11.05.2009 03:21

Application of the GNU Privacy Guard

Following the previous article on the GNU Privacy Guard, you can (and should) read all about public-key cryptography and the web of trust on Wikipedia. For this article it is important to know which key is your public key and which is your private key, and how each is used. If you generated your keys following the previous article you now have two keys: the public key is used for encryption, while the private key is used for decryption. You can share your public key freely with anyone you wish, and they can use it to send you encrypted e-mail, which only you can decrypt and read because you possess the private key. The private key should never be shared and must stay private at all times. In the same way, if you wish to send secure e-mail to an associate you will need his public key to encrypt your message. If you read the Wikipedia articles you know by now that in a secure public-key cipher scheme the private key should not be deducible from the public key. So rest easy: by sharing your public key you are not placing your private key in danger.

Besides encrypting your e-mails you can also just sign them. In that case they are not encrypted, but the signature guarantees the integrity of your message (that it was not tampered with on the way) and provides message authentication (a guarantee that the e-mail really came from you). This is where the web of trust comes in. How does the recipient really know that it was you who sent the message, and that the key used for signing is really yours? A given public key can be digitally signed by a third party (e.g. a friend with his key) to attest to the association between you and the key.

Now, let's actually do something with our keys. First things first, if you want to receive secure e-mail you need to share your public key. You can export it either to a file, or directly to a Public Key Server (PKS) for other people to find and use:

$ gpg --armor --output user.asc --export user@host.tld

You can share the resulting file with your friends. Or you could publish it to a PKS right away, where everyone can find it. Servers mostly share keys between them and keep them in sync, so you don't need to publish your key to multiple servers. Note that "--send-keys" expects a key ID or fingerprint rather than an e-mail address, so replace the KEYID placeholder with your own:

$ gpg --keyserver keys.gnupg.net --send-keys KEYID

In the same manner you can add public keys to your public keyring with the "--import" option:

$ gpg --import friend.asc

If you've had enough of typing cryptic commands into your terminal emulator, it's a good time to mention that there are good graphical interfaces to GnuPG. With KDE you get KGpg and with GNOME comes Seahorse. You can manage your keys and key rings, encrypt files, import/export keys and more...

Applying GnuPG to e-mail is easy these days. For Thunderbird there is Enigmail. For Gmail and other web-mail services there is FireGPG. Both KMail and KNode (Usenet client) have built-in support. Text-based e-mail clients are also covered: mutt has native support, while Pine (now Alpine) can easily be linked to GPG, and there are also wrappers such as PinePG that make things easier. Please note that some communities (e.g. some Usenet groups) are bothered by the "GPG trash" (as they call it) in messages. If for any reason you decide against signing your e-mail in certain cases, you could at least publish your GPG information in the message headers, which is not a bad idea in any case. You can introduce two custom headers to your e-mail:
X-GPG-PUBLIC-KEY: http://some.host.tld/~user/user.asc
X-GPG-FINGERPRINT: XXXX YYYY ...
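
Before relying on a key added with "--import", it is worth comparing its fingerprint with the one its owner gave you (for instance the value they publish in X-GPG-FINGERPRINT). The script below is an added example, not part of the original article: the function names and the sample listing are constructed here, and it assumes 40-digit (v4) fingerprints as printed by "gpg --with-colons --fingerprint".

```shell
#!/bin/sh
# Added example: function names and the sample listing are constructed here.

# Strip spaces, colons and a leading 0x from a fingerprint, then upper-case it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read "gpg --with-colons --fingerprint" output on stdin and print the primary
# key's fingerprint: field 10 of the first "fpr" record after a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# check_fpr EXPECTED < listing
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a full 40-hex-digit
# fingerprint (short key IDs are refused) or the listing contains no key.
check_fpr() {
    want=$(normalize_fpr "$1")
    got=$(primary_fpr)
    case $want in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ -n "$got" ] || return 2
    [ "$want" = "$(normalize_fpr "$got")" ]
}

# Constructed listing in the colon format (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1242000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1242000000::::Friend <friend@host.tld>:
sub:-:4096:1:9999888877776666:1242000000::::::e:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:'

# With a real keyring the listing would come from:
#   gpg --with-colons --fingerprint friend@host.tld | check_fpr "$EXPECTED"
if printf '%s\n' "$SAMPLE_LISTING" |
        check_fpr '0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'; then
    echo "fingerprint matches"
else
    echo "fingerprint does NOT match, do not use this key" >&2
fi
```

The comparison only looks at the primary key's fingerprint, so a subkey fingerprint or a short key ID is never accepted as a match.
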
As I mentioned in the previous article, GPG doesn't limit you to e-mail only. Some IM clients (Gajim, Kopete and Pidgin are very popular) will allow you to use GPG for protecting all your instant messages. You can also protect personal and sensitive data or backups. I often use these two shell aliases for fast encryption and decryption of documents:
alias gpge='gpg -r "user <user@host.tld>" -e '
alias gpgd='gpg --decrypt'
To make things even easier and automatic you can use EasyPG for GNU Emacs and I'm sure a similar extension exists for Vim.

You don't necessarily need to use your key for encryption. You can also create simple passphrase-protected archives:
Encrypt a file with a passphrase
$ gpg -c bank-account.txt

Decrypt with
$ gpg -d bank-account.txt.gpg
Last tip. One easy way to protect your backups is to pipe the compressed archive through GPG as it is created:
Encrypt
$ tar -vczf - dir1 dir2 file1 | gpg -er user@host.tld -o backup.tar.gz.gpg

Decrypt
$ gpg -o backup.tar.gz -d backup.tar.gz.gpg


Written by anrxc | Filed under crypto