Ensuring secure communications over an insecure medium such as the Internet is vital. GnuPG (www.gnupg.org) is an encryption tool that can be used to ensure the security of messages and files sent to others. Compatible with the popular PGP encryption program, it uses the public-key cryptography method, which relies on two ‘keys’ to protect a message.
It is important to understand how public-key cryptography works before we get started with GnuPG. The two keys are known as the private key and public key. The private key is kept by its owner and is protected by a passphrase; the public key is distributed freely to anyone. A message encrypted with one key can only be decrypted using the other. This allows for two forms of communication, providing different types of security:
- A message can be encrypted by its owner using a private key, and must be decrypted using the corresponding public key. This form verifies the origin of the message, as it could only have come from the owner of the private key. It does not control who can read the message, as the public key used to decrypt it is openly available.
- A message can be encrypted by someone using its intended target’s public key, and must then be decrypted using its target’s private key. This form ensures the message can only be read by its intended target. It does nothing to verify that the origin of the message is authentic. These methods outlined can be combined to ensure both source verification and security against unauthorised viewing.
Getting started with GnuPG
After installing GnuPG and GPA, you should initialise GnuPG by typing in a shell:
This will create the directories GnuPG needs to work properly. Now you can start the GNU Privacy Assistant (GPA) by running ‘gpa’ while in X11.
To generate your keypair, click on the Keys menu and select Generate key. You will be asked to provide an identifier for your key, consisting of your name, e-mail address and a comment. A passphrase is also needed to protect against someone else using your private key. The passphrase should not be a word or name that can be found in a dictionary and, ideally, should consist of a random combination of mixed-case alphabetic letters and numbers. Once you have entered an identifier and passphrase, a keypair will be generated for you. This may take several seconds, even on a fast computer.
Before you can start encrypting and sharing files, you need to distribute your public key. Your public key is required by others to communicate with you securely. The easiest way to distribute your public key is by using a plain text signature. This can be generated by clicking the Export button in GPA and typing in a filename next to ‘Export to file’. You should put this file in a public place, such as your personal Web page, and direct others to it. You can also export your key to a public key sever where it can be obtained by others using the information in the key’s identifier. You can import other users’ keys by using the Import button.
To get started with GnuPG, open the GPA file manager by clicking on Windows and selecting Filemanager. Encrypting a file is easy with the Filemanager. Click the Open button and select the file to be encrypted. Once selected, the file will appear in the Filemanager with a status listed as ‘clear’. To encrypt the file, click the Encrypt button. Select your key from the list and click OK. A new copy of the file will be made with the suffix .gpg to indicate an encrypted version. The new copy will be listed in the file manager with a status of ‘encrypted’.
To decrypt a file, you will need either the public key from its sender or your own private key, depending on the form of encryption used. To decrypt a file, select it in the file manager and click the Decrypt button. If it has been encrypted with your public key, you will need to supply your private key passphrase. If decryption is successful, a newly decrypted copy of the file will appear in the file manager list with a status of ‘decrypted’.
Most popular Linux e-mail programs support the use of GnuPG, such as Evolution, KMail and mutt. You will need to supply the path to the ‘gpg’ binary in each program’s configuration settings. E-mail programs combine both forms of encryption to protect messages so you must obtain your intended targets’ public key before sending them a message. You can try it out by sending yourself an encrypted e-mail.