GPG Quickstart Guide

Sunday, October 23

This is a quickstart, so let’s not waste any time. The first thing you’re going to need is a GPG key, so fire up the terminal and from the command line, type:

$ gpg --gen-key

This will launch the GPG key-generation program. First you’ll be asked to select what kind of key you want: (1) DSA and Elgamal (default), (2) DSA (sign only), (5) RSA (sign only). If you want to sign and encrypt messages, DSA and Elgamal is what you want and is the default, so we’ll use that.

Next you’ll be asked to choose a keysize. A large keysize is more secure than a small one, but also takes longer for your computer to encrypt/decrypt data. The default value of 1024 is adequate, so we’ll use that. If you’re really paranoid, you can use 2048, which is currently gpg’s maximum.

You’ll then be asked to set an expiry date for your key. While expiry dates can be used for stronger security, you probably want your key to be valid indefinitely. Choose 0 (the default) to create a key that never expires and confirm your selection.

You need a user ID to identify your key. You’ll be asked for your Real Name, Comment and Email Address, which will result in a user ID in this form: “Real Name (comment) <email@example.com>”. Go ahead and type in your user ID details and confirm your entry.

Finally you have to enter a passphrase. A passphrase is like a password, but is longer, can contain spaces, and is supposed to be impossible to guess. Think of a passphrase as a super-password. Use a long sentence, or a line from one of your favorite songs, spaces and punctuation included. Oh, and if you ever forget your passphrase, there is NO way to get it back.

All done? Congratulations! You now have a public and secret key in your keyring. To see all your keys, use the list-keys command:

$ gpg --list-keys

Create a revocation certificate

If you ever need to revoke this key (because, say, you forgot your long and difficult-to-guess passphrase), it helps to have a revocation certificate prepared. Right after creating a key is a good time to prepare a revocation, so let’s do it now.

$ gpg --gen-revoke packagethief > ~/revcert.asc

You’ll have to answer a few questions (the default answers are fine) and enter the passphrase you chose for your key. The above command will create your revocation certificate in the file revcert.asc. Now, keep in mind that if someone gets hold of this revcert, they’ll be able to revoke your key and render all your encrypted messages unreadable. You probably don’t want this, so it’s a good idea to hide this somewhere OFF your computer. You could put it on another volume, save it to a disk and keep it somewhere safe, or just print it and keep it locked away in your filing cabinet. At the very least, you want to make sure that nobody except you can read it, so let’s change the permissions:

$ chmod u-w,go-r ~/revcert.asc
$ ls -l ~/revcert.asc
-r--------   1 packaget  packaget  260 Oct 23 10:30 revcert.asc

Now you (the owner) are the only one who can read the file. Note that we’ve even removed write permissions for the owner.

Using your key from within your mail program

Since most folks use a GUI-based email client like Thunderbird or Mail.app, here are some add-ins that you can use with your mail client to provide GPG functionality. These make it really easy to use GPG with your mail, adding sign/encrypt options to the Compose window and automatic decryption for encrypted messages.

  • Enigmail is an extension for Mozilla Thunderbird. If you use Thunderbird or Mozilla/Netscape, this is the cheese.
  • GPGMail is a plug-in for Apple’s Mail.app. Although its authors claim that “GPGMail is a complete hack, relying on Mail’s internal private API,” I’ve been using it for several months without issue. The latest version even has an installer.

The difference between signing and encrypting

Signing an email message using your key helps prove that the message came from you. This isn’t the same as encrypting the message, but is a common way to assert the authenticity of the sender. Your message is still sent in plain text and anyone can read it, but they can also use your GPG signature to verify your identity. I tend to sign most of the messages I send.

Encrypting is another story. To encrypt a message, you need the public key of the person to whom you are sending the encrypted message. When you use someone’s public key to encrypt a message, only the person who has the corresponding secret key can decrypt it. So, if I wanted to send an encrypted message to ‘John’, I would need his public key.

Obtaining your public key

To obtain your public key (a big block of ASCII characters that looks like garbage text), use gpg -a --export from the command line:

$ gpg -a --export packagethief

This will print your key to the screen (the -a option tells GPG to output in ASCII text). Sometimes it’s more useful to have this in a text file so you don’t have to copy/paste it. To do so, just redirect the output to a file:

$ gpg -a --export packagethief > ~/pubkey.txt

This will save your key in the file pubkey.txt in your home directory. You can now publish your key (say, on your website), so that others can use it to send you encrypted messages.
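Before you publish the exported block, or when you want to confirm that a stored revocation certificate survived copying intact, you can validate the ASCII armor yourself: the trailing “=xxxx” line that ends every armored block is an OpenPGP CRC-24 over the decoded payload. The Python below is an added example, not code from the original post or from GnuPG; the key payload it wraps is constructed, not real key material.

```python
import base64
import re

# OpenPGP ASCII armor (RFC 4880, section 6) ends every block with an "=xxxx"
# line: a base64-encoded CRC-24 of the binary payload. It catches truncation or
# copy/paste damage, not deliberate tampering (only signatures do that).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\n(?:[^\n]+\n)*\n"  # header lines, blank line
    r"((?:[A-Za-z0-9+/][A-Za-z0-9+/=]*\n)+)"           # base64 body lines
    r"=([A-Za-z0-9+/]{4})\n-----END PGP \1-----")      # CRC line, matching footer

def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Wrap binary OpenPGP data the way `gpg -a` does (64-character lines)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: example\n\n"
            f"{body}\n={crc}\n-----END PGP {kind}-----\n")

def dearmor(text: str) -> tuple[str, bytes, bool]:
    """Return (block type, payload, crc_ok); raise ValueError if malformed."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("not a well-formed ASCII-armored block")
    kind, body, crc_b64 = m.groups()
    payload = base64.b64decode(body.replace("\n", ""), validate=True)
    crc_ok = crc24(payload) == int.from_bytes(base64.b64decode(crc_b64), "big")
    return kind, payload, crc_ok

# Constructed sample: a fake payload stands in for the real key material.
SAMPLE_PAYLOAD = b"\x99\x01\xa2constructed-not-a-real-key"
SAMPLE_ARMOR = armor("PUBLIC KEY BLOCK", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    kind, payload, ok = dearmor(SAMPLE_ARMOR)
    print(kind, len(payload), "bytes, CRC ok:", ok)
```

Run it against the contents of pubkey.txt or revcert.asc; a `crc_ok` of False means the file was truncated or mangled in transit, not that the key itself is untrustworthy.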

Changing your passphrase

Until today, I didn’t even know you could do this. You change the passphrase for a key by editing it. Not everything is editable (for example, you can’t change your user ID), but changing your passphrase is the kind of thing you might want to do from time to time.

$ gpg --edit-key packagethief
Command> passwd

You’ll be asked for your existing passphrase before you’ll be able to type a new one. To exit and save your changes, type quit at the prompt.

Related resources

My public key
