hong's website
 

Getting Started with GnuPG

Last modified on April 2007 by Hong Ong

A quick start guide for using the GNU Privacy Guard (GnuPG) with Mutt, and a collection of articles about OpenPGP.

Getting Started with GnuPG

GnuPG stands for GNU Privacy Guard. It is a free, open-source GNU program used for encrypting, decrypting, and authenticating data, for example, e-mail messages. See the GnuPG website for more information.

The following steps are for the impatient user (like me) who wants to set up GnuPG, start using it, and ask questions later or never.

  1. Check and Install GnuPG

    To check if GnuPG is already installed on your system:

    # gpg --version

    If GnuPG is not installed, you may download and install the binary for your particular system. For Debian users, you can simply run:

    # apt-get update 
    # apt-get install gnupg

    Make sure you have the latest version before you proceed.

  2. Generate Your Public/Private Keypair

    To generate your keypair:

    $ gpg --gen-key

    Once you generated your keypair, you may want to configure GnuPG to trust your own public key. To trust your own public key:

    $ gpg --edit-key YOUR_EMAIL_ADDRESS
    Command> trust

    Replace YOUR_EMAIL_ADDRESS with the e-mail address you entered when generating the key. At the Command> prompt, type trust and select 5 = I trust ultimately.

  3. Generate Your Revocation Certificate

    Once you have created your keypair, you should create a revocation certificate for your public key. This is useful in the event that your private key can no longer be used, for example because you have forgotten your passphrase, you have changed your ISP, or your key has been compromised. In such an event, you can publish your revocation certificate to inform users that your public key should no longer be trusted or used.

    To generate a revocation certificate:

    $ gpg --output revoke.asc --gen-revoke YOUR_EMAIL_ADDRESS

    Put your revocation certificate and your keypair in a safe place, e.g., on read-only media.

  4. Configure a Public Key Server

    Your ~/.gnupg/gpg.conf should contain a valid public keyserver. For example, add this line to the file:

    keyserver x-hkp://www.keyserver.net

    The following command can help you to find a keyserver.

    $ host -l pgp.net | grep www

  5. Export your Public Key

    You can export your public key to either a file or a public key server.

    • To export your key to a file:
      $ gpg --armor --export YOUR_EMAIL_ADDRESS > mykey.asc
    • To export your key to a public key-server:
      $ gpg --send-key YOUR_EMAIL_ADDRESS

      The above command assumes you have specified your public key server in ~/.gnupg/gpg.conf . Otherwise, you can specify a keyserver at the command line:

      $ gpg --keyserver www.keyserver.net --send-key YOUR_EMAIL_ADDRESS

      Alternately, you can also export your public key from your web browser. Go to http://www.keyserver.net and follow the instructions to add your own PGP public key.

      You may want to export your public key to both a file and a public key server.
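      Both mykey.asc and revoke.asc are ASCII-armored OpenPGP files (the radix-64 armor of RFC 4880: a BEGIN line, optional headers such as Version:, a blank line, a base64 body, a line holding "=" plus a CRC-24 of the binary data, and an END line). The following Python is an added example, not code from this page or from GnuPG: it builds and parses that framing and verifies the CRC-24, which is a quick way to confirm that a stored revocation certificate or exported key has not been truncated or edited before you import or publish it. It checks the armor only, not the key packets inside, and the sample payload in the test is constructed.

```python
import base64
import re

CRC24_INIT = 0xB704CE    # initial value and polynomial from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """CRC-24 over the binary payload, as used for the '=xxxx' armor checksum line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(block_type: str, payload: bytes, version: str = "GnuPG") -> str:
    """Wrap raw OpenPGP data the way gpg --armor does: header line, a Version:
    header, blank line, base64 body in 64-column lines, '=' + CRC-24, tail line."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", f"Version: {version}", ""]
                     + lines + [f"={crc_b64}", f"-----END PGP {block_type}-----", ""])

def dearmor(text: str) -> tuple:
    """Parse an armored block and verify its CRC-24.
    Returns (block_type, headers, payload); raises ValueError if the framing is
    broken or the checksum does not match (file truncated, edited or corrupted)."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0] if lines else "")
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("missing or mismatched armor header/tail line")
    headers, i = {}, 1
    while i < len(lines) and lines[i].strip():      # armor headers end at a blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    if i == len(lines):
        raise ValueError("no blank line between armor headers and body")
    body = lines[i + 1:-1]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: armored file is corrupt or was edited")
    return m.group(1), headers, payload
```

      To check a real file, read it into a string and call dearmor on it; a ValueError means the file should not be imported or published.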

  6. Configure Your Mail Reader to use GnuPG

    Mutt is the mail reader I use to read my e-mail. If you want to configure Mutt to use GnuPG, insert the following into your ~/.muttrc:

    source dir_path_to/gpg.rc
    set pgp_sign_as = hex_number_of_your_public_key

    You can download gpg.rc from Roland Rosenfeld. When you have finished composing your e-mail, enter the PGP menu (i.e., type p) and sign or encrypt your message.

    This article explains how to use GnuPG with Pine.

Useful GnuPG Commands

For the following commands, replace file and someonekey.asc with your own file name and key file.

  • To import a public key: gpg --import someonekey.asc
  • To list available public keys: gpg --list-public-keys
  • To sign a file: gpg --sign file
  • To verify a file: gpg --verify file.sig
  • To encrypt a file: gpg --encrypt file
  • To decrypt a file: gpg --decrypt file
  • To edit a key (takes a key ID, fingerprint or user ID rather than a file): gpg --edit-key KEY_ID

Other common key tasks:

  • If the key you are editing is your own key:
    • adduid - add a userid
    • deluid - delete all selected userids
    • passwd - change the key passphrase
  • If not you may want to:
    • sign - sign this person's key (generally having done appropriate fingerprint checking). The signature that will be created is marked as exportable, and unless uids are selected, you'll only sign the primary uid. Otherwise you'll sign all that are selected.
    • lsign - as above, but the signature will never be exported.
    • revsig - create a certificate of revocation for your signatures on these keys.
  • If you've set your key to expire, what will actually happen is that the main key (the signing key) stays valid forever, but the encryption subkey is the part that expires. When it expires, you'll need to add a new subkey signed with your main key, with the new expiry date on it.
    • key <n> - select the subkey n (n will almost always be 1, for the main subkey)
    • delkey - this will delete the currently selected subkey, prompting you to confirm
    • addkey - prompt for creation of a new subkey, with the full options. You'll almost certainly want a type '3' key as the subkey is normally used for encryption.

To know more about the above commands, you may want to read the GnuPG Manual. For other information, you most probably want to read these HOWTOs.

Articles

Public Key Servers

Some well-known public key servers:

Open Source PGP Home Page

Disclaimer

This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Use at your own risk.

 

Creative Commons License
Except where otherwise noted, this site is licensed under a Creative Commons Attribution 2.5 License