GPG II
- If you are using a Mandrake release older than 7.2, get the gnupg and the pgpgpg packages from one of M's cryptography servers or get the sources from GnuPG.org. Releases 7.2 and later come with the GnuPG package on the CD.
- Install them. If you've used the RPM packages, run
  rpm --verify gnupg
  as a basic security check.
- Now you have to generate your key pair with
  gpg --gen-key
- You will be asked some questions (kind of key, key size, validity). Go with the defaults unless you know better.
- Now you have to supply a user ID: your real name, your email address and an (optional) comment.
- Enter your passphrase (it will not show up). As usual, you will be prompted to enter it again to prevent typos.
- Now your key will be generated. To help the program gather enough random data, move your mouse around and hit the CTRL, ALT or SHIFT keys a few times.
- Ready! '~/.gnupg' should now contain these files: 'options' (configuration file), 'pubring.gpg' (your public key) and 'secring.gpg' (your private key).
Before you distribute your key, you should do some testing:
- gpg --list-keys will list your key pair. The output will look like this:
  pub [keylength]/[key ID] [creation date] [real name] [comment] [email address]
  sub [keylength]/[key ID] [creation date]
  Write down or memorize the key ID number of your public key. You will need it from time to time.
- Encrypt and sign a file with gpg -es -r [first part of your real name] [file]. This will generate an encrypted file called '[file].gpg'.
- Decrypt this file with gpg [file].gpg.
- gpg --clearsign [file] will create a signed but unencrypted file called '[file].asc'.
- Verify this signature with gpg --verify [file].asc.
- Beginning with Mandrake 8.2, Mandrake's public key is automatically imported into the root user's keyring when the gnupg package is installed. All other users: add Mandrake's public key on the CD to your keyring with gpg --import /mnt/cdrom/RPM-GPG-KEYS. A good example of why a regular user might want to do this is building RPMs from source RPMs: the user will want to verify that the source RPM packages he has are bona fide Mandrake source RPMs.
- Check the GPG RPM: rpm --checksig gnupg-[...]mdk.rpm. You should get gnupg-[...]mdk: md5 gpg OK.
- Create a revocation certificate. You will need it in case your secret key gets lost or is compromised: gpg -o revoke.asc --gen-revoke [key ID]. Save the file 'revoke.asc' to a secure place.
The configuration file for GPG is '~/.gnupg/options'. Usually you don't have to change anything here; my suggestions just make using GPG a tiny bit more comfortable ;-):
- Remove the leading hash (#) from no-greeting (removes the copyright message) and default-recipient-self (lets yourself be the default recipient).
- Change the 'keyserver' line to keyserver search.keyserver.net or use the default keyserver by removing the hash.
- Add no-secmem-warning to get rid of those pesky GPG warnings about using insecure memory.
Further options can be found in man gpg.
To distribute your public key by email or on your website,
you have to export your key to a text file first. To prevent GPG from using
the binary format, add the --armor option:
gpg --armor --export [key ID] -o mykey
Now you can send or post 'mykey' and people can add
the included key to their key rings with gpg --import mykey .
A more general approach is to use a keyserver, e.g. one of the keyserver.net family.
This way everyone can get your public key without having to ask you first.
He or she can just search the keyserver for your name, email address or key
ID, get the key and add it to his or her keyring.
To submit your public key to a keyserver, type:
gpg --keyserver search.keyserver.net --send-key
[key ID or your email address]
This might take a while. There's a list of alternative keyservers
at keyserver.net. Some keyservers also allow you to copy and paste your key
into a text entry field. In order to get a key from a keyserver, use
gpg --keyserver search.keyserver.net --recv-key
[key ID]
(You can leave out the --keyserver parameter if you've specified a keyserver
in '~/.gnupg/options'.) For this command you will need the numerical key ID of
the key you want. If you don't know it (or if the server rejects your request),
you can search for the key and get it on keyserver.net.
You might want to make it easier for people by adding
the numerical key ID of your public key to your mail signature, maybe along
with the address of your favorite keyserver.
To verify keys, exchange encrypted messages containing the key fingerprints
(gpg --fingerprint [key ID]). You should only use keys whose fingerprints
you have verified by contacting the owner of the key.
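To make the key-listing and fingerprint checks above concrete, here is an added Python example (not part of the original page and not GnuPG's own code) that parses the pub/sub lines of the old-style gpg --list-keys output shown earlier, normalises a fingerprint obtained from the key's owner, compares it with the one from the keyring, and checks that the listed key ID matches the last eight hex digits of the fingerprint. The listing and fingerprint are constructed sample values.

```python
import re

# Constructed sample in the GnuPG 1.x listing format the text describes:
#   pub [keylength]/[key ID] [creation date] [real name] [comment] [email]
#   sub [keylength]/[key ID] [creation date]
SAMPLE_LISTING = """\
/home/alice/.gnupg/pubring.gpg
------------------------------
pub  1024D/0F1E2D3C 2001-05-17 Alice Example (Mandrake box) <alice@example.org>
sub  1024g/4B5A6978 2001-05-17
"""

# Constructed fingerprint, spaced the way 'gpg --fingerprint' prints it.
SAMPLE_FINGERPRINT = "1234 5678 9ABC DEF0 1122  3344 5566 7788 0F1E 2D3C"

KEY_LINE = re.compile(
    r"^(?P<type>pub|sub)\s+(?P<len>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-F]{8})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+(?P<uid>.*))?$"
)

def parse_listing(text):
    """Return one dict per 'pub'/'sub' line of a --list-keys output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append(m.groupdict())
    return keys

def public_key_id(text):
    """The key ID the page tells you to memorise: the one on the 'pub' line."""
    for k in parse_listing(text):
        if k["type"] == "pub":
            return k["keyid"]
    return None

def normalize_fingerprint(fpr):
    """Drop spacing and case so a fingerprint read out over the phone compares equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def fingerprints_match(local, remote):
    """True only if the owner-supplied fingerprint equals the keyring's, all 40 digits."""
    a, b = normalize_fingerprint(local), normalize_fingerprint(remote)
    return len(a) == 40 and a == b

def key_id_from_fingerprint(fpr):
    """For OpenPGP v4 keys the short key ID is the last 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]
```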
Here are some mail programs currently supporting GPG:
- Arrow, a nice, lightweight mail client for X.
- Exmh, X front end for the MH mailing system.
- KMail, KDE's standard mail client.
- Mew, a MIME mail reader for (X)Emacs.
- Mutt, a very popular console based mail reader.
- Pine, another popular console based mail reader. You will need an add-on like pgp4pine.
- Postilion, a NeXT-ish mail application for X.
- Spruce, a GTK+ mail client.
- XFMail, a very powerful MUA for X.
Advanced MUAs like 'mutt' support the 'PGP/MIME' or
'application/pgp' MIME type. Others do not, which might lead to problems.
In this case configure your mail client to use the 'old-style' clear-text
format (pgp_create_traditional ask-yes in 'mutt').
If you are using a legacy mail reader like Netscape
Mail, you can still write your messages, encrypt them and send them as attachments.
Graphical GPG tools like Gpgp,
TkPGP
and Geheimnis will help you.
Might be better to get a decent mail client, though ;-).
And if you really want to get into the thick
of it, try the PGP Forwarding
Server. This server serves as an encryption / decryption relay for users
who either do not have GPG/PGP installed or don't want to use it.