At the moment there are two implementations consistent with the OpenPGP protocol: Network Associate, Inc's PGP (the descendent of Zimmermann's original program), and the open-source project GnuPG. I use GnuPG myself (I support the philosophy of Free Software), and the example shown here will be made referring to GnuPG, but the functionality should be the same as PGP itself.
I will discuss four main functions here:
The Web of Trust is in principle an important concept also, but I have found little need for it yet while the usage of PGP is still low.
Note that some mail programs can be set up to encrypt or sign an email message using MIME definitions for PGP. I will tell a little about that on the next page.
I will use the command line version of GnuPG as an example
(for which the command is 'gpg' rather than 'pgp'). PGP (command
'pgp') should operate similarly from the command line - check the
documentation. Graphical interfaces are also available, eg. GnomePGP.
A wrapper script called pgpgpg serves to allows scripts intended
for pgp to be used where gpg is actually used instead.
Creating a Key Set
The first thing you need to use PGP is to create your own public and
private key. You will have to assign a passphrase to allow access to
your private key. Note that is "passphrase", not "password",
emphasising that it should be of reasonable complexity, not a simple
word that could be located in a dictionary.
The command is:
gpg --gen-key
You will be asked to choose the public key algorithm (GnuPG has DS together with ElGamal as default) and the size of the key. 1024 bits is default, but personally I'd choose 2048. You also choose the lifetime of the key (unlimited lifespan, or limited life, after which the key can be used for decrypting but not encrypting). The key also contains a small amount of information about you - your name and email address.
The new key is generated using random noise (via /dev/urandom in
Linux), so you may be asked to create this random noise with arbitrary
mouse and keyboard movements. Finally, the new key should be signed
with itself for additional security.
Importing and exporting public
keys
Your public key can be made available as an ASCII file using
gpg --export --armor [name]You must supply the name when you are exporting a key other than your main default key. If the --armor option is not used, the public key is output in binary format rather than ASCII. This file can then be distributed like any other file, by email or over the web (like I did here). The key can also be published "officially" using keyservers (see options --send-key or --recv-key with --keyserver), although I do not currently use this facility. It may become more important when use of public key encryption becomes more widespread. Assuming you received the ASCII file containing some else's public key, you can import it to your keyring via
gpg --import
If the file is not specified, the program will wait for input from standard input, so you could copy and paste from a webpage without actually storing the file itself. You want to be confident of the authenticity of the key you imported. This can be done by checking the key's fingerprint with
gpg --fingerprintThe output looks like:
pub 1024D/20A72DD9 2000-04-16 test key (just a test)This fingerprint could be provided in the owner' email signature or over the phone. Another means of verifying authenticity is using the "web of trust", which I will mention briefly below.Key fingerprint = 731F 2C5B FF3A E94D DADD E04D A1C8 7C72 20A7 2DD9 sub 1024g/9F1F4C93 2000-04-16
gpg --encrypt fileThe recipient can be specified via -r
gpg --encrypt --armor file
Decryption is likewise performed using
gpg --decrypt decrypted-fileThe program will ask you to input your passphrase before decrypting. Output is to stdout and can be redirected in the usual unix way (via '>' or '|').
Note that there are graphics interfaces such as GnomePGP which help
perform these functions. Likewise, a properly configured mail program
will perform encryption and decryption automatically, asking for the
passphrase when needed.
Signing and verifying a file
There are two ways of digitally signing a file. The signature can be
either incorporated into the file being signed, with
gpg --sign filewhich creates file.gpg, containing the file and its signature together, or created as a separate detached file:
gpg --detach-sign filewhich creates file.sig, separate from the original file. A detached signature may be appropriate in the case of, for instance, authenticating a source code file, where the signature would interfere with compilation of the file if it were included within.
As in the case of encrypting the file, these commands produce a binary signed file or detached signature. An ASCII file is created by adding the option --armor.
The authenticity of a signed file can be verified with the command
gpg --verify signed-fileor, in the case of a detached signature, by putting the signature file first:
gpg --verify file.sig file
Finally, a file can be encrypted and signed at the same time, e.g.
gpg --encrypt --sign --armor file