com-science.de | Linux / Gpg

external links

EMail-Security using GnuPG for Windows
Firegpg an very easy to use plugin for Firefox. To encrypt, sign and verify your emails easiely independent of which email web client you use.
http://linuxwiki.de/GnuPG#head-583d3484a35508c62a7c8d653b9b83f87b0db8a2

Encrypt files with a passphrase

    gpg --symmetric filename.bin

creates file filename.bin.gpg encrypted with a passphrase that you have to give as input.

    gpg --decrypt -o filename.bin filename.bin.gpg

Decrypt the file and writes the data to the file given by option -o instead of writing to the standard output device.

signatures for emails or files

 gpg --sign --armor plaintext.txt
 gpg --verify plaintext.txt.asc
 gpg --decrypt plaintext.txt.asc > plaintext.txt

The original file does not need to be present where the verification takes place. It will be genereated through the signature.

 gpg --clearsign plaintext.txt
 gpg --verify plaintext.txt.asc

here the original message will be placed together with the signature. The message text stays plain!

 gpg --detach-sign filename
 gpg --verify filename.gpg filename

You have to have the file there where you want to verify the signature.

security with every mail client you want

If you want to send secret emails but your favourite client does not use any cryptology there is nevertheless a solution. You only need GnuGPG installed. After generating a key for your encryption/decryption.

 gpg --encryption --armor --recipient bob << EOM
 >this is secret
 >EOM

The ascii characters that will be printed out you can easily insert per mark&paste into your edit/compose window of your mail client. Afterwards send this to bob. He has to decrypt with

 gpg --decrypt << EOM

and paste also per mark&paste the ascii part of the email here into the shell and see what is supposed only for his eyes.

short reference

 gpg --gen-key

generates a key for you or some guy. let's call him Bob. So we use bob as "real name".

 gpg --export --armor bob > bob.asc

exports the public key. For exporting the private key use --export-secret-key

 scp bob.asc webserver:

Now Bob's public key is on the webserver. Alice has to import it to write a encrypted message to Bob.

 wget http://webserver/bob.asc

 scp webserver:bob.asc .
 gpg --import bob.asc
 gpg --encypt --armor --recipients bob file_with_sec.txt

creates file_with_sec.txt.asc. This file can be send by mail or something else. Here we take ssh.

 scp file_with_sec.txt.asc bobs_computer:

After this Bob decrypts file_with_sec.txt.asc with

 gpg --decrypt file_with_sec.txt.asc

Then you have to give the secret passphrase that you entered while key generation process.

The passphrase protects the private key from accessing except you.

sign a file

 gpg --sign filename
 gpg --verify filename.gpg
 gpg --encrypt --sign -r bob secrettextfile.doc

add --armor if you want to send it via email to create ascii instead of binary data.

use --clearsign if you want the data in readable form:

 gpg --clearsign cleartext.txt

 gpg --detach-sign filename

creates a binary signature with extension .gpg

To verify against the original file:

 gpg --detach-sign cleartext.txt
 gpg --verify cleartext.txt.asc cleartext.txt

 gpg --encrypt --sign -r bob rechnung.sxc

If decrypted the plaintext will also be printed.

things to know

 gpg --gen-key

creates a new key pair

Afterwards think about securing the directory where the key are stored with

 chmod 700 .gnupg -R

With "shred" you can overwrite a file to hide its contents. To export the key to an external media after creating them on the hard disk use

 shred *ring.gpg

in .gnupg directory.

 secring.gpg

contains private keys.

 pubring.gpg

contains all public keys. Also the keys from other persons.

 gpg --list-keys

shows all public keys.

gpg --gen-revoke <keyid>

revokes a key which was being created.

gpg --edit-key <keyid> or <userid>

commands:

quit
save
help
fpr
list
uid
key
check
sign
lsign
nrsign
nrlsign
adduid
addphoto
deluid
addkey
delkey
addrevoker
delsig
expire
primary
toggle
pref
showpref
setpref
updpref
passwd
trust
revsig
revuid
revkey
disable
enable
showphoto

export a public key

 gpg --export --armor alice > alice.asc

exports as ascii text. Without parameter --armor the outcome will be a binary file.

 gpg --keyserver keyserver --send-key keyid

exports to keyserver

import public key

 gpg --import bob.ascii

imports public key from bob as ascii text.

 gpg --rec-key ABDD123

receives key with this id.

To verify the received key you can ask Bob for a fingerprint and compare it with the outcome of:

 gpg --fingerprint bob

To set the status of the key to "trust" do the following:

 gpg --edit-key bob
 Command>trust
 Your decision? 4

The level of trust can be

unknown (q)
no trust (n)
partial trust (m)
unbounded trust (u) (status of your own keys)

gpg --search-keys Pattern Patternoix gpg --list-sigs bob