Using OpenPGP on UNIX/Linux systems with GnuPG


PGP is the name of an encryption program created in 1991 by Philip Zimmermann. Since then, PGP has become the dominant model for personal privacy encryption software.

In July 1998, PGP Inc. proposed an OpenPGP standard to the IETF. This standard would provide guidance for creating personal privacy encryption software, and the term OpenPGP could then be applied to any software that complied with the standard. The IETF accepted the proposal and formed the OpenPGP Working Group to develop the standard.

RFC 2440 describes the current OpenPGP specification; its successor, RFC 4880, has been made the proposed OpenPGP standard.

The most popular open source software implementation of the OpenPGP specification is GnuPG. It is available for Linux-based systems, open source UNIX systems such as BSD UNIX OSes, and most modern commercial UNIX systems. GnuPG (also commonly referred to as GPG) has even been ported to Mac OS X and Microsoft Windows.

Basic installation and use of GnuPG on open source UNIX and Linux systems is easy. FreeBSD and Debian GNU/Linux will be used as examples below.

Installing GnuPG

Open source UNIX and Linux systems generally employ convenient, comprehensive software management systems that make acquiring, installing, and updating most software easier than on any other class of operating system. In fact, most such systems even provide more than one way to install software using the native software management system of the OS, including GUI front-ends.

I will address only the most common command-line interface installation procedures for FreeBSD and Debian GNU/Linux here, however. Some of these instructions assume you have an Internet connection.

On FreeBSD

Installing GnuPG from ports on FreeBSD can be achieved by finding the gnupg port, navigating to that location in the ports tree hierarchy, and issuing a make command to download the software from the FreeBSD online ports archive, then compile and install it:

  # cd `whereis -q gnupg|sed s/gnupg//`; make install clean

The part surrounded by backticks should execute first and return a result like /usr/ports/security/, which is the actual location of the gnupg port. Thus, after that part is executed, the command looks to your shell something like this:

  # cd /usr/ports/security/; make install clean

If you have already installed portupgrade, there are some convenience utilities that make working with the ports system quicker and easier for most purposes. With portupgrade installed, the gnupg port can be installed with a much shorter, simpler command:

  # portinstall gnupg

Both of these installation options compile GnuPG from source. FreeBSD offers other front-ends to the ports system, both GUI- and CLI-oriented, as well as tools for installing precompiled binary packages.

On Debian GNU/Linux

Among Linux distributions, Debian's software management system is legendary for its stability and ease of use. This is thanks in part to the APT utilities, which come standard with any normal Debian GNU/Linux install:

  # apt-get install gnupg

A more recent development is an alternative front-end to APT functionality called Aptitude:

  # aptitude install gnupg

Like FreeBSD, Debian offers additional methods for installing software from centrally maintained software archives. Among these are GUI tools and an APT-based system for installing software by compiling from source.

Using GnuPG

Once it is installed, you need to know how to use the GnuPG tools. There is, of course, the GnuPG Web site's documentation, as well as a command syntax summary for the gpg tool:

  $ gpg --help

The following is a quick rundown on basic functionality, however. For more detail on how to accomplish these tasks, check out my GnuPG Quickstart/Howto.

Generate a private key

The first thing you need when using GnuPG is a private key. OpenPGP is a public key cryptography system, which makes use of both public and private keys for data encryption and decryption. Any time you wish to decrypt something, you need to have your private key to do so.

The private key is little more than a password of sorts -- but it is a password so long and complex that the average human being will never memorize it. Private keys are generally stored on a computer where a user may wish to be able to decrypt messages sent to him or her that have been encrypted using his or her public key. A GnuPG "keyring," part of the standard GnuPG toolset, keeps track of any public and private keys on the system.

Generate and share a public key

In order for others to be able to encrypt something for you -- and you alone -- to be able to decrypt, they need access to your public key. In addition to giving it to anyone that asks for it, I have uploaded my own to a keyserver maintained by the PGP Corporation and also have it available on one of my Web sites.

Import keys into your GnuPG keyring

The gpg toolset includes a "keyring" that can be used to manage your private and public encryption keys. When you need to encrypt a file for another recipient, you will need that person's public key and should import it into your GnuPG keyring.

Encrypting and decrypting files

Once you have everything set up, encrypting and decrypting files is only a matter of simple shell commands. For more specifics on these commands, and those used to accomplish the tasks described above, see the sources of information already mentioned -- the GnuPG Web site, GnuPG's help information, and my GnuPG Quickstart/Howto.
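The four steps above (generate a key, share the public key, import it, encrypt and decrypt) carried through end to end, as an added example that is not from the original article or from the GnuPG project. It assumes GnuPG 2.1 or later is on the PATH; the user ID, message and helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: round-trip of the GnuPG workflow described in the article.
# Two throwaway keyrings stand in for two people: "alice" owns the key pair,
# "bob" only ever sees her public key. Assumes gpg 2.1+; identities constructed.
set -eu

# Run one gpg command non-interactively against a given keyring directory.
g() {
    _home=$1; shift
    GNUPGHOME=$_home gpg --batch --quiet --no-tty --pinentry-mode loopback "$@"
}

# Prints "ok" when the text Alice decrypts equals what Bob encrypted.
gpg_roundtrip() {
    uid='Alice Example <alice@example.invalid>'   # constructed test identity
    msg='whisper: meet me at noon'                 # constructed plaintext
    work=$(mktemp -d)
    alice=$work/alice; bob=$work/bob
    mkdir -m 700 "$alice" "$bob"                   # gpg wants 0700 keyring dirs

    # 1. Alice generates a key pair (empty passphrase so the demo runs unattended).
    g "$alice" --passphrase '' --quick-generate-key "$uid" default default never

    # 2. Alice exports ONLY the public key; this is the file she hands out.
    g "$alice" --armor --export "$uid" > "$work/alice.pub.asc"

    # 3. Bob imports Alice's public key into his own keyring.
    g "$bob" --import "$work/alice.pub.asc"

    # 4. Bob encrypts for Alice. --trust-model always skips the web-of-trust
    #    check for this demo; in real use, verify the fingerprint out of band.
    printf '%s\n' "$msg" > "$work/msg.txt"
    g "$bob" --trust-model always --yes --recipient "$uid" \
        --output "$work/msg.gpg" --encrypt "$work/msg.txt"

    # Bob's keyring holds no private key, so even the sender cannot decrypt.
    if g "$bob" --decrypt "$work/msg.gpg" >/dev/null 2>&1; then
        echo "unexpected: ciphertext readable without the private key"; return 1
    fi

    # Only Alice, holder of the private key, recovers the plaintext.
    out=$(g "$alice" --decrypt "$work/msg.gpg")

    GNUPGHOME=$alice gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$bob gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$out" = "$msg" ] && echo ok || echo mismatch
}

gpg_roundtrip
```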

Use it today

Since it's Valentine's Day today, you can use GnuPG to send virtual "whispers" to your loved ones, encrypted so that nobody else can read them.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

2 comments
michael_orton

It's on the SUSE disk as a .rpm, so all you have to do is click on it and then "Install with YAST". I have been using the DOS/Windows versions since the early 90s: pgp2.6.2 with various Windows front ends. I had one serious problem: I was attacked using a keyboard sniffer. In the Windows C:\pgp file I found a file something like ax4rtf.par. It was a hidden system file. I watched it grow. I used CHATT, a DOS util, to unhide and un-system it, changed it to ax4rtf.rap, and the PC was still OK, so it couldn't have been a partition file. I then used Norton's wipefile to exterminate it. I presume that a similar attack could be mounted in Linux/UNIX. I now run PGP from a pen drive in both Windows and Linux. Note this isn't a fault with PGP. ANY encryption system will be defeated by a hardware or software key logger. The hardware ones are now available for under 50 quid and the software ones are free!

doug

But if I encrypt an email and send it to myself it doesn't work. Seems awfully complex.