GPG Quickstart Guide

Sunday, October 23

This is a quickstart, so let’s not waste any time. The first thing you’re going to need is a GPG key, so fire up the terminal and from the command line, type:

$ gpg --gen-key

This will launch the GPG key-generation program. First you’ll be asked to select what kind of key you want: (1) DSA and Elgamal (default), (2) DSA (sign only), (5) RSA (sign only). If you want to sign and encrypt messages, DSA and Elgamal is what you want and is the default, so we’ll use that.

Next you’ll be asked to choose a keysize. A large keysize is more secure than a small one, but also takes longer for your computer to encrypt/decrypt data. The default value of 1024 is adequate, so we’ll use that. If you’re really paranoid, you can use 2048, which is currently gpg’s maximum.

You’ll then be asked to set an expiry date for your key. While expiry dates can be used for stronger security, you probably want your key to be valid indefinitely. Choose 0 (the default) to create a key that never expires and confirm your selection.

You need a user ID to identify your key. You’ll be asked for your Real Name, Comment and Email Address, which will result in a user ID in this form: “Real Name (comment) <>”. Go ahead and type in your user ID details and confirm your entry.

Finally you have to enter a passphrase. A passphrase is like a password, but is longer, can contain spaces, and is supposed to be impossible to guess. Think of a passphrase as a super-password. Use a long sentence, or a line from one of your favorite songs, spaces and punctuation included. Oh, and if you ever forget your passphrase, there is NO way to get it back.

All done? Congratulations! You now have a public and secret key in your keyring. To see all your keys, use the list-keys command:

$ gpg --list-keys
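To read back the choices made during key generation (algorithm, keysize, expiry) in a form a script can check, gpg can print the same listing in colon-separated form with --with-colons. The following is an added example, not part of the original post: the function names, the constructed sample listing and the 2048-bit threshold passed to audit_keys are assumptions chosen for illustration.

```shell
#!/bin/sh
# Fields used from each colon-separated record:
#   1 = record type (pub/sub), 3 = key length in bits, 4 = algorithm id,
#   5 = key ID, 7 = expiry (empty when the key never expires)

# Constructed sample listing (not real keys): a 1024-bit DSA key with a
# 1024-bit Elgamal subkey and no expiry, plus a 2048-bit RSA key that expires.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAA11111111:2005-10-23:::u:::scESC:
uid:u::::2005-10-23::::Example User (constructed) <user@example.invalid>:
sub:u:1024:16:BBBBBBBB22222222:2005-10-23::::::e:
pub:u:2048:1:CCCCCCCC33333333:2005-10-23:2007-10-23::u:::scESC:
EOF
}

# audit_keys MIN_BITS
# Reads a colon listing on stdin and prints, per key or subkey:
#   <type> <key id> <algorithm> <bits> <expiry|never> <OK|SHORT|UNCHECKED>
audit_keys() {
    awk -F: -v min="$1" '
        BEGIN { name[1] = "RSA"; name[16] = "ELG"; name[17] = "DSA" }
        $1 == "pub" || $1 == "sub" {
            expiry = ($7 == "") ? "never" : $7
            if ($4 in name) {
                # RSA, Elgamal and DSA sizes are comparable to one threshold.
                algo = name[$4]
                verdict = ($3 + 0 < min + 0) ? "SHORT" : "OK"
            } else {
                # Other algorithms (e.g. elliptic curves) use a different
                # size scale, so they are reported but not judged.
                algo = "algo" $4
                verdict = "UNCHECKED"
            }
            print $1, $5, algo, $3, expiry, verdict
        }'
}

# Real use: gpg --list-keys --with-colons | audit_keys 2048
sample_listing | audit_keys 2048
```

The expiry column is passed through exactly as gpg prints it, so the script works whether the listing shows dates or timestamps.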

Create a revocation certificate

If you ever need to revoke this key (because, say, you forgot your long and difficult-to-guess passphrase), it helps to have a revocation certificate prepared. Right after creating a key is a good time to prepare a revocation, so let’s do it now.

$ gpg --gen-revoke packagethief > ~/revcert.asc

You’ll have to answer a few questions (the default answers are fine) and enter the passphrase you chose for your key. The above command will create your revocation certificate in the file revcert.asc. Now, keep in mind that if someone gets a hold of this revcert, they’ll be able to revoke your key and render all your encrypted messages unreadable. You probably don’t want this, so it’s a good idea to hide this somewhere OFF your computer. You could put it on another volume, save it to a disk and keep it somewhere safe, or just print it and keep it locked away in your filing cabinet. At the very least, you want to make sure that nobody except you can read it, so let’s change the permissions:

$ chmod u-w,go-r ~/revcert.asc
$ ls -l ~/revcert.asc
-r--------   1 packaget  packaget  260 Oct 23 10:30 revcert.asc

Now you (the owner) are the only one who can read the file. Note that we’ve even removed write permissions for the owner.
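With the redirect-then-chmod order used above, the file is first created with whatever mode the shell's umask allows (the listing implies rw-r--r-- before the chmod), and a relative change such as u-w,go-r depends on that starting mode. The sketch below is an added example, not part of the original post: save_private, list_exposed and demo are hypothetical helper names, and the certificate text is a constructed placeholder standing in for the output of gpg --gen-revoke.

```shell
#!/bin/sh
# save_private FILE
# Writes stdin to FILE so that it is never readable by group or others,
# not even in the window between creating the file and a later chmod.
save_private() (
    umask 077            # anything created in this subshell is 0600 at most
    set -C               # noclobber: refuse to overwrite an existing file
    cat > "$1" || exit 1
    chmod 400 "$1"       # absolute mode: -r-------- whatever it started as
)

# list_exposed DIR
# Prints every regular file under DIR that group or others can read,
# write or execute.
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                         -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# demo: create one file by plain redirection under a typical umask and one
# with save_private, then report which of the two is exposed.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed placeholder, not a real revocation certificate.
    cert='-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder)
-----END PGP PUBLIC KEY BLOCK-----'
    ( umask 022; printf '%s\n' "$cert" > "$dir/redirected.asc" )
    printf '%s\n' "$cert" | save_private "$dir/revcert.asc"
    list_exposed "$dir" | sed 's|.*/||'
    rm -rf "$dir"
}

demo
```

With the key from this guide, the equivalent real command is gpg --gen-revoke packagethief | save_private ~/revcert.asc.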

Using your key from within your mail program

Since most folks use a GUI-based email client like Thunderbird or, here are some add-ins that you can use with your mail client to provide GPG functionality. These make it really easy to use GPG with your mail, adding sign/encrypt options to the Compose window and automatic decryption for encrypted messages.

  • Enigmail is an extension for Mozilla Thunderbird. If you use Thunderbird or Mozilla/Netscape, this is the cheese.
  • GPGMail is a plug-in for Apple’s Mail. Although its authors claim that “GPGMail is a complete hack, relying on Mail’s internal private API,” I’ve been using it for several months without issue. The latest version even has an installer.

The difference between signing and encrypting

Signing an email message using your key helps prove that the message came from you. This isn’t the same as encrypting the message, but is a common way to assert the authenticity of the sender. Your message is still sent in plain text and anyone can read it, but they can also use your GPG signature to verify your identity. I tend to sign most of the messages I send.

Encrypting is another story. To encrypt a message, you need the public key of the person to whom you are sending the encrypted message. When you use someone’s public key to encrypt a message, only the person who has the corresponding secret key can decrypt it. So, if I wanted to send an encrypted message to ‘John’, I would need his public key.

Obtaining your public key

To obtain your public key (a big block of ASCII characters that looks like garbage text), use gpg -a --export from the command line:

$ gpg -a --export packagethief

This will print your key to the screen (the -a option tells GPG to output in ASCII text). Sometimes it’s more useful to have this in a text file so you don’t have to copy/paste it. To do so, just redirect the output to a file:

$ gpg -a --export packagethief > ~/pubkey.txt

This will save your key in the file pubkey.txt in your home directory. You can now publish your key (say, on your website), so that others can use it to send you encrypted messages.

Changing your passphrase

Until today, I didn’t even know you could do this. You change the passphrase for a key by editing it. Not everything is editable (for example, you can’t change your user ID), but changing your passphrase is the kind of thing you might want to do from time to time.

$ gpg --edit-key packagethief
Command> passwd

You’ll be asked for your existing passphrase before you’ll be able to type a new one. To exit and save your changes, type quit at the prompt.

Related resources

My public key
