-------------------------------------------------------------------------- GPG (Gnu Privacy Guard) is a free replacement of PGP (Pretty Good Privacy) -------------------------------------------------------------------------- By: Ventz Petkov Note: You can skip to section III. If you don't care about what cryptography and public/private keys are, or the very basics of how it all works. Legal Stuff ----------- All of the information in sections I. and II. has been taken from the "Cryptography" paper published at http://www.pgpi.org/doc/pgpintro/. The information has not been changed in any way, it has simply been re-arranged in smaller, more concise sections. Everything in section III. has been references from http://aplawrence.com/Basics/gpg.html which provides a very good tutorial. Another website worth checking out is http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html You may take anything/everything freely from this tutorial, but please obide by the author's rules if you are taking something that's referenced. I. Basic Information about Cryptography --------------------------------------- Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key - a word, number, or phrase - to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem. PGP is a cryptosystem. II. Information about Public/Private Key ---------------------------------------- GPG/PGP use a public/private key cryptosystem. Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. Youpublishyour public keytotheworldwhile keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met. It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information. The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. A diagram worth checking out: http://www.pgpi.org/images/figures/fig1-3.gif III. How to Create a GPG Key ---------------------------- Note: user@domain.com can be the person's email or their UID. 1.) Run "gpg --gen-key" to create a key a.) Choose a "DSA and Elgamal" for the kind of key (default) b.) Choose a "2048" bit long ELG-E key (default on some) You may go with a 1024 bit key, but the longer the key is, the more secure it is. If you are on a slow machine, or a machine with no users, you might want to consider a 1024 bit key in order to be able to build it from the enthropy gathered. c.) Choose a "0" day expiration - doesn't expire key. Note: If you choose to never expire your key, make sure you retain the revocation key later! (step #3). Some people consider never letting your key expire a bad idea. Note that if you lose/have your private key stollen AND you lose the revocation key, there is *NO WAY* to get control of your key or expire it. d.) Enter your "First Last" name for Real Name. e.) Enter a valid email you check for"Email address. f.) Enter a comment if you wish - alias to your name g.) Enter a *very* strong password. At least 8 characters, which contains capital letters, numbers, and symbols. Make sure you remember this password. If someone finds it, they can act (sign and encrypt/decrypt) things as *you*. If you lose the password, your two hopes are: 1. having your key expire (step 1-c.), or 2. having a revocation key (step #3) ... wait while entropy is gathered ... (you can think of entropy as randomness from your computer which is unique to you and is used to create your individual key) You will be given your public key "1024D/XXXXXXXX", and the key fingerprint! You can also find them later using step #2. h.) Please go into your .gnupg directory, and create a "gpg.conf" file which should contain: ### gpg.conf ### armor default-key YOUR-KEY-HERE keyserver hkp://subkeys.pgp.net keyserver-options no-include-revoked ### gpg.conf ### Note: replace "YOUR-KEY-HERE" with the portion of the "XXXXXXXX" above; you don't need the "1024D/" before it. 2.) Public Key and Fingerprint a.) Run "gpg --list-keys" to get your public key. b.) Run "gpg --fingerprint" to get your fingerprint. It is important to have your fingerprint (you might even want to print it out on a little card) because it's the only way that people can verify that the key they have obtained/are adding is really *your* key. After your identity is confirmed at a key-signing party, you should read off your key and fingerprint to the person adding your key, and they in term should verify it with "fpr" (step #6-a). 3.) Run "gpg --gen-revoke --output revoke.gpg.asc user@domain.com" to generate a revoke key in "revoke.gpg.asc". As mentioned in step #1-g, and step #2, a revoke key is the *only* backup solution if your private key is stolen or compromisded. You should keep it in a safe place. When creating it, choose "1 = Key has been compromised". Remember to store it in a file like "revoke.gpg.asc" and chmod it to 600. Keep it in a *very* safe place. Printing it sometimes might be a good idea. Also, remember to save the password for the revoke key, since that is the only way you will be able to revoke it. To actually revoke a key, take a look at step #6-d. 4.) Run "gpg --armor --export user@domain.com > key.gpg.asc" to dump your public key to a file called "key.gpg.asc". You should put this on your website and/or make it available in a public place. This is the file that others will need when they want to import your public key into their ring of keys. 5.) Run "gpg --import key.gpg.asc" to import *someone else's* key. If you do "gpg --list-keys" after this, you should see your key and the other person's key. If you are importing someone's key from a server, do: "gpg --search-keys user@domain.com" 6.) Run "gpg --edit-key user@domain.com" a.) Command: "fpr" -> prints out the key and the finger print. Make sure the fingerprint of the public key you have is the *same one* as the one read to you by the person who owns the key. b.) Command: "sign" -> sings the key you imported with your key. c.) Command: "trust" -> sets the trust on the key. NEVER trust anyone other than *yourself* with "5 = I trust ultimately". If you trust them completly., always use "4 = I trust fully". d.) Command: "revkey" -> revokes your key. It will prompt you for the password to your *revoke* key. Thus if you forget the password to your private key, you can still revoke it. e.) Command: "check" -> Usefull to make sure all is okay when revoking keys, before saving. f.) Command: "quit" -> Quits. When prompted to save, make sure you 7.) Run "gpg --delete-key user@domain.com" if you want to delete a key. 8.) To publish your key to a key server (make sure you have the gpg.conf mentioned in step #1), run "gpg --send-key user@domain.com" 9.) To update all of your keys that you have, run "gpg --refresh-keys". What that does is it updates *all* of your keys using the keyserver in your configs. AT LAST, Official tutorial can be found at http://www.gnupg.org/gph/en/manual.html