MASTERCLASS GNUPG MASTERCLASS You Wouldn’T Want Other People Opening Your Letters and BEN EVERARD Your Data Is No Different
Total Page:16
File Type:pdf, Size:1020Kb
MASTERCLASS GNUPG MASTERCLASS You wouldn’t want other people opening your letters and BEN EVERARD your data is no different. Encrypt it today! SECURE EMAIL WITH GNUPG AND ENIGMAIL Send encrypted emails from your favourite email client. our typical email is about as secure as a The first thing that you need to do is create a key to JOHN LANE postcard, which is good news if you’re a represent your identity in the OpenPGP world. You’d Ygovernment agency. But you wouldn’t use a typically create one key per identity that you have. postcard for most things sent in the post; you’d use a Most people would have one identity, being sealed envelope. Email is no different; you just need themselves as a person. However, some may find an envelope – and it’s called “Encryption”. having separate personal and professional identities Since the early 1990s, the main way to encrypt useful. It’s a personal choice, but starting with a single email has been PGP, which stands for “Pretty Good key will help while you’re learning. Privacy”. It’s a protocol for the secure encryption of Launch Seahorse and click on the large plus-sign email that has since evolved into an open standard icon that’s just below the menu. Select ‘PGP Key’ and called OpenPGP. work your way through the screens that follow to supply your name and email address and then My lovely horse generate the key. The GNU Privacy Guard (GnuPG), is a free, GPL-licensed You can, optionally, use the Advanced Key Options implementation of the OpenPGP standard (there are to add a comment that can help others identify your other implementations, both free and commercial – key and to select the cipher, its strength and set when the PGP name now refers to a commercial product the key should expire. owned by Symantec). An easy way to get started with The final step requires you to supply a passphrase encryption is to use Seahorse, a GTK graphical user – you’ll need to supply this later on when you use your Seahorse makes it easy to manage PGP keys, and its interface for GnuPG that should be available in your key. After doing so, a new key is generated in the step-by-step key creation chosen distribution’s package repository. It’s installed background. There’s no feedback while this is dialog is a good way to get by default on Ubuntu, where it’s called “Passwords happening (which gives the impression that it isn’t started. and Keys”. working) but, eventually, you should see your key in the main Seahorse window (select ‘GnuPG Keys’ in the main window to see it). Get the key… Key generation can take a few minutes, because the algorithms need to collect sufficient entropy (randomness) to generate a secure key. If your system struggles to provide this, you can install a package called haveged from your distribution’s repository; it’s a daemon that gathers entropy from unpredictable background system events and will quickly deliver the entropy needed to satisfy key generation. Once you have a key, you can right-click to view its properties, which will show you the details that you supplied when creating it, plus its Key ID. This is shown as an eight-digit hexadecimal number but the 110 www.linuxvoice.com GNUPG MASTERCLASS actual key ID is 64 bits. The lower 32 bits are usually sufficient to identify a key (you can see the full key ID Web of trust on the Details tab). Key servers offer a convenient way to possible. To help with this, Seahorse’s Key distribute your key and to obtain others’ keys, Properties screen displays a human-readable Know the secret… but they don’t prove authenticity in they way “Key Fingerprint” that can be easily Your key is complex: it contains a secret part that you that an SSL certificate authority would. PGP compared. You can then indicate your trust uses a “Web of Trust” model instead, where by selecting a trust level from the drop-down should keep for yourself, plus a public part that you trust is left to the users. This means that it’s menu on the same screen. If you want to can share with others. Someone wishing to send you up to you to decide if a key obtained from a share that trust publicly then you can use the encrypted email will need your public key. If you look key server really does belong to who you “Trust” tab to sign the key. A popular way to at the Details tab, you’ll see that you actually have two think it does. You should use offline methods build your web of trust is to attend a keys; the first one is your primary key and the other to establish a key’s authenticity, in-person if key-signing party, as we explain on page 113. one is a subkey. The subkey is used for encryption and the primary key is used for GnuPG’s other purpose: signing. You can sign other people’s keys to affirm your trust and you can sign emails and other files to affirm their authenticity, which others may verify using your public key. For your key to be useful, its public part needs to be accessible by anyone who may want to send encrypted documents to you, or anyone wishing to verify a document or key that you’ve signed. You could personally issue your public key to those that need it but it’s better to publish it to a key server. Likewise, you can use a key server to get any public keys that you You can sign a key that you trust, but be honest about how much you trust it. need. Seahorse will do this for you if you select its Remote > Sync And Publish Keys menu option. You can browse key servers that have web them with any applications that support GnuPG, and interfaces – try http://pool.sks-keyservers. your email client is an obvious candidate here. net:11371 which, as its URL suggests, is actually a Enigmail is a GnuPG add-on for Mozilla Thunderbird PRO TIP pool of many key servers. Some key servers may offer that you can install by selecting Thunderbird’s Tools > an option to upload keys directly through the website. Add-ons from its menu bar and searching for Seahorse can also be used to manage SSH keys Key servers propagate changes so, if you’re looking ‘enigmail’. and X.509 certificates. for a key, you can use any server. Seahorse will help you manage your own keys as Encrypting email well as any public keys that you’ve downloaded and, It adds a new menu with options for encryption and because it’s a front-end to GnuPG, they’re stored at signing, plus key management that provides similar ~/.gnupg within your home directory. You can use functionality to Seahorse (try both and see which you prefer). It automatically decrypts or verifies inbound email using your keys once you’ve configured your PRO TIP email account to use it. Use Thunderbird’s Edit > PGP keys are often Account Settings to do that – you’ll notice there is a referred to as a ‘key pair’ new OpenPGP Security settings page there with a and the secret and public check a box that enables OpenPGP support. parts as a ‘Private Key’ and a ‘Public Key’. By default, Enigmail locates your key with your email address, and this should be sufficient unless you have multiple of either. You can, however, use the Account Settings screen to explicitly select a key if you need to. You can also configure default behaviour there, such as whether to sign “You may find it useful to have or encrypt messages. separate personal and private With the configuration done, you can write your identities for use with GnuPGP.” first email. Adele” is “The friendly OpenPGP email robot” and it can help you test your setup. Just send a message to adele-en@ gnupp.de and you’ll get a reply that will highlight any Enigmail uses your secret key to open encrypted issues with your ability to send encrypted messages. messages that you receive, like this from “Adele”, which You can attach your public key to the message if you confirms that sending encrypted messages works too. haven’t published it to a key server. www.linuxvoice.com 111 MASTERCLASS GNUPG USE GNUPG ENCRYPTION FROM THE COMMAND LINE owering the desktop applications and plugins JOHN LANE we’ve just looked at is libgcrypt, the GnuPG Pcryptographic library, and gpg, is its command line utility. If you’ve already installed a GUI tool then you’ll already have gpg; if not, you can install it from your repository and confirm the version that you have: $ sudo apt-get install gpg $ gpg --version gpg (GnuPG) 2.0.26 libgcrypt 1.6.2 You’ll need to create a key if you’re starting out and, There are pass phrase dialogs for GTK 2, Qt 4, and if you as gpg affords you more control than the graphical aren’t running a graphical desktop, Curses. tools that we looked at previously, it’s worth using it to create your key if you’re comfortable on the command Use the file as input to batch mode: line. The simplest way to create a key is to use gpg $ gpg --gen-key --verbose --batch alice.keygen interactively and follow its prompts: gpg: key 4A924D1C marked as ultimately trusted $ gpg --gen-key The --verbose argument is there to show what’s going Alternatively, you can write your settings into a text on.