Help: GPG Encryption

Title: Configuring GPG under Gentoo Linux systems
Date: 30-OCT-07
Author: Greg Hasseler

Outline

  1. Software Used
  2. Conventions
  3. GPG Setup & Key Management
    1. Generating your Public & Private keys
    2. Extracting keys from your keyring
    3. Adding Keys to your keyring
    4. Viewing keys on your keyring
  4. Command Line Encryption/Decryption
    1. Encrypting Messages
    2. Decrypting Messages


Software Used for this demonstration:

	OS: Gentoo Linux (grey.cs.sunyit.edu)
	gpg (GnuPG) 1.4.7

Conventions:

	User input appears after the $ prompt or as the answer typed at each question.
	Everything else is output to the screen.

GPG Setup & Key Management:

Generating your Public & Private keys:

The first step to generating your keys is to run the appropriate command.

	$ gpg --gen-key

You will be prompted to choose between the DSA and Elgamal algorithm, the DSA (sign only) algorithm, or the RSA (sign only) algorithm. For most cases the default, DSA and Elgamal, will be sufficient; the two sign-only choices produce a key that can sign but cannot receive encrypted messages, which is what this guide is about.


	Please select what kind of key you want:
	   (1) DSA and Elgamal (default)
	   (2) DSA (sign only)
	   (5) RSA (sign only)
	Your selection? 1

Choose a key size depending on the degree of security desired. The size entered here applies to the Elgamal encryption subkey; the DSA signing key is fixed at 1024 bits in this version. Generally, a size of 2048 will be sufficient.

	DSA keypair will have 1024 bits.
	ELG-E keys may be between 1024 and 4096 bits long.
	What keysize do you want? (2048) 2048

You will be prompted for how long this key should remain valid. Enter 0 to create a key that never expires.

	Please specify how long the key should be valid.
	         0 = key does not expire
	      <n>  = key expires in n days
	      <n>w = key expires in n weeks
	      <n>m = key expires in n months
	      <n>y = key expires in n years
	Key is valid for? (0) 0

You will then be prompted to confirm the expiration time of your key.

	Key does not expire at all
	Is this correct? (y/N) y

You will now be prompted to enter information such as your real name, email address, and any comments.

	You need a user ID to identify your key; the software constructs the user ID
	from the Real Name, Comment and Email Address in this form:
	    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

	Real name: Greg Hasseler
	Email address: hasselg@cs.sunyit.edu
	Comment: 

You will then be prompted to confirm the information.

	You selected this USER-ID:
	    "Greg Hasseler <hasselg@cs.sunyit.edu>"

	Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You must now enter a passphrase to protect your private key. Your passphrase can be any sentence or phrase and may contain as many words, spaces, punctuation marks, or other printable characters as you like. The longer and more complex this passphrase is, the more secure it will be. Note: the stars below are shown only to illustrate input; do not use them as your passphrase. Nothing is echoed to the screen while you type it.

	You need a Passphrase to protect your secret key.

	Enter passphrase: ***************

You will then be prompted to re-enter the passphrase.

	Repeat passphrase: ***************

The system will now generate your GPG secret/public keypair. During this process you may be asked to perform other tasks on the machine (typing, moving the mouse, using the disks). This provides the key generator with enough entropy to produce a sufficiently secure key.

	We need to generate a lot of random bytes. It is a good idea to perform
	some other action (type on the keyboard, move the mouse, utilize the
	disks) during the prime generation; this gives the random number
	generator a better chance to gain enough entropy.
	+++++.++++++++++..++++++++++++++++++++++++++++++.+++++++++++++++.+++++++++++++++.
	+++++++++++++++++++++++++.+++++.+++++++++++++++.+++++..+++++.+++++...>+++++......
	...................>+++++.<+++++..>+++++..+++++
	We need to generate a lot of random bytes. It is a good idea to perform
	some other action (type on the keyboard, move the mouse, utilize the
	disks) during the prime generation; this gives the random number
	generator a better chance to gain enough entropy.
	++++++++++.+++++++++++++++...+++++..+++++++++++++++++++++++++++++++++++....
	++++++++++++++++++++++++++++++..+++++++++++++++++++++++++.+++++++++++++++.
	++++++++++>++++++++++>+++++.....>+++++.<+++++...........+++++^^^^^
	gpg: key F3A839A5 marked as ultimately trusted
	public and secret key created and signed.

	gpg: checking the trustdb
	gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
	gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
	pub   1024D/F3A839A5 2007-11-02
	      Key fingerprint = 55FC 5A18 F271 FA28 7446  4C47 1E4B 52BB F3A8 39A5
	uid                  Greg Hasseler <hasselg@cs.sunyit.edu>
	sub   2048g/285A8F24 2007-11-02

If all goes well, your secret/public keypair has now been generated and stored in the keyrings in your ~/.gnupg directory.




Extracting keys from your keyring:

Now that your GPG keys have been created, it is time to distribute your public key so that people can send you encrypted messages.

	$ gpg --armor --export 'Greg Hasseler'
	-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: GnuPG v1.4.7 (GNU/Linux)

	-----END PGP PUBLIC KEY BLOCK-----

The above output is an example of an ASCII-armored public key, which should be distributed exactly as displayed, including the BEGIN and END lines and the checksum line starting with "=". Your actual key may be much larger, depending upon the algorithm and key size you selected. The key displayed is a 2048 bit DSA and Elgamal public key. Note that the name given to --export is matched against every user ID on your keyring, so if you hold more than one key under the same name, export by key ID instead (for example F3A839A5 from the generation output above) to be sure you distribute the key you intend.
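An added example, not part of this tutorial, showing what the armor above actually carries: it checks the "=XXXX" CRC-24 line that gpg appends, so a block damaged in transit is rejected rather than imported, and names the OpenPGP packets inside the block. The sample block is constructed here with filler packet bodies rather than a real key; armor(), dearmor() and list_packets() are this example's own helpers, not GnuPG's.

```python
import base64
# Packet tags (RFC 4880 section 4.3) that appear in a key written by 'gpg --armor --export'.
PACKET_TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 over the binary key (RFC 4880 section 6.1), carried in the '=XXXX' line of the armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:
    """Frame binary packets as gpg does: BEGIN line, Version header, blank line, base64, CRC, END line."""
    b64 = base64.b64encode(raw).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: GnuPG v1.4.7 (GNU/Linux)", ""] + body + [crc_line, END])

def dearmor(text: str) -> bytes:
    """Undo armor(); reject a block whose CRC no longer matches (e.g. damaged in copy-and-paste)."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    data = lines[lines.index("") + 1:-1]  # armor headers run up to the first blank line
    raw = base64.b64decode("".join(data[:-1]))
    if crc24(raw) != int.from_bytes(base64.b64decode(data[-1].lstrip("=")), "big"):  # no '=' line fails too
        raise ValueError("armor CRC missing or mismatched: the key block was altered in transit")
    return raw

def list_packets(raw: bytes) -> list:
    """Name each packet from its old-format header (the style GnuPG 1.x writes); bodies are skipped."""
    names, i = [], 0
    while i < len(raw):
        ctb = raw[i]
        if ctb & 0xC0 != 0x80:
            raise ValueError("unsupported (new-format) packet header")
        tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]  # KeyError on length type 3
        names.append(PACKET_TAGS.get(tag, f"tag-{tag}"))
        i += 1 + size + int.from_bytes(raw[i + 1:i + 1 + size], "big")
    return names

# Constructed sample: the packet framing is real, the bodies are filler bytes rather than key material.
SAMPLE_RAW = (b"\x99\x00\x04\x04KEY" + b"\xb4\x0dGreg Hasseler"  # public-key, user-id
              + b"\x89\x00\x03SIG" + b"\xb9\x00\x03SUB")         # signature, public-subkey
SAMPLE_ARMOR = armor(SAMPLE_RAW)
```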




Adding Keys to your keyring:

In order to encrypt messages to others, you will need their public key on your keyring.

	$ gpg --import keyfile.txt

keyfile.txt contains the public key of someone you would like to send encrypted messages to. It will look similar to the key above. Before encrypting to an imported key, confirm its fingerprint (shown by gpg --fingerprint) with its owner through another channel; a key file by itself says nothing about who controls it.




Viewing keys on your keyring:

The following command may be used to view which public keys you have on your keyring.

	$ gpg --list-keys
	/home/undergrad/hasselg/.gnupg/pubring.gpg
	------------------------------------------
	pub   1024D/945210F0 2007-10-31
	uid                  Greg Hasseler <hasselg@cs.sunyit.edu>
	sub   2048g/95316828 2007-10-31

	pub   1024D/F3A839A5 2007-11-02
	uid                  Greg Hasseler <hasselg@cs.sunyit.edu>
	sub   2048g/285A8F24 2007-11-02

	pub   1024D/320E45A3 2000-04-22
	uid                  Nick Merante 
	uid                  Nick Merante 
	sub   3072g/640C309F 2000-04-22

Command Line Encryption/Decryption

Encrypting Messages

Once you have someone else's public key on your keyring, you can encrypt messages or files to transmit securely to that person. This example encrypts the text file secrets to hasselg. The -e option tells gpg to encrypt the file, and the -r option names the recipient, which is matched against the user IDs on your keyring. The encrypted output is saved to secrets.gpg.

	$ gpg -e -r hasselg secrets

The contents of secrets.gpg are now encrypted. You can confirm this by running cat on the file, which shows only binary data. Adding --armor to the command above produces an ASCII-armored message instead, which can be pasted into an email.

Our secret message may now be securely transmitted via insecure channels.




Decrypting Messages

Now that you have created your GPG keys, distributed your public key, and started sending encrypted messages, you will want to read the encrypted messages you receive. A received message can be decrypted in either of the following ways:



Option 1: The decrypted message is saved to the file secrets:

	$ gpg --output secrets --decrypt secrets.gpg

	You need a passphrase to unlock the secret key for
	user: "Greg Hasseler <hasselg@cs.sunyit.edu>"
	2048-bit ELG-E key, ID 95316828, created 2007-10-31 (main key ID 945210F0)

	gpg: encrypted with 2048-bit ELG-E key, ID 95316828, created 2007-10-31
	      "Greg Hasseler <hasselg@cs.sunyit.edu>"

Option 2: The decrypted message is written to the screen (standard output):


	$ gpg --decrypt secrets.gpg

	You need a passphrase to unlock the secret key for
	user: "Greg Hasseler <hasselg@cs.sunyit.edu>"
	2048-bit ELG-E key, ID 95316828, created 2007-10-31 (main key ID 945210F0)

	gpg: encrypted with 2048-bit ELG-E key, ID 95316828, created 2007-10-31
	      "Greg Hasseler <hasselg@cs.sunyit.edu>"
	THIS IS OUR SECRET MESSAGE!

	THE YELLOW EAGLE FLIES AT DUSK.


Conclusion

GPG is a very powerful privacy and security tool. As the size of the internet and the widespread use of personal computers grow, so will the need to keep our private information secure, whether it be bank account information kept on your computer at work or secret messages transmitted within oppressive nations. The success of an encryption scheme such as GPG depends solely upon its widespread use.