Following the previous article on the GNU Privacy Guard, you can (and
should) read all about public-key cryptography and the web of trust on
Wikipedia. In the context of this article it is important to know
which of your keys is public and which is private, and how they are
used. If you generated your keys following the previous article you
now have two keys: one is called the public key and is used for
encryption, while the other is the private key and is used for
decryption. You can share your public key freely with anyone you wish,
and they can use it to send you encrypted e-mail, which only you can
decrypt and read because you possess the private key. The private key
should never be shared and must stay private at all times. In a
similar manner, if you wish to send secure e-mail to an associate you
will need his public key to encrypt your message. If you read the
Wikipedia articles you know by this point that in a secure public-key
cipher scheme the private key should not be deducible from the public
key. So rest at ease: by sharing your public key you are not placing
your private key in danger.
Besides encrypting your e-mails you can also just sign them. In that
case they are not encrypted, but the signature guarantees the
integrity of your message (that it was not tampered with on the way)
and provides message authentication (a guarantee that the e-mail
really came from you). This is where the web of trust comes in. How
does the recipient really know that it was you who sent the message,
and that the key used for signing is really yours? A given public key
can be digitally signed by a third party (e.g. a friend, using his
key) to attest to the association between you and the key.
Now, let's actually do something with our keys. First things first, if
you want to receive secure e-mail you need to share your public
key. You can export it either to a file, or directly to a Public
Key Server (PKS) for other people to find and use:
$ gpg --armor --output user.asc --export user@host.tld
You can share the resulting file with your friends. Or you could publish it to a PKS right away, where everyone can find it. Most servers share keys between them and keep them in sync, so you don't need to publish your key to multiple servers. Note that --send-keys expects a key ID or fingerprint rather than an e-mail address; KEYID below is a placeholder for yours:
$ gpg --keyserver keys.gnupg.net --send-keys KEYID
In the same manner you can add public keys to your public keyring with the "--import" option:
$ gpg --import friend.asc
If you have had enough of typing cryptic commands into your terminal emulator, this is a good time to mention that there are good graphical interfaces to GnuPG. With KDE you get Kgpg and with GNOME comes Seahorse. You can manage your keys and key rings, encrypt files, import/export keys and more...
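Importing a key file says nothing about whose key it is, which is the question the web of trust paragraph raises. The script below is an added example, not part of the original article: it compares the file's fingerprint with one obtained from the key's owner through another channel and imports only on a match. The function names and the sample listing are constructed for illustration, and it assumes a GnuPG 2.2 or later release that provides --show-keys.

```shell
#!/bin/sh
# Added example: compare a key file's fingerprint with one obtained out-of-band
# before importing it. Function names are hypothetical; sample data is constructed.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:255:22:89ABCDEFAAAABBBB:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAABBBB:
uid:-::::1700000000::::user <user@host.tld>::::::::::0:
sub:-:255:18:76543210FFFFEEEE:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FFFFEEEE:'

# Drop spaces and colons and upper-case the hex, so differently formatted
# copies of the same fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print the primary key's fingerprint:
# field 10 of the first "fpr" record after a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches EXPECTED < listing
# Succeeds only if EXPECTED is a full fingerprint (40+ hex digits, not a
# short key ID), the listing holds exactly one key, and the two match.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    listing=$(cat)
    case "$expected" in ''|*[!0-9A-F]*) return 3 ;; esac
    [ "${#expected}" -ge 40 ] || return 3
    nkeys=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$nkeys" -eq 1 ] || return 2
    [ "$expected" = "$(printf '%s\n' "$listing" | primary_fpr)" ]
}

# import_verified EXPECTED_FPR FILE: import FILE only if its fingerprint matches.
import_verified() {
    if gpg --with-colons --show-keys "$2" | fpr_matches "$1"; then
        gpg --import "$2"
    else
        echo "fingerprint check failed, not importing $2" >&2
        return 1
    fi
}

# Usage: sh check-import.sh 'XXXX YYYY ...' friend.asc
if [ "$#" -eq 2 ]; then import_verified "$1" "$2"; fi
```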
X-GPG-PUBLIC-KEY: http://some.host.tld/~user/user.asc
X-GPG-FINGERPRINT: XXXX YYYY ...
As I mentioned in the previous article, GPG doesn't limit you to e-mail only. Some IM clients (Gajim, Kopete and Pidgin are very popular) will allow you to use GPG for protecting all your instant messages. You can also protect personal and sensitive data or backups. I often use these two shell aliases for fast encryption and decryption of documents:
alias gpge='gpg -r "user <user@host.tld>" -e'
alias gpgd='gpg --decrypt'
To make things even easier and automatic you can use EasyPG for GNU Emacs and I'm sure a similar extension exists for Vim.
Encrypt a file with a passphrase
$ gpg -c bank-account.txt
Decrypt with
$ gpg -d bank-account.txt.gpg
Last tip. One easy way to protect your backups is to pipe the archive through GPG as you create it:
Encrypt
$ tar -vczf - dir1 dir2 file1 | gpg -er user@host.tld -o backup.tar.gz.gpg
Decrypt
$ gpg -o backup.tar.gz -d backup.tar.gz.gpg