GNU PGP

 



 

B.5. Export the Public Key

Before using public key cryptography, other people must have a copy of your public key. To send your key to correspondents or to a keyserver, export the key.

To export your key, so you can display it on a webpage or paste it in email, type the following command:

 gpg --armor --export you@example.com > mykey.asc

You will not see any output, because not only did you export your public key, you redirected the output to a file called, for example, mykey.asc. (Without the addition of > mykey.asc, the key would have been displayed as the standard output on the monitor screen.)

Now, the file mykey.asc can be inserted into email or exported to a keyserver. To see the key, type less mykey.asc to open the file in a pager (type [q] to quit the pager). It should look like the following:

 -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
 
-----END PGP PUBLIC KEY BLOCK-----

 

B.5.1. Exporting to a Keyserver

If you are only writing to a few correspondents, you can export your public key and send it to them personally. If you correspond with many people, however, distribution of your key can be time consuming. Instead, you can use a keyserver.

A keyserver is a repository on the Internet which can store and distribute your public key to anyone who requests it. Many keyservers are available, and most try to remain synchronized with each other; sending your key to one keyserver is like distributing it to them all. A correspondent can request your public key from a keyserver and import that key to their keyring, and they are then ready for secure correspondence with you.

Because most keyservers are synchronized, sending your public key to one keyserver is usually as good as sending it to them all. You can, however, locate different keyservers. One place to begin your search for keyservers and more information is Keyserver.Net available at http://www.keyserver.net.

You can send your public key from either the shell prompt or from a browser; of course, you must be online to send or receive keys from a keyserver.

Figure B-1. Copying Your Public Key

Note that if you are submitting your key to another Web-based keyserver, the above transaction will be essentially the same.

That is all you need to do. Regardless of whether you use the shell prompt or the Web, you will see a message that your key was successfully submitted — either at the shell prompt or at the keyserver's website. From now on, users who want to communicate securely with you can import your public key and add it to their keyring.

 

B.6. Importing a Public Key

The other end of key exchange, importing other people's public keys to your keyring, is just as simple as exporting keys. When you import someone's public key, you can decrypt their email and check their digital signature against their public key on your keyring.

One of the easiest ways to import a key is to download the key or save it from a website.

After downloading a key and saving it to the file key.asc, use the following command to add it to your keyring.

 gpg --import key.asc 

Another way to save a key is to use a browser's Save As feature. If you are using a browser such as Mozilla, and you locate a key at a keyserver, you can save the page as a text file (go to File => Save Page As). In the drop-down box next to Files of Type, choose Text Files (*.txt). Then, you can import the key — but remember the name of the file you saved. For example, if you saved a key as a text file called newkey.txt, to import the file, at a shell prompt, type the following command:

 gpg --import newkey.txt

The output will look similar to the following:

 gpg: key F78FFE84: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

To check that the process was successful, use the gpg --list-keys command; you should see your newly imported key listed on your keyring.

When you import a public key, you add that key to your keyring (a file in which public and secret keys are kept). Then, when you download a document or file from that entity, you can check the validity of that document against the key you added to your keyring.
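
A key file saved from a web page can hold more than the one key you meant to import, so it helps to compare the import messages with the key ID you expected. The following is an added example, not part of this guide or of GnuPG; the function names are hypothetical, the sample messages are constructed in the format shown above, and it assumes untranslated (LC_ALL=C) gpg output.

```shell
#!/bin/sh
# Added example: check saved "gpg --import" messages against an expected key ID.
# Function names are hypothetical; the sample output below is constructed.

# imported_ids: read import messages on stdin, print one imported key ID per line.
imported_ids() {
    sed -n 's/^gpg: key \([0-9A-Fa-f]\{8,\}\): public key .*imported$/\1/p'
}

# processed_count: print N from the "Total number processed: N" summary line.
processed_count() {
    sed -n 's/^gpg: Total number processed: \([0-9][0-9]*\)$/\1/p'
}

# check_import EXPECTED_ID FILE: succeed only if FILE reports exactly one
# processed key and the single imported key is EXPECTED_ID.
check_import() {
    want=$1
    log=$2
    ids=$(imported_ids < "$log")
    total=$(processed_count < "$log")
    if [ "$total" != "1" ]; then
        echo "refused: gpg processed ${total:-no} keys, expected 1"
        return 1
    fi
    if [ "$ids" != "$want" ]; then
        echo "refused: imported ${ids:-nothing}, expected $want"
        return 1
    fi
    echo "ok: only $want was imported"
}

# Demo with constructed messages in the format shown above.
log_file=$(mktemp)
cat > "$log_file" <<'EOF'
gpg: key F78FFE84: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
EOF
check_import F78FFE84 "$log_file"
check_import 0BADC0DE "$log_file" || true
rm -f "$log_file"
```

gpg writes these messages to standard error, so capture them with 2> import.log when you run gpg --import, then pass that file to check_import.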

 

B.3. Generating a Keypair

To begin using GnuPG, first generate a new keypair: a public key and a private key.

To generate a keypair, at a shell prompt, type the following command:

 gpg --gen-key

Since you work with your user account most frequently, you should perform this action while logged in to your user account (not as root).

You will see an introductory screen, with key options, including one recommended option (the default), similar to the following:

 gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?

Most of the screens which require you to choose an option will list the default option, within parentheses. You can accept the default options by pressing [Enter].

In the first screen, you should accept the default option: (1) DSA and ElGamal. This option will allow you to create a digital signature and encrypt (and decrypt) with two types of technologies. Type 1 and then press [Enter].

Next, choose the key size, or how long the key should be. Generally, the longer the key, the more resistant against attacks your messages will be. The default size, 1024 bits, should be sufficiently strong for most users, so press [Enter].

The next option asks you to specify how long you want your key to be valid. Usually, the default (0 = key does not expire) is fine. If you do choose an expiration date, remember that anyone with whom you exchanged your public key will also have to be informed of its expiration and supplied with a new public key. If you do not choose an expiration date, you will be asked to confirm your decision. Press [y] to confirm your decision.

Your next task is to provide a user ID that consists of your name, your email address, and an optional comment. When you are finished, you will be presented with a summary of the information you entered.

Once you accept your choices, you will have to enter a passphrase.

Like your account passwords, a good passphrase is essential for optimal security in GnuPG. For example, mix uppercase and lowercase letters in your passphrase, and use numbers or punctuation marks.

Once you enter and verify your passphrase, your keys will be generated. You will see a message similar to the following:

 We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.++++++++....++++++++++..+++++.+++++.+++++++.+++++++
+++.++++++++++++++++++++++++++++++++++++++..........................++++

When the activity on the screen ceases, your new keys will be made and placed in the directory .gnupg in your home directory. To list your keys, use the command:

 gpg --list-keys

You will see something similar to the following:

 /home/username/.gnupg/pubring.gpg
-----------------------------------------
pub  1024D/B7085C8A 2000-06-18 Your Name <you@example.com>
sub  1024g/E12AF9C4 2000-06-18

If you created a GnuPG key with version 1.0.6 or lower, exported your private key, and imported it into a new one, you have to explicitly trust your own key to sign items with version 1.0.7 or higher. To trust your key, type the following command (replace <user-id>):

 gpg --edit-key <user-id>

At the Command> prompt type trust and select 5 = I trust ultimately to trust your own key.

 

B.4. Generating a Revocation Certificate

Once you have created your keypair, you should create a revocation certificate for your public key. If you forget your passphrase, or if it has been compromised, you can publish this certificate to inform users that your public key should no longer be used.

When you generate a revocation certificate, you are not revoking the key you just created. Instead, you are giving yourself a safe way to revoke your key from public use in case you forget your passphrase, switch ISPs (addresses), or suffer a hard drive crash. The revocation certificate can then be used to disqualify your public key.

Your signature will be valid to others who read your correspondence before your key is revoked, and you will be able to decrypt messages received prior to its revocation. To generate a revocation certificate, use the --gen-revoke option:

 gpg --output revoke.asc --gen-revoke you@example.com

Note that if you omit the --output revoke.asc option from the above, your revocation certificate will be returned to the standard output, which is your monitor screen. While you can copy and paste the contents of the output into a file of your choice using a text editor, it is probably easier to send the output to a file in your login directory. That way, you can keep the certificate for use later, or move it to a diskette and store it someplace safe.

The output will look similar to the following:

 sec  1024D/823D25A9 2000-04-26  Your Name <you@example.com>
 
Create a revocation certificate for this key?

Press [Y] to create a revocation certificate for the listed key. Next, you will be asked to select the reason for revocation and provide an optional description. After confirming the reason, enter the passphrase you used to generate the key.

Once your revocation certificate has been created (revoke.asc), it will be located in your login directory. You should copy the certificate to a diskette and store it in a secure place. (If you do not know how to copy a file to a diskette in Red Hat Linux, see the Red Hat Linux Getting Started Guide.)

 

B.7. What Are Digital Signatures?

Digital signatures can be compared to your written signature. Unlike traditional correspondence, in which it might be possible to tamper with your written signature, digital signatures can not be forged. That is because the signature is created with your unique secret key and can be verified by your recipient using your public key.

A digital signature timestamps a document; essentially, that means that the time you signed the document is part of that signature. So if anyone tries to modify the document, the verification of the signature will fail. Some email applications, such as Exmh or KDE's KMail, include the ability to sign documents with GnuPG within the application's interface.

Two useful types of digital signatures are clearsigned documents and detached signatures. Both types of signatures incorporate the same security of authenticity, without requiring your recipient to decrypt your entire message.

In a clearsigned message, your signature appears as a text block within the context of your letter; a detached signature is sent as a separate file with your correspondence.

 

B.2. Warning Messages

When executing GnuPG commands, you will probably see the message:

 gpg: Warning: using insecure memory!

This warning is because non-root users can not lock memory pages. If users could lock memory pages, they could perform out-of-memory Denial of Service (DoS) attacks; thus, it is a possible security problem.

You might also see the following message:

 gpg: WARNING: unsafe permissions on configuration file "/home/username/.gnupg/gpg.conf"

This message is shown if the file permissions of your configuration file allow others to read it. If you see this warning, it is recommended that you execute the following command to change the file permissions:

 chmod 600 ~/.gnupg/gpg.conf

Another common warning message is as follows:

 gpg: WARNING: unsafe enclosing directory permissions on configuration file "/home/username/.gnupg/gpg.conf"

This message is shown if the file permissions of the directory that contains the configuration file allow others to read its contents. If you see this warning, it is recommended that you execute the following command to change the file permissions:

 chmod 700 ~/.gnupg

If you upgraded from a previous version of GnuPG, you might see the message:

 gpg: /home/username/.gnupg/gpg.conf:82: deprecated option "honor-http-proxy"
gpg: please use "keyserver-options honor-http-proxy" instead

This warning is because your ~/.gnupg/gpg.conf file contains the line:

 honor-http-proxy

Version 1.0.7 and higher prefers a different syntax. Change the line to the following:

 keyserver-options honor-http-proxy
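
The three gpg.conf conditions described in this section can be checked in one pass. The following shell function is an added example, not part of this guide or of GnuPG; audit_gnupg_home, perms_private and the finding labels are hypothetical names, and it treats any group or other permission bit as unsafe, which matches the chmod 600 and chmod 700 modes recommended above.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory for the three conditions behind
# the warnings above. Function names and finding labels are hypothetical.

# perms_private PATH: succeed only if group and other have no permission bits.
perms_private() {
    # "ls -ld" prints a mode such as "drwx------"; columns 5-10 hold the
    # group and other bits, which must all be "-".
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# audit_gnupg_home DIR: print one finding per line; the exit status is the
# number of findings (0 means clean).
audit_gnupg_home() {
    gpghome=$1
    conf=$gpghome/gpg.conf
    findings=0
    if ! perms_private "$gpghome"; then
        echo "unsafe-dir: chmod 700 $gpghome"
        findings=$((findings + 1))
    fi
    if [ -f "$conf" ]; then
        if ! perms_private "$conf"; then
            echo "unsafe-conf: chmod 600 $conf"
            findings=$((findings + 1))
        fi
        # Only the bare, deprecated spelling matches; the replacement line
        # "keyserver-options honor-http-proxy" does not.
        if grep -Eq '^[[:space:]]*honor-http-proxy[[:space:]]*$' "$conf"; then
            echo "deprecated-option: keyserver-options honor-http-proxy"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Demo on a constructed throwaway directory, so ~/.gnupg is never touched.
demo_dir=$(mktemp -d)
printf 'honor-http-proxy\n' > "$demo_dir/gpg.conf"
chmod 755 "$demo_dir"
chmod 644 "$demo_dir/gpg.conf"
audit_gnupg_home "$demo_dir" || echo "findings: $?"
rm -rf "$demo_dir"
```

Run it as audit_gnupg_home ~/.gnupg; it only reports, and the printed chmod commands are the ones given in this section.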

 

Getting Started with Gnu Privacy Guard

Have you ever wondered if your email can be read during its transmission from you to other people, or from other people to you? Unfortunately, complete strangers could conceivably intercept or even tamper with your email.

In traditional (also known as "snail") mail, letters are usually sealed within envelopes, stamped and delivered from post office branch to branch until they reach their destination. But sending mail through the Internet is much less secure; email is usually transmitted as unencrypted text from server to server. No special steps are taken to protect your correspondence from being seen or tampered with by other people.

To help you protect your privacy, Red Hat Linux 9 includes GnuPG, the GNU Privacy Guard, which is installed by default during a typical Red Hat Linux installation. It is also referred to as GPG.

GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP (Pretty Good Privacy, a widely popular encryption application). Using GnuPG, you can encrypt your data and correspondence as well as authenticate your correspondence by digitally signing your work. GnuPG is also capable of decrypting and verifying PGP 5.x.

Because GnuPG is compatible with other encryption standards, your secure correspondence will probably be compatible with email applications on other operating systems, such as Windows and Macintosh.

GnuPG uses public key cryptography to provide users with a secure exchange of data. In a public key cryptography scheme, you generate two keys: a public key and a private key. You exchange your public key with correspondents or with a keyserver; you should never reveal your private key.

Encryption depends upon the use of keys. In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other's transmissions. In public key cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key a secret, and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.

Remember that your public key can be given to anyone with whom you want to communicate securely, but never give away your private key.

For the most part, cryptography is beyond the scope of this publication; volumes have been written about the subject. In this chapter, however, we hope you will gain enough understanding about GnuPG to begin using cryptography in your own correspondence. If you want to learn more about GnuPG, PGP and encryption technology, see Section B.8 Additional Resources.

 

B.1. Configuration File

The first time you run a GnuPG command, a .gnupg directory is created in your home directory. Starting with version 1.2, the configuration filename has changed from .gnupg/options to .gnupg/gpg.conf. If .gnupg/gpg.conf is not found in your home directory, .gnupg/options will be used. If you only use version 1.2 or higher, it is recommended that you rename your configuration file with the following command:

 mv ~/.gnupg/options ~/.gnupg/gpg.conf

If you are upgrading from a version prior to 1.0.7, you can create signature caches in your keyring to decrease the keyring access time. To perform this operation, execute the following command once:

 gpg --rebuild-keydb-caches


 
