[wellylug] gpg info
Klaatu
klaatu at straightedgelinux.com
Tue Feb 18 06:38:58 NZDT 2014
For the blokes who were curious about GPG, I have two resources I can
offer up. One is an article I wrote for 2600 magazine (at 2600.net) on
getting started with GPG. I'm attaching the article in .txt format to
this email.
The other is a reference post online:
http://straightedgelinux.com/blog/howto/setupgnupg.html
which I don't think is good as an intro but it's handy to have around
when you're trying to remember how to do things like import keys and
search for keys and so on.
Hope these are useful.
-klaatu
-------------- next part --------------
Pretty Good Privacy
by Klaatu
Not that it probably came as much of a surprise to most regular 2600
readers, but the revelations that the NSA have been monitoring nearly
all internet communications with the acquiescence of some of the
largest and most popular service providers does reinforce the
importance of encrypting web traffic.
Obviously there are no guarantees with any method of
encryption; any encryption could theoretically be broken. However,
using the openPGP protocol to encrypt files and emails can be made
basically transparent to the user, so there's hardly an argument
against using it since at worst it adds at least a temporary layer of
obfuscation to online communication.
History of OpenPGP
The back story of openPGP is well documented online, but here's a
brief summary. Phil Zimmermann developed PGP and distributed it amongst
friends so that they could encrypt communication. Once PGP left the US
borders, Zimmermann was accused of exporting munitions and was brought
to trial by the US Government. He won the battle in the end, and PGP
itself has since been owned by a few different corporations and has
also become an open standard.
The theory of OpenPGP involves key pairs. Each party involved in
communication has a public and a private key. Each message is
encrypted using the sender's private and the recipient's public keys,
and then decrypted using the recipient's private and the sender's
public key.
It might help to think of it in simplified algebra.
For instance, a very simple formula such as:
x + 2 = y + 1
is fairly easily solved (or at least it is easy to iterate through
many possible solutions). However, a more complex example such as:
(private_x * 2) * e = (private_y / 4) * e
is quite a lot more difficult and in fact mostly impossible without at
least one of the private values.
The actual algorithm for openPGP would be quite a bit more complex with
far longer numbers involved.
The most common implementation of OpenPGP is GnuPG (Gnu Privacy
Guard). This is available built-in on Linux, and is freely
downloadable for Windows and OS X.
Basics of GnuPG
Once you have installed GPG, you must create a key pair for
yourself. There are probably GUI programmes to help with this, but it
is easily done via a UNIX or UNIX-like shell (such as Cygwin or
PowerShell on Windows). This article provides instructions for Bash or Zsh.
In a UNIX terminal, type this:
gpg --gen-key
A text menu pops up, giving you a choice of encryption methods, and
how many bits you want your key to use. The defaults are always safe.
You then must choose if and when you'd like this key to expire. The
default is Never (0) and for personal use that's probably what you
want. Confirm all of your choices, and then assign a user, email
address, and an optional comment to that key. GPG prompts you for each
of these, so enter the email account information you wish to use with
this key.
Once your key pair is generated, you can try a test encryption. Since
you have no one else's public key incorporated into GPG yet, this test
will encrypt and decrypt a simple message for yourself:
echo "hello world" | gpg --encrypt > ~/hello.gpg
Now a fully encrypted file called hello.gpg exists on your hard
drive. Were you to attempt to open the file, you would see naught but
gibberish.
To decrypt it:
gpg --decrypt ~/hello.gpg
These examples have used GPG directly. You are free to do this for
files or even tarred and zipped directories as an alternative to
something like Truecrypt, and on Linux most of the popular file
managers feature full GPG integration so that when you attempt to open
an encrypted file, you will be prompted for your key
passphrase. Likewise, for email, it's usually convenient to let your
email client do the work. There may be PGP plugins for the email
client of your choice. This article covers Enigmail, a plugin for
Thunderbird.
Distributing Public Keys
Before you can encrypt an email message for someone, you must import
their public key and they, in turn, must have access to yours. The
easiest way to distribute your public key is to send it to a
keyserver.
First, determine your key's ID:
gpg --list-keys | grep pub
This returns, for example, 1024D/BC9AE666 2009-09-11
The number following the slash is your key ID.
Push it to a key server thusly:
gpg --send-keys --keyserver keys.fedoraproject.org BC9AE666
There are many keyservers on the internet and they regularly duplicate
one another's list of keys, so you need only to pick one at random and
use it. Keys.fedoraproject.org is as good as any other, but there are
lists online.
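The key-generation, encrypt-to-self and decrypt steps from "Basics of GnuPG" above, together with the key ID lookup, run as one unattended script. This is an added example, not code from the article: it assumes GnuPG 2.1 or newer, works in a throwaway GNUPGHOME so your real keyring is untouched, and the user ID test@example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): the article's gen-key, encrypt-to-self and
# decrypt steps run unattended inside a throwaway GNUPGHOME, so the real ~/.gnupg is
# never touched. Needs GnuPG 2.1+ (--quick-gen-key, --pinentry-mode, --with-colons).
set -u

# Long key ID of the first secret key, from machine-readable output. The article's
# "pub 1024D/BC9AE666" layout is GnuPG 1.x; the --with-colons format is stable across
# versions, and field 5 of a "sec" record is the 16-hex-digit key ID.
gpg_key_id() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" { print $5; exit }'
}

# Generate a key, encrypt "hello world" to it, decrypt, and compare with the original.
# Prints the decrypted text and returns 0 on success, 1 on any gpg error or mismatch.
gpg_roundtrip_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping demonstration" >&2
        return 0   # assumption: a missing gpg is a skip, not a failure
    fi
    local home uid keyid plain clear
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"
    uid="Test User (constructed key) <test@example.invalid>"   # placeholder identity

    # Unattended equivalent of the interactive "gpg --gen-key" dialogue: default
    # algorithm and size, never expires (as the article suggests), empty passphrase
    # so no pinentry dialogue is needed.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never >/dev/null 2>&1 \
        || { gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$home"; return 1; }

    keyid=$(gpg_key_id)
    plain="hello world"
    # --recipient makes the article's "echo ... | gpg --encrypt" non-interactive.
    printf '%s\n' "$plain" | gpg --batch --encrypt --recipient "$keyid" \
        > "$home/hello.gpg" 2>/dev/null
    clear=$(gpg --batch --pinentry-mode loopback --passphrase '' \
        --decrypt "$home/hello.gpg" 2>/dev/null)

    gpgconf --kill gpg-agent 2>/dev/null   # the agent was started for this keyring
    rm -rf "$home"
    unset GNUPGHOME
    [ -n "$keyid" ] && [ "$clear" = "$plain" ] || return 1
    echo "$clear"
}
```

Run it with `gpg_roundtrip_demo`; it prints "hello world" when the round trip succeeds and exits non-zero otherwise.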
To import someone else's key into your own GPG keychain, use the
search function of GPG. You can search by name or email address.
gpg --search-keys klaatu
This will return a list of keys that seem to match your search; import
the one that you feel is appropriate.
Encrypting Email
Using GPG with Thunderbird is made possible by the Enigmail
add-on. Install the Enigmail add-on via Thunderbird's Add-On menu
option.
Once Enigmail is installed, your Thunderbird client will have a new
menu option for OpenPGP, and a new button or two. If you are averse
to the shell-based interface of GPG, the openPGP menu allows you to do
most everything already covered in this article. Assuming you have
already generated your keys, however, all you need to do to set up
Enigmail is to confirm your key via the OpenPGP Menu > Key
Management. Once this exists, you can either sign or encrypt (or both)
your emails any time you enter an email address that matches a public
key contained in your GPG keychain.
When composing a new email, use the OpenPGP button to tell Thunderbird
to sign (use your key as a digital signature) or encrypt your
message. The default behaviour for this can be set in the Preferences
submenu of the OpenPGP menu.
When encrypting email, you will be prompted for your GPG
password. This gives Enigmail access to your private key for the
encryption process, and then sends a fully encrypted message to the
recipient. If someone responds to your email with an encrypted
message, Enigmail will automatically detect the need for decryption
and display the message for you.
Encrypt All the Things
Increasing the usage of encryption for even casual, everyday
communication will also help draw less attention to the traffic that,
for whatever reason, needs to be encrypted. It just reduces the
signal-to-noise ratio, making the pool of information murkier for
anyone trying to take an uninvited sample.
A Note to Pittsburgh
For any readers in Pittsburgh: I am attempting to revitalize the 2600
meetings. Check the meeting list in the back of this issue for time
and location.