Illustrated Guide to GPG for Noobs

This is just a guide I'm making to show people I know how to learn GPG well enough that they can use it and figure out the rest from there. So I'm going to do everything in as easy a way as possible. If you are looking for advanced information about the command line GPG, put "man gpg" into the terminal or check the website.

First off, GPG is an open-source program based on PGP. GPG stands for "GNU Privacy Guard", PGP stands for "Pretty Good Privacy". It's used for encryption and signatures which are, for all practical purposes, unbreakable and unforgeable, unless somebody gets their hands on your password or your secret key (don't give those out, by the way).

Before doing anything else you need to have the program and have a key pair. If you have any modern distribution of Linux there's a good chance GPG is already installed on it. Every distribution I have tested includes it. There is also a version for Windows, but the Linux version is better.

In Linux, GPG has two frontends that I have used: Kgpg (for KDE) and GPGP (for GNOME). The basic program, in its original and most powerful form, is command-line based.

In Windows, I do not know of a fully-featured command-line version of GPG. The version of Gpg4Win I used provided me with Windows Privacy Tray as a frontend.

All three are similar enough in their general usage that it won't take much adaptation to do what you want based on this guide. But this one focuses on Kgpg, which is my favorite and in my opinion, the easiest.

Now, if you've got your GPG frontend open, you'll see something that looks roughly like this:

I believe most GPG frontends will detect on the first run that you don't have any keys, and will give you a prompt to make one. So make one, you'll need it. If you aren't prompted for one, you can look through the menu options and find "Generate Key Pair".

This should bring you to the same dialog you'd get if it had detected zero keys, which looks like this.

Fill out all the information you have to, and click OK. You'll be asked for a password:

And upon clicking OK again, you'll probably see a few random characters appearing and disappearing in a small window as it generates your key. It might be there for a little bit, but it'll be gone in 2 minutes at most, and give you this message:

If so, great, you've got yourself a key pair.

You get two keys when using GPG or PGP. One is your public key, the other is your private key. You give others your public key.

In encryption, someone encrypts a message with your public key. Now there's only one way to decrypt it, and that's using your private key.

In signatures, you sign a message with your private key. In order to check the signature, someone else uses your public key.

Whenever you use your private key, you'll be asked for your password. When you decrypt something or sign it, you need your password. Now I'll show you how to do that.

After clicking OK again, you'll be back at your key management window.

The bold key is the default. So now you've got your keys. But nobody else has your public key. So you need to send it to them. But to do that you need to get it.

In Kgpg you get these options. I haven't used email, but I assume it emails the key to someone else. Clipboard will "copy" it so that you can "paste" it somewhere else. Default key server is self-explanatory. File will save it to a text file where you tell it to. The ".asc" extension means it's an ASCII format text file.

Whatever method of output you use, send the key to somebody else who has or may soon get GPG. Post it on a forum. Send it to them in an email. Put it on your website. Whatever you want. Then you can start actually using GPG.

Now, you probably have two windows with these frontends:

The top window is the key manager, the second window is the editor. You use this second window to actually do your encryption and signing, where the real fun begins.

Type the message you want to encrypt or sign. In this case, I typed "Hello world!".

If you both encrypt and sign a file (you don't have to do both), you should sign it first, then encrypt. Not only does it make a much nicer, neat little block of text, it's also easier for the recipient to decrypt and then see a signed message than to dig the encrypted message out of a signed block and then decrypt it. Sign first, then encrypt.

So let's sign it. Click the "Sign/Verify" button. You'll get this window:

Only private keys will be listed. If you have only one private key and a hundred public keys of other people, you'll only see your key here. So pick the key you want to use, and click OK.

Signing a message requires your private key, which means you need to use your password. The editor window will now show something similar to this:

Now your message is signed so that anyone with your public key can verify that you did indeed type this. With this signed message in hand, you can now post on forums full of assholes that keep editing your posts to make you look like a moron, and if they tamper with any part of it, someone checking the signature will know. You can also check the signature yourself. Click the "Sign/Verify" button again and you'll get something like this:

Unless you've modified the text, you should get a confirmation message.

Now that you've signed the file, let's encrypt it. You don't have to sign before encrypting, but if you do sign, do it before encrypting instead of after.

Click the "Encrypt" button.

When you encrypt something, it uses someone else's public key. Because it's not using a private key, you won't be asked for a password. Choose whoever you want to encrypt it for, and click OK.

Now your message is encrypted, and ready to be sent through the security gauntlet of internet tubes. You can encrypt this encrypted message if you want, but since the default GPG cipher can't be cracked, it won't do you any good, and it'll annoy the recipient.

Whenever you get an encrypted message, it'll look something like this. Suppose you're the recipient of this message. You can now decrypt it with your private key. Click "Decrypt". The recipient is specified in the encrypted block of text, so you won't get a menu of keys to choose from. Decryption needs your secret key, though, so you will be asked for a password.

And now the message is decrypted, and you can check the signature to verify the sender. Keep in mind that a message encrypted to your public key could have come from anyone, because anyone can get your public key, including people you don't know; the signature, not the encryption, is what tells you who sent it.
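The same round trip the guide just walked through in Kgpg (sign, then encrypt; decrypt, then check the signature), done with the gpg command line. This is an added example, not from the original post; it assumes GnuPG 2.1 or newer, runs in a throwaway keyring so your own keys are untouched, and the two user IDs are made up.

```shell
#!/bin/sh
# Added example (not from the original guide): sign-then-encrypt and
# decrypt-then-verify with the gpg CLI. Assumes GnuPG 2.1+.
set -e

# Throwaway keyring so this never touches your real keys.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

# Common flags: no prompts, no pinentry pop-up.
GPG="gpg --batch --quiet --yes --pinentry-mode loopback"

# Unattended key generation for the demo pair (constructed identities).
# Empty passphrase is for the demo only; a real key keeps the password
# the guide keeps asking you for.
gen_key() { $GPG --passphrase '' --quick-generate-key "$1" default default never; }
gen_key 'Alice <alice@example.test>'   # sender: signs
gen_key 'Bob <bob@example.test>'       # recipient: decrypts

# sign_then_encrypt SENDER RECIPIENT MESSAGE: the order the guide recommends.
# --armor gives the ".asc"-style text block; --sign puts Alice's signature
# inside the encrypted block so Bob gets one neat message. --trust-model
# always answers the "do you trust this key?" question the GUI also asks.
sign_then_encrypt() {
  printf '%s\n' "$3" | $GPG --armor --trust-model always \
      --local-user "$1" --recipient "$2" --sign --encrypt
}

# decrypt_and_verify: reads the block on stdin, prints the plaintext, and
# fails unless gpg reported GOODSIG on its status channel. gpg picks the
# right secret key itself; the recipient is named in the block.
decrypt_and_verify() {
  $GPG --status-fd 3 --decrypt 3>"$GNUPGHOME/status"
  grep -q '^\[GNUPG:\] GOODSIG' "$GNUPGHOME/status"
}

# roundtrip: what Bob reads after decrypting Alice's message.
roundtrip() {
  sign_then_encrypt alice@example.test bob@example.test 'Hello world!' \
    | decrypt_and_verify
}

# tamper_detected: clear-sign a message, change one character of the text
# (what an abusive forum moderator might do), and verify. Returns success
# when gpg rejects the edited copy, which it must.
tamper_detected() {
  printf 'Hello world!\n' | $GPG --local-user alice@example.test --clearsign \
    | sed 's/Hello world!/Hello wor1d!/' > "$GNUPGHOME/tampered.asc"
  ! $GPG --verify "$GNUPGHOME/tampered.asc" 2>/dev/null
}
```

When you are done, `gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"` removes the demo keyring and its agent.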

That's all you really need to know about using GPG for simple text-based communications. You can also encrypt files, encrypt to a non-ASCII file (I find ASCII to be more convenient), and do symmetrical encryption. Unfortunately the last time I used Gpg4Win, it didn't have an option for symmetrical encryption.

Symmetrical encryption in Kgpg is under the "Details" button at the encryption prompt. Symmetrical encryption does not use your key pair. Instead the encryption is based on a password you give it, and anyone with the password can decrypt it. This is less secure but more convenient if you're frequently sending messages to several of the same people at once.

If you want to get into the command line, you surrender ease-of-use for an amazingly powerful and flexible encryption tool. Frontends are designed to work well with what most people do with these programs, and they do that well.

So there you go. GPG for noobs.

While playing with it I noticed that the unencrypted copy of George Orwell's 1984 that I have in text format is about 587k. A symmetrically encrypted copy is about 320k, and a copy encrypted with my public key is 291k. So GPG will also compress files (quite well!) when encrypting them.
