Pretty Good Privacy (PGP)

INTRODUCTION

Check the GnuPG web page for documentation on the GnuPG package:

http://www.gnupg.org/
In particular, look at the documentation and the "Mini HOWTO" for lots of good information.

PUBLIC KEY CRYPTOGRAPHY

We'll use pkg_add to install GnuPG. A local copy is on our noc box:

# pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/8.0-RELEASE/packages/All/gnupg-1.4.10.tbz

CREATING A PUBLIC/PRIVATE KEY PAIR

Now that GnuPG is installed, you can use the gpg command, the GNU implementation of PGP. Do these steps as your own user on your system (i.e. afnog), not as the root user:

$ gpg --gen-key

Here is what the key generation session looks like. The value typed after each prompt is a reasonable response to that question:
--------------------------------------------------------------------
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/home/afnog/.gnupg/secring.gpg' created
gpg: keyring `/home/afnog/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 4y

Key expires at Sun May 25 22:40:46 2014 CAT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: AfNOG User
Email address: afnog@pcX.sae.ws.afnog.org
Comment: 
You selected this USER-ID:
    "AfNOG User <afnog@pcX.sae.ws.afnog.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

Enter your afnog user password here

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++

gpg: /home/afnog/.gnupg/trustdb.gpg: trustdb created
gpg: key FD738CC0 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2014-05-25
pub   2048R/FD738CC0 2010-05-26 [expires: 2014-05-25]
      Key fingerprint = 9F27 8A7D 17B2 559E E525  1DF1 2D3D 8A4A FD73 8CC0
uid                  AfNOG User <afnog@pcX.sae.ws.afnog.org>
sub   2048R/8AF8279C 2010-05-26 [expires: 2014-05-25]
--------------------------------------------------------------------

At this point your PGP public and private keys have been created. Your PGP information will be stored in your user's account home directory under the ".gnupg" directory.

EXTRACTING YOUR PUBLIC KEY

To extract your public key as text do:

$ gpg -a --export <your key id>
Note: "your key id" is probably your email address in this case.

To see what public keys you have installed, you can always type

$ gpg --list-keys

To place your newly generated public key on the MIT (Massachusetts Institute of Technology in Boston, Massachusetts, United States) PGP server, do the following:
$ gpg --list-keys yourUserid
Look for the line that starts with "pub": the hexadecimal string after the "/" in the second field is your key-id. A sample such line is:
pub 1024D/E947C3B4 2012-11-28 [expires: 2012-11-28]
The string "E947C3B4" is the key-id in this case.

Only send this newly generated PGP key to the MIT keyserver if the key you have generated is one you plan on using in the future: once a key has been uploaded it cannot be removed from the keyserver network, only revoked. Your instructor should discuss this before you do these exercises. If not, remind your instructor to do this now. :-)


So, to send your newly created public key to a keyserver you would do:
$ gpg --keyserver pgp.mit.edu --send-keys key-id
That's it! Your public key is now available to anyone who goes to the MIT PGP server and searches on your name, email address, etc. Your key information will propagate to all the PGP key servers worldwide within a few hours.

GENERATING YOUR PUBLIC KEY'S FINGERPRINT

You calculate the fingerprint for a local copy of a public key like this:

$ gpg --fingerprint <key id>
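
The key-id you read from a "pub" line and the fingerprint printed by gpg --fingerprint are tied together: the 8-digit key-id is only the last 8 hex digits of the 40-digit fingerprint, so many different keys can share a key-id, and the value you compare with the key's owner must be the full fingerprint. The following shell script is an added example, not part of these notes or of GnuPG; it parses the sample "pub" and "Key fingerprint" lines copied from the session above and checks that consistency.

```sh
#!/bin/sh
# Added example (not from the AfNOG notes): parse the "pub" and
# "Key fingerprint" lines that gpg prints and check that the short key-id
# is the tail of the full fingerprint. Sample lines are copied from the
# key generation session in these notes.

PUB_LINE='pub   2048R/FD738CC0 2010-05-26 [expires: 2014-05-25]'
FPR_LINE='      Key fingerprint = 9F27 8A7D 17B2 559E E525  1DF1 2D3D 8A4A FD73 8CC0'

# Key-id as shown on a "pub" line: the part after "/" in the second field.
keyid_from_pub_line() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, f, "/"); print f[2] }'
}

# The 40 hex digits of a fingerprint with the label and spacing removed.
fingerprint_hex() {
    printf '%s\n' "$1" | sed -e 's/.*= *//' -e 's/ //g'
}

# The short (32-bit) key-id is the last 8 hex digits of the fingerprint;
# the long (64-bit) key-id is the last 16. Both are only abbreviations.
short_keyid() { fingerprint_hex "$1" | cut -c 33-40; }
long_keyid()  { fingerprint_hex "$1" | cut -c 25-40; }

# Succeeds (exit 0) only if the pub line and fingerprint describe one key.
keyid_matches_fingerprint() {
    [ "$(keyid_from_pub_line "$1")" = "$(short_keyid "$2")" ]
}

if keyid_matches_fingerprint "$PUB_LINE" "$FPR_LINE"; then
    echo "key-id $(keyid_from_pub_line "$PUB_LINE") matches the fingerprint"
    echo "long key-id: $(long_keyid "$FPR_LINE")"
else
    echo "key-id and fingerprint do NOT belong to the same key" >&2
fi
```

To check a key on your own keyring, feed the two lines printed by gpg --fingerprint <key id> into the same functions.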

IMPORTING SOMEONE ELSE'S PUBLIC KEY

Once you have obtained a public key, you can import it into your local keyring so that you can use it, like this:

$ gpg --import <filename>

SIGNING A PUBLIC KEY

If you have a copy of someone else's public key on your keyring, you have verified that it is genuine (e.g. by checking the fingerprint with the key's owner), and you have also verified the identity of the key's owner (e.g. by checking a passport), you can sign it.

To sign a key:

$ gpg --sign-key <key id>
This does several things:

MORE INFORMATION

There are many more things you can do with GnuPG than those described in these notes. For more information, see:

http://www.gnupg.org/

Last update by Hervey Allen on: Thu May 27 00:59:52 CEST 2010