This is a procedure for generating a GnuPG (GPG) key pair to be used for e-mail encryption and for encrypting files and directories.
GnuPG implements public-key cryptography together with a web of trust. With public-key cryptography, a public and a private key are generated as a pair. The public key is made available to everyone, and the private key is kept secret by the key owner. GnuPG provides the tools to generate, manage and distribute these keys.
When encrypting messages and files, the keys serve two purposes:
Signing. Files and messages are signed with the private key, which only the owner (you) holds. Anyone (friends, co-workers) who has your public key, and trusts that this public key really belongs to you, can use it to verify that a signature was created with your private key and that the signed content has not been altered since.
Encryption. Anyone who has your public key can use it to encrypt files and messages to you. Only your private key can decrypt them.
This asymmetric system relies on the pairing of the public key and the private key. The public key, as the name implies, is public: you give it to everyone so that they can check your signatures and send you encrypted files and messages. The private key is stored in your GPG keyring, encrypted under a passphrase (see the GPG manual). Back up both keys and keep the backup in a safe place. Losing the private key means you can no longer decrypt anything that was encrypted to you, and a copy of it that falls into someone else's hands lets that person decrypt your messages and sign in your name as soon as the passphrase is guessed, so choose a strong passphrase.
Generating a key pair is easy, and anyone could, in principle, create one carrying your name. This is why the web-of-trust component matters: you distribute your public key to people who can verify its authenticity (friends and colleagues who can confirm that the key came from you), and their signatures on it build trust in your public key. An unverified public key claiming to be John Steinbeck's might not, in fact, be his.
Generating the keys
After you have installed GnuPG, generate a public/private key pair with gpg --full-generate-key (older versions: gpg --gen-key). It asks for the key type and size, an expiry date, your name and e-mail address, and the passphrase that protects the private key; the resulting pair is used for everything below.
Registering your Public Key
You can upload your public key to a keyserver so that others can fetch it. Keep in mind that keyservers are public and most of them never delete keys, so only upload a key you intend to keep using. If you later lose the private key or stop using it, the only way to retire the published key is a revocation certificate (gpg --gen-revoke), which you should create and store with your backups while you still have the private key.
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
---------------------------------
pub   2048R/YYYYYYYY 2009-10-07
uid                  Name
sub   2048R/ZZZZZZZZ 2009-10-07

$ gpg --keyserver pgp.mit.edu --send-key YYYYYYYY
gpg: sending key YYYYYYYY to hkp server pgp.mit.edu
$ gpg --keyserver keys.gnupg.net --send-key YYYYYYYY
gpg: sending key YYYYYYYY to hkp server keys.gnupg.net
The list-keys command shows the key ID (YYYYYYYY) of your public key; replace YYYYYYYY with your actual key ID. A short 8-character key ID like this is only the last 32 bits of the fingerprint and is easy to forge, so when telling others which key is yours quote the full fingerprint (gpg --fingerprint); --send-key accepts the fingerprint too. The two following commands upload your key to public key servers. Other key servers exist and work the same way; note that the older SKS key-server network these examples point at has largely been shut down, and keys.openpgp.org is a currently maintained alternative.
Key Restore and Backup
Backing up your keys and keeping them in a safe place ensures that you can still decrypt your messages and files after data loss. Export both the public and the private key with the following commands:
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
---------------------------------
pub   2048R/YYYYYYYY 2009-10-07
uid                  Name
sub   2048R/ZZZZZZZZ 2009-10-07

$ gpg --export -a "Name" > public-key.asc
$ gpg --export-secret-keys -a "Name" > private-key.asc
Replace "Name" with the name shown in the key listing (the key ID or fingerprint also works). Keep these files in a safe place, ideally offline or on encrypted media. The exported private key is still protected by your passphrase, but anyone who obtains the file can mount an offline guessing attack on that passphrase, and once it is guessed they can decrypt your messages and sign in your name. Make sure that private-key.asc is readable only by you (for example chmod 600 private-key.asc).
When you are ready to restore these keys, import them with the following commands:
$ gpg --import public-key.asc
$ gpg --import private-key.asc
This imports your private and public keys on a new system. The exported key does not carry your trust setting with it, so after importing mark your own key as ultimately trusted (gpg --edit-key YYYYYYYY, command trust, level 5), or copy the trust database entries with gpg --export-ownertrust on the old system and gpg --import-ownertrust on the new one.
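The generation, backup and restore steps above, run end to end as one added example (this is not code from the original page). It creates a passphrase-protected RSA key pair unattended in a throwaway GNUPGHOME, exports the public key, the secret key and the ownertrust entry, imports all three into a second throwaway GNUPGHOME, checks that the fingerprint survived the round trip, and finally signs, encrypts and decrypts a message with the restored key. The name, e-mail address, passphrase and message are constructed for the demo, and it assumes GnuPG 2.1 or later (for --pinentry-mode loopback); your real ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example, not code from the original page. Generates a passphrase-
# protected RSA key pair in a throwaway GNUPGHOME, backs up both halves,
# restores them into a second throwaway GNUPGHOME and proves that the restored
# key still signs, encrypts and decrypts. Name, address and passphrase are
# made up for the demo; requires GnuPG 2.1 or later (--pinentry-mode loopback).
set -eu

NAME="Example User"
EMAIL="user@example.invalid"
PASS="correct horse battery staple"   # demo value only; choose your own

# gpg_run HOME ARGS... : run gpg unattended against the keyring in HOME.
gpg_run() {
    _home=$1; shift
    GNUPGHOME="$_home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$PASS" "$@"
}

# generate_key HOME : the unattended equivalent of the questions that
# gpg --full-generate-key asks (primary signing key plus encryption subkey).
generate_key() {
    gpg_run "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 2y
Passphrase: $PASS
%commit
EOF
}

# fingerprint HOME : full 40-hex-digit fingerprint of the primary key. Quote
# this (not the 8-character short ID, which is trivially collidable) to others
# and to --send-key.
fingerprint() {
    gpg_run "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# backup_keys HOME DIR : export public key, passphrase-protected secret key and
# the ownertrust entry so the key is "ultimate" again after a restore.
backup_keys() {
    gpg_run "$1" --armor --export "$EMAIL" > "$2/public-key.asc"
    gpg_run "$1" --armor --export-secret-keys "$EMAIL" > "$2/private-key.asc"
    chmod 600 "$2/private-key.asc"
    GNUPGHOME="$1" gpg --batch --export-ownertrust > "$2/ownertrust.txt"
}

# restore_keys HOME DIR : import the three files into a fresh keyring.
restore_keys() {
    gpg_run "$1" --import "$2/public-key.asc"
    gpg_run "$1" --import "$2/private-key.asc"
    GNUPGHOME="$1" gpg --batch --import-ownertrust "$2/ownertrust.txt"
}

# roundtrip HOME : sign and encrypt a constructed message to ourselves with the
# restored key, decrypt it again and print the recovered plaintext.
roundtrip() {
    printf '%s' "constructed test message" \
      | gpg_run "$1" --armor --sign --encrypt --recipient "$EMAIL" \
      | gpg_run "$1" --decrypt
}

# demo : run the whole procedure in temporary directories that are removed on
# exit; prints the decrypted message on stdout and progress on stderr.
demo() (
    WORK=$(mktemp -d)
    trap 'for h in old new; do GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
    mkdir -m 700 "$WORK/old" "$WORK/new"

    generate_key "$WORK/old"
    orig=$(fingerprint "$WORK/old")
    echo "generated $orig" >&2

    backup_keys "$WORK/old" "$WORK"
    restore_keys "$WORK/new" "$WORK"
    restored=$(fingerprint "$WORK/new")
    [ "$restored" = "$orig" ] || { echo "fingerprint changed after restore" >&2; return 1; }
    echo "restored  $restored" >&2

    roundtrip "$WORK/new"
    echo
)

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not found: install GnuPG first" >&2
fi
```

Run it as sh keybackup.sh; the last line printed on stdout is the decrypted message. The --passphrase flag is used only because the demo must be unattended; for your own keys let gpg prompt instead, so the passphrase never lands in shell history or process listings. The exported ownertrust file is what makes the restored key ultimately trusted again, which is the step a plain --import leaves out.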
Thunderbird E-mail Encryption
Mozilla Thunderbird had a plugin called Enigmail which handled e-mail encryption with GnuPG. The Enigmail tutorial is quite complete and can be used to set up e-mail encryption. Its wizard walks you through public/private key pair creation, uploading the public key, and saving the public/private keys. Thunderbird 78 and later have OpenPGP support built in and no longer use Enigmail; there the equivalent key creation and import live in the account's end-to-end encryption settings.