MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


 
 

*DocIndex - Security

GPG II

* Installation
* Testing And Configuration
* Public Key Distribution
* GPG And Mail Programs

Related Resources:

GNU Privacy Handbook
List Of Related Applications
man gpg

Revision / Modified: Mar. 21, 2002
Author: Tom Berger, Todd Lyons

 

GPG II

* Installation

  1. If you are using a Mandrake release older than 7.2, get the gnupg and the pgpgpg packages from one of M's cryptography servers or get the sources from GnuPG.org. Releases 7.2 and later come with the GnuPG package on the CD.

  2. Install them. If you've used the RPM packages, run

    rpm --verify gnupg

    as a basic security check.

  3. Now you have to generate your key pair with

    gpg --gen-key

  4. You will be asked some questions (kind of key, key size, validity). Go with the defaults unless you know better.

  5. Now you have to supply a user ID: your real name, your email address and a (optional) comment.

  6. Enter your passphrase (it will not show up). As usual, you will be prompted to enter it again to prevent typos.

  7. Now your key will be generated. To help the program gather enough random data, move your mouse around and hit the CTRL, ALT or SHIFT keys some times.

  8. Ready! '~/.gnupg' should now contain these files: 'options' (configuration file), 'pubring.gpg' (your public key) and 'secring.gpg' (your private key).

* section index * top

* Testing And Configuration

Before you distribute your key, you should do some testing:

  • gpg --list-keys will list your key pair. The output will look like this:

    pub [keylenght]/[key ID] [Creation date] [Real name] [comment] [email address]
    sub [keylenght]/[key ID] [Creation Date]

    Write down or memorize the key ID number of your public key. You will need it from time to time.

  • Encrypt and sign a file with gpg -es -r [first part of your real name] [file]. This will generate an encrypted file called '[file].gpg'.

  • Decrypt this file with gpg [file].gpg.

  • gpg --clearsign [file] will create a signed but unencrypted file called '[file].asc'.

  • Verify this signature with gpg --verify [file].asc

  • Beginning with Mandrake 8.2, Mandrake's public key was automatically imported into the root user's keyring when the gnupg package was installed. All other users: add Mandrake's public key on the CD to your keyring: gpg --import /mnt/cdrom/RPM-GPG-KEYS. A good example of why a regular user might want to do this is if the user wants to build rpms from source rpms. The user will want to verify that the source rpm packages he has are bona fide Mandrake source rpm.

  • Check the GPG RPM: rpm --checksig gnupg-[...]mdk.rpm. You should get gnupg-[...]mdk: md5 gpg OK.

  • Create a revocation certificate. You will need it in case your secret key gets lost or is compromised: gpg -o revoke.asc --gen-revoke [key ID]. Save the file 'revoke.asc' to a secure place.

The configuration file for GPG is '~/.gnupg/options'. Usually you don't have to change anything here, my suggestions just make using GPG a tiny bit more comfortable ;-):

  • Remove the leading hash (#) from no-greeting (removes the copyright message) and default-recipient-self (lets yourself be the default recipient).

  • Change the 'keyserver' line to keyserver search.keyserver.net or use the default keyserver by removing the hash.

  • Add no-secmem-warning to get rid of those pesky GPG warnings about using insecure memory.

Further options can be found in man gpg.

* section index * top

* Public Key Distribution

To distribute your public key by email or on your website, you have to export your key to a text file first. To prevent GPG from using the binary format, add the --armor option:

gpg --armor --export [key ID] -o mykey

Now you can send or post 'mykey' and people can add the included key to their key rings with gpg --import mykey.

A more general approach lies in using a keyserver, e.g. one of the keyserver.net family. This way everyone can get your public key without having you to ask first. He or she can just search the keyserver for your name, email address or key ID, get the key and add it to his or her keyring.

To submit your public key to a keyserver, type:

gpg --keyserver search.keyserver.net --send-key [key ID or your email address]

This might take a while. There's a list of alternative keyservers at keyserver.net. Some keyservers also allow you to copy and paste your key into a text entry field. In order to get a key from a keyserver, use

gpg --keyserver search.keyserver.net --recv-key [key ID]

(You can leave out the --keyserver parameter, if you've specified a keyserver in '~/.gnupg/options'). For this command you will need the numerical key ID of the key you want. If you don't know it (or if the server rejects your request), you can search for a key and get it on keyserver.net.

You might want to make it easier for people by adding the numerical key ID of your public key to your mail signature, maybe along with the address of your favorite keyserver.
To verify keys, exchange encrypted messages containing the key fingerprints (gpg --fingerprint [key ID]). You should only use keys the fingerprints of which you have verified by contacting the owner of the key.

* section index * top

* GPG And Mail Programs

Here are some mail programs currently supporting GPG:

  • Arrow, a nice, lightweight mail client for X.
  • Exmh, X front end for the MH mailing system.
  • KMail, KDE's standard mail client.
  • Mew, a MIME mail reader for (X)Emacs.
  • Mutt, a very popular console based mail reader.
  • Pine, another popular console based mail reader. You will need an add-on like pgp4pine.
  • Postilion, a next-ish mail application for X.
  • Spruce, a GTK+ mail client.
  • XFMail, a very powerful MUA for X.

Advanced MUAs like 'mutt' support the 'PGP/MIME' or 'application/pgp' MIME type. Others do not, which might lead to problems. In this case configure your mail client to use the 'old-style' clear-text format (pgp_create_traditional ask-yes in 'mutt').

If you are using a legacy mail reader like Netscape Mail, you can still write your messages, encrypt them and send them as attachments. Graphical GPG tools like Gpgp, TkPGP and Geheimnis will help you. Might be better to get a decent mail client, though ;-).

And if you really want to get into the thick of it, try the PGP Forwarding Server. This server serves as an encryption / decryption relay for users who either do not have GPG/PGP installed or don't want to use it.

* section index * top

 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.