GPG is a widely unknown encryption and signing service for electronic mail. Its features can be handy: you can safely deliver banking information via e-mail when using GPG or verify the authenticity of the sender of a message. I wil describe the basic setup for a GPG key, GPG configuration and GPG key signing.
The Web Of Trust
A basic principle in GPG is the web of trust. The web of trust is build around the principle that you trust people and in turn they also trust people. If you write an e-mail to another user with GPG and three people you trust trust him, you automatically trust him too. Trust in this context means that you trust that the e-mail has come from him or her. When using GPG, every message gets a signature that helps to verify the authenticity of the sender. Signing in this context is meant to be the same as signing of a document by hand.
Creating A Configuration
While creating a configuration is the most boring step in using a new
piece of software, I will start with it nonetheless to save us some
typing on the command line. First create the hidden directory .gnupg
in your home directory, e.g. by typing on the command line:
mkdir -p ~/.gnupg
Then you can open the (most probably empty) file .gnupg/gpg.conf
in
your home directory. Enter the following text into it:
keyserver hkp://pgp.zdv.uni-mainz.de:11371
keyserver-options auto-key-retrieve
# security: newer algorithms:
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
key-server
-
Keyservers are directories of keys from users who chose to upload their keys. When you upload your key, people can sign your key (in order to say that they trust you) or even distrust you.\ You can choose any server you want, they are synchronized.
auto-retrieve
-
With this option, you are specifying that keys not in your key ring are automatically retrieved (e.g. when opening an e-mail). If this is missing, you always have to type
gpg --retrieve-key <id>
.
Generating A Key
Before anyone can trust you, you need to generate a private and a public key; the public key will be for everyone to encrypt messages send to you. The private key on the opposite is just for you which allows you to decrypt the messages again. Furthermore you can sign your -emails with the private key. You generate such a key using
gpg --gen-key
GPG will ask you a couple of questions. First of all, you select which key type you want, it is safe to answer "1" (for a RSA key). Afterwards, you can select the length of the key and the validity period. Then you enter your name, your e-mail address, the comment field may stay empty. The rest of the instructions is self-explanatory.
You should keep in mind that the private key must stay private, since it allows signing your e-mails with your name and decrypting your personal messages. The public key can be distributed, since with this key messages can be only encrypted for you.
For the web of trust it is required that you trust yourself ultimately, which is a good thing anyway. Do the following:
- Execute
gpg --list-keys
and note down your key id. The key id can be found after the key word pub, followed by the length; the characters after the / are your id. - Now you edit your key using
gpg --edit-key <yourid>
. You are now in a text-mode interface. - You can add e-mail aliases, if you have multiple mail addresses or a
provider with multiple names like gmail vs. googlemail. Use
adduid
and answer the questions. - Now use the command
uid
for selecting all user IDs. If you have two user IDs, useuid 1<return>uid 2
. - Finally, you should trust yourself ultimately using
trust 5
. - Type
save
to save the key. - After you have done the modifications, use
gpg --send-key <id>
to send the key to the configured server.
Exchange Finger Prints And Trust Other People
Each key has a finger print. It is like with real finger prints: you can use them to check whether the signature from an e-mail really belongs to the sender or whether the e-mail was caught or modified during its way to you. To get your finger print use
gpg --finger-print <id>
Check this finger print with the person which wants to trust you. For unknown people it might be even advisable to ask them for their identity card. You have to do the same on the foreign key: exchange the finger print with the person who you want to trust.
When you and your partner have exchanged the finger prints and you are sure that you trust him, run
gpg --edit-key <friend_id>
This of course assumes that the key is already in your llocal key ring.
Since you have configure auto-retrieve
for GPG, this should happen as
soon as you open a signed e-mail of the person.
The trust procedure is nearly the same except that you only trust other
people with level 4 and 3. Level 4 is for people which you saw from face
to face, level 3 for people whom you only trust marginally. For level 4,
you can also sign the key, using sign
(imagine you would sign the
identity card). Don't forget to safe and upload the key afterwards.
Using GPG In Real Life
I hope I have walked you through a basic setup of GPG. Now you should choose an e-mail-client which makes using GPG really easy. I have here a personal, not comprehensive list, sorted by preference. I am not suggesting Thunderbird. It is a choice, however the plugin Enigmail has some issues like old-style signatures or own configuration handling and therefore I would suggest Claws-Mail to those users.
- mutt
- This is a command-line client for GNU/Linux or UNIX which has great options for GPG like sending automatically encrypted e-mails to people who you trust. Scripts can also exclude people from receiving GPG signatures if their
mail program don't support signatures. Claws mail : A powerful e-mail
client with a graphical user interface. Unlike Thunderbird and friends,
claws mail has integrated GPG support and doesn't ignore your GPG
settings, but rather uses those which you have edited yourself in
.gnupg/gpg.conf
. K-9 Mail : K-9 Mail is a fork of the original Android
e-mail client which brings a lot of neat features for mail reading on a
telephone together with (optional) GPG support.
Comments