TechLife Australia

Better living through GPG


On Linux the Swiss Army knife of encryption is Werner Koch’s Gnu Privacy Guard (GnuPG) suite. Its core application’s command (gpg) conjures memories of Pretty Good Privacy (PGP), a crypto tool originally released in 1991 by Phil Zimmermann. Nowadays OpenPGP is a standard specifying how encrypted messages and the bits associated with them should be stored, and GnuPG fully implements this standard. GnuPG works from the command line and has a reputation for being complicated and unfriendly (see https://moxie.org/blog/gpg-and-me). It avails the user of all the modern private and public key algorithms, as well as all manner of other knobs to twiddle. As a result, there are a huge number of command-line options and the man pages make for some lengthy reading. Most distros will install GnuPG as standard, so we shouldn’t need to install anything for this tutorial.

Traditional, symmetric encryption (where two parties share a secret key or password) is all very well, but it relies on the communicating parties having a secure channel to share the key in the first place. Typically, this would involve a dodgy meeting in a shady carpark, possibly an exchange of briefcases and ideally destroying any written record of the key or passphrase. One never knows who’s lurking in the shadows in such locales, and ideally one would rather avoid such situations. So let’s generate a keypair and see how public key encryption works. Enter $ gpg --full-gen-key .

Accept the defaults for the first three questions. We’ll generate a 2048-bit RSA key with an RSA subkey, and that key will never expire. Then answer yes to ‘Is this correct?’. You are asked for a name and email address. This information will be stored with the public key, which it is good practice to make as public as possible, so don’t use your real name or primary email address if you don’t want those things being public. The email address you use here doesn’t have to agree with the one from which you’ll actually send your encrypted mail. You’ll then be asked for a passphrase to protect the key. Key generation requires entropy (random data), so you’ll then be asked to mash your keyboard and move the mouse while the key is generated.

Once that happens you can check that everything worked with gpg --list-keys . GnuPG keeps all keys it generates safely in a keyring. They can be imported and exported as required, but the utmost caution should be exercised when moving private keys around. Since you’ll want to share your public key, export the key with $ gpg --output lxfpublic.key --armor --export followed by the email address you used during key generation. The resulting file can be emailed to your co-conspirators, who can import it using the following:

$ gpg --import lxfpublic.key

Alternatively it can be uploaded to a key server so that anyone can find you. To send you an encrypted message, say instructions.txt, your colleague would do

$ gpg --recipient --encrypt instructions.txt

with your email address supplied after --recipient, and then send the resulting instructions.txt.gpg file your way. They should also securely delete (eg using shred) the original file, as should you when you receive it. And that was a very quick intro to GPG, not too painful at all. If you prefer, though, there’s a graphical front-end called GPA (Gnu Privacy Assistant) and also the excellent Enigmail plugin for the Thunderbird email client.

If command-line GPG is too daunting, then why not use its graphical counterpart GPA, or try KGPG if you are using KDE/Plasma.
