Software

Get started with GnuPG


GnuPG is an open replacement for PGP Corporation's PGP (Pretty Good Privacy) encryption tool, and based on the OpenPGP standard. What GnuPG (or GPG for short) does is allow for the encryption and decryption of files using a public/private keypair. It can be used to encrypt regular files or e-mail, in either binary or ASCII format, and can also verify the integrity of files or e-mail via cryptographic signatures. GPG is a command-line tool and is available with every Linux distribution.

To begin using GPG, you must generate a public/private keypair. This keypair is generated with the --gen-key command:

$ gpg --gen-key

It will create the ~/.gnupg/ directory if it doesn't already exist, where it will store its configuration file, gpg.conf, and the private and public keyrings where keys are stored, secring.gpg and pubring.gpg respectively, as well as the trust database.

When you generate the initial keypair, you will have to choose the key type. The default is "DSA and Elgamal," which will allow you to sign and encrypt. You will then have to select a keysize for the key -- anywhere between 1024 and 4096 bits. The default is 2048 bits and is sufficient. Next, you will need to determine whether or not the key will expire, and if so, when. A non-expiring key is most convenient, as neither you nor anyone using your public key will have to worry about new keys, however if the key is stolen or compromised, it can then be used indefinitely. Many individuals have keys that expire after one year and generate new keys at that time.

Finally, you will need to provide a user ID for the key which consists of your real name, e-mail address, and an optional comment. The user ID will then end up being "Real Name (Comment) <user@domain.org". Once this is complete, you need to choose a passphrase for the secret key; this should be a lengthy string consisting of both upper and lower-case letters, as well as numbers. It can be a single string or a sentence. Once this is done, the keypair will be generated.

When the key generation is complete -- which may be immediate or may take some time depending on the amount of entropy your system has collected in order to generate random bytes -- you can list the keys by executing:

$ gpg --list-keys; gpg --list-secret-keys

You can also view the key's fingerprint, a unique identifier to the key, with the command:

$ gpg --fingerprint user@domain.org
pub  1024D/9B1386E2 2007-12-01 Real Name (Comment) <user@domain.org>
     Key fingerprint = 88A9 166B 13E6 516A 87C8  F127 5CA9 2D9E 9B13 86E2
sub  2048g/7F72A50F 2007-12-01

Be sure to keep your fingerprint handy. When people are attempting to use or import your key, they can ensure they have the right key if you provide them with the fingerprint.

At this point, you can start using GPG to encrypt and decrypt files. For instance, if you have a text document, and you want to ensure that no one tampers with it, you can sign it with the --clearsign command. To keep the file readable, specify the ASCII armor format with -a. After providing your passphrase, the contents of the file will be wrapped in a digital signature and a new file will be created with the new contents. If even one space is added to the file, the signature verification will fail. For instance:

$ echo "Test file" >test.txt
$ gpg --clearsign -a test.txt

You need a passphrase to unlock the secret key for
user: "Real Name (Comment) <user@domain.org>"
1024-bit DSA key, ID 9B1386E2, created 2007-12-01

Enter passphrase:
$ cat test.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHUh3VJnj1HnfyJpYRAjn7AKCI5DYTvvQ2J6pALyMYp26oGuZKaQCcCSZ7
O6dBveVjOgzC4HL5k8rFFHM=
=SxSW
-----END PGP SIGNATURE-----
$ gpg --verify test.txt.asc
gpg: Signature made Sat Dec  1 19:52:05 2007 MST using DSA key ID 9B1386E2
gpg: Good signature from "Real Name (Comment) <user@domain.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 88A9 166B 13E6 516A 87C8  F127 5CA9 2D9E 9B13 86E2
$ perl -pi -e 's|file|files|' test.txt.asc
$ gpg --verify test.txt.asc
gpg: Signature made Sat Dec  1 19:52:05 2007 MST using DSA key ID 9B1386E2
gpg: BAD signature from "Real Name (Comment) <user@domain.org>"

As you can see from the above, changing the word "file" to "files" causes the verification of the ASCII-armored text file to fail. You can also see that GPG created a new file called test.txt.asc; GPG will attach either an .asc extension to the original file name for an ASCII-armored text file, or a .gpg extension in the case of a GPG-encrypted file.

GnuPG is extremely useful and next week, we'll see what else it can do.

Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

13 comments
Photogenic Memory
Photogenic Memory

I'm very ignorant when it comes to encryption. Is this only for email? Apologies for sounding dumb. This program doesn't seem good to implment unless the receiving email server or the MUA using the same key, right? Is that the purpose to keep the email dialog safe between the sender and reciever? Can this program be applied for other purposes? I'd appreciate any response or posted links to clarify? Thank you you all.

Jaqui
Jaqui

kind of says it all for the drawbacks to gpg. unless you get the signature to be carried by a trusted key server that warning will always show up for recipients of a signed email. [ or, if you delete the list of trusted Certificate authorities like I do, every ssl website and signed email throws the untrusted warning up. ] I see "untrusted good signature" in emails all the time, after I've imported the key from a keyserver. I don't mind the untrusted part, since unless you have known the person / company for a while, thee is no way you should trust them.

Alganon
Alganon

Well, thanks to this easy to understand article, I now have a set of keys. My next question is, how do I put these keys in the right place in Evolution for signing mail? When browsing for file locations in the utility in Evolution, I am unable to see the "dot" files. Also there are several keys in the .gnupg folder, which do I use for mail? What is a "key signing"? It seems to be some sort of physical authentication process, but how does it work?

T0nz
T0nz

I have been using GnuPG now for about 2 months, and I love it. I am using it with the enigmail add on in Thunderbird.

Roger Bamforth
Roger Bamforth

The keys come in pairs - a public key and a private key. When you want to send a message to someone you encrypt it with THEIR public key. They then decrpyt it with their private key, which no-one else has, so no-one else can decrypt it.

Absolutely
Absolutely

[i]I'm very ignorant when it comes to encryption. Is this only for email? Apologies for sounding dumb.[/i] Not to worry, you only look dumb; you don't sound like anything. Just kidding. Yes, you can encrypt any file, not just email. [i]This program doesn't seem good to implment unless the receiving email server or the MUA using the same key, right?[/i] Well, you create your own "private key" which only you know, and your own "public key" which you only share with people with whom you have secrets. Check some of the links at the top of the article for more info. I'm by no means an expert, so I won't say more about the technical details of encryption, and get half of them wrong for you.

cemery50
cemery50

I want to create a biometric usb flash drive with a keysafe and seamonkey(mozilla (mail,web,etc)). I also would like to i/f it with a LDAP server and apache to serve up an encrypted web. Any suggestions appreciated. Thank you Chris

catseverywhere
catseverywhere

enigmail. I was looking for the extension that handled gpg, but... Ever tried to search mozilla extensions for an extension you don't know the name of? I don't use encryption, but I have been asked to set it up for others. Thank goodness they've all used kmail up till now. But... time to get jiggy with enigmail. Now, theoretically speaking, what if the eyes you wish to block belong to a foreign or domestic government? I would imagine, especially thanks to Bill Clinton's restrictions on encryption, that to government's eyes there is in practice basically no encryption using gpg. gpg can keep the honest people honest, and thwart most other crackers, but as I understand it at least the US fedgov has the ability to decipher any publicly available encryption. Governments all over the planet are getting pretty scary these days, they've deviated farther from their proper role than ever in human history. It ain't paranoid to desire keeping their eyes out of your private affairs. I don't trust any of them, and I don't want them reading my mail. (though really have no particular reason, it's the principle) But they can and they do, and flippant tell you so anymore, and to my knowledge gpg isn't even a bump in the road. One can argue gpg and similar are valuable to companies or researchers working on potentially profitable ideas, and keeping them secret protects that potential profitability. Until one wakes up to the fact that the vast majority of government espionage is aimed at industrial/corporate targets. I have heard spying on other governments or individuals for whatever reason constitutes around 20% of the total efforts. I can't attest to the veracity of that figure, but it came from a fairly knowledgeable and well connected film maker. It may seem I'm drifting into a rant here, but I am trying to make the point that in some perspectives governments may indeed be legitimately viewed as counter to everyone's best interests. Who knows how much of 'what is,' in the context of technological and other advances, is where it's at (and in who's hands?) as a result of government industrial espionage? And again, they've reserved unto themselves the ability to decrypt just about anything. If I am Ford, gpg may keep my secrets out of GM's hands, but what about the goobermints of the world?

Photogenic Memory
Photogenic Memory

And thanks for having a good sense of humour about it. It's appreciated.

seanferd
seanferd

post that as a stand-alone Question in the Forums.

Absolutely
Absolutely

Low as they are, there are still standards, for surveillance of citizens. Using encryption at least increases the challenge to corrupt bureaucrats, and increases the likelihood that they'll have to enlist assistance of an honest co-worker. With each additional accomplice, the likelihood of an honest one who will blow the whistle increases. Like any other safety or security measure, the most you can do is make criminals' goals harder to achieve.

steve.smith
steve.smith

I think you'll want to read up on the concept of "threat modeling". Gpg/pgp is, imo, industrial-strength encryption and was classified as a non-exportable munition for quite some time. That doesn't make it a magic security solution, just very, very impractical to decrypt without the correct key info. If your encryption is good enough and someone wants your data badly enough, it becomes worthwhile to hack your box and install a keylogger, or send the MIB by with a rubber hose to politely ask for your encryption key - in those cases it doesn't really matter how strong your crypto is, no? Build a 40-foot wall and someone will dig under it, or walk around it. Security's such fun... Steve (Boo! hahahaha!)

Absolutely
Absolutely

[i]And thanks for having a good sense of humo[u]u[/u]r about it.[/i] You haven't lived in Imperial Beach, CA, very long, have you?

Editor's Picks