<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Quick and Dirty intro to OpenPGP & GPG</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="Marina von Steinkirch">
<!-- Le styles -->
<link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
.tag-1 {
font-size: 13pt;
}
.tag-2 {
font-size: 11pt;
}
.tag-3 {
font-size: 10pt;
}
.tag-4 {
font-size: 8pt;
}
</style>
<link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
<link href="./theme/css/font-awesome.css" rel="stylesheet">
<link href="./theme/css/pygments.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="./theme/images/favicon.ico">
<link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">
<link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="span9" id="content">
<section id="content">
<article>
<header>
<h1>
<a href=""
rel="bookmark"
title="Permalink to Quick and Dirty intro to OpenPGP & GPG">
Quick and Dirty intro to OpenPGP & GPG
</a>
</h1>
</header>
<div class="entry-content">
<div class="well">
<footer class="post-info">
<abbr class="published" title="2014-10-28T05:20:00">
Tue 28 October 2014 </abbr>
<span class="label"> Category</span>
<a href="./category/cryptography.html"><i class="icon-folder-open"></i>Cryptography</a>
<span class="label">Tags</span>
<a href="./tag/pgp.html"><i class="icon-tag"></i>PGP</a>
<a href="./tag/gpg.html"><i class="icon-tag"></i>GPG</a>
</footer><!-- /.post-info --> </div>
<p><a href="http://en.wikipedia.org/wiki/Pretty_Good_Privacy">Pretty Good Privacy</a> (PGP) is a model that provides cryptographic privacy and authentication for data communication. It was created by <a href="http://en.wikipedia.org/wiki/Phil_Zimmermann">Phil Zimmermann</a> in 1991. Today, PGP is a <a href="http://en.wikipedia.org/wiki/PGP_Corporation">company</a> that sells a proprietary encryption program, <a href="http://www.openpgp.org/">OpenPGP</a> is the open protocol that defines how PGP encryption works, and <a href="https://www.gnupg.org/">GnuPG</a> (GPG) is the free software implementation of that protocol.</p>
<p>The distribution of PGP keys can be done using the concept of <a href="http://en.wikipedia.org/wiki/Web_of_trust">web of trust</a>. This is a decentralized way of establishing the authenticity of a public key and its owner. If you want a cute (ludic) picture of the web of trust, check <a href="https://twitter.com/doctorow">Cory Doctorow</a>'s book <a href="http://craphound.com/littlebrother/">Little Brother</a>.</p>
<p>Almost 15 years after its creation, <a href="https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/">PGP continues to be <em>pretty good</em></a>. But there is still a <a href="http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html">need for new solutions</a> (and they appear to be <a href="http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html">coming soon</a>). Perhaps the main issue with PGP is its persistence: if one key is compromised, any message from the past can be read. That's where the concept of <a href="http://en.wikipedia.org/wiki/Forward_secrecy">perfect forward secrecy</a> comes into play, but this is a subject for another post. Meanwhile, I wrote this tutorial and I hope you find it fun.</p>
<h3>I. Creating GPG keys</h3>
<p>Simply type the following in the terminal:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --gen-key
</pre></div>
<p>Choose <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a> with a 4096-bit key length and an expiration date of at most 5 years. Use a <a href="https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices#passphrase">strong passphrase</a> (keep it safe, since it cannot be recovered).</p>
<h3>II. Backup your Private Key</h3>
<p>Save it with your soul:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --export-secret-keys --armor YOUR_EMAIL > YOUR_NAME-privkey.asc
</pre></div>
<h3>III. Sharing your key</h3>
<p>There are several ways you can share or publish your public key:</p>
<h4>By sharing the key's fingerprint</h4>
<p>The key's fingerprint is a short hash that uniquely identifies the key. Each PGP key has a unique fingerprint that allows others to confirm that the public key they received is really yours and has not been tampered with. A fingerprint is a more convenient way to uniquely represent a key than the key itself.</p>
<p>To check the fingerprint of any key that you have in your keyring, type:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --fingerprint EMAIL
</pre></div>
<h4>By sending the ASCII file</h4>
<p>You can copy your key to a file to be shared:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --export --armor YOUR_EMAIL > YOUR_NAME-pubkey.asc
</pre></div>
<h4>By publishing it in a public key server</h4>
<p>You can upload your key to the <a href="keys.gnupg.net">GnuPG public key server</a>. For this, use your key ID (the hexadecimal number shown next to the key in <code>gpg --list-keys</code>):</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --send-keys KEY_NAME
</pre></div>
<p>You can also export it to <a href="pgp.mit.edu">pgp.mit.edu</a>:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --keyserver hkp://pgp.mit.edu --send-keys KEY_NAME
</pre></div>
<h3>IV. Importing Someone's Key</h3>
<p>There are many ways you can import someone's public key:</p>
<h4>By a shared file</h4>
<p>If you have the ASCII file, you can type:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --import PUBKEY_FILE
</pre></div>
<h4>By Public Key Server</h4>
<p>To search for someone's key in the public key server, type:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --search-keys NAME
</pre></div>
<p>Note: this is <strong>not</strong> very safe, since a matching name or email address says nothing about the key's authenticity; compare the fingerprint with the owner through another channel before trusting it.</p>
<h3>V. Signing a key: The Web of Trust</h3>
<p>Signing a key tells your software that you trust the key that you have been provided (you have verified that it is associated with the person in question).</p>
<p>To sign a key type:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --sign-key PERSON_EMAIL
</pre></div>
<p>You should allow the person whose key you are signing to enjoy the advantages of your trusted relationship. This is done by sending her back the signed key:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --export --armor PERSON_EMAIL
</pre></div>
<p>When you receive your own key back signed in the same way, you can import it into your GPG keyring:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --import FILENAME
</pre></div>
<h3>VI. Other Useful Commands</h3>
<h4>To delete a key from your keyring:</h4>
<div class="highlight"><pre><span class="nv">$ </span>gpg --delete-keys KEY_NAME
</pre></div>
<h4>To edit a key (for example, the expiration date):</h4>
<div class="highlight"><pre><span class="nv">$ </span>gpg --edit-key KEY_NAME
</pre></div>
<h4>If you have more than one key:</h4>
<p>Edit <code>~/.gnupg/gpg.conf</code> with your favorite key:</p>
<div class="highlight"><pre><span class="k">default</span><span class="o">-</span><span class="n">key</span> <span class="n">KEY_NAME</span>
</pre></div>
<h4>Keep your keys fresh:</h4>
<div class="highlight"><pre><span class="nv">$ </span>gpg --refresh-keys
</pre></div>
<h4>To list your keys:</h4>
<div class="highlight"><pre><span class="nv">$ </span>gpg --list-keys
</pre></div>
<h4>And of course:</h4>
<div class="highlight"><pre><span class="nv">$ </span>man gpg
</pre></div>
<h3>VII. Encrypting and Decrypting Messages</h3>
<p>With someone's <strong>public key</strong>, you can <strong>encrypt</strong> messages that can only be decrypted with her secret key. You can also <strong>verify signatures</strong> that were generated with her secret key.</p>
<p>On the other hand, with your secret key you can <strong>decrypt</strong> messages that were encrypted using your public key. You can also <strong>sign messages</strong> with it.</p>
<p>With GPG, you encrypt messages using the <code>--encrypt</code> flag.</p>
<p>The command below encrypts the file and signs it with your private key (so the recipient can verify that it came from you). The <code>--armor</code> flag produces the result as ASCII text instead of raw bytes:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --encrypt --sign --armor -r PERSON_EMAIL FILE_TO_BE_ENCRYPTED
</pre></div>
<p>If you also want to be able to decrypt the message yourself, add a second recipient flag <code>-r</code> with your own email address.</p>
<p>To decrypt a message, type:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg FILENAME
</pre></div>
<h3>VIII. Revoking a key</h3>
<p>Whenever you need to revoke a key (because it might be compromised, for example), you can generate a revocation certificate with:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --output my_revocation.asc --gen-revoke KEY_NAME
</pre></div>
<p>To import the revocation into your keyring:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --import my_revocation.asc
</pre></div>
<p>Finally, this command sends the revoked key to the public key server:</p>
<div class="highlight"><pre><span class="nv">$ </span>gpg --keyserver pgp.mit.edu --send-keys KEY_NAME
</pre></div>
<hr />
<h2>Final Comments</h2>
<p>If you prefer a GUI instead of the command line, I strongly recommend <a href="https://apps.fedoraproject.org/packages/seahorse/bugs">seahorse</a>. It makes it really easy to manage all your keys (not only OpenPGP) and passwords.</p>
<p>Another nice (alpha) project is <a href="https://keybase.io/">keybase.io</a>. It's kind of a web of trust social network, where you can sign your key with your public profiles. Check <a href="https://keybase.io/bt3">mine here</a>. Encryption and decryption can be done in the command line with their <a href="https://keybase.io/docs/command_line">node.js</a> application. I don't trust uploading my private key anywhere, but I do think that the idea is better than a simple public key server.</p>
<p>Finally, a word about browser plugins. Although there are several of them to encrypt webmail with OpenPGP, such as <a href="https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba?hl=en-US">mymail-crypt</a> or <a href="https://www.mailvelope.com/">Mailvelope</a>, I specifically do not recommend this solution if your message is very sensitive.</p>
<p>If you are serious about ensuring your long-term privacy, the safest way to go is to use a text editor to write your email message, encrypting the message outside of the web browser, and then cutting and pasting into your webmail interface. This will guarantee that only the recipient will be able to read your email.</p>
<p>If you really need something in your browser, the creator of <a href="https://crypto.cat/">Cryptocat</a> recently released <a href="https://minilock.io/">minilock</a>. This tool uses <a href="http://en.wikipedia.org/wiki/Curve25519">Curve25519 elliptic curve cryptography</a> (the same as in Cryptocat), so the public keys are much shorter (and easier to share). Remember, it's a new app, so it might not yet be the best choice for high-stakes environments (but it's worth keeping tabs on this project).</p>
<hr />
<h2>Further Readings</h2>
<ul>
<li><a href="https://www.gnupg.org/gph/en/manual.html">The GNU Privacy Handbook</a></li>
</ul>
</div><!-- /.entry-content -->
</article>
</section>
</div><!--/span-->
</div><!--/row-->
<footer>
<address id="about">
</address><!-- /#about -->
</footer>
</div><!--/.fluid-container-->
<script src="./theme/js/jquery-1.7.2.min.js"></script>
<script src="./theme/js/bootstrap.min.js"></script>
</body>
</html>