Privacy with GNU Privacy Guard
Use
General
There is a lot of documentation about GnuPG on the official web site.
<note> Just a few obvious rules… that apparently are not that obvious to everybody
- to encrypt a message (file) for your personal use, use your own public key
- to encrypt a message for a friend of yours, use his public key
- to sign a message: use your private key
- you should be sure that you can trust your public keys. The ideal thing is to organize key exchange parties with your friends or at least, to ask your friends to confirm that the key you have is valid (e.g. by comparing key fingerprint that you obtain from
gpg –list-keys –fingerprint
on the phone ).
</note>
Anyway, the very first thing to do is to create your own private/public key pair:\
# gpg --gen-key gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 2 DSA keys may be between 1024 and 3072 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 3 Key expires at Sat Sep 5 16:59:34 2009 CEST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Flash Gordon Email address: flash.gordon@gmail.com Comment: this is another test key You selected this USER-ID: "Flash Gordon (this is another test key) <flash.gordon@gmail.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 48C7AF6A marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: next trustdb check due at 2009-09-03 pub 2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05] Key fingerprint = 695D 354D E592 8677 50E5 5E62 DF8B 511A 48C7 AF6A uid Flash Gordon (this is another test key) <flash.gordon@gmail.ch> sub 2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05]
An handy way of sharing your public key is to upload it to a public key server like keys.gnupg.net
. This allows your friend to easily search and obtain your public key and vice-versa. To upload your public key, first decide which one to upload. Therefore list your keys
# gpg --list-keys /Users/cangiani/.gnupg/pubring.gpg ---------------------------------- pub 1024D/2D09619D 2009-09-02 [expires: 2009-09-03] uid Ciccio Pasticcio (this is a test key) <harmattan@gmail.com> sub 1024g/AF0BF493 2009-09-02 [expires: 2009-09-03] pub 2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05] uid Flash Gordon (this is another test key) <flash.gordon@gmail.ch> sub 2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05]
and copy the key ID for the selected key from the list (e.g. 48C7AF6A
for Flash Gordon). Then upload it to one or more servers:
# gpg --keyserver keys.gnupg.net --send-keys 48C7AF6A gpg: sending key 48C7AF6A to hkp server keys.gnupg.net
In order to search and fetch the public key of a friend of yours using his mail address, do the following (for Damir's address for example):
gpg --keyserver keys.gnupg.net --search-keys damir.laurenzi@epfl.ch gpg: searching for "damir.laurenzi@epfl.ch" from hkp server keys.gnupg.net (1) Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch> 1024 bit DSA key 86134762, created: 2009-06-09 (2) damir laurenzi (no password) <damir.laurenzi@epfl.ch> 1024 bit DSA key B3AB018C, created: 2007-06-28 (revoked) Keys 1-2 of 2 for "damir.laurenzi@epfl.ch". Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key 86134762 from hkp server keys.gnupg.net gpg: key 86134762: public key "Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>" imported gpg: Total number processed: 1 gpg: imported: 1
or just fetch the key if you already know the key ID:
# gpg --keyserver keys.gnupg.net --recv-keys 86134762 gpg: requesting key 86134762 from hkp server keys.gnupg.net gpg: key 86134762: public key "Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch>" imported gpg: Total number processed: 1 gpg: imported: 1
You can check that the newly imported key is in your public keys wallet:
# gpg --list-keys /Users/cangiani/.gnupg/pubring.gpg ---------------------------------- pub 1024D/2D09619D 2009-09-02 [expires: 2009-09-03] uid Ciccio Pasticcio (this is a test key) <harmattan@gmail.com> sub 1024g/AF0BF493 2009-09-02 [expires: 2009-09-03] pub 2048D/48C7AF6A 2009-09-02 [expires: 2009-09-05] uid Flash Gordon (this is another test key) <flash.gordon@gmail.ch> sub 2048g/E9BEF1D2 2009-09-02 [expires: 2009-09-05] pub 1024D/86134762 2009-06-09 [expires: 2019-06-07] uid Damir Laurenzi (gpg key test) <damir.laurenzi@epfl.ch> sub 2048g/45397CF2 2009-06-09 [expires: 2019-06-07]