You are here: Foswiki>Sysadmin Web>GnuPG (18 Jun 2007, AlsteR)Edit Attach

Introduction to OpenPGP

25 years ago all encryption was based on some form of shared secret - since all parties using encryption had to have the same key to decode it the code could be broken simply by getting ahold of one of those keys.

Then came along the concept of public key-secret key encryption. In brief, a public key is something you can send copies of to literally everyone because it only allows them to encrypt content that can be decrypted by your secret key. Public keys encrypt, secret keys decrypt.

You can also "sign" documents with your secret key, meaning you create an encrypted checksum of that document which others can check against to ensure that you did indeed create the document and that it's unmodified.

A detailed overview of the key pair based encryption is in GnuPGIntroduction.

Security Issues

The easiest (and most used) way to "break" this encryption is called "Man In the Middle", that is, if person A is trying to send an encrypted document to person B a third person, person C, can stand in between and make person A believe that he (C) is person B and vice versa. It's simple trickery, but it works well if people don't pay attention.

There are a few ways to combat these impersonation attacks. First, and the most direct, is to give people your public key's fingerprint. For DSA keys made by GnuPG it's a 40 digit hexidecimal (base 16) number, the last 8 digits being your keyid. While several keys could potentially share the same fingerprint, the number of keys one would have to generate to find one that matched is simply astronomical.

The second way, which is often used when you're contacting the person for the first time, is to verify their public key's signatures. Just like the signatures on files, friends can use their secret keys to sign your public key. Unlike signing documents, however, signing keys doesn't indicate ownership- it indicates first-hand face to face knowledge that the key is in fact owned by the person it claims to be owned by. If you get a key for the first time and you find a friend's signature on it, hopefully you can trust that friend's judgement enough to trust in the new person's key as well. If you don't recogise any signatures on a key you could even go the next step and check all the signatures of the new key's signers. This is called a web of trust. By the fact that most IMC'ers know eachother through one or two people we should be able to verify someone new through contacts with their local IMC or someone involved with another IMC who may have met them.

Every time you add a bit you double the amount of possible key combinations. Considering that computer speed doubles every 18 months, it would take several times your lifetime to break a 1024bit key. It would be far easier for them to break into your home when you're away and get a copy of your secret key from your hard drive. This is why we use a passphrase to encrypt/decrypt our secret keys only when we use them. If you feel the need to be really secure, use a long, non-word, alphanumeric with both lowercase and caps, random passphrase and keep your keyrings on a carefully hidden floppy instead of your hard drive.

Getting Started

If you haven't done so already, go to and download the software. From a shell (Windows Users: shell = DOS) run the following line twice:

gpg --gen-key

The first time it should tell you it's created your keyrings, the second time it'll enter the key generation menu. Use the defaults except for Real Name, Email, and Passphrase. You could toss in an expiration time of 1y since this is your first key, don't enter a comment unless you're making more than one key for yourself (ie, seperate home/work keys). Move the mouse around, type random garble on the keyboard, etc while it's trying to generate entropy - if it doesn't get enough keep going.

At this point you should have finished generating it, so try this:

gpg --fingerprint

It should show you your key along with it's fingerprint and possibly some other data such as a subkey, etc. Now, very important, before you do anything else get a NEW FLOPPY and copy the *.gpg files onto it for backup purposes. With your secret key you always have the power to sign a new key for yourself and generate a revocation certificate for the old, or simply add a new email address to it (and delete old ones), but without the secret key you loose all power over it until it expires.

Now it's time to send your key to an IMC keyserver. It really doesn't matter which one, since they're all networked together, just pick one thats close to you and use it. If it stops working use another one. Type this to send your key to the server, for example:

gpg --keyserver --send-key <your keyid>

When you pulled up your fingerprint you got your keyid, it's listed after 1024D/ and is also the last 8 digits of your fingerprint. Once you've completed this step, you're key is out there for others to start using. You can receive friend's keys or get an updated copy of your own that a friend has signed with the following command:

gpg --keyserver --recv-key <keyid>

To assign a trust level and sign a friend's key (friend as in someone you've met in person and have verified that their key is legit):

gpg --edit-key <keyid>

Then use the menu to "trust" and "sign", then "save". One final tip before usage, to prevent having to type --keyserver all the time you can edit the GnuPG options file and put keyserver in it.

Using It

The most common place to use GnuPG is with your mail client. Look under Frontends on to see how to get your client to work. Of course if you're using standard web-based mail you'll have to do it the hard way, or you could just get yourself a real email service.

To encrypt something "manually" save it as a text file and type:

gpg --armor --encrypt <filename> -r <keyid>

an alternative, shorthand, way of doing this is to do:

gpg -ea <filename> -r <keyid>

[ -e = --encrypt ; -a = --armor ; -r = recipient ]

This will make a new encrypted file .asc - to decrypt something encrypted to your key (encrypt something to your own key for testing purposes) type this:

gpg --decrypt <filename>

or, alternatively,

gpg -d <filename>

[ here: -d = --decrypt ]

You can use a > redirect (or --output) to put the decrypted data in a file vs scrolling it out to your shell.

There's thousands of other uses, but I'll let you read the manual that came with GnuPG to figure them out. smile Have fun, and please, don't let all my technobabble discourage you. It really is quite easy to use and the benefits in using it are well worth the time to learn.


Setting or extending key expiry

If your key has already expired, you may need to set your computers' system (BIOS) date to a date earlier than the date the key expired as a first step, and make sure you are not running an NTP client which will quickly update the date from the Internet - or try disconnecting from the Internet (unplug network cable) completely, then change the date.

gpg --list-secret-keys
and note down (or copy) the ID of the key whose key expiry you would like to edit (e.g. '277FF772'). Then pass the key ID to gpg and enter its console mode:
gpg --edit-key 277FF772
Now select the first sub key (subkey 0):
Command> key 0
and edit the expiry options:
Command> expire

You can now set the expiry for this subkey (usually this is the public key part of the private/public key pair).
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Di 17 Jun 2008 13:26:24 CEST
Is this correct? (y/N) y

GPG will then show the updated key data.

Repeat the above steps for all sub keys. Start by selecting the second subkey:
Command> key 1

Finally, quit the GPG console and save any changes:
Command> quit


For more information, see the KeyServer working group page.


-- SilvioRhatto - 28 Mar 2006 - added link to GnuPGIntroduction.
Topic revision: r8 - 18 Jun 2007, AlsteR
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback