GnuPG / PGP

GnuPG stands for GNU Privacy Guard and is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc. (adapted from http://www.GnuPG.org/(en)/documentation/faqs.html#q1.1)

Links

• Home of GnuPG is http://www.GnuPG.org/
• Here’s also a great documentation http://www.GnuPG.org/documentation/guides.html
• A good and compact howto http://www.GnuPG.org/documentation/howtos.html
• I used GnuPG with Mozilla/Firebird and a plugin called Enigmail (http://enigmail.mozdev.org).
• I also used GnuPG with Evolution – it works out of the box.
• On OS X I use MacGPG which nicely integrates with Mail (http://macgpg.sourceforge.net/).

Most important commands to use GnuPG

• Generating a new keypair
  • gpg –gen-key
• Adding a second email address
  • gpg –edit-key yourID
  • adduid or revuid
  • save or quit
• Generating a revocation certificate (mykey key specifier e.g. 40240B2E)
  • gpg –output revoke.asc –gen-revoke mykey
• Listing keys and keys with sigs
  • gpg –list-keys
  • gpg –list-sigs
• Exporting a public key
  • gpg –armor -o publicKey.gpg –export email@foo.bar
• Exporting a key to a public keyserver
  • gpg –keyserver blackhole.pca.dfn.de –send-keys email@foo.bar
• Importing a public key
  • gpg –import aPublicKey.gpg
• Importing automatically a key
  • gpg –keyserver blackhole.pca.dfn.de –recv-keys somebody@foo.bar
• Once imported, you should check the key
  • gpg –fingerprint \A key’s fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner. If the fingerprint you get is the same as the fingerprint the key’s owner gets, then you can be sure that you have a correct copy of the key.
• If the owner, the email and the fingerprint fits with your data, you can sign his public key:
  • gpg –sign-key somebody@foo.bar
  • gpg –send-key –keyserver blackhole.pca.dfn.de somebody@foo.bar
• Deleting a key from your keyring
  • gpg –delete-keys somebody@foo.bar
• Updating key information from keyserver
  • gpg –refresh-keys
• Revoking a key (ONLY if your key was compromised or lost!)
  • gpg –import revoke.asc
  • gpg –keyserver blackhole.pca.dfn.de –send-keys email@foo.bar

GPG behind a firewall

set your environment, e.g in .bashrc:
export http_proxy="http://proxyAddress:PORT"
export ENIGMAIL_PASS_ENV=http_proxy
gpg –keyserver blackhole.pca.dfn.de –keyserver-options honor-http-proxy –someCommand
For WH3 in Freising/Germany you have to set your Proxy like this:
export http_proxy="http://proxy.fr3.swh.mhn.de:8080"
export ENIGMAIL_PASS_ENV=http_proxy