Saturday, August 7, 2010

Get started with GnuPG


GnuPG is an open replacement for PGP Corporation’s PGP (Pretty Good Privacy) encryption tool, and is based on the OpenPGP standard. GnuPG (or GPG for short) encrypts and decrypts files using a public/private keypair. It can be used to encrypt regular files or e-mail, in either binary or ASCII format, and can also verify the integrity of files or e-mail via cryptographic signatures. GPG is a command-line tool and is available with every Linux distribution.
To begin using GPG, you must generate a public/private keypair. This keypair is generated with the --gen-key command:
$ gpg --gen-key
It will create the ~/.gnupg/ directory if it doesn’t already exist, where it will store its configuration file, gpg.conf, and the private and public keyrings where keys are stored, secring.gpg and pubring.gpg respectively, as well as the trust database.
When you generate the initial keypair, you will have to choose the key type. The default is “DSA and Elgamal,” which will allow you to sign and encrypt. You will then have to select a keysize for the key, anywhere between 1024 and 4096 bits. The default is 2048 bits and is sufficient. Next, you will need to determine whether or not the key will expire, and if so, when. A non-expiring key is most convenient, as neither you nor anyone using your public key will have to worry about new keys; however, if the key is stolen or compromised, it can then be used indefinitely. Many individuals have keys that expire after one year and generate new keys at that time.
Finally, you will need to provide a user ID for the key which consists of your real name, e-mail address, and an optional comment. The user ID will then end up being “Real Name (Comment)
When the key generation is complete — which may be immediate or may take some time depending on the amount of entropy your system has collected in order to generate random bytes — you can list the keys by executing:
$ gpg --list-keys; gpg --list-secret-keys
You can also view the key’s fingerprint, a unique identifier for the key, with the command:
$ gpg --fingerprint user@domain.org
pub  1024D/9B1386E2 2007-12-01 Real Name (Comment) 
Key fingerprint = 88A9 166B 13E6 516A 87C8  F127 5CA9 2D9E 9B13 86E2
sub  2048g/7F72A50F 2007-12-01
Be sure to keep your fingerprint handy. When people are attempting to use or import your key, they can ensure they have the right key if you provide them with the fingerprint.
At this point, you can start using GPG to encrypt and decrypt files. For instance, if you have a text document, and you want to be able to detect whether anyone has tampered with it, you can sign it with the --clearsign command. To keep the file readable, specify the ASCII armor format with -a. After providing your passphrase, the contents of the file will be wrapped in a digital signature and a new file will be created with the new contents. If even one space is added to the file, the signature verification will fail. For instance:
$ echo "Test file" >test.txt
$ gpg --clearsign -a test.txt
You need a passphrase to unlock the secret key for
user: "Real Name (Comment) "
1024-bit DSA key, ID 9B1386E2, created 2007-12-01
Enter passphrase:
$ cat test.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Test file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHUh3VJnj1HnfyJpYRAjn7AKCI5DYTvvQ2J6pALyMYp26oGuZKaQCcCSZ7
O6dBveVjOgzC4HL5k8rFFHM=
=SxSW
-----END PGP SIGNATURE-----
$ gpg --verify test.txt.asc
gpg: Signature made Sat Dec  1 19:52:05 2007 MST using DSA key ID 9B1386E2
gpg: Good signature from "Real Name (Comment) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 88A9 166B 13E6 516A 87C8  F127 5CA9 2D9E 9B13 86E2
$ perl -pi -e 's|file|files|' test.txt.asc
$ gpg --verify test.txt.asc
gpg: Signature made Sat Dec  1 19:52:05 2007 MST using DSA key ID 9B1386E2
gpg: BAD signature from "Real Name (Comment) "
As you can see from the above, changing the word “file” to “files” causes the verification of the ASCII-armored text file to fail. You can also see that GPG created a new file called test.txt.asc; GPG will attach either an .asc extension to the original file name for an ASCII-armored text file, or a .gpg extension in the case of a GPG-encrypted file.
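The session above reports "Good signature" together with a warning that the key is not certified, so a script that acts on a verification should also confirm that the signing key is the one whose fingerprint you were given. The following is an added example, not part of the original post: it reads the machine-readable lines gpg emits with --status-fd and compares the VALIDSIG fingerprint against a pinned one. The function names (norm_fpr, check_status, verify_pinned) are hypothetical and the sample status lines are constructed.

```sh
#!/bin/sh
# Added example: pin the signer's fingerprint when verifying a signature.

# Normalise a fingerprint as printed by `gpg --fingerprint`:
# strip whitespace and upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read gpg status lines on stdin; $1 is the expected fingerprint.
# Exit status: 0 = good signature from the pinned key,
#              1 = bad, unverifiable or missing signature,
#              2 = valid signature, but from a different key.
check_status() {
    awk -v want="$(norm_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last
        # field is the primary key fingerprint when gpg reports one.
        $2 == "VALIDSIG" {
            valid = 1
            if (toupper($3) == want || toupper($NF) == want) pinned = 1
        }
        END {
            if (bad || !valid) exit 1
            if (!pinned) exit 2
            exit 0
        }'
}

# Hypothetical wrapper: $1 = expected fingerprint, $2 = signed file.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" 2>/dev/null | check_status "$1"
}

# Constructed status lines (not captured gpg output), using the key
# shown on this page.
SAMPLE_GOOD='[GNUPG:] GOODSIG 5CA92D9E9B1386E2 Real Name (Comment)
[GNUPG:] VALIDSIG 88A9166B13E6516A87C8F1275CA92D9E9B1386E2 2007-12-02 1196563925 0 3 0 17 2 01 88A9166B13E6516A87C8F1275CA92D9E9B1386E2'
SAMPLE_BAD='[GNUPG:] BADSIG 5CA92D9E9B1386E2 Real Name (Comment)'
```

Call verify_pinned with the fingerprint you were given and the signed file, and act on its exit status rather than on the "Good signature" text.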
GnuPG is extremely useful and next week, we’ll see what else it can do.