Contents of /xml/htdocs/doc/en/gnupg-user.xml

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.41 - (show annotations) (download) (as text)
Tue Feb 20 22:07:04 2007 UTC (11 years, 3 months ago) by nightmorph
Branch: MAIN
Changes since 1.40: +13 -10 lines
File MIME type: application/xml
removed references to mozilla in current docs due to its masking for removal

1 <?xml version='1.0' encoding="UTF-8"?>
2 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/gnupg-user.xml,v 1.40 2006/11/29 15:48:57 nightmorph Exp $ -->
6 <guide link = "/doc/en/gnupg-user.xml">
7 <title>GnuPG Gentoo user guide</title>
8 <author title="Author">
9 <mail link="humpback@gentoo.org">Gustavo Felisberto</mail>
10 </author>
11 <author title="Editor">
12 <mail link="zhen@gentoo.org">John P. Davis</mail>
13 </author>
14 <author title="Editor">
15 <mail link="swift@gentoo.org">Sven Vermeulen</mail>
16 </author>
18 <abstract>
19 This small guide will teach you the basics of using GnuPG, a tool for secure
20 communication.
21 </abstract>
23 <!-- The content of this document is licensed under the CC-BY-SA license -->
24 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
25 <license/>
27 <version>1.8</version>
28 <date>2007-02-20</date>
30 <chapter>
31 <title>Introduction</title>
32 <section>
33 <title>What you will get in this guide</title>
34 <body>
36 <p>
37 This guide assumes that you are familiar with public-key cryptography,
38 encryption, and digital signatures. If this is not the case jump to <uri
39 link="#doc_chap6">Public Key Cryptography</uri> or take a look at the
40 <uri link="http://www.gnupg.org/(en)/documentation/guides.html">GnuPG
41 handbook</uri>, chapter 2, and then come back.
42 </p>
44 <p>
45 This guide will teach you how to install GnuPG, how to create your key pair, how
46 to add keys to your keyring, how to submit your public key to a key server and
47 how to sign, encrypt, verify or decode messages you send or receive. You will
48 also learn how to encrypt files on your local computer to prevent people from
49 reading their contents.
50 </p>
52 </body>
53 </section>
54 <section>
55 <title>Installation of required software</title>
56 <body>
58 <p>
59 At a very basic level you need to <c>emerge gnupg</c>. Many aplications today
60 have some sort of support for gpg, so having <e>crypt</e> in your USE variable
61 is probably a good idea. If you wish to have an email client capable of using
62 gnupg you can use pine (<c>emerge pinepgp</c>), mutt (<c>emerge mutt</c>),
63 Mozilla Thunderbird (<c>emerge mozilla-thunderbird</c>), evolution (evolution is
64 a GNOME Microsoft Outlook work alike) and KDE's own KMail (KMail is part of the
65 kdepim package).
66 </p>
68 <p>
69 <c>Kgpg</c> might interest you if you use KDE. This small program allows you to
70 generate key pairs, import keys from ASCII files, sign imported keys, export
71 keys and a few more features.
72 </p>
74 </body>
75 </section>
76 </chapter>
78 <chapter>
79 <title>Generating your key and adding keys to your public keyring</title>
80 <section>
81 <title>Creating your key</title>
82 <body>
84 <p>
85 To create your key, just run <c>gpg --gen-key</c>. The first time you run it,
86 it will create some directories; run it again to create the keys:
87 </p>
89 <pre caption="key generation process" >
90 $ <i>gpg --gen-key</i>
91 gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
92 This program comes with ABSOLUTELY NO WARRANTY.
93 This is free software, and you are welcome to redistribute it
94 under certain conditions. See the file COPYING for details.
96 Please select what kind of key you want:
97 (1) DSA and ElGamal (default)
98 (2) DSA (sign only)
99 (4) ElGamal (sign and encrypt)
100 (5) RSA (sign only)
101 Your selection? <i>1</i>
102 </pre>
104 <p>
105 Here you can choose the type of key you want to use. Most users will go for the
106 default DSA and ElGamal. Next is the key size - remember that bigger is better
107 but don't use a size larger than 2048 with DSA/ElGamal keys. Generally 1024 is
108 more than enough for normal email.
109 </p>
111 <p>
112 After size comes the expiration date. Here smaller is better, but most users can
113 go for a key that never expires or to something like 2 or 3 years.
114 </p>
116 <pre caption="Choosing key size" >
117 DSA keypair will have 1024 bits.
118 About to generate a new ELG-E keypair.
119 minimum keysize is 768 bits
120 default keysize is 1024 bits
121 highest suggested keysize is 2048 bits
122 What keysize do you want? (1024) <i>2048</i>
123 Requested keysize is 2048 bits
124 Please specify how long the key should be valid.
125 0 = key does not expire
126 &lt;n&gt;= key expires in n days
127 &lt;n&gt;w = key expires in n weeks
128 &lt;n&gt;m = key expires in n months
129 &lt;n&gt;y = key expires in n years
130 Key is valid for? (0) <i>0</i>
131 Key does not expire at all
132 </pre>
134 <p>
135 Now it is time to enter some personal information about yourself. If you are
136 going to send your public key to other people you have to use your real email
137 address here.
138 </p>
140 <pre caption="Entering user information" >
141 Is this correct (y/n)? <i>y</i>
143 You need a User-ID to identify your key; the software constructs the user id
144 from Real Name, Comment and Email Address in this form:
145 "Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;"
147 Real name: <i>John Doe</i>
148 Email address: <i>john@nowhere.someplace.flick</i>
149 Comment: <i>The Real John Doe</i>
150 You selected this USER-ID:
151 "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
153 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <i>O</i>
154 You need a Passphrase to protect your secret key.
156 Enter passphrase:
157 </pre>
159 <p>
160 Now enter your key passphrase twice. It is a good idea to use a strong password.
161 If someone ever gets hold of your private key and cracks your password, they
162 will be able to send messages signed by "you" making everyone believe the mails
163 were sent by you.
164 </p>
166 <p>
167 Then, GnuPG will generate your key. Moving the mouse or having a mp3 playing in
168 the background will help speed up the process because it generates random data.
169 </p>
171 </body>
172 </section>
173 <section>
174 <title>Generating a revocation certificate</title>
175 <body>
177 <impo>
178 This part is very important and you must do it <e>NOW</e>.
179 </impo>
181 <p>
182 After creating your keys you should create a revocation certificate. Doing this
183 allows you to revoke your key in case something nasty happens to your key
184 (someone gets hold of your key/passphrase).
185 </p>
187 <pre caption="Generating revoke certificate">
188 $ <i>gpg --list-keys</i>
189 /home/humpback/.gnupg/pubring.gpg
190 ---------------------------------
191 pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
192 sub 2048g/96D6CDAD 2002-12-08
194 $ <i>gpg --output revoke.asc --gen-revoke 75447B14</i>
196 sec 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
198 Create a revocation certificate for this key? <i>y</i>
199 Please select the reason for the revocation:
200 0 = No reason specified
201 1 = Key has been compromised
202 2 = Key is superseded
203 3 = Key is no longer used
204 Q = Cancel
205 (Probably you want to select 1 here)
206 Your decision? <i>1</i>
207 Enter an optional description; end it with an empty line:
208 &gt; <i>Someone cracked me and got my key and passphrase</i>
209 &gt;
210 Reason for revocation: Key has been compromised
211 Someone cracked me and got my key and passphrase
212 Is this okay? <i>y</i>
214 You need a passphrase to unlock the secret key for
215 user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
216 1024-bit DSA key, ID 75447B14, created 2002-12-08
218 ASCII armored output forced.
219 Revocation certificate created.
221 Please move it to a medium which you can hide away; if Mallory gets
222 access to this certificate he can use it to make your key unusable.
223 It is smart to print this certificate and store it away, just in case
224 your media become unreadable. But have some caution: The print system of
225 your machine might store the data and make it available to others!
226 </pre>
228 <p>
229 The <c>gpg --list-keys</c> command lists keys in your public keyring. You may
230 use it to see the ID of your key so that you can create the revocation
231 certificate. Now it is a good idea to copy all the .gnupg directory and the
232 revocation certificate (in ASCII armor - <path>revoke.asc</path>) to some
233 secure medium (two floppy's or a CD-R you store in safe location). Remember
234 that <path>revoke.asc</path> can be used to revoke your keys and make them
235 unusable in the future.
236 </p>
238 <note>
239 If you have several email addresses that you would like to use with this
240 key, you can run <c>gpg --edit-key YOUR_ID</c> and then use the <c>adduid</c>
241 command. It will ask you for the name, email and comment of the second ID you
242 will be using.
243 </note>
245 </body>
246 </section>
247 <section>
248 <title>Exporting keys</title>
249 <body>
251 <p>
252 To export your key, you type <c>gpg --armor --output john.asc --export
253 john@nowhere.someplace.flick</c>. You can almost always use the key ID or
254 something that identifies the key (here we used an email address). John now has
255 a <path>john.asc</path> that he can send his friends, or place on his web page
256 so that people can communicate safely with him.
257 </p>
259 </body>
260 </section>
261 <section>
262 <title>Importing keys</title>
263 <body>
265 <p>
266 To add files to your public keyring, you must first import it, then check the
267 key fingerprint. After you have verified the fingerprint you should validate it.
268 </p>
270 <note>
271 You should be careful when verifying keys. This is one of the weak points of
272 public key cryptography.
273 </note>
275 <p>
276 Now we will be adding Luis Pinto's (a friend of mine) public key to our public
277 keyring. After giving him a call and asking him for his key fingerprint, I
278 compare the fingerprint with the output of the <c>fpr</c> command. As the key is
279 authentic, I add it to the public keyring. In this particular case, Luis's key
280 will expire in 2003-12-01 so I am asked if I want my signature on his key to
281 expire at the same time.
282 </p>
284 <pre caption="Importing and signing keys">
285 $ <i>gpg --import luis.asc</i>
286 gpg: key 462405BB: public key imported
287 gpg: Total number processed: 1
288 gpg: imported: 1
289 $ <i>gpg --list-keys</i>
290 /home/humpback/.gnupg/pubring.gpg
291 ---------------------------------
292 pub 1024D/75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;
293 sub 2048g/96D6CDAD 2002-12-08
295 pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
296 uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
297 sub 4096g/922175B3 2002-12-01 [expires: 2003-12-01]
299 $ <i>gpg --edit-key lmpinto@dei.uc.pt</i>
300 gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
301 This program comes with ABSOLUTELY NO WARRANTY.
302 This is free software, and you are welcome to redistribute it
303 under certain conditions. See the file COPYING for details.
306 gpg: checking the trustdb
307 gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
308 pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
309 sub 4096g/922175B3 created: 2002-12-01 expires: 2003-12-01
310 (1) Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
311 (2). Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
313 Command> <i>fpr</i>
314 pub 1024D/462405BB 2002-12-01 Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
315 Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB
317 Command> <i>sign</i>
318 Really sign all user IDs? <i>y</i>
320 pub 1024D/462405BB created: 2002-12-01 expires: 2003-12-01 trust: -/-
321 Fingerprint: F056 3697 ADE3 CF98 B80B 8494 0AD3 E57B 4624 05BB
323 Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
324 Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
326 This key is due to expire on 2003-12-01.
327 Do you want your signature to expire at the same time? (Y/n) <i>Y</i>
328 How carefully have you verified the key you are about to sign actually belongs
329 to the person named above? If you don't know what to answer, enter "0".
331 (0) I will not answer. (default)
332 (1) I have not checked at all.
333 (2) I have done casual checking.
334 (3) I have done very careful checking.
336 Your selection? <i>3</i>
337 Are you really sure that you want to sign this key
338 with your key: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
340 I have checked this key very carefully.
342 Really sign? <i>y</i>
344 You need a passphrase to unlock the secret key for
345 user: "John Doe (The Real John Doe) &lt;john@nowhere.someplace.flick&gt;"
346 1024-bit DSA key, ID 75447B14, created 2002-12-08
348 Command> <i>check</i>
349 uid Luis Pinto &lt;lmpinto@dei.uc.pt&gt;
350 sig!3 462405BB 2002-12-01 [self-signature]
351 sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
352 uid Luis Pinto &lt;lmpinto@student.dei.uc.pt&gt;
353 sig!3 462405BB 2002-12-01 [self-signature]
354 sig!3 75447B14 2002-12-08 John Doe (The Real John Doe) &lt;john@nowhe
355 </pre>
357 </body>
358 </section>
359 </chapter>
361 <chapter>
362 <title>Exchanging keys with keyservers</title>
363 <section>
364 <title>Sending keys to keyservers</title>
365 <body>
367 <p>
368 Now that you have your key, it is probably a good idea to send it to the world
369 key server. There are a lot of keyservers in the world and most of them exchange
370 keys between them. Here we are going to send Luis's key to the subkeys.pgp.net
371 server. This uses HTTP, so if you need to use a proxy for HTTP traffic don't
372 forget to set it (<c>export http_proxy=http://proxy_host:port/</c>). The command
373 for sending the key is: <c>gpg --keyserver subkeys.pgp.net --keyserver-options
374 honor-http-proxy --send-key 75447B14</c> where <c>75447B14</c> is the key ID.
375 If you don't need a HTTP proxy you can remove the <e>--keyserver-options
376 honor-http-proxy</e>.
377 </p>
379 <p>
380 You can also send other people's keys that you have signed to the keyserver. We
381 could send Luis Pinto's key to the keyserver. This way someone who trusts
382 your key can use the signature that you have placed there to trust Luis' key.
383 </p>
385 </body>
386 </section>
387 <section>
388 <title>Getting Keys from keyservers</title>
389 <body>
391 <p>
392 Now we are going to search for Gustavo Felisberto's key and add it to the
393 keyring of John Doe (just in case you did not notice Gustavo Felisberto is the
394 author this guide :) ).
395 </p>
397 <pre caption="Searching keys from keyservers">
398 $ <i>gpg --keyserver subkeys.pgp.net --keyserver-options honor-http-proxy --search-keys humpback@felisberto.net</i>
399 gpg: searching for "humpback@felisberto.net" from HKP server subkeys.pgp.net
400 Keys 1-5 of 5 for "humpback@felisberto.net"
401 (1)Gustavo Felisberto (apt-get install anarchy) &lt;humpback@felisberto.net&gt; 1024
402 created 2002-12-06, key B9F2D52A
403 (2)Gustavo Felisberto &lt;humpback@altavista.net&gt; 1024
404 created 1999-08-03, key E97E0B46
405 (3)Gustavo A.S.R. Felisberto &lt;humpback@altavista.net&gt; 1024
406 created 1998-12-10, key B59AB043
407 (4)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
408 created 1998-08-26, key 39EB133D
409 (5)Gustavo Adolfo Silva Ribeiro Felisberto &lt;humpback@altavista.net&gt; 1024
410 created 1998-06-14, key AE02AF87
411 Enter number(s), N)ext, or Q)uit &gt;<i>1</i>
412 gpg: requesting key B9F2D52A from HKP keyserver subkeys.pgp.net
413 gpg: key B9F2D52A: public key imported
414 gpg: Total number processed: 1
415 gpg: imported: 1
416 </pre>
418 <p>
419 As you can see from the server response I have a few keys submitted to the key
420 server, but I currently only use <e>B9F2D52A</e>. Now John Doe can get it and
421 sign it if he trusts it.
422 </p>
424 </body>
425 </section>
426 </chapter>
428 <chapter id="gpg-agent">
429 <title>Using a GPG Agent</title>
430 <section>
431 <title>What is a GPG Agent?</title>
432 <body>
434 <p>
435 There are cases, when working with certain applications, where you use your GPG
436 key very frequently, which means that you have to type your passphrase a lot of
437 times. Several applications used to support a passphrase caching mechanism to
438 make life easier for users, this however disallowed sharing this cache across
439 programs (how secure would that be?) and forced applications to reinvent the
440 wheel over and over again.
441 </p>
443 <p>
444 A GPG agent is a separate application that GPG uses to cache the passphrase in
445 a standard and secure way. It allows applications to use GPG concurrently: if
446 you enter your passphrase while working in one application, the other
447 application can work with GPG without reiterating the request for the
448 passphrase to unlock the key - if the GPG agent is configured to allow so, of
449 course.
450 </p>
452 <p>
453 Gentoo provides a few GPG agent applications. The <c>app-crypt/gnupg-1.9.*</c>
454 package contains what could be considered the reference one, and will be the
455 one we'll use in this document.
456 </p>
458 </body>
459 </section>
460 <section>
461 <title>Installing and Configuring gpg-agent and pinentry</title>
462 <body>
464 <p>
465 You should install <c>gnupg-1.9.*</c>, which includes <c>gpg-agent</c>, and
466 <c>pinentry</c>. <c>pinentry</c> is the helper application that gpg-agent uses
467 to request the passphrase in a graphical window. It comes in three flavors: it
468 can popup a window using the gtk+, Qt, or curses library (depending on the USE
469 flag you set when emerging it).
470 </p>
472 <pre caption="Installing gpg-agent and pinentry">
473 # <i>emerge \>=gnupg-1.9.20 pinentry</i>
474 </pre>
476 <p>
477 Next, create a file called <path>~/.gnupg/gpg-agent.conf</path> and enter the
478 following lines which define the default timeout of the passphrase (e.g. 30
479 minutes) and the application to be called for when the passphrase should be
480 retrieved the first time (e.g. the Qt version of pinentry).
481 </p>
483 <pre caption="Editing ~/.gnupg/gpg-agent.conf">
484 pinentry-program /usr/bin/pinentry-qt
485 no-grab
486 default-cache-ttl 1800
487 </pre>
489 <p>
490 Now configure GnuPG to use an agent when appropriate. Edit
491 <path>~/.gnupg/gpg.conf</path> and add the following line:
492 </p>
494 <pre caption="Configuring GnuPG to use a GPG Agent">
495 use-agent
496 </pre>
498 <p>
499 Now your system is (almost) set to use the GPG agent.
500 </p>
502 </body>
503 </section>
504 <section>
505 <title>Automatically Starting the GPG Agent</title>
506 <body>
508 <p>
509 If you use KDE as graphical environment, edit
510 <path>/usr/kde/3.x/env/agent-startup.sh</path> (system-wide) or
511 <path>~/.kde/env/gpgagent.sh</path> (local user) and add the following command
512 to it to have KDE automatically starting the GPG agent:
513 </p>
515 <pre caption="Make KDE automatically start the GPG agent">
516 eval "$(gpg-agent --daemon)"
517 </pre>
519 <p>
520 If you use a different graphical environment, put that line (the same one as
521 mentioned above) in <path>~/.xinitrc</path> (if you use <c>startx</c>) or
522 <path>~/.xsession</path> (if you use XDM/GDM/KDM/...).
523 </p>
525 </body>
526 </section>
527 </chapter>
529 <chapter>
530 <title>Working with documents</title>
531 <section>
532 <title>Encrypting and signing</title>
533 <body>
535 <p>
536 Let's say that you have a file that you wish to send Luis. You can encrypt
537 it, sign it, or encrypt it and sign it. Encrypting means that only Luis will be
538 able to open it. The signature tells Luis that it was really you who created the
539 file.
540 </p>
542 <p>
543 The next three commands will do just that, encrypt, sign and encrypt/sign.
544 </p>
546 <pre caption="Encrypting and Signing files">
547 $ <i>gpg --output doc.gpg --encrypt --recipient lmpinto@dei.uc.pt doc_to_encrypt</i>
548 $ <i>gpg --output doc.gpg --sign --recipient lmpinto@dei.uc.pt doc_to_sign</i>
549 $ <i>gpg --output doc.gpg --encrypt --sign --recipient lmpinto@dei.uc.pt doc_to_encrypt_and_sign</i>
550 </pre>
552 <p>
553 This will create binary files. If you wish to create ASCII files, just add a
554 <c>--clearsign</c> to the beginning of the command.
555 </p>
557 </body>
558 </section>
559 <section>
560 <title>Decrypting and verifying signatures</title>
561 <body>
563 <p>
564 Suppose that you have received a file which is encrypted to you. The command
565 to decrypt it is <c>gpg --output document --decrypt encrypted_doc.gpg</c>. This
566 will decrypt the document and verify the signature (if there is one).
567 </p>
569 </body>
570 </section>
571 <section>
572 <title>Advanced Features</title>
573 <body>
575 <p>
576 There are some nice advanced features in GnuPG. To find them, open the
577 <path>~/.gnupg/gpg.conf</path> file.
578 </p>
580 <pre caption="~/.gnupg/gpg.conf">
581 #keyserver x-hkp://subkeys.pgp.net
582 #keyserver-options auto-key-retrieve include-disabled include-revoked
583 </pre>
585 <p>
586 Search for the above two lines and uncomment them. With this any time GnuPG
587 needs to check a signature and it does not find the public key on the local
588 keyring it will contact the key server at <uri
589 link="http://subkeys.pgp.net:11371/">subkeys.pgp.net</uri> and will try to fetch
590 it from there.
591 </p>
593 <p>
594 Another nice command is <c>gpg --refresh-keys</c>. This will contact the
595 keyserver defined in the options file and refresh public keys in your local key
596 ring from there, searching for revoked keys, new id's, new signatures on keys.
597 You should probably run this once or twice a month so that if someone revokes
598 his key you will be notified.
599 </p>
601 </body>
602 </section>
603 </chapter>
605 <chapter>
606 <title>GnuPG interfaces</title>
607 <section>
608 <title>About email signatures</title>
609 <body>
611 <p>
612 95% of the time you will use GnuPG with email, signing/encrypting your outgoing
613 messages and reading signed/encrypted messages. So it is only fair that i talk
614 about that first.
615 </p>
617 <p>
618 There are two ways two sign/encrypt a email with GnuPG, the old way and the new
619 way :). In the old way messages would appear in plain text, with no possible
620 formatting and attached files would be unsigned/unencrypted, here is an example
621 of a message signed the old way:
622 </p>
624 <pre caption="A plain text signature">
626 Hash: SHA1
628 Test message
631 Version: PGPfreeware 6.5.8 for non-commercial use
633 iQA/AwUBP8461jMX0745gR7AEQIEOwCg011GbufXO3ED3FkLWXmfzg7xm1cAoJD0
634 0EU3Kd2EKNCqataEqM5qjpPs
635 =LchZ
636 -----END PGP SIGNATURE-----
637 </pre>
639 <p>
640 Messages this way are no good in todays world, where we have nice GUI's and
641 email readers that understand html.
642 </p>
644 <p>
645 To solve this an addition to the MIME (Multipurpose Internet Mail Extensions)
646 was created. This adds a field to the email that tells the mail reader that the
647 full content of the message is signed and/or encrypted. The problem with this
648 is that not all mail readers support this. And some even mess the content,
649 Microsoft's Outlook is famous for not working with this.
650 </p>
652 </body>
653 </section>
654 <section>
655 <title>Kgpg</title>
656 <body>
658 <p>
659 Kgpg is a nice GUI for GnuPG. In the main screen you can paste the text that
660 you wish to sign or encrypt, and you can also paste the ASCII armored text that
661 you which to decrypt.
662 </p>
664 <figure link="/images/kgpg1.png" short="kgpg main window"/>
666 <p>
667 In this image you can see the Kgpg main window with ASCII armored and encrypted
668 text pasted into it. From here you can decrypt it (you will have to provide your
669 password), encrypt other files, paste new text to sign....
670 </p>
672 <figure link="/images/kgpg2.png" short="kgpg key manage window"/>
674 <p>
675 Now you can see the key managing window. From here we see our good key for John
676 Doe. The two trusted keys for Gustavo and Luis, and the untrusted key for Daniel
677 Robbins ( I still have not given him a call to check his fingerprint :) ).
678 </p>
680 </body>
681 </section>
682 <section>
683 <title>Seahorse</title>
684 <body>
686 <p>
687 Seahorse aims to be a GnuPG GUI interface for the Gnome desktop. The software
688 has been evolving fast, but it still lacks many important features that can be
689 found in Kgpg or the command line version.
690 </p>
692 </body>
693 </section>
694 <section>
695 <title>Enigmail</title>
696 <body>
698 <p>
699 Enigmail is a plug-in for Mozilla-based email clients (such as Thunderbird and
700 Seamonkey) that is pretty simple to configure. In Seamonkey, you just go to
701 Preferences -> Privacy &amp; Security -> Enigmail. There you enter your key
702 email and that's it. You must first <c>emerge enigmail</c> to use it with
703 Thunderbird. Then you can configure it by going to Edit -> Account Settings ->
704 OpenPGP Security.
705 </p>
707 <p>
708 Mails that come with an untrusted pgp or gpg signature will be marked with a
709 broken pen. Others that have good signatures will appear with a nice straight
710 pen. Enigmail even comes with the ability to get keys from keyservers, but if it
711 has problems it will print some very weird messages (but you still remember how
712 to use the command line, right?).
713 </p>
715 </body>
716 </section>
717 <section>
718 <title>KMail</title>
719 <body>
721 <p>
722 If you have the <c>crypt</c> USE flag set, KMail will be compiled with gpg
723 support, and will be able to encrypt and decrypt inline PGP mails automatically
724 as well as encrypting OpenPGP/MIME mails. If you want to decrypt OpenPGP/MIME
725 mails as well (which you probably want) you need to have a running GPG agent
726 (see <uri link="#gpg-agent">Using a GPG Agent</uri>).
727 </p>
729 <p>
730 You can verify if KMail is properly configured by going to <c>Settings</c>,
731 <c>Configure KMail</c>, <c>Security</c>, <c>Crypto Backends</c>. You should see
732 a GpgME-based backend listed and you should be able to fill the OpenPGP
733 checkbox. If it is listed but grayed out, click on <c>Rescan</c>. If the
734 GpgME-based backend remains grayed out, KMail is not working properly.
735 </p>
737 <p>
738 If you still are unable to get KMail to behave, please see the
739 <uri link="http://kmail.kde.org/kmail-pgpmime-howto.html">KMail PGP HowTo</uri>
740 page for more information.
741 </p>
743 </body>
744 </section>
745 <section>
746 <title>Sylpheed-Claws</title>
747 <body>
749 <p>
750 This is my email reader of choice. It is <e>very</e> fast with big mailboxes,
751 has all the nice features one wants in mail readers and works pretty well with
752 gpg. The only problem is that it does not work with the old PGP signatures, so
753 when you receive those kind of mails you have to hand check the signatures.
754 </p>
756 <p>
757 To use your gpg key with Sylpheed-Claws just go to the acount configuration and
758 select the privacy tab. Once there just choose which key to use, probably most
759 users will go with the default key.
760 </p>
762 </body>
763 </section>
764 </chapter>
766 <chapter>
767 <title>Public Key Cryptography</title>
768 <section>
769 <title>Basic Public Key Cryptography</title>
770 <body>
772 <p>
773 The concept of public key cryptography was originally devised by Whitfield
774 Diffie and Martin Hellman in 1976. When I first heard the words "public key" and
775 "cryptography" in the same sentence back in '93 I tought to myself that it would
776 be impossible to do such a thing. In those days there was no Internet (well
777 there was, but not for me) so I went to the public library and asked for books
778 on Cryptography. I must say that I was 16 at the time so the clerk there looked
779 to me in astonishment and brought me a book for children on substitution cyphers
780 (those where you change a letter for another like the famous Caesar Cypher or
781 ROT-13 (Tragbb Ebpxf, naq lbh xabj vg vf tbbq orpnhfr lbh ner ernqvat guvf
782 qbp.), (emerge rotix if you cannot read the preceding text)). I was very upset
783 with this and started to search for more info. It is good to have mathematicians
784 in the family, because as soon as I talked to one of them I was introduced to a
785 new world.
786 </p>
788 <p>
789 And now a bit of mathematics:
790 </p>
792 <pre caption="Mathematical Concepts">
793 Definitions:
795 1- A prime number is a positive integer number greater than one that is only
796 divisible by 1 and itself (the remainder of the division is 0).
797 The first 8 prime numbers are 2,3,5,7,11,13,17,19
799 Theorem (No proof here)
800 1- For any non prime positive integer it is possible to break it as the product
801 of prime numbers, and that product is unique.
802 4=2*2
803 6=2*3
804 8=2*4=2*2*2
805 10=2*5
806 12=2*6=2*2*3
808 "Facts":
809 1- It is mathematically easy to multiply two large integers
810 2- It is hard to find the prime factors of a given positive integer.
811 </pre>
813 <p>
814 If I give you the number 35 and I tell you that this number is the product of
815 two prime numbers it is easy to find that it was 5 and 7. But if I tell you the
816 same for 1588522601 you will spend alot of time (or CPU cycles) to find it was
817 49811*31891. And if this number is really really big this task becomes
818 "impossible". So now if I give the world my large number that is the product of
819 two primes I know something about that number that no one else knows.
820 </p>
822 <p>
823 This is the basis for Public Key Cryptography (PKC) implementations today. As an
824 (unrealistic) example, I give anyone my number and that someone will use if for
825 cyphering a message to me. Anyone can see the cyphered message, because I am
826 the only one who knows a shortcut to read it, anyone else will first have to
827 "split" that big number to be able to read the message, and it is a "fact"
828 that it is impossible to do that in a short amount of time (todays methods and
829 the fastest computers in the world would take thousands of years to do that).
830 In this setup the two large prime numbers would be called the PRIVATE KEY, and
831 the large non prime number is the PUBLIC KEY.
832 </p>
834 <p>
835 In practice this is not 100% accurate with reality, but will give a good idea to
836 the newcomer. For more information, check Wikipedia on the <uri
837 link="http://en.wikipedia.org/wiki/Diffie-Hellman">Diffie-Hellman</uri>
838 protocol. For even more info go to the public library and grab a copy of the
839 <uri link="http://www.cacr.math.uwaterloo.ca/hac/">"Handbook of Applied
840 Cryptography"</uri> by Alfred J. Menezes, Paul C. van Oorschot and Scott A.
841 Vanstone, also this book is available online for free at the above site.
842 </p>
844 <p>
845 One consequence of the above is that if you cypher a message to me, and you
846 loose the original uncypherd message you will no longer be able to retrieve it
847 from the cyphered version.
848 </p>
850 </body>
851 </section>
852 <section>
853 <title>Signatures</title>
854 <body>
856 <p>
857 We already saw how someone can send us a cyphered message if they have our
858 public key. But how do we know that the author of the message is really who he
859 claims to be? Or in other words: If I receive an email from you how do I really
860 know it was you and not someone else claiming to be you?
861 </p>
863 <p>
864 Remember me saying that PKC was not as simple as I had said? The idea is that
865 when you cypher a message to me you sign it with your private key so that, when
866 I receive it, I can first use your public key to check your signature and then
867 use my private key to decypher the message. As you can see we could not do
868 that in the setup i described before.
869 </p>
871 <p>
872 Also very important, to sign messages you don't have to cypher them before. So
873 like that you can create messages that can be read by anyone, but that come with
874 your "branding". And if any single character is changed in the message it can
875 (and will) be detected.
876 </p>
878 </body>
879 </section>
880 <section>
881 <title>Key Servers and Signed Keys</title>
882 <body>
884 <p>
885 But lets say that I have no previous contact with you until you send me a
886 message, how do I get your public key, and how do I really know it is yours?
887 </p>
889 <p>
890 To solve this problem public Key Servers were created. When you create your key
891 pair (Public and Private key) you send your public key to the key server. After
892 this everyone can retrieve your key from there. This solves the problem of
893 finding the key. But how do I really know that that key is the author's key? For
894 this another concept must be introduced, and that is key signing:
895 </p>
897 <p>
898 Key signing means that, if I have the public key of another person, and I know
899 <e>for sure</e> that it is really that persons key (it is my personal friend,
900 someone I know in real life, etc.) I can sign that public key and send it to
901 keyservers, that way I am telling the world: "This key really belongs to the
902 person it claims to belong.". That way persons that have my public key and
903 trust me can use that trust to trust other keys.
904 </p>
906 <p>
907 This can sometimes be confusing so lets see a real world situation
908 </p>
910 <p>
911 Let's imagine a 3 person situation: John, Mary, and Lisa. John is a good
912 friend of Mary but does not know Lisa; Lisa is a good friend of Mary but
913 does not know John. One day Lisa sends John a signed email. John will fetch
914 Lisa's Public Key from the keyserver and test the message, if all went ok he
915 will see that whoever wrote that message also created that key. But how do I
916 know it was really the person it claims to be?
917 </p>
919 <p>
920 He then see's that it is signed by Mary, which he can check because he already
921 has Mary's key and he trusts that key. With this ring of trust he continues to
922 conclude that the email he received was really written by Lisa.
923 </p>
925 <p>
926 You are now ready to use this guide, you can go back to chapter 1 and learn how
927 to use gpg.
928 </p>
930 </body>
931 </section>
932 </chapter>
934 <chapter>
935 <title>Final thoughts and Credits</title>
936 <section>
937 <title>Some problems</title>
938 <body>
940 <p>
941 I had some problems with photos in keys. Check the version you are using. If
942 you have GnuPG 1.2.1-r1 and up you are probably OK, older versions may have
943 problems. Also most keyservers don't like keys with photos, so you are better
944 if you don't add photos.
945 </p>
947 <p>
948 The latest versions of gnupg don't seem to work with the <c>gpg
949 --send-keys</c> that was used so send all keys in your keyring to the public
950 server.
951 </p>
953 </body>
954 </section>
955 <section>
956 <title>What is not here</title>
957 <body>
959 <p>
960 <c>gpg</c> is a very complex tool, it lets you do much more than what I have
961 covered here. This document is for the user who is new to GnuPG. For more
962 information, you should check the <uri link="http://www.gnupg.org">GnuPG
963 Website</uri>.
964 </p>
966 <p>
967 I did not write about other tools like <c>pgp4pine</c>, <c>gpgpine</c>,
968 <c>evolution</c> and maybe Windows tools, but I will probably extend this
969 document in the future.
970 </p>
972 </body>
973 </section>
974 <section>
975 <title>Credits</title>
976 <body>
978 <p>
979 John Michael Ashley's <uri link="http://www.gnupg.org">GnuPG Handbook</uri>
980 it is a very good book for beginners.
981 </p>
983 <p>
984 Swift (Sven Vermeulen) for pushing me to re-write this.
985 </p>
987 <p>
988 Everyone in the #gentoo-doc team you guys rock.
989 </p>
991 <p>
992 Tiago Serra for getting me back to the privacy track.
993 </p>
995 </body>
996 </section>
997 </chapter>
998 </guide>

  ViewVC Help
Powered by ViewVC 1.1.20