This is a tutorial to get started using E-mail encryption and signing using GnuPG, and the OpenPGP standard. This guide is primairly written for Debian (and Ubuntu), but GnuPG is available for all major desktop operating systems.
To understand this tutorial better, you have to understand the basics of cryptography and private-public keypairs.
- Keypair: A private and a public key that belong together.
- Private key: Your secret key used for making signatures and decrypting mails. Unlocked using a passphrase. To be kept secret, and never shared!
- Public key: Used for verifying signatures, and encrypting emails. Can be shared freely (only compromising information in it, is the name and e-mail you provide (e.g. if an e-mail address is private).
- Signature: A cryptographic verification of an email, showing who wrote it and that it has not been tampered with on the way.
- Key signature: The signature of a key. Used to verify that a key belongs to the name/e-mail it claims, either directly or through the web of trust.
- Web of trust: When you have many keys signed, you get a web of trust. You can generally trust a key that's been signed by someone who's key you've signed. (There's an algorithm taking care of this automatically for you.)
The easiest way is to get GnuPG from the package management system, you can do this by writing the following in a terminal:
$ sudo apt-get install gnupg
There is alot of extra things you can learn about OpenPGP, but to get started you only need to decide two things, key-length and expiry. Key-length should be a minimal of 2048-bits (4096 recommended) and expiry at most 2 years, we recommend 1. Your passphrase should not be easy to guess, and sufficiently long not to be brute forced.
$ gpg --gen-key gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Wed 19 Dec 2012 02:47:01 PM CET Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: Test Testsson Email address: firstname.lastname@example.org Comment: Test key, for tutorial only You selected this USER-ID: "Test Testsson (Test key, for tutorial only) <email@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2012-12-19 pub 4096R/EF8A4A77 2011-12-20 [expires: 2012-12-19] Key fingerprint = AFF0 7D2C FCA5 61E1 9370 CA0F E675 7610 EF8A 4A77 uid Test Testsson (Test key, for tutorial only) <firstname.lastname@example.org> sub 4096R/FD5F94AF 2011-12-20 [expires: 2012-12-19]
Now that you have your key-pair, you can verify it by running
$ gpg -K /home/jonatan/.gnupg/secring.gpg -------------------------------- sec 4096R/EF8A4A77 2011-12-20 [expires: 2012-12-19] uid Test Testsson (Test key, for tutorial only) <email@example.com> ssb 4096R/FD5F94AF 2011-12-20
There it is, all set!
There are more email clients out there, and most of them (Outlook being the notable exception) support GnuPG either natively or through an extension.