PGP uses asymmetric cryptography, which means that PGP works with two keys:
- a private key
- a public key
After generating your keys you must protect your private key and upload your public key to a key server on the Internet. A key server is a repository of public PGP keys; you can search for and download other people's public keys there. Bear in mind that anybody can upload a key under any name, so a key fetched from a key server is not trustworthy until you have compared its fingerprint with the owner over some other channel.
If you want to use GnuPG in a more comfortable way, there was the Firefox plug-in FireGPG (it has since been discontinued).
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 20 Dec 2011 07:02:09 PM CET
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Tomas Jurman
Email address: firstname.lastname@example.org
Comment:
You selected this USER-ID:
    "Tomas Jurman <firstname.lastname@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++.++++++++++.+++++.++++++++++++++++++++.+++++..+++++++++++++++++++++++++.++++++++++.+++++++++++++++.+++++++++++++++.++++++++++>++++++++++.........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++..+++++.++++++++++.++++++++++++++++++++.++++++++++.+++++..++++++++++..+++++.+++++...+++++.++++++++++++++++++++++++++++++++++++++++.+++++.+++++....+++++++++++++++>.++++++++++>...+++++...>+++++........................................................................................................................+++++^^^^^^^^^^^
gpg: key 1DA0400B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2011-12-19
pub   1024D/1DA0400B 2009-12-20 [expires: 2011-12-20]
      Key fingerprint = 30DA B2F5 67B6 52D5 CEFE B8F3 3500 2542 1DA0 400B
uid                  Tomas Jurman <firstname.lastname@example.org>
sub   2048g/8273984F 2009-12-20 [expires: 2011-12-20]
$ gpg --list-keys
pub   1024D/09CEB475 2009-12-19 [expires: 2011-12-19]
uid                  Tomáš Jurman
sub   2048g/4288E83B 2009-12-19 [expires: 2011-12-19]
You can see your key ID (the hexadecimal number after the slash, 09CEB475), your identity (name and e-mail address), the expiration date and so on. Note that this short key ID is only the last 32 bits of the key's fingerprint: it is cheap to generate another key with the same short ID, so whenever it matters which key you are dealing with, compare the full fingerprint (gpg --fingerprint) instead.
Create a revocation certificate
If your keys are compromised (your private key has become known to someone else) you will want to revoke them, and for that you need a revocation certificate.
It is a good idea to prepare the revocation certificate immediately after generating your keys, because it can only be made with the private key: if you later delete the private key by mistake (or forget its passphrase) you can no longer generate it. Prepare the certificate in advance, save it to a file and use it when you need it. Keep that file as safe as the private key itself: anyone who gets hold of it can revoke your key.
$ gpg --gen-revoke 4CA09BBE

sec  1024D/4CA09BBE 2009-12-20 tomas jurman

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Key has been compromised
> My women bought my private notebook with my private keys.
>
Reason for revocation: Key has been compromised
Key has been compromised
My women bought my private notebook with my private keys.
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "tomas jurman"
1024-bit DSA key, ID 4CA09BBE, created 2009-12-20

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: A revocation certificate should follow

iJsEIBECAFsFAksufFxUHQJLZXkgaGFzIGJlZW4gY29tcHJvbWlzZWQKTXkgd29t
ZW4gYm91Z2h0IG15IHByaXZhdGUgbm90ZWJvb2sgd2l0aCBteSBwcml2YXRlIGtl
eXMuAAoJEK4w30tMoJu+5GEAoJ7gDvekN3DHDj/fg97N6Wx3aM1yAKCrW/EBaVnf
A0AzEx5BoJ01raygyg==
=5ln0
-----END PGP PUBLIC KEY BLOCK-----
Copy the last part of the output, the ASCII-armored block from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----, into a file named for example "revok.key" (or let gpg write it directly with --output revok.key) and keep it in a secret place.
Revoke and delete your keys
When the key really has to be revoked, import the certificate into your keyring; this marks the key as revoked. Then send the key to the key server (see the key server section below) so that everybody else learns about the revocation, and only after that delete the keys locally if you no longer need them:
$ gpg --import revok.key
$ gpg --delete-secret-keys 1DA0400B
$ gpg --delete-keys 1DA0400B
You must delete the private key first and then the public key; gpg refuses to delete a public key while the matching secret key is still in the keyring.
Upload your public key to a key server
To send your public key to a key server you need to know its key ID.
$ gpg --send-keys 09CEB475
gpg: sending key 09CEB475 to hkp server keys.gnupg.net
Note that traditional key servers accept any key from anybody and usually never delete anything: uploading does not make a key trustworthy, and once a key is on the server the only way to mark it unusable is to upload a revocation for it.
Search for public keys on a key server
$ gpg --search-key yourFriend@email.com
gpg: searching for "yourFriend@email.com" from hkp server keys.gnupg.net
(1)     Tomáš Jurman
          1024 bit DSA key 05CEA475, created: 2009-12-19
Keys 1-1 of 1 for "yourFriend@email.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 05CEA475 from hkp server keys.gnupg.net
gpgkeys: key 05CEA475 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
When the key is found, gpg offers to import it into your keyring. (In this transcript the search succeeded but the download that followed failed; key server pools are not always in sync, so retry or pick another server with --keyserver.) A key obtained this way is still unverified: before you encrypt to it or sign it, compare its fingerprint with the owner over a channel you trust.
Export a public key to a file
$ gpg -a --export email@example.com > my.key
Export a secret key to a file
$ gpg --export-secret-keys -a [id] > /home/tomas/mySecrKey.txt
The id is optional; without it gpg exports all your secret keys. The exported file contains your private key protected only by its passphrase, so treat it like the key itself: keep it offline and delete it once it has served its purpose.
Import a public key from a file
$ gpg --import my.key
Encrypt a file for the recipient with ID 09CEB475:
$ gpg -ear 09CEB475 sourcerPlainText.txt
-e = encrypt, -r = recipient, -a = armor (ASCII output), -o = output file. Without -o gpg writes the result next to the input as sourcerPlainText.txt.asc (sourcerPlainText.txt.gpg when -a is not used).
Decrypt:
$ gpg -d encryptOutputFile.txt
-d = decrypt. The plaintext goes to standard output; add -o to write it to a file.
Encrypt and Sign
$ gpg -esr 09CEB475 -u 16582121 sourcerPlainText.txt
This creates sourcerPlainText.txt.gpg, encrypted for the recipient with ID 09CEB475 and signed with the key of the user with ID 16582121.
-e = encrypt; -s = sign; -r = recipient; -u = user (the key to sign with)
Sign
$ gpg -s sourcerPlainText.txt
Creates sourcerPlainText.txt.gpg: a binary, compressed file containing the signature together with the source data.
$ gpg --clearsign sourcerPlainText.txt
Creates sourcerPlainText.txt.asc: no compression; the source text stays readable, with the signature appended in an ASCII-armored block.
$ gpg -b sourcerPlainText.txt
Creates sourcerPlainText.txt.sig: a detached signature only, without the data from the file, so the recipient needs the original file as well.
$ gpg -bau 16582121 sourcerPlainText.txt
The same detached signature, ASCII-armored (sourcerPlainText.txt.asc) and made with the key of user 16582121.
Fingerprint
$ gpg --fingerprint [ID | email]
Verify a signature
For a detached signature you need two files: the signature and the data file it was made over.
$ gpg --verify test.txt.sig test.txt
gpg prints "Good signature" if the data is unchanged and "BAD signature" if the file was modified. For a file that carries its own data (a signed .gpg or a clearsigned .asc) run gpg --verify on that file alone. A good signature only tells you that the data was not altered after the key signed it; whether that key belongs to the person you expect is what the fingerprint check is for.
Create an encrypted and signed file for SIMS
Every quarter we have to send an encrypted and signed file to SIMS.
-r (recipient): use the ID or e-mail address of Matrika studentu - sber dat
-u (user): use your own ID or e-mail address.
Don't forget the --pgp6 switch. It makes gpg produce output that PGP 6 can read: only the ciphers 3DES, CAST5 and IDEA, only the hashes MD5, SHA-1 and RIPEMD-160, version 3 signatures, no signing subkeys and no MDC integrity protection on the ciphertext. These are legacy, weaker choices than GnuPG's defaults, so use the switch only for recipients that require it.
$ gpg -easr firstname.lastname@example.org -u yourSchool@emailAddress.cz --pgp6 -o sims.pgp sims.xml
$ gpg -easr 8E4E1C1C -u 16582121 --pgp6 -o sims.pgp sims.xml