Once GPG is installed and the key created, it is very easy to use it. To encrypt a file for friend@domain.com, just enter the following:
[julien@asus ˜]$gpg --recipientfriend@domain.com--encryptfilename
This implies that you already have the public key for friend@address.com. If you do not, you can retrieve it from a keyserver:
[julien@asus ˜]$gpg --search-keysfriend@domain.comgpg: searching for "friend@domain.com" from hkp server wwwkeys.eu.pgp.net(1) A Friend <friend@domain.com>A Friend (Work) <friend@work.com>1024 bit key BB0D830A, created: 2002-11-06Enter number(s), N)ext, or Q)uit >1gpg: requesting key BE0G830A from hkp server wwwkeys.eu.pgp.net gpg: key BB0D830F: public key "A Friend <friend@address.com>" imported gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 valid: 2 signed: 0 trust: 2-, 0q, 0n, 0m, 0f, 0u gpg: Total number processed: 1 gpg: imported: 1
This public key is used to encrypt filename, and the new encrypted file is named filename.gpg, which can only be decrypted by your friend! And not even by you!
The --armor argument can be used to encrypt the file into ASCII. The file created is named filemane.asc.
If you want to encrypt files for yourself, you can either use your own public key or you can use a passphrase. The passphrase is used as a symmetric key, meaning that the same key is used to encrypt and decrypt the file:
[julien@asus ˜]$gpg --symmetricfilenameEnter passphrase: Repeat passphrase:
The encrypted file can also be compressed:
[julien@asus ˜]$gpg -compress-algoZIP-symmetricfilename
BZIP2 has the best compression ratio, but it also requires more memory to compress and uncompress.
PGP supports only ZIP compression, so this algorithm is preferred to ensure a better interoperability.
All these options can be combined; for example, a file can be encrypted into ASCII with a passphrase or a public key, and compressed. You need both the private and the passphrase to decrypt it.
[julien@asus ˜]$gpg -compress-algoZIP-symmetric -armor --recipientfriend@domain.com--encryptfilename
Signing a file is done with your private key to allow people to verify that the file is really from you. It is easier than encrypting a file, since you do not need anyone else's public key. To create a signature, use the command:
[julien@asus ˜]$gpg --armor -detach-signfilenameYou need a passphrase to unlock the secret key for user: "Julien Sobrier <julien@sobrier.net>" 1024-bit DSA key, ID 5CA8B01C, created 2005-08-29 Enter passphrase:
Since your private key is needed, GPG needs your passphrase to decrypt it. Signatures are usually created in ASCII, so the --armor option is used. The signature file filename.asc must be provided along with the data file filemane.
The use of a private DSA key requires using a 160-bit hash size, such as SHA1. But SHA1 is considered a weak hash algorithm that is prone to collisions.
RSA can use any hash size, so the safer SHA512 hash algorithm can be used.
Instead of having two files, one for the signature and one for the actual data, the signature can be merged into the data file:
[julien@asus ˜]$gpg --clearsignfilename
The resulting filemane.asc looks like this:
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1test-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE4KxlOa0iVFyosBwRAmXGAJ47VNQ5LO/QriAFB0dXIU3wKEKG8QCffX4f 9aJMDpiJagdE6Y9jANP4js4= =ubt8 -----END PGP SIGNATURE-----
The first part of the file indicates the hash algorithm that was used (SHA1 here) and contains the actual data (the string test here). Then the signature follows.
The file can then be verified:
[julien@asus ˜]$gpg --verifyfilemane.ascgpg: Signature made Mon 14 Aug 2006 10:01:25 AM PDT using DSA key ID 5CA8B01C gpg: Good signature from "Julien Sobrier <address@domain.com>"
Linux distributions usually sign their packages with GPG. The installer clients (apt-get for Debian, yum for Fedora, urpmi for Mandriva, etc.) automatically verify the signature with the public key before installing a package.
The exact same procedures for file encryption and signature can be used for email. You can copy the signature file or encrypted data into the body of an email. If you look at the source of an email encrypted or signed with GPG, this is exactly what you see: the hash algorithm followed by the hash and the signature in a signed email, and the encrypted data in ASCII in an encrypted email.
However, there are plug-ins to make your life easier. For example, Enigmail for Mozilla Thunderbird or PGP for Outlook can handle encryption, decryption, and signature creation and verification directly inside the email client.
Plug-ins that work with GPG, such as Enigmail, use a GPG-agent, a daemon that handles secret keys. This avoids giving direct access to your secret keys to the plug-in.
Using a GPG plug-in does not provide better security than using the GPG command line. For example, since an encrypted email can only be decrypted by the recipient, some plug-ins keep a decrypted copy in the Sent folder. Enigmail keeps the encrypted version along with your own public key.
Before you choose a GPG plug-in, look at its security history.