GnuPG

From LinuxReviews
GNU Privacy Guard
GnuPG is GNU software.
An ASCII-armored GnuPG public key.
Original author(s): Werner Koch
Developer(s): GNU Project
Initial release: April 8, 1999
Repository: dev.gnupg.org/source/gnupg/
Operating system: GNU/Linux, *BSD, Android, Windows, macOS, RISC OS
License: GNU GPL v3
Website: gnupg.org

GnuPG (GNU Privacy Guard) is a command-line utility, with many front-ends available, that lets you encrypt and/or sign instant messages, e-mails and files using a public/private key-pair. It is very widely used within the free software world, where it is used to encrypt e-mails, sign ISO image releases and packages in distribution repositories, and much more. Hardly anyone outside of the free software community knows about it, and most won't care about securely encrypting their e-mails even if they are made aware of its existence.

A Brief Introduction

GnuPG uses asymmetric (public/private) key-pairs, individually generated by each GnuPG user. You create a key-pair and get a public key you can share with friends and family and a private key you should keep all to yourself. The public key is used to encrypt files and messages; the private key, which can and should be protected by a passphrase, is used to decrypt them.

GnuPG is mostly used to encrypt e-mail messages, instant messages and files meant to be sent to others, though it can also be used to encrypt local files for safe-keeping. You can think of e-mail messages as messages written on postcards or as letters put in envelopes. Regular unencrypted mail is like a postcard: anyone who picks it up along the way can read it. A GnuPG-encrypted e-mail is like a letter in a secure envelope.

GnuPG can also be used to sign files or messages, so you can be sure that the owner of the key used to sign the file or message is the one who created it and that the file or message has not been altered since. A GnuPG signature is worthless on its own; it is only useful if you are sure that the key that was used to sign a file or message actually belongs to the person you think it belongs to.

GnuPG is compatible and interoperable with the very similar proprietary Pretty Good Privacy (PGP) tool from NortonLifeLock Inc (formerly Symantec).

Features And Usability

The GnuPG software itself is just a command-line utility and is, as such, hard and cumbersome to use. You should learn how to use it if you will be working with the free software community, but you do not have to, since there are numerous graphical front-ends for it, and GnuPG support is either built into most free software e-mail clients or available as a plug-in. GnuPG support is, sadly, missing from most proprietary e-mail clients.

A basic understanding of how the GnuPG gpg command-line utility works does help a bit when you use graphical front-ends, though a basic understanding of how GnuPG works in general is enough. The most important fundamental thing to understand is that a key-pair consists of a public key, meant to be used for encryption, and a private key, used for decryption, which should never be shared but should be backed up. There is no way to recover the private key of a key-pair if you lose it.

GnuPG is not hard to learn, but you do have to learn it to use the gpg utility from the GnuPG package. gpg --help will show you a long and scary list of all the options that are available.

A public/private key pair can be generated by running gpg --generate-key.

A local file can be encrypted to a key you have made with:

gpg -e -r KEYID file.txt

-e means encrypt and -r, short for --recipient, is the key that will "receive" the encrypted file. The new encrypted file will be created as a file with the same name with the additional file extension .gpg added to it (encrypting file.txt creates file.txt.gpg).

Decrypting a file ending with .gpg is a simple matter of running gpg file.txt.gpg.

The -a option can be used to create encrypted files, or exported key files, with the contents stored as ASCII armor. Key files listed on public websites are usually in this format. It is useful for creating encrypted e-mail messages, though you will in practice never have to do that, since you are probably going to use an e-mail client with built-in support if you want to use GnuPG regularly. Manually creating encrypted e-mail messages with gpg would be a pain in the long run.
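What -a actually wraps around the binary output is the OpenPGP ASCII armor format: BEGIN/END lines, optional headers, base64 body and a CRC-24 checksum line (RFC 4880 section 6). The following is an added example, not code from the page or from the GnuPG project; it armors and dearmors constructed data, rejects a damaged block on checksum mismatch, and reads the first packet tag, which is why exported public keys always begin with "mQ".

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1

def crc24(data: bytes) -> int:
    """Bitwise CRC-24 of the binary data; its base64 is the '=' line before END."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "PGP MESSAGE") -> str:
    """Wrap binary OpenPGP data as gpg -a does: 64-column base64 plus a checksum line."""
    body = base64.b64encode(data).decode("ascii")
    checksum = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "Comment: constructed example", ""]
                     + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + [checksum, f"-----END {block_type}-----", ""])

def dearmor(text: str) -> bytes:
    """Reverse armor(); ValueError if BEGIN/END disagree or the CRC-24 does not match."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("no BEGIN line")
    block_type = lines[0][len("-----BEGIN "):-len("-----")]
    # Armor headers (Version:, Comment:) run up to the first line without a colon.
    i = next((k for k, line in enumerate(lines[1:], 1) if ":" not in line), len(lines))
    body, checksum = [], None
    for line in lines[i:]:
        if line == f"-----END {block_type}-----":
            break
        if line.startswith("="):                  # base64 never starts with '=', so this is the CRC
            checksum = line[1:]
        elif line.strip():
            body.append(line.strip())
    else:
        raise ValueError("missing or mismatched END line")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is None or base64.b64decode(checksum, validate=True) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: the armored block is damaged")
    return data

def packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2); exported public keys start with tag 6."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F
```

The constructed six-byte input below is only an old-format public-key packet header, not a real key; gpg itself would reject the truncated packet body.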

Understanding Keys

A GnuPG key will typically have a name, an e-mail address and, more importantly, a digital signature attached to it. The digital signature is the important part; it is what you should primarily look at when you evaluate whether a key should be trusted or not. The reason is simple: anyone can generate a key with someone's name and e-mail address in it and upload that to the public key-servers. There may be 10 keys with the name of someone on a key-server and only one key that actually belongs to the person whose identity is shown on the key. Thus, you will have to somehow verify that the key ID is the one that belongs to the person you want to communicate with. Don't be as dumb as an Arch Linux security team member and think that a key with someone's name on it on a key-server guarantees that it actually belongs to that person (Yes, they really are that ignorant of how GnuPG works. Perhaps some of them will be compelled to learn GnuPG basics if/when they see their sheer stupidity mentioned here. We don't have high hopes, but it's possible).
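The practical consequence is that a key must be selected by its fingerprint, checked against a value obtained from the person through some other channel, never by the name or address in the user ID. As an added example (not from the page or from the GnuPG project), here is a small Python routine over the machine-readable `gpg --with-colons --list-keys` record format, run on a constructed listing in which two different keys carry the same user ID:

```python
# Constructed sample of `gpg --with-colons --list-keys` output. Two keys carry the same
# name and e-mail address, which is exactly the situation the text warns about.
# Field 5 of a pub record is the key ID, field 10 of fpr is the fingerprint,
# field 10 of uid is the user ID string. Key IDs, hashes and dates are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::HASH1::Example Person <person@example.org>::::::::::0:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1510000000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1510000000::HASH2::Example Person <person@example.org>::::::::::0:
"""

def parse_colon_listing(listing: str) -> list:
    """Group records into keys: a pub record starts a key, the first fpr after it is the
    primary fingerprint (later fpr records belong to subkeys), uid records attach to it."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fingerprint": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def normalize_fingerprint(fpr: str) -> str:
    """Accept the spaced, mixed-case form people read off a business card or a web page."""
    return "".join(fpr.split()).upper()

def keys_claiming(listing: str, name: str) -> list:
    """Key IDs whose user ID contains the name. This proves nothing: anyone can upload one."""
    return [k["keyid"] for k in parse_colon_listing(listing) if any(name in u for u in k["uids"])]

def select_key(listing: str, expected_fingerprint: str):
    """Key ID whose primary fingerprint equals the one verified out of band, or None."""
    want = normalize_fingerprint(expected_fingerprint)
    for key in parse_colon_listing(listing):
        if key["fingerprint"] == want:
            return key["keyid"]
    return None
```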

GnuPG has a somewhat useful feature that can, in rare cases, help solve the question of whose key you are looking at: key verification signatures. Your key A can sign a friend's key B, indicating that you believe key B belongs to your friend. This allows someone who trusts your key A to see that you believe key B is a key belonging to your friend.

Identifying which key is the correct one using signatures from other keys used to be simpler than it is today. GnuPG key signature spam became a big problem in the first half of 2019. It works like this: you take the key of someone you don't like for some reason and add 10000 signatures to it. The result is that anyone who tries to download that key with the 10000 signatures gets to store and process a really huge key. In response, the public key-servers began omitting GnuPG signatures when keys are requested. The result is that it will look like nobody has signed your key if they fetch it from a public key-server, even if you have attended 100 key-signing parties and you have 200 actual signatures from people who have met you in person.

Applications And Front-Ends

KGPG from the KDE Application Suite (available as a separate package) is an acceptable, but not great, graphical front-end for GnuPG.

Support is built into these e-mail clients:

  • Thunderbird (only newer versions; older versions required a plug-in)
  • KMail (part of the KDE Kontact application suite)
  • Mutt

Support is available in the form of a plug-in for these e-mail clients:

  • Claws-Mail

HOWTOs

Finding Keys

The following example is from 2006, so the key-servers in it may no longer exist. It makes the GnuPG tool gpg look for a public key on a number of public key-servers. It is meant to be used with one key ID as an argument; it is not for searching for a random person's name or e-mail address.

File: fetachkey
#!/bin/sh
#
# Thanks to George Shaffer
#
# Usage: fetachkey KEYID
# Tries each key-server in turn and stops at the first one that has the key.
if [ -z "$1" ]; then
  echo "Enter a key as argument!"
  exit 1
fi

# Key-server list from 2006; several of these no longer exist.
echo 'tickets.rutgers.edu
pgp.mit.edu
keyserver.veridis.com
pgp.keyserver.ch
pgp.surfnet.nl
www.stinkfoot.org
pgp.es.net' | while read -r keyserver; do
  if gpg --keyserver "$keyserver" --recv-keys "$1"; then
    echo "Found key at $keyserver"
    # The loop runs in a subshell (right-hand side of the pipe), so this exit
    # only ends the loop; nothing follows it, so the script ends here anyway.
    exit 0
  fi
done

History

Phil Zimmermann released an encryption program called Pretty Good Privacy (PGP) in 1991. It is now owned and maintained by the NortonLifeLock Inc corporation (formerly Symantec). German software developer Werner Koch began creating GnuPG in 1997 to have a compatible free software implementation. The first version, 1.0.0, was released on September 7th, 1999. A Windows port, funded by the German Federal Ministry of Economics and Technology, became available in 2000.

Links

The GnuPG homepage is at https://gnupg.org/. It has a rather big documentation section at https://gnupg.org/documentation/.
