Encrypted Email and GPG Key Management

This is a protocol for generating a GNU PGP key to be used for e-mail encryption and file/directory encryption.

GnuPG uses public-key encryption and a web-of-trust to implement cryptography. With public-key cryptography, a public and private key pair are generated. The public key is made available to everyone, and the private key is kept safe by the key owner. GnuPG provides the tools to manage and disseminate these keys.

In encrypting messages and files, there are two uses for these keys :

  1. Signing. Files and messages are signed using the private key, which only the owner (YOU) has. Members of the public (friends, coworkers) that have your public key, and trust that the public key that they have is paired to your private key, can use the public key to verify that the generated signature was indeed created by you.

  2. Encryption. Members of the public (friends, coworkers) that have your public key, can use this public key to encrypt files and messages to you. Only your private key can be used to decrypt these.

This asymmetric encryption system relies on the pairing of the public key and the private key. The public key, as the name implies, is open to the public. You distribute this key to everyone so that they can check your signatures and send encrypted files and messages to you. The private key is kept safe by GPG, and is password-protected–see the GPG manual. You should back up both keys and keep them in a safe place; losing the private key could mean that others can decrypt and sign messages in your place, if the password is cracked. For this reason, a good password should be selected to keep your private key safe.

Generating a public/private key pair is fairly easy, and someone could, in principle, create one in your place. This is why the web-of-trust component is important : you distribute your public keys to people that can verify its authenticity (i.e. friends and colleges that can verify that the key came from you), and this builds trust in your public-key. An untrusted public-key from John Steinbeck might not, in fact, be from him.

Generating the keys

After you have installed GnuPG, you must generate a public/private key pair to be used for encryption/decryption.

$ gpg --gen-key

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want: 
(1) RSA and RSA (default) 
(2) DSA and Elgamal 
(3) DSA (sign only) 
(4) RSA (sign only)
Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048

Requested keysize is 2048 bits
Please specify how long the key should be valid. 
 0 = key does not expire 
 = key expires in n days 
 w = key expires in n weeks 
 m = key expires in n months 
 y = key expires in n years
Key is valid for? (0) 0

Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form: 
 "Heinrich Heine (Der Dichter) "

Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.

You selected this USER-ID:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.
Enter passphrase:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Registering your Public Key

You can upload your public keys to a keyserver for others to access.

$ gpg --list-keys

pub   2048R/YYYYYYYY 2009-10-07
uid                  Name 
sub   2048R/ZZZZZZZZ 2009-10-07

$ gpg  --keyserver pgp.mit.edu --send-key YYYYYYYY

gpg: sending key YYYYYYYY to hkp server pgp.mit.edu

$ gpg  --keyserver keys.gnupg.net --send-key YYYYYYYY

gpg: sending key YYYYYYYY to hkp server keys.gnupg.net

The list-keys command is used to get the key ID (YYYYYYYY) for your public key. Substitute YYYYYYYY for your actual key id. The following two commands upload your key to public key servers. Other key servers exist, and your public key can be added to them in the same way.

Key Restore and Backup

Backing up your keys, and keeping them in a safe place will ensure that you will be able to continue decrypting your messages and files in the event of data loss. Export them with the following command:

$ gpg --list-keys

pub   2048R/YYYYYYYY 2009-10-07
uid                  Name 
sub   2048R/ZZZZZZZZ 2009-10-07

$ gpg --export -a "Name" > public-key.asc

Substitute the “Name” with the name that appears when listing the keys. Keep these files in a safe place! A cracked private key could be used to decrypt and sign messages. Make sure that the private key can only be accessed by you.

When you are ready to import and merge these keys, use the following command:

$ gpg --import public-key.asc

$ gpg --import private-key.asc

This can be used to import your private and public keys on a new system

Thunderbird E-mail Encryption

Mozilla thunderbird has a plugin called Enigmail which handles e-mail encryption and GnuPGP. The Enigmail tutorial is quite complete, and can be used to setup e-mail encryption. The wizard will walk you through public/private key pair creatuib, upload public keys, and save public/private keys.

site stats