Setting up OpenPGP
Posted by notKlaatu, 04 March 2008
To spare myself from going into great technical detail of how it all works, this article assumes you're ready to set up an OpenPGP key so that you can encrypt your email and files, and also ensure that the people you think you are emailing are really the people you are emailing.

The way that this is done is to create for yourself a Public Key. The person on the other end also creates a Public Key. You trade Public Keys with one another. When you encrypt email destined for that other person, your system encrypts it in such a way that only that person's system, with their special Private Key, can decrypt it.

This is all made possible by OpenPGP, specifically on most Linux systems with a GNU software program called GPG. So, here's how you set up an OpenPGP system on your system:

''Note that % means a regular user and # means root.''

__Create your Public and Private Key__

In your terminal, type this:

^% gpg --gen-key^

A text menu pops up, giving you a choice of what kind of key to create; I used the default by typing in 1.

You are then asked how many bits you'd like in your key. The default is 2048. You can go lower or higher.

You then must choose if and when you'd like this key to expire. The default is Never (0) but you can do anything you feel necessary.

Confirm all of these choices with "y", and then you'll need to assign a user, email address, and an optional comment to that key. It prompts you for each of these, so enter the email account information you wish to use with this key. We will go over adding more accounts to this key later in this article.

Your system then sets about generating a random number -- and at least in the case of a long key it may literally ask you to do something else on the computer so that the random number generator has data to work off of.
Eventually, it will generate enough bits for your key, and returns this information:

^gpg: /home/klaatu/.gnupg/trustdb.gpg: trustdb created
gpg: key 12345678 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 4 marginal(s) needed, 3 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0p, 0m, 0r, 0f
pub 2034D/12345678 2007-12-25
Key fingerprint = 4C72 DEAD E45F F314 8929 FD67 EF23 6B33 3779 2739
uid Klaatu (thebadapples) <email@example.com>
sub 2368g/DF66E34E 2007-12-25^

Note, on the second line, the key "12345678". That is your Key ID, which you'll use to configure your system. (It is not your public key that you will send to friends with whom you wish to have encrypted conversations.)

__To Add Users and Accounts to Your Key__

I have at least three email accounts in my desktop email client, and I hardly want to have a separate key for each account, so I need to add these accounts to my key. To do this, simply type

^% gpg --edit-key 12345678^

You will be given a prompt, at which you'll need to type "adduid" and then you simply have to follow the prompts. You can do this as many times as you need. This is what it looks like, with some content edited out for readability:

^% gpg --edit-key 12345678
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
[content edited out for readability]
Command> adduid
Real name: Gort
Email address: firstname.lastname@example.org
Comment: thebadapples
You selected this USER-ID:
"Gort (thebadapples) <email@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
[edited for readability; your key password will be required here]
Command> quit
Save changes? (y/N) Y^

__Exporting Your Public Key__

Now you've set up the GPG system.
Note that the GPG information that your system uses and refers to has been saved to your home folder, in a hidden directory called .gnupg

^/home/username/.gnupg^

Now you need to extract your Public Key from this information so that you can have the key as a physical file that you can send to your friends.

^% gpg --armor --output klaatukey.asc --export 12345678^

This creates a file called klaatukey.asc, which I can attach to emails that I send to people. If they are also GPG users, they will import this key into their trusteddb file and from then on you can email back and forth with encrypted messages that will be able to be read by you both, but no-one in between.

You can set Evolution and Thunderbird to encrypt your messages automatically as well as attach the actual klaatukey.asc file, but if you're using webmail you'll probably have to attach it manually, so you may want to either upload this to your own server or put it on a USB drive or your Nokia N800 or something that you keep on you.

__To Import Someone Else's Key to Your Trusted Database__

If someone has attached their key in their email, you can download it and then run this in your terminal:

^% gpg --import pubkeyfile.asc^

In Evolution or Thunderbird, you can simply choose to import the key to your trusteddb from menu options.

There's also a way to go get public keys from key servers, but you need to know the address of the keyserver. You can go to the keyserver, search for the person's email address, and download their Public Key. You are then able to encrypt your email using their Public Key so that only they will be able to decrypt it.

^% gpg --keyserver http://www.KeyServerUrl.com --keyserver-options honor-http-proxy --search-keys Email@Address.com^

__Transporting Your GPG Information to Another Computer__

The days of one computer per person are in the past. In the past, I have had up to 6 active computers at a time.
Now I am down to 3 or 4 (2 personal laptops, 1 work laptop, another work laptop, and a fixer-up soon to be donated to someone who needs a computer). Anyway, the point is that if I set up GPG on one system, I probably have at least two other environments where I'll want that GPG infrastructure installed.

Luckily, all you'll need is the .gnupg directory from your $HOME. So, either copy this directory to a USB drive and sneakernet it over to your other system, or send it over your LAN, or whatever, but it really is as simple as that.

^user@desktop: % cp -r ~/.gnupg /media/jumpdrive/
user@laptop: % cp -r /media/jumpdrive/.gnupg ~/^

Once you've copied the .gnupg directory to the other system (in the example above, from one's desktop to one's laptop), the GPG system on the second computer detects the .gnupg information and now it's automagically configured. Nice, huh?

If you don't have GPG installed on the second computer, you should be using Linux.

__HOWTO set this all up in Evolution__

On my Fedora iBook, I use Evolution as my mail client. Setting up GPG is simple:

^Edit > Preferences > Accounts^

I have three accounts set up here, so for each account I would do this:

- Click on the account you wish to add the GPG key to.
- Click EDIT
- The last tab in the new menu that appears is "Security"; click on this
- In the SECURITY tab, the top selection is OpenPGP, so enter into the KEY ID field your key ID...that's the 8 number thing that you were given earlier.
- Click on whatever selections you want; I usually have the automatic options turned on so that my emails are always signed.
- Click OK, and then either repeat these steps for other accounts or click OK to leave preferences.

That's it.

__Setting This Up in Thunderbird__

On my Ubuntu and Slackware laptop, I use Thunderbird. First you must install the [https://addons.mozil...on/71|EnigMail] Add-on for Thunderbird.
''Note: When I did this, I had not yet set my system environment to recognize Thunderbird as its default mail reader, so Firefox didn't know what to do with the install file and kept trying to install Enigmail into itself. To get around this, I did this:''

^% wget https://addons.mozil....95.5-tb sm.xpi^

''I think I had to send an option along with wget to bypass a secure connection, or something, in order for mozilla.org to let me get the file...although I just tried it again and it worked with a normal wget. Anyway, the point is, get the .xpi file onto your computer, then go to Thunderbird > Tools > Add-ons > Install and select the .xpi file. Thunderbird installs it and offers to restart.''

Restart Thunderbird. Now there will be an OpenPGP menu available to you in the main window of Thunderbird. There's not much to do here, although I do go into OpenPGP > Preferences > Show Advanced Options.

As long as you've imported your .gnupg folder, frankly EnigMail seems to just pick it up without any further settings from you. It's fairly transparent.

__Revoking a Key__

So what happens when your arch-enemy's robotic minions discover your Private Key? Well, you'll need to revoke that key and get a new one. And be more careful next time ED-209 comes knocking at your door asking to see your Private OpenPGP Key.

^% gpg --output revoke.asc --gen-revoke 12345678^

You will be asked why you are revoking the key, and then it will generate a revocation certificate. Now, what do you do with this? I have no idea, because I've never had to revoke one before. I reckon I'll cross that bridge when we get to it.
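
An added example (not part of the original post) for the import and keyserver steps: before encrypting to a key you imported, compare its full fingerprint with one the owner gave you in person or by phone. The function names and the sample listing are constructed for illustration; the fingerprint is the one from the sample output earlier in the article.

```sh
#!/bin/sh
# Added example: check an imported key's fingerprint against one obtained out of band.

# Constructed sample of `gpg --with-colons --fingerprint` output (not real key data);
# the fingerprint is the one shown in the article's sample output.
SAMPLE_LISTING='pub:u:1024:17:EF236B3337792739:2007-12-25:::u:Klaatu (thebadapples) <email@example.com>::scESC:
fpr:::::::::4C72DEADE45FF3148929FD67EF236B3337792739:
sub:u:2048:16:0000000000000000:2007-12-25::::::e:'

# Strip whitespace and upper-case hex, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Reads a colon listing on stdin; $1 is the fingerprint the key owner gave you.
# Returns 0 on match, 1 on mismatch, 2 if the input cannot be judged
# (expected value is not 40 hex digits, or the listing holds 0 or several keys).
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    # An 8-digit key ID is not a fingerprint; insist on all 40 digits.
    [ "${#expected}" -eq 40 ] || return 2
    listing=$(cat)
    pubs=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pubs" -eq 1 ] || return 2
    # Field 10 of the first "fpr" record is the primary key's fingerprint.
    actual=$(printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual" = "$expected" ]
}

# Real use: gpg --with-colons --fingerprint Email@Address.com | fingerprint_matches "4C72 DEAD ..."
if printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches \
    "4C72 DEAD E45F F314 8929 FD67 EF23 6B33 3779 2739"; then
    echo "fingerprint matches"
fi
```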
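
An added example (not part of the original post) for the "Transporting Your GPG Information to Another Computer" step: the copied .gnupg directory contains your secret keyring, a FAT-formatted USB drive does not preserve Unix permissions, and GnuPG warns about unsafe permissions when its home directory is accessible to other users. The function names loose_paths and install_gnupg_home are made up for this example.

```sh
#!/bin/sh
# Added example: copy a GnuPG home directory and leave it readable by its owner only.

# Print every path under $1 that group or others can read, write or enter.
loose_paths() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Copy SRC (e.g. /media/jumpdrive/.gnupg) to DEST (e.g. ~/.gnupg).
# Returns 1 if DEST already exists (never merge two keyrings by accident),
# 2 if SRC is not a directory, 3 if the copy or the permission fix failed.
install_gnupg_home() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 2
    [ ! -e "$dest" ] || return 1
    # umask 077 keeps the new files owner-only from the moment they are created.
    ( umask 077 && cp -R "$src" "$dest" ) || return 3
    # The drive may have reported any mode at all, so set the modes explicitly.
    find "$dest" -type d -exec chmod 700 {} + || return 3
    find "$dest" -type f -exec chmod 600 {} + || return 3
    # Final audit: nothing under DEST may be accessible to group or others.
    [ -z "$(loose_paths "$dest")" ] || return 3
}

# Usage on the second computer:
#   install_gnupg_home /media/jumpdrive/.gnupg "$HOME/.gnupg"
```

Afterwards, delete the copy left on the USB drive, since it still holds the private key.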