Secure Communication with GnuPG on Linux

Overview

GnuPG is a tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.

Features

  • Full replacement of PGP.
  • Does not use any patented algorithms.
  • GPLed, written from scratch.
  • Can be used as a filter program.
  • Full OpenPGP implementation.
  • Better functionality than PGP and some security enhancements over PGP 2.
  • Decrypts and verifies PGP 5.x messages.
  • Supports ElGamal (signature and encryption), DSA, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER.
  • Easy implementation of new algorithms using extension modules.
  • User ID is forced to be in a standard format.
  • Supports key and signature expiration dates.
  • English, Danish, Dutch, Esperanto, French, German, Japanese, Italian, Polish, Portuguese (Brazilian), Portuguese (Portuguese), Russian, Spanish and Swedish language support.
  • Online help system.
  • Optional anonymous message receivers.
  • Integrated support for HKP keyservers (wwwkeys.pgp.net).
  • Has many GUI frontends.


You can find all the software related to GnuPG at http://www.gnupg.org/download.html

Installation

Copy the GnuPG source archive to the /usr/local/ directory, or wherever you want to install it, and then cd to that directory.
[root@dragon local]# tar xvzf gnupg-1.0.4.tar.gz
[root@dragon local]# cd gnupg-1.0.4
[root@dragon gnupg-1.0.4]# ./configure
[root@dragon gnupg-1.0.4]# make
This will compile all source files into executable binaries.
[root@dragon gnupg-1.0.4]# make check
It will run any self-tests that come with the package.
[root@dragon gnupg-1.0.4]# make install
It will install the binaries and any supporting files into appropriate locations.
[root@dragon gnupg-1.0.4]# strip /usr/bin/gpg
The "strip" command will reduce the size of the "gpg" binary for better performance.
 

Common Commands

1: Generating a new keypair
We must create a new key-pair (public and private) for the first time. The command line option --gen-key is used to create a new primary keypair.

Step 1
[root@dragon /]# gpg --gen-key
gpg (GnuPG) 1.0.2; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /root/.gnupg: directory created
gpg: /root/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

Step 2
Start GnuPG again with the following command:
[root@dragon /]# gpg --gen-key
gpg (GnuPG) 1.0.2; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg:/root/.gnupg/secring.gpg: keyring created
gpg: /root/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection?  1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Do you really need such a large keysize? y
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Kapil sharma
Email address: kapil@linux4biz.net
Comment: Unix/Linux consultant
You selected this USER-ID:
    "Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase: [enter a passphrase]

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

The various inputs requested during keypair generation are explained below.

  • Please select what kind of key you want:

        (1) DSA and ElGamal (default)
        (2) DSA (sign only)
        (4) ElGamal (sign and encrypt)
        Your selection?

    GnuPG is capable of creating different kinds of keypairs, and there are three options. With option 1, a DSA keypair is the primary keypair, usable only for making signatures, and an ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4 creates a single ElGamal keypair usable for both making signatures and performing encryption. For most users the default option is fine.
 
  • You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size.

        About to generate a new ELG-E keypair.
                      minimum keysize is  768 bits
                      default keysize is 1024 bits
            highest suggested keysize is 2048 bits
        What keysize do you want? (1024)

    There are advantages and disadvantages to choosing a longer key. The advantage is that the longer the key, the more secure it is against brute-force attacks. The disadvantages are that 1) encryption and decryption will be slower as the key size is increased, and 2) a larger keysize may affect signature length.

    The default keysize is adequate for almost all purposes, and the keysize can never be changed after selection.
 

  • Finally, you must choose an expiration date. If option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.

        Please specify how long the key should be valid.
                 0 = key does not expire
              <n>  = key expires in n days
              <n>w = key expires in n weeks
              <n>m = key expires in n months
              <n>y = key expires in n years
        Key is valid for? (0)

    For most users a key that does not expire is adequate. The expiration time should be chosen with care, however: although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.
 
  • You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.

        You need a User-ID to identify your key; the software constructs the user id
        from Real Name, Comment and Email Address in this form:
            "Kapil Sharma (Linux consultant) <kapil@linux4biz.net>"

        Real name: Enter your name here
        Email address: Enter your email address
        Comment: Enter any comment here
 
 

  • GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.

        You need a Passphrase to protect your secret key.
        Enter passphrase:

    There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well), since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.
 

2: Generating a revocation certificate

After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private
key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.

 [root@dragon /]# gpg --output revoke.asc --gen-revoke mykey

Here mykey must be a key specifier, either the key ID of your primary keypair or any part of a user ID that identifies your keypair. The generated certificate will be left in the file
revoke.asc. The certificate should not be stored where others can access it since anybody can publish the revocation certificate and render the corresponding public key
useless.
 
 

3: Listing Keys

 To list the keys on your public keyring use the command-line option --list-keys.

[root@dragon /]#  gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub  1024D/020C9884 2000-11-09 Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>
sub  2048g/555286CA 2000-11-09

4: Exporting a public key

You can export your public key to publish it on your homepage, on an available key server on the Internet, or by any other method. To send your public key to a correspondent you must first export it. The command-line option --export is used to do this. It takes an additional argument identifying the public key to export.
 

  • To export your public key in binary format, use the following command:

    [root@dragon /]# gpg --output kapil.gpg --export kapil@linux4biz.net

  • To export your public key in ASCII armored output, use the following command:

    [root@dragon /]# gpg --export --armor > kapil-key.asc

    Here "--export" extracts your public key from your pubring file, "--armor" creates ASCII armored output that you can mail or publish on a web page, and "> kapil-key.asc" puts the result in a file.

  • To export your public key in ASCII armored output and view it, use the following command:

    [root@dragon /]# gpg --export --armor
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.2 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    [...]
    -----END PGP PUBLIC KEY BLOCK-----


5: Importing a public key
Once your own keypair is created, you can begin adding the public keys of trusted third parties to your public keyring so that you can use them for future encryption and authentication. A public key is added to your public keyring with the --import option.

 [root@dragon /]# gpg --import <filename>
Here "filename" is the name of the exported public key.
For example:
[root@dragon /]# gpg --import mandrake.asc
gpg: key :9B4A4024: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:              imported: 1

In the above example we imported the Public key file "mandrake.asc" from the company Mandrake Linux, downloadable from Mandrake Internet site, into our keyring.

6: Validating the key
Once a key is imported it should be validated.  A key is validated by verifying the key's fingerprint and then signing the key to certify it as a valid key. A key's fingerprint can be quickly viewed with the --fingerprint command-line option.
[root@dragon /]# gpg --fingerprint <UID>
As an example:
[root@dragon /]# gpg --fingerprint mandrake
pub  1024D/9B4A4024 2000-01-06 MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
     Key fingerprint = 63A2 8CBD A7A8 387E 1A53  2C1E 59E7 0DEE 9B4A 4024
sub  1024g/686FF394 2000-01-06

In the above example we verified the fingerprint of mandrake. A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner. If the fingerprint you get is the same as the fingerprint the key's owner gets, then you can be sure that you have a correct copy of the key.
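
One way to script the comparison described above, as an added example that is not part of the original article. It assumes the GnuPG 1.x listing format shown here; the function names and SAMPLE_LISTING are this example's own. It refuses to compare when the UID matched more than one key or when either fingerprint is not the full 40 hex digits.

```shell
#!/bin/sh
# Added example (not from the original article): compare the fingerprint in a
# `gpg --fingerprint` listing with the one the key's owner gave you directly.
# Assumes the GnuPG 1.x listing format shown in this article.

# Constructed sample: the article's listing for key 9B4A4024.
SAMPLE_LISTING='pub  1024D/9B4A4024 2000-01-06 MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
     Key fingerprint = 63A2 8CBD A7A8 387E 1A53  2C1E 59E7 0DEE 9B4A 4024
sub  1024g/686FF394 2000-01-06'

# Drop everything except hex digits and upper-case the rest, so spacing and
# letter case in a typed or dictated fingerprint do not matter.
normalize_fpr() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# check_fpr LISTING EXPECTED
#   0  exactly one key listed and its fingerprint equals EXPECTED
#   1  fingerprint differs: do not sign or rely on the key
#   2  unusable input: no key, several keys matched the UID, or a fingerprint
#      that is not 40 hex digits (160 bits)
check_fpr() {
    count=$(printf '%s\n' "$1" | awk '/Key fingerprint = /{n++} END{print n+0}')
    [ "$count" -eq 1 ] || return 2
    line=$(printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p')
    got=$(normalize_fpr "$line")
    want=$(normalize_fpr "$2")
    # The 8-digit key ID is only the tail of the fingerprint, so a short or
    # partial value is rejected instead of being compared.
    [ "${#got}" -eq 40 ] && [ "${#want}" -eq 40 ] || return 2
    [ "$got" = "$want" ] || return 1
    return 0
}

# Stand-alone demo: the fingerprint as the owner might dictate it by phone.
if check_fpr "$SAMPLE_LISTING" "63a2 8cbd a7a8 387e 1a53 2c1e 59e7 0dee 9b4a 4024"; then
    echo "fingerprint matches"
else
    echo "fingerprint check failed"
fi
```

Against a real keyring the first argument would be the output of the command above, for example check_fpr "$(gpg --fingerprint mandrake)" followed by the fingerprint received from the owner.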

7: Key Signing
After importing and verifying the keys that you have added to your public keyring, you can start signing them. Signing a key certifies that you know the owner of the key. You should only sign a key when you are 100% sure of the authenticity of the key.
 

  • To sign the key for the company Mandrake that we added to our keyring above, use the following command:

    [root@dragon /]# gpg --sign-key <UID>
    As an example:
    [root@dragon /]# gpg --sign-key mandrake
    pub  1024D/9B4A4024  created: 2000-01-06 expires: never      trust: -/q
    sub  1024g/686FF394  created: 2000-01-06 expires: never
    (1)  MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
     

    pub  1024D/9B4A4024  created: 2000-01-06 expires: never      trust: -/q
                 Fingerprint: 63A2 8CBD A7A8 387E 1A53  2C1E 59E7 0DEE 9B4A 4024

         MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>

    Are you really sure that you want to sign this key
    with your key: "Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>"

    Really sign? y

    You need a passphrase to unlock the secret key for
    user: "Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>"
    1024-bit DSA key, ID 020C9884, created 2000-11-09

    Enter passphrase:
     

8:  Checking Signatures
Once signed, you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key. We can check the signatures on a key with the gpg option "--check-sigs".
As an example:
[root@dragon /]# gpg --check-sigs mandrake
pub  1024D/9B4A4024 2000-01-06 MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
sig!       9B4A4024 2000-01-06  MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
sig!       020C9884 2000-11-09  Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>
sub  1024g/686FF394 2000-01-06
sig!       9B4A4024 2000-01-06  MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
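
A way to read such a listing automatically, as an added example that is not part of the original article. It assumes the GnuPG 1.x format shown above, where the character after "sig" is the check result ("!" good, "-" bad, "%" error while checking); the function names, SAMPLE_SIGS and the DEADBEEF line are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit `gpg --check-sigs`
# output instead of reading the "sig!" flags by eye.

# Constructed sample: the article's listing plus one invented bad signature
# from the made-up key ID DEADBEEF.
SAMPLE_SIGS='pub  1024D/9B4A4024 2000-01-06 MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
sig!       9B4A4024 2000-01-06  MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>
sig!       020C9884 2000-11-09  Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>
sig-       DEADBEEF 2000-12-01  Constructed Example <bad@example.invalid>
sub  1024g/686FF394 2000-01-06
sig!       9B4A4024 2000-01-06  MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>'

# unverified_sigs LISTING: print "<reason> <signer key id>" for every signature
# line that gpg did not mark as good. No output means every signature verified.
unverified_sigs() {
    printf '%s\n' "$1" | awk '/^sig/ {
        flag = substr($1, 4, 1)          # character right after "sig"
        if (flag == "!") next            # good signature
        if (flag == "-") why = "bad"
        else if (flag == "%") why = "error"
        else why = "unchecked"           # no result flag at all
        print why, $2
    }'
}

# signed_primary_by LISTING KEYID: succeed only if KEYID has a good ("sig!")
# signature inside the pub block, that is, on the primary key's user ID and
# not merely somewhere in the listing.
signed_primary_by() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^pub/ { in_pub = 1; next }
        /^sub/ { in_pub = 0; next }
        in_pub && /^sig!/ && toupper($2) == toupper(id) { found = 1 }
        END { exit !found }'
}

# Stand-alone demo on the constructed sample.
echo "signatures that did not verify:"
unverified_sigs "$SAMPLE_SIGS"
if signed_primary_by "$SAMPLE_SIGS" 020C9884; then
    echo "020C9884 has a good signature on the primary key"
fi
```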

9: Encrypting and decrypting
The procedure for encrypting and decrypting documents is very simple. If you want to encrypt a message to Mandrake, you encrypt it using Mandrake's public key, and then only Mandrake can decrypt that file with its private key. If Mandrake wants to send you a message, it encrypts it using your public key, and you decrypt it with your private key.

To encrypt and sign data for the user Mandrake that we added to our keyring, use the following command (you must have the public key of the recipient):
[root@dragon /]# gpg  -sear <UID of the public key> <file>

As an example:
[root@dragon /]# gpg -sear Mandrake document.txt
You need a passphrase to unlock the secret key for
user: "Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>"
1024-bit DSA key, ID 020C9884, created 2000-11-09

Enter passphrase:

Here "s" is for signing, "e" for encrypting, "a" to create ASCII armored output (".asc" is ready for sending by mail), "r" to name the user ID of the recipient to encrypt for, and <file> is the data you want to encrypt.

To decrypt data, use the following command:
[root@dragon /]# gpg  -d <file>

As an example:
[root@dragon /]# gpg -d documentforkapil.asc
You need a passphrase to unlock the secret key for
user: "Kapil Sharma (Unix/Linux consultant) <kapil@linux4biz.net>"
1024-bit DSA key, ID 020C9884, created 2000-11-09
Enter passphrase:

Here the parameter "d" is for decrypting the data and <file> is the data you want to decrypt.
[Note: you must have the public key of the sender of the message/data that you want to decrypt in your public keyring database.]

10: Checking the signature
Once you have extracted and exported your public key, anybody can use the --verify option of GnuPG to check whether encrypted data from you is also signed by you.

  • To check the signature of encrypted data, use the following command:

    [root@dragon /]# gpg --verify <Data>

    Here the "--verify" option checks the signature and "<Data>" is the encrypted data/file you want to verify.


Some uses of GnuPG software

1: Send encrypted mail messages.
2: Encrypt files and documents
3: Transmit encrypted files and important documents through network
 

Here is a list of some of the frontends and software for GnuPG:
GPA aims to be the standard GnuPG graphical frontend. This has a very nice GUI interface.
GnomePGP is a GNOME desktop tool to control GnuPG.
Geheimniss is a KDE frontend for GnuPG.
pgp4pine is a Pine filter to handle PGP messages.
MagicPGP is yet another set of scripts to use GnuPG with Pine.
PinePGP is also a Pine filter for GnuPG.

 

More Information

http://www.gnupg.org/docs.html

Conclusion

Anybody who is cautious about security must use GnuPG. It is one of the best open source software packages, with all the functions needed to encrypt and decrypt your secure data, and it can be used without any restrictions as it is under the GNU General Public License. It can be used to send encrypted mail messages, files and documents for security. It can also be used to transmit files and important documents securely through a network.

This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

Written by: Kapil Sharma
Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet Security for more than 4 years. He is maintaining a web site http://www.linux4biz.net for providing free as well as commercial support for web, Linux and Unix solutions.]
