)uit &gt;<i>1</i>
411 gpg: requesting key B9F2D52A from HKP keyserver subkeys.pgp.net
412 gpg: key B9F2D52A: public key imported
413 gpg: Total number processed: 1
414 gpg: imported: 1
415 </pre>
416
417 <p>
418 As you can see from the server response I have a few keys submitted to the key
419 server, but I currently only use <e>B9F2D52A</e>. Now John Doe can get it and
420 sign it if he trusts it.
421 </p>
422
423 </body>
424 </section>
425 </chapter>
426
427 <chapter id="gpg-agent">
428 <title>Using a GPG Agent</title>
429 <section>
430 <title>What is a GPG Agent?</title>
431 <body>
432
433 <p>
434 There are cases, when working with certain applications, where you use your GPG
435 key very frequently, which means that you have to type your passphrase a lot of
436 times. Several applications used to support a passphrase caching mechanism to
437 make life easier for users, this however disallowed sharing this cache across
438 programs (how secure would that be?) and forced applications to reinvent the
439 wheel over and over again.
440 </p>
441
442 <p>
443 A GPG agent is a separate application that GPG uses to cache the passphrase in
444 a standard and secure way. It allows applications to use GPG concurrently: if
445 you enter your passphrase while working in one application, the other
446 application can work with GPG without reiterating the request for the
447 passphrase to unlock the key - if the GPG agent is configured to allow so, of
448 course.
449 </p>
450
451 <p>
452 Gentoo provides a few GPG agent applications. <c>app-crypt/gpg-agent</c> can be
453 considered the reference one, and will be the one we'll use in this document.
454 </p>
455
456 </body>
457 </section>
458 <section>
459 <title>Installing and Configuring gpg-agent and pinentry</title>
460 <body>
461
462 <p>
463 You should install <c>gpg-agent</c>, obviously, and also <c>pinentry</c>, which
464 is the helper application that gpg-agent uses to request the passphrase in a
465 graphical window. It comes in three flavors: it can popup a window using the
466 gtk+, Qt, or curses library (depending on the USE flag you set when emerging
467 it).
468 </p>
469
470 <pre caption="Installing gpg-agent and pinentry">
471 # <i>emerge gpg-agent pinentry</i>
472 </pre>
473
474 <p>
475 Next, create a file called <path>~/.gnupg/gpg-agent.conf</path> and enter the
476 following lines which define the default timeout of the passphrase (e.g. 30
477 minutes) and the application to be called for when the passphrase should be
478 retrieved the first time (e.g. the Qt version of pinentry).
479 </p>
480
481 <pre caption="Editing ~/.gnupg/gpg-agent.conf">
482 pinentry-program /usr/bin/pinentry-qt
483 no-grab
484 default-cache-ttl 1800
485 </pre>
486
487 <p>
488 Now configure GnuPG to use an agent when appropriate. Edit
489 <path>~/.gnupg/gpg.conf</path> and add the following line:
490 </p>
491
492 <pre caption="Configuring GnuPG to use a GPG Agent">
493 use-agent
494 </pre>
495
496 <p>
497 Now your system is (almost) set to use the GPG agent.
498 </p>
499
500 </body>
501 </section>
502 <section>
503 <title>Automatically Starting the GPG Agent</title>
504 <body>
505
506 <p>
507 If you use KDE as graphical environment, edit
508 <path>/usr/kde/3.x/env/agent-startup.sh</path> (system-wide) or
509 <path>~/.kde/env/gpgagent.sh</path> (local user) and add the following command
510 to it to have KDE automatically starting the GPG agent:
511 </p>
512
513 <pre caption="Make KDE automatically start the GPG agent">
514 eval "$(gpg-agent --daemon)"
515 </pre>
516
517 <p>
518 If you use a different graphical environment, put that line (the same one as
519 mentioned above) in <path>~/.xinitrc</path> (if you use <c>startx</c>) or
520 <path>~/.xsession</path> (if you use XDM/GDM/KDM/...).
521 </p>
522
523 </body>
524 </section>
525 </chapter>
526
527 <chapter>
528 <title>Working with documents</title>
529 <section>
530 <title>Encrypting and signing</title>
531 <body>
532
533 <p>
534 Let's say that you have a file that you wish to send Luis. You can encrypt
535 it, sign it, or encrypt it and sign it. Encrypting means that only Luis will be
536 able to open it. The signature tells Luis that it was really you who created the
537 file.
538 </p>
539
540 <p>
541 The next three commands will do just that, encrypt, sign and encrypt/sign.
542 </p>
543
544 <pre caption="Encrypting and Signing files">
545 $ <i>gpg --output doc.gpg --encrypt --recipient lmpinto@dei.uc.pt doc_to_encrypt</i>
546 $ <i>gpg --output doc.gpg --sign --recipient lmpinto@dei.uc.pt doc_to_sign</i>
547 $ <i>gpg --output doc.gpg --encrypt --sign --recipient lmpinto@dei.uc.pt doc_to_encrypt_and_sign</i>
548 </pre>
549
550 <p>
551 This will create binary files. If you wish to create ASCII files, just add a
552 <c>--clearsign</c> to the beginning of the command.
553 </p>
554
555 </body>
556 </section>
557 <section>
558 <title>Decrypting and verifying signatures</title>
559 <body>
560
561 <p>
562 Suppose that you have received a file which is encrypted to you. The command
563 to decrypt it is <c>gpg --output document --decrypt encrypted_doc.gpg</c>. This
564 will decrypt the document and verify the signature (if there is one).
565 </p>
566
567 </body>
568 </section>
569 <section>
570 <title>Advanced Features</title>
571 <body>
572
573 <p>
574 There are some nice advanced features in GnuPG. To find them, open the
575 <path>~/.gnupg/gpg.conf</path> file.
576 </p>
577
578 <pre caption="~/.gnupg/gpg.conf">
579 #keyserver x-hkp://subkeys.pgp.net
580 #keyserver-options auto-key-retrieve include-disabled include-revoked
581 </pre>
582
583 <p>
584 Search for the above two lines and uncomment them. With this any time GnuPG
585 needs to check a signature and it does not find the public key on the local
586 keyring it will contact the key server at <uri
587 link="http://subkeys.pgp.net:11371/">subkeys.pgp.net</uri> and will try to fetch
588 it from there.
589 </p>
590
591 <p>
592 Another nice command is <c>gpg --refresh-keys</c>. This will contact the
593 keyserver defined in the options file and refresh public keys in your local key
594 ring from there, searching for revoked keys, new id's, new signatures on keys.
595 You should probably run this once or twice a month so that if someone revokes
596 his key you will be notified.
597 </p>
598
599 </body>
600 </section>
601 </chapter>
602
603 <chapter>
604 <title>GnuPG interfaces</title>
605 <section>
606 <title>About email signatures</title>
607 <body>
608
609 <p>
610 95% of the time you will use GnuPG with email, signing/encrypting your outgoing
611 messages and reading signed/encrypted messages. So it is only fair that i talk
612 about that first.
613 </p>
614
615 <p>
616 There are two ways two sign/encrypt a email with GnuPG, the old way and the new
617 way :). In the old way messages would appear in plain text, with no possible
618 formatting and attached files would be unsigned/unencrypted, here is an example
619 of a message signed the old way:
620 </p>
621
622 <pre caption="A plain text signature">
623 -----BEGIN PGP SIGNED MESSAGE-----
624 Hash: SHA1
625
626 Test message
627
628 -----BEGIN PGP SIGNATURE-----
629 Version: PGPfreeware 6.5.8 for non-commercial use
630
631 iQA/AwUBP8461jMX0745gR7AEQIEOwCg011GbufXO3ED3FkLWXmfzg7xm1cAoJD0
632 0EU3Kd2EKNCqataEqM5qjpPs
633 =LchZ
634 -----END PGP SIGNATURE-----
635 </pre>
636
637 <p>
638 Messages this way are no good in todays world, where we have nice GUI's and
639 email readers that understand html.
640 </p>
641
642 <p>
643 To solve this an addition to the MIME (Multipurpose Internet Mail Extensions)
644 was created. This adds a field to the email that tells the mail reader that the
645 full content of the message is signed and/or encrypted. The problem with this
646 is that not all mail readers support this. And some even mess the content,
647 Microsoft's Outlook is famous for not working with this.
648 </p>
649
650 </body>
651 </section>
652 <section>
653 <title>Kgpg</title>
654 <body>
655
656 <p>
657 Kgpg is a nice GUI for GnuPG. In the main screen you can paste the text that
658 you wish to sign or encrypt, and you can also paste the ASCII armored text that
659 you which to decrypt.
660 </p>
661
662 <figure link="/images/kgpg1.png" short="kgpg main window"/>
663
664 <p>
665 In this image you can see the Kgpg main window with ASCII armored and encrypted
666 text pasted into it. From here you can decrypt it (you will have to provide your
667 password), encrypt other files, paste new text to sign....
668 </p>
669
670 <figure link="/images/kgpg2.png" short="kgpg key manage window"/>
671
672 <p>
673 Now you can see the key managing window. From here we see our good key for John
674 Doe. The two trusted keys for Gustavo and Luis, and the untrusted key for Daniel
675 Robbins ( I still have not given him a call to check his fingerprint :) ).
676 </p>
677
678 </body>
679 </section>
680 <section>
681 <title>Seahorse</title>
682 <body>
683
684 <p>
685 Seahorse aims to be a GnuPG GUI interface for the Gnome desktop. The software
686 has been evolving fast, but it still lacks many important features that can be
687 found in Kgpg or the command line version.
688 </p>
689
690 </body>
691 </section>
692 <section>
693 <title>Mozilla Enigmail</title>
694 <body>
695
696 <p>
697 Mozilla's version from 1.0 or above comes with Enigmail, a plug-in for the
698 email client that is pretty simple to configure. You just go to Preferences
699 -&gt; Privacy &amp; Security -&gt; Enigmail. There you enter your key email and
700 thats it.
701 </p>
702
703 <p>
704 Mails that come with an untrusted pgp or gpg signature will be marked with a
705 broken pen. Others that have good signatures will appear with a nice straight
706 pen. Enigmail even comes with the ability to get keys from keyservers, but if it
707 has problems it will print some very weird messages (but you still remember how
708 to use the command line, right?).
709 </p>
710
711 </body>
712 </section>
713 <section>
714 <title>KMail</title>
715 <body>
716
717 <p>
718 If you have the <c>crypt</c> USE flag set, KMail will be compiled with gpg
719 support, and will be able to encrypt and decrypt inline PGP mails automatically
720 as well as encrypting OpenPGP/MIME mails. If you want to decrypt OpenPGP/MIME
721 mails as well (which you probably want) you need to have a running GPG agent
722 (see <uri link="#gpg-agent">Using a GPG Agent</uri>).
723 </p>
724
725 <p>
726 You can verify if KMail is properly configured by going to <c>Settings</c>,
727 <c>Configure KMail</c>, <c>Security</c>, <c>Crypto Backends</c>. You should see
728 a GpgME-based backend listed and you should be able to fill the OpenPGP
729 checkbox. If it is listed but grayed out, click on <c>Rescan</c>. If the
730 GpgME-based backend remains grayed out, KMail is not working properly.
731 </p>
732
733 </body>
734 </section>
735 <section>
736 <title>Sylpheed-Claws</title>
737 <body>
738
739 <p>
740 This is my email reader of choice. It is <e>very</e> fast with big mailboxes,
741 has all the nice features one wants in mail readers and works pretty well with
742 gpg. The only problem is that it does not work with the old PGP signatures, so
743 when you receive those kind of mails you have to hand check the signatures.
744 </p>
745
746 <p>
747 To use your gpg key with Sylpheed-Claws just go to the acount configuration and
748 select the privacy tab. Once there just choose which key to use, probably most
749 users will go with the default key.
750 </p>
751
752 </body>
753 </section>
754 </chapter>
755
756 <chapter>
757 <title>Public Key Cryptography</title>
758 <section>
759 <title>Basic Public Key Cryptography</title>
760 <body>
761
762 <p>
763 The concept of public key cryptography was originally devised by Whitfield
764 Diffie and Martin Hellman in 1976. When I first heard the words "public key" and
765 "cryptography" in the same sentence back in '93 I tought to myself that it would
766 be impossible to do such a thing. In those days there was no Internet (well
767 there was, but not for me) so I went to the public library and asked for books
768 on Cryptography. I must say that I was 16 at the time so the clerk there looked
769 to me in astonishment and brought me a book for children on substitution cyphers
770 (those where you change a letter for another like the famous Caesar Cypher or
771 ROT-13 (Tragbb Ebpxf, naq lbh xabj vg vf tbbq orpnhfr lbh ner ernqvat guvf
772 qbp.), (emerge rotix if you cannot read the preceding text)). I was very upset
773 with this and started to search for more info. It is good to have mathematicians
774 in the family, because as soon as I talked to one of them I was introduced to a
775 new world.
776 </p>
777
778 <p>
779 And now a bit of mathematics:
780 </p>
781
782 <pre caption="Mathematical Concepts">
783 Definitions:
784
785 1- A prime number is a positive integer number that is only divisible by 1 and
786 itself (the reminder of the division is 0).
787 The first 8 prime numbers are 1,2,3,5,7,11,13,17
788
789 Theorem (No proof here)
790 1- For any non prime positive integer it is possible to break it as the product
791 of prime numbers, and that product is unique.
792 4=2*2
793 6=2*3
794 8=2*4=2*2*2
795 10=2*5
796 12=2*6=2*2*3
797
798 "Facts":
799 1- It is mathematically easy to multiply two large integers
800 2- It is hard to find the prime factors of a given positive integer.
801 </pre>
802
803 <p>
804 If I give you the number 35 and I tell you that this number is the product of
805 two prime numbers it is easy to find that it was 5 and 7. But if I tell you the
806 same for 1588522601 you will spend alot of time (or CPU cycles) to find it was
807 49811*31891. And if this number is really really big this task becomes
808 "impossible". So now if I give the world my large number that is the product of
809 two primes I know something about that number that no one else knows.
810 </p>
811
812 <p>
813 This is the basis for Public Key Cryptography (PKC) implementations today. As an
814 (unrealistic) example, I give anyone my number and that someone will use if for
815 cyphering a message to me. Anyone can see the cyphered message, because I am
816 the only one who knows a shortcut to read it, anyone else will first have to
817 "split" that big number to be able to read the message, and it is a "fact"
818 that it is impossible to do that in a short amount of time (todays methods and
819 the fastest computers in the world would take thousands of years to do that).
820 In this setup the two large prime numbers would be called the PRIVATE KEY, and
821 the large non prime number is the PUBLIC KEY.
822 </p>
823
824 <p>
825 In practice this is not 100% accurate with reality, but will give a good idea to
826 the newcomer. For more information check hack.gr on the <uri
827 link="http://www.hack.gr/users/dij/crypto/overview/diffie.html">Diffie-Hellman</uri>
828 protocol. For even more info go to the public library and grab a copy of the
829 <uri link="http://www.cacr.math.uwaterloo.ca/hac/">"Handbook of Applied
830 Cryptography"</uri> by Alfred J. Menezes, Paul C. van Oorschot and Scott A.
831 Vanstone, also this book is available online for free at the above site.
832 </p>
833
834 <p>
835 One consequence of the above is that if you cypher a message to me, and you
836 loose the original uncypherd message you will no longer be able to retrieve it
837 from the cyphered version.
838 </p>
839
840 </body>
841 </section>
842 <section>
843 <title>Signatures</title>
844 <body>
845
846 <p>
847 We already saw how someone can send us a cyphered message if they have our
848 public key. But how do we know that the author of the message is really who he
849 claims to be? Or in other words: If I receive an email from you how do I really
850 know it was you and not someone else claiming to be you?
851 </p>
852
853 <p>
854 Remember me saying that PKC was not as simple as I had said? The idea is that
855 when you cypher a message to me you sign it with your private key so that, when
856 I receive it, I can first use your public key to check your signature and then
857 use my private key to decypher the message. As you can see we could not do
858 that in the setup i described before.
859 </p>
860
861 <p>
862 Also very important, to sign messages you don't have to cypher them before. So
863 like that you can create messages that can be read by anyone, but that come with
864 your "branding". And if any single character is changed in the message it can
865 (and will) be detected.
866 </p>
867
868 </body>
869 </section>
870 <section>
871 <title>Key Servers and Signed Keys</title>
872 <body>
873
874 <p>
875 But lets say that I have no previous contact with you until you send me a
876 message, how do I get your public key, and how do I really know it is yours?
877 </p>
878
879 <p>
880 To solve this problem public Key Servers were created. When you create your key
881 pair (Public and Private key) you send your public key to the key server. After
882 this everyone can retrieve your key from there. This solves the problem of
883 finding the key. But how do I really know that that key is the author's key? For
884 this another concept must be introduced, and that is key signing:
885 </p>
886
887 <p>
888 Key signing means that, if I have the public key of another person, and I know
889 <e>for sure</e> that it is really that persons key (it is my personal friend,
890 someone I know in real life, etc.) I can sign that public key and send it to
891 keyservers, that way I am telling the world: "This key really belongs to the
892 person it claims to belong.". That way persons that have my public key and
893 trust me can use that trust to trust other keys.
894 </p>
895
896 <p>
897 This can sometimes be confusing so lets see a real world situation
898 </p>
899
900 <p>
901 Let's imagine a 3 person situation: John, Mary, and Lisa. John is a good
902 friend of Mary but does not know Lisa; Lisa is a good friend of Mary but
903 does not know John. One day Lisa sends John a signed email. John will fetch
904 Lisa's Public Key from the keyserver and test the message, if all went ok he
905 will see that whoever wrote that message also created that key. But how do I
906 know it was really the person it claims to be?
907 </p>
908
909 <p>
910 He then see's that it is signed by Mary, which he can check because he already
911 has Mary's key and he trusts that key. With this ring of trust he continues to
912 conclude that the email he received was really written by Lisa.
913 </p>
914
915 <p>
916 You are now ready to use this guide, you can go back to chapter 1 and learn how
917 to use gpg.
918 </p>
919
920 </body>
921 </section>
922 </chapter>
923
924 <chapter>
925 <title>Final thoughts and Credits</title>
926 <section>
927 <title>Some problems</title>
928 <body>
929
930 <p>
931 I had some problems with photos in keys. Check the version you are using. If
932 you have GnuPG 1.2.1-r1 and up you are probably OK, older versions may have
933 problems. Also most keyservers don't like keys with photos, so you are better
934 if you dont add photos.
935 </p>
936
937 <p>
938 The latest versions of gnupg don't seem to work with the <c>gpg
939 --send-keys</c> that was used so send all keys in your keyring to the public
940 server.
941 </p>
942
943 </body>
944 </section>
945 <section>
946 <title>What is not here</title>
947 <body>
948
949 <p>
950 <c>gpg</c> is a very complex tool, it lets you do much more than what I have
951 covered here. This document is for the user who is new to GnuPG. For more
952 information, you should check the <uri link="http://www.gnupg.org">GnuPG
953 Website</uri>.
954 </p>
955
956 <p>
957 I did not write about other tools like <c>pgp4pine</c>, <c>gpgpine</c>,
958 <c>evolution</c> and maybe Windows tools, but I will probably extend this
959 document in the future.
960 </p>
961
962 </body>
963 </section>
964 <section>
965 <title>Credits</title>
966 <body>
967
968 <p>
969 John Michael Ashley's <uri link="http://www.gnupg.org">GnuPG Handbook</uri>
970 it is a very good book for beginners.
971 </p>
972
973 <p>
974 Swift (Sven Vermeulen) for pushing me to re-write this.
975 </p>
976
977 <p>
978 Everyone in the #gentoo-doc team you guys rock.
979 </p>
980
981 <p>
982 Tiago Serra for getting me back to the privacy track.
983 </p>
984
985 </body>
986 </section>
987 </chapter>
988 </guide>

  ViewVC Help
Powered by ViewVC 1.1.20