Jeremys
Essential
- Joined
- 28.09.20
- Messages
- 75
- Reaction score
- 238
- Points
- 18
On Linux, the universal encryption tool is Werner Koch's Gnu Privacy Guard (GnuPG) package. Its main application command (gpg) brings back the memory of Pretty Good Privacy (PGP), an encryption tool released in 1991 by Phil Zimmermann. You can learn more about GPG in the article "GPG Encryption".
OpenPGP is now the standard that defines how encrypted messages and associated bits are stored, and GnuPG fully implements this standard.
GnuPG runs from the command line and has a reputation for being complex and awkward. It provides the user with all modern private and public key algorithms, as well as a variety of control levers that you can twist as you like.
As a result, you have a myriad of command line options and man pages to read for a long time. Most distributions have GnuPG installed by default, so we won't have to deal with installation for this tutorial.
How to use GnuPG on Linux
Traditional symmetric encryption (where two parties share a secret key or password) is fine, but it assumes that the communicating parties first shared the key over a secure channel. Typically, this would involve a seditious meeting in a dark parking lot, perhaps exchanging briefcases, and ideally destroying any key or password entry. No one knows what or who is hiding in the darkness in such places, and it would be better to avoid such situations altogether. So let's create a key pair and see how public key encryption works.
Creating keys in GnuPG
Enter
Code:
$ gpg -full-gen-key
Accept the default settings for the first three questions. We will create a 2048-bit RSA key with an RSA subkey and this key will not have an expiration date.
Then to the question "Is this correct?" you must answer "Yes".
How to use GnuPG
You will be asked for your name and email address. This information will be stored with a public key, and it is good practice to make this key as widely known as possible - so do not use your real name of the primary email address unless you want to make this data public. The email address used here does not have to be the same address from which you will send your encrypted messages.
You will then be asked for a passphrase to protect the key. Creating a key requires entropy (random data), so while creating a key, you will be asked to press the keyboard and fumble with the mouse.
After that, you can check that everything is done with
Code:
gpg --list-keys
GnuPG securely stores all generated keys in a keyring. They can be imported and exported if necessary; however, extreme care should be taken when moving the private key.
Since you need to share your public key, export the key with
Code:
$ gpg --output lxfpublic.key --armor --export
replacing it with the email address used to create the key.
The resulting file can be sent to your conspiracy comrades and they can import it using
Code:
$ gpg --import lxfpublic.key
Alternatively, it can be uploaded to a keyserver so anyone can find you.
Using GnuPG
To send you an encrypted message, say instructions.txt, your colleague must enter
Code:
$ gpg --recipient --encrypt instructions.txt
and send you the resulting instructions.txt.gpg file.
It should also delete the original file (with shred, for example) - just like you would after receiving it.
And that was a very short introduction to GPG on Linux, not that much painful. However, if you prefer a graphical interface, there is GPA (Gnu Privacy Assistant) for you, as well as the excellent Enigmail plugin for Thunderbird.
How to use GnuPG: GPA
Network of Trust and Key Signers
Earlier we mentioned uploading your key to a keyserver. If you have someone's public key, then you know that only the owner of the corresponding private key can read the encrypted messages sent to them.
The problem is that unless you have exchanged keys in person, there is no guarantee that the public key really belongs to who you think it should belong: it could just as well belong to an impostor. So it's worth promoting your key as much as possible: place it on multiple keyservers, on your website, in your email signature. Conversely, do a background check before trusting the random public key. All of these things are potentially hackable, so there is another way. If you have met a person in person or for any other reason are sure of the authenticity of his public key, you can sign him.
You can create these relationships to create a centralized structure known as the Web of Trust. Over time, people will see whose keys you signed, and if they trust you, they will trust those keys as well.
To kickstart this process, you can throw a key signing party where the participants - among other things - have fun - meet in person, authenticate the photo ID, and sign the keys and certificates. The fictional key signing party in Corey Doctorow's "Little Brother" takes place on a beach in California - where will yours be?
OpenPGP is now the standard that defines how encrypted messages and associated bits are stored, and GnuPG fully implements this standard.
GnuPG runs from the command line and has a reputation for being complex and awkward. It provides the user with all modern private and public key algorithms, as well as a variety of control levers that you can twist as you like.
As a result, you have a myriad of command line options and man pages to read for a long time. Most distributions have GnuPG installed by default, so we won't have to deal with installation for this tutorial.
How to use GnuPG on Linux
Traditional symmetric encryption (where two parties share a secret key or password) is fine, but it assumes that the communicating parties first shared the key over a secure channel. Typically, this would involve a seditious meeting in a dark parking lot, perhaps exchanging briefcases, and ideally destroying any key or password entry. No one knows what or who is hiding in the darkness in such places, and it would be better to avoid such situations altogether. So let's create a key pair and see how public key encryption works.
Creating keys in GnuPG
Enter
Code:
$ gpg -full-gen-key
Accept the default settings for the first three questions. We will create a 2048-bit RSA key with an RSA subkey and this key will not have an expiration date.
Then to the question "Is this correct?" you must answer "Yes".
How to use GnuPG
You will be asked for your name and email address. This information will be stored with a public key, and it is good practice to make this key as widely known as possible - so do not use your real name of the primary email address unless you want to make this data public. The email address used here does not have to be the same address from which you will send your encrypted messages.
You will then be asked for a passphrase to protect the key. Creating a key requires entropy (random data), so while creating a key, you will be asked to press the keyboard and fumble with the mouse.
After that, you can check that everything is done with
Code:
gpg --list-keys
GnuPG securely stores all generated keys in a keyring. They can be imported and exported if necessary; however, extreme care should be taken when moving the private key.
Since you need to share your public key, export the key with
Code:
$ gpg --output lxfpublic.key --armor --export
replacing it with the email address used to create the key.
The resulting file can be sent to your conspiracy comrades and they can import it using
Code:
$ gpg --import lxfpublic.key
Alternatively, it can be uploaded to a keyserver so anyone can find you.
Using GnuPG
To send you an encrypted message, say instructions.txt, your colleague must enter
Code:
$ gpg --recipient --encrypt instructions.txt
and send you the resulting instructions.txt.gpg file.
It should also delete the original file (with shred, for example) - just like you would after receiving it.
And that was a very short introduction to GPG on Linux, not that much painful. However, if you prefer a graphical interface, there is GPA (Gnu Privacy Assistant) for you, as well as the excellent Enigmail plugin for Thunderbird.
How to use GnuPG: GPA
Network of Trust and Key Signers
Earlier we mentioned uploading your key to a keyserver. If you have someone's public key, then you know that only the owner of the corresponding private key can read the encrypted messages sent to them.
The problem is that unless you have exchanged keys in person, there is no guarantee that the public key really belongs to who you think it should belong: it could just as well belong to an impostor. So it's worth promoting your key as much as possible: place it on multiple keyservers, on your website, in your email signature. Conversely, do a background check before trusting the random public key. All of these things are potentially hackable, so there is another way. If you have met a person in person or for any other reason are sure of the authenticity of his public key, you can sign him.
You can create these relationships to create a centralized structure known as the Web of Trust. Over time, people will see whose keys you signed, and if they trust you, they will trust those keys as well.
To kickstart this process, you can throw a key signing party where the participants - among other things - have fun - meet in person, authenticate the photo ID, and sign the keys and certificates. The fictional key signing party in Corey Doctorow's "Little Brother" takes place on a beach in California - where will yours be?