GNU Privacy Guard

GnuPG is a tool for secure communication. It is used to encrypt and/or sign data using public-key cryptography. In the public-key system, each user has a pair of keys consisting of a private-key and a public-key. The private-key is kept secret and the public-key can be given to the person with whom the user wants to communicate.

Generating your keypair

The command for using GnuPG is "gpg". This command has a lot of command line options. Key generation can be accomplished by using the option --gen-key.

host$ gpg --gen-key

This command will ask which type of key you want; select the default, which creates a DSA keypair and an ElGamal keypair. DSA is used for signing a document and ElGamal is used for encryption. The system will then ask you for the key size. The longer the key, the more secure it is, but encryption and decryption slow down as the key size increases. The default key size (1024) is an optimal choice. Once selected, the key size cannot be changed. Then you must choose an expiration date. In the last step the system will ask for your user id and passphrase. The user id is of the form: name, comment and email address. For example:

"Pankaj Jangid (Debian/User) <pankaj_jangid@yahoo.com>"

The passphrase is meant to protect your private-key. If someone gets your private-key the only protection is the passphrase.

Exchanging public-keys

Exchange public-keys with whomever you want to communicate. To list the keys you have, use "gpg" with the --list-keys option. To export your public key, use the --export option like this:

host$ gpg --armor --export pankaj_jangid@yahoo.com > my-key.gpg

Replace the above email id with the one you used during key creation. Without the --armor option, output will be in binary format which is not easy to send using email or for publishing on the web.

Importing others' keys is simpler:

host$ gpg --import your-key.gpg

However, you should check the fingerprint and then verify the keys sent by others. Using the --edit-key option with the id of the person gives you a shell in which to view the fingerprint and to sign the key (i.e. certify that you have verified it; this requires your passphrase).

host$ gpg --edit-key yourname@yourdomain.org

This will display some information related to the above key holder, and then a prompt similar to that given below will appear.

command> fpr

The fingerprint will be displayed.

command> sign

The "fpr" command displays the fingerprint, and the "sign" command signs the key. The sign command will ask for your passphrase. Key import is complete now.
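
Added example (not part of the original article): a shell helper that compares the fingerprint of an imported key with the one the key owner gave you over a separate channel, before you run "sign". The function names, the sample listing and the 40-hex-digit (version 4 key) assumption are illustrative, and the key data is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_LISTING='pub:-:1024:17:AAAABBBBCCCCDDDD:1100000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1100000000::0000000000000000000000000000000000000000::Your Name <yourname@yourdomain.org>:
sub:-:1024:16:1111222233334444:1100000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:'

# Print the primary-key fingerprint: field 10 of the first "fpr" record
# that follows a "pub" record. Subkey fingerprints (after "sub") are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Normalise a fingerprint as a person would type or read it aloud:
# strip spaces and colons, upper-case the hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Usage: gpg listing on stdin, expected fingerprint as $1.
# Returns 0 on match, 1 on mismatch, 2 if $1 is not a full fingerprint
# (assumption: version 4 keys, 40 hex digits; short key ids are refused).
fpr_matches() {
    expected=$(normalise_fpr "$1")
    case $expected in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demo on the constructed listing; the expected value stands in for the
# fingerprint the key owner gave you in person or by phone.
if printf '%s\n' "$SAMPLE_LISTING" |
    fpr_matches "0123 4567 89ab cdef 0123 4567 aaaa bbbb cccc dddd"; then
    echo "fingerprint matches: safe to sign"
else
    echo "fingerprint mismatch: do not sign" >&2
fi

# With a real keyring, feed gpg's own listing instead of the sample:
#   gpg --with-colons --fingerprint yourname@yourdomain.org | fpr_matches "$EXPECTED"
```

The helper refuses anything shorter than a full fingerprint, so a short key id cannot be mistaken for a successful comparison.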

Encrypting and signing a document

A document can be encrypted and decrypted using the keypair generated as above. Encryption is done using the public key of the receiver and decryption using the corresponding private key. To encrypt use the option --encrypt and to decrypt --decrypt. On the sending side:

host$ gpg --output doc.gpg --encrypt --recipient you@host.org doc

Here "doc.gpg" is the resultant encrypted version of "doc". For decryption on the receiver's side you need the corresponding private key. The command is:

host$ gpg --output doc --decrypt doc.gpg

This will ask for the passphrase. "doc" is the decrypted document.

Similarly, for signing the document, use the command:

host$ gpg --output doc.sig --sign doc

The document is compressed before being signed. The signed document is in binary format. On the receiver's side, you can check the signature using the --verify option and you can check and extract the document using the --decrypt option as given below:

host$ gpg --output doc --decrypt doc.sig

Applications supporting GnuPG

Ximian's "evolution" (for GUI users) and "mutt" (for text only users) are ready-to-use email clients with GnuPG support. KMail for KDE also supports GnuPG, and a lot of other free email clients are available supporting GnuPG.

Copyright © 2000-2005 Pankaj Jangid