Practical OpenPGP using GnuPG
Many organisations and individuals have a file that contains passwords for situations and systems that can't or don't use a Kerberos authentication realm or other Single Sign-On mechanism. There are lots of different passwords in there, anything from the UPS/HVAC machines to the group's eBay account to the Kerberos database password itself.
Sometimes data should be private, and maintaining that privacy is sufficiently important that not only should these files live on machines that are not accessible to others, but the files should also be encrypted on disk.
Here is a short tutorial to teach how to share encrypted files using GnuPG. I'm not going to discuss the problems of this approach beyond saying that this is only a start and that good security requires effort at multiple levels. For more discussion on the details of assumptions and what you can and cannot logically infer from using OpenPGP, see the GNU Privacy Handbook.
Public Key Cryptography
Public Key Cryptography or cryptography using Asymmetric Key algorithms uses 2 keys for each encryption or decryption operation - the private key and the public key.
There are 2 basic ideas to public key cryptography:
- If I encrypt something using your Public key, which you happily make available to anyone and everyone, I can be confident that only your Private key can decrypt it.
- If I encrypt something with my Private key, you can verify (using my Public key) that my key is the one that encrypted it. This is the idea behind a signature.
Better understanding is a Good Thing, but those 2 concepts are all the beginning user needs to understand to get started.
Getting Started
Creating a keypair
You can probably accept the defaults for the kind of key you want, but please do set a limited validity period, perhaps 2 years. Think of a very good passphrase beforehand.
$ gpg --gen-key
Export the public key
In order for others to encrypt files for you, they need your public key:
$ gpg --armor --export 'dhutty@ece.cmu.edu' > my_public_gpg_key.asc
Encrypting to someone else's public key
You need to import their key:
$ gpg --import key.asc
And then encrypt your file:
$ gpg --encrypt --recipient 'someone@else.com' file.txt
Decrypting a file from someone else
If you receive a file that has been encrypted with your public key, only your private key can decrypt it:
$ gpg --output file.txt --decrypt file.txt.gpg
Key Management
Trusting keys
In order to use PGP, you need to trust someone! In GnuPG parlance, you trust yourself ultimately and others to a varying, lesser extent. You really don't want to give anyone other than yourself 'ultimate trust': they could then sign files, including other keys, in your name. Here's how to assign some trust:
$ gpg --edit-key 'dhutty@ece.cmu.edu'
..
Command> trust
pub 1024D/25288AE5 created: 2010-06-18 expires: 2012-06-17 usage: SC
                   trust: unknown validity: unknown
sub 2048g/6EF661D2 created: 2010-06-18 expires: 2012-06-17 usage: E
[ unknown] (1). Duncan Hutty <dhutty@ece.cmu.edu>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Signing a key
As we have seen above, in order to communicate with others using encryption, you must exchange public keys. You will need to import their public key, verify the fingerprint of that key with them and then sign it:
$ gpg --import someone.key.asc
$ gpg --edit-key 'someone@ece.cmu.edu'
..
Command> fpr
pub 1024D/25288AE5 2010-06-18 Someone <someone@ece.cmu.edu>
 Primary key fingerprint: C9A0 C834 680B FC25 D484 5FA8 4F7B 4FFE 2528 8AE5
Publishing keys with keyservers
Your new public key is not much use unless other people have access to it. You can give them the ASCII-armored version, created above, but you might want to publish to one or more of the well-known public keyservers. pgp.mit.edu is a large, well-known public keyserver and probably the easiest way to get your key to be as widely available as possible. There are also distributed keyserver pools at http://keys.gnupg.net and http://pool.sks-keyservers.net.
All you need to do is paste the contents of the export created above into the 'Submit Key' box.
Or if you're using GnuPG, you can publish a key with:
$ gpg --keyserver pgp.mit.edu --send-key <KeyID>
Getting a public key for someone else
You can search the keyservers:
$ gpg --keyserver pgp.mit.edu --search-keys <string>
where the string is typically the person's name or email address.
And then get the key:
$ gpg --keyserver pgp.mit.edu --recv-key <KeyID>
It is critically important that you verify that any key you import is actually the key that you want.
Verify that the fingerprint of the key you imported matches the fingerprint of their key and, if so, sign it and trust it:
$ gpg --edit-key 'someone@example.com'
Command> fpr
Command> sign
Command> trust
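One way to make the fingerprint comparison above mechanical, as an added example that is not part of the original tutorial: it reads gpg's machine-readable `--with-colons --fingerprint` listing and accepts only an exact match of the full primary-key fingerprint. The function names are hypothetical, and the sample listing is constructed (only the fingerprint shown earlier comes from the page).

```sh
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint <key>` output.
# Only the primary fingerprint is taken from the page; every other field
# value (timestamps, subkey ID, subkey fingerprint) is made up.
SAMPLE_COLONS='pub:-:1024:17:4F7B4FFE25288AE5:1276819200:1339891200::-:::scESC:
fpr:::::::::C9A0C834680BFC25D4845FA84F7B4FFE25288AE5:
uid:-::::1276819200::::Someone <someone@ece.cmu.edu>:
sub:-:2048:16:6666777788889999:1276819200:1339891200:::::e:
fpr:::::::::0000111122223333444455556666777788889999:'

# Strip whitespace and upper-case, so "c9a0 c834 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print the fingerprint (field 10) of each primary key on stdin: the first
# "fpr" record after a "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# verify_fpr EXPECTED < colon-output
# 0 = exact match, 1 = mismatch, 2 = unusable input (short key ID,
# non-hex characters, or not exactly one primary key in the listing).
verify_fpr() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    # Require a full v4 fingerprint (40 hex digits); short IDs can collide.
    [ "${#expected}" -eq 40 ] || return 2
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 2
    [ "$found" = "$expected" ]
}

# Demo: fingerprint as the key owner might read it out (spaces, lower case).
if printf '%s\n' "$SAMPLE_COLONS" |
        verify_fpr 'c9a0 c834 680b fc25 d484 5fa8 4f7b 4ffe 2528 8ae5'; then
    echo "fingerprint matches: OK to sign"
else
    echo "fingerprint does NOT match: do not sign"
fi
```

With a real keyring, pipe `gpg --with-colons --fingerprint 'someone@example.com'` into `verify_fpr` instead of the sample, passing the fingerprint you obtained from the key owner directly.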
Generating a revocation certificate for your key
If your key ever becomes compromised or even if you merely lose/forget your passphrase, you will be glad of a revocation certificate, so make one now and keep it safe:
$ gpg --output revoke-someone.asc --gen-revoke 'dhutty@allgoodbits.org'