Current Software

At the moment there are two implementations consistent with the OpenPGP protocol: Network Associate, Inc's PGP (the descendent of Zimmermann's original program), and the open-source project GnuPG. I use GnuPG myself (I support the philosophy of Free Software), and the example shown here will be made referring to GnuPG, but the functionality should be the same as PGP itself.

I will discuss four main functions here:

  1. Creating a key set
  2. Importing and exporting public keys
  3. Encrypting and decrypting a file
  4. Signing and verifying a file

The Web of Trust is in principle an important concept also, but I have found little need for it yet while the usage of PGP is still low.

Note that some mail programs can be set up to encrypt or sign an email message using MIME definitions for PGP. I will tell a little about that on the next page.

I will use the command line version of GnuPG as an example (for which the command is 'gpg' rather than 'pgp'). PGP (command 'pgp') should operate similarly from the command line - check the documentation. Graphical interfaces are also available, eg. GnomePGP. A wrapper script called pgpgpg serves to allows scripts intended for pgp to be used where gpg is actually used instead.

Creating a Key Set

The first thing you need to use PGP is to create your own public and private key. You will have to assign a passphrase to allow access to your private key. Note that is "passphrase", not "password", emphasising that it should be of reasonable complexity, not a simple word that could be located in a dictionary. The command is: 
   gpg --gen-key

You will be asked to choose the public key algorithm (GnuPG has DS together with ElGamal as default) and the size of the key. 1024 bits is default, but personally I'd choose 2048. You also choose the lifetime of the key (unlimited lifespan, or limited life, after which the key can be used for decrypting but not encrypting). The key also contains a small amount of information about you - your name and email address.

The new key is generated using random noise (via /dev/urandom in Linux), so you may be asked to create this random noise with arbitrary mouse and keyboard movements. Finally, the new key should be signed with itself for additional security.

Importing and exporting public keys

Your public key can be made available as an ASCII file using 
   gpg --export --armor [name]
You must supply the name when you are exporting a key other than your main default key. If the --armor option is not used, the public key is output in binary format rather than ASCII. This file can then be distributed like any other file, by email or over the web (like I did here). The key can also be published "officially" using keyservers (see options --send-key or --recv-key with --keyserver), although I do not currently use this facility. It may become more important when use of public key encryption becomes more widespread. Assuming you received the ASCII file containing some else's public key, you can import it to your keyring via 
   gpg --import

If the file is not specified, the program will wait for input from standard input, so you could copy and paste from a webpage without actually storing the file itself. You want to be confident of the authenticity of the key you imported. This can be done by checking the key's fingerprint with 

   gpg --fingerprint
The output looks like: 
pub  1024D/20A72DD9 2000-04-16 test key (just a test) 
     Key fingerprint = 731F 2C5B FF3A E94D DADD  E04D A1C8 7C72 20A7 2DD9
sub  1024g/9F1F4C93 2000-04-16
This fingerprint could be provided in the owner' email signature or over the phone. Another means of verifying authenticity is using the "web of trust", which I will mention briefly below.

Encrypting and decrypting a file

 A file is encrypted using the obvious command 
   gpg --encrypt file
The recipient can be specified via -r , but if omitted will be prompted for. This will produce a binary file called file.gpg. An ascii encrypted file (file.asc) can be produced with 
   gpg --encrypt --armor file

Decryption is likewise performed using 

   gpg --decrypt decrypted-file
The program will ask you to input your passphrase before decrypting. Output is to stdout and can be redirected in the usual unix way (via '>' or '|').

Note that there are graphics interfaces such as GnomePGP which help perform these functions. Likewise, a properly configured mail program will perform encryption and decryption automatically, asking for the passphrase when needed.

Signing and verifying a file

There are two ways of digitally signing a file. The signature can be either incorporated into the file being signed, with 
   gpg --sign file
which creates file.gpg, containing the file and its signature together, or created as a separate detached file: 
   gpg --detach-sign file
which creates file.sig, separate from the original file. A detached signature may be appropriate in the case of, for instance, authenticating a source code file, where the signature would interfere with compilation of the file if it were included within.

As in the case of encrypting the file, these commands produce a binary signed file or detached signature. An ASCII file is created by adding the option --armor.

The authenticity of a signed file can be verified with the command 

   gpg --verify signed-file
or, in the case of a detached signature, by putting the signature file first: 
   gpg --verify file.sig file

Finally, a file can be encrypted and signed at the same time, e.g. 

   gpg --encrypt --sign --armor file

Web Of Trust

 The question was raised above on how confident one can be that a given public key actually belongs to the person you think it does. Short of meeting every recipient in person, you can indicate trust by signing the keys of those you know personally with your own key, assigning the degree of trust-worthiness you have in a given person. Then those who trust your key will also be able to trust the authenticity of those keys that you have sign. This provides a degree of confidence in communicating with "a friend of a friend", and builds what is known as a "web of trust". The importance of the web of trust should increase when a greater number of people start using PGP. A key's fingerprint may also be check in order to verify a key, as mentioned above.

Previous: Origins and Ideas of PGP
Next: Integration with mail programs
Back to index