Updated 20 Sep 01, Harald(at)iki.fi, v0.02
Created 6 Mar 01, Harald(at)iki.fi, v0.01

Copyright: You may copy and re-distribute this howto, as long as you
inform me of the changes you make in this file. You have to inform me of
errors, or stuff to improve.

Disclaimer: #include

-----------------------------------------------------------------------------
TOC:
1) PGP aka. gpg
   Directory setup
   Keys
   Backup
2) pgp4pine
3) Using it
4) Quickstart
-----------------------------------------------------------------------------

gpg and gnupg (not so) short howto for penti.org

PGP is an abbreviation for Pretty Good Privacy, originally created by
Mr. Zimmermann. This howto is about using the GPL licensed version of the
pgp software, gnupg or just gpg in short. This howto solely covers gnupg
(gpg) and its usage in mail with the pine MUA. If someone would write a gpg
mutt howto, I can include it here.

This howto doesn't explain asymmetric crypto, it just covers how to set it
up on penti.org so you'll be able to use it here. Read more about it on
http://google.com.

There are a couple of steps to follow before you can start, be patient, and
take some time. This will probably take something under an hour, but the
steps require some reading and understanding, so there's no use in rushing
it. If you're in a real hurry, and just want to use it, jump to the
"Quickstart" section.

1) PGP aka. gpg
---------------

Directory setup
---------------

- Run the command 'gpg' once in order to have it create your ~/.gnupg
  directory.

- Rename your ~/.gnupg/options file to ~/.gnupg/options.dist or something
  like that, and put this into your options file:

  $ cat ~/.gnupg/options
  no-secmem-warning
  keyserver belgium.keyserver.net
  keyserver wwwkeys.eu.pgp.net

Keys
----

- Create your own, personal pgp certificates with the command
  'gpg --gen-key'. The defaults are usually good enough. If you already
  have keys, generated by e.g.
NAI's pgp, you should be able to export/import them into your gnupg
keyrings as well.

  You will be asked for a passphrase, choose something you'll never, ever
  forget and be sure it isn't something easily guessed like 'passphrase'
  or something equally silly. When choosing the passphrase it's good to
  know that you will be entering this passphrase *every* time you are
  encrypting/signing something, so don't choose the first verse of our
  national song.

  ! Don't ever forget your passphrase, or let someone else know it.

- Now is a good time to create a revocation certificate, that can be used
  to invalidate your pgp-key if it gets compromised or something like that.
  You'll be able to do that with the command 'gpg --gen-revoke'. This will
  print out a certificate, which you should copy/paste into a file, maybe
  ~/.gnupg/revoke.cert. This file can then later be used to revoke your
  key, should you ever forget your passphrase, or if your keys get stolen.
  Do it now, while you still know the passphrase: generating the
  certificate needs it, so you can't make one after you have forgotten it.

- Play around a bit with 'gpg --edit-key "your_username"', using that you
  can countersign, set trust, change the passphrase and many other
  things... You should now add user IDs for all the e-mail addresses you
  are known as (the 'adduid' command; these are extra user IDs on the same
  key, not subkeys). Use the same name, but alter the e-mail addresses. I
  for instance ran 'adduid' and added harald@fopenti.org,
  harald.hannelius@fopenti.org to my primary harald@foxiki.fi address.
  This so that when people receive e-mail from me, all the addresses that
  appear in the e-mail are really mine. (Think headers...)

  You should obviously use the 'help' command once inside gpg, and equally
  obviously you should put full trust with the 'trust' command on your own
  keys. Or what do I know, you might not even trust yourself? :)

Backup
------

- Use ssh or some other secure means to copy all of the files, or the
  whole .gnupg directory, to a diskette. Set the read-only tab on the
  diskette, and put it in an envelope. Also write down your passphrase and
  put the paper in the same envelope.
  Seal the envelope and put it in the most secure safe you'll ever find.
  Periodically check that the envelope is un-opened. Remember that the
  envelope now holds both the secret key and the passphrase, so whoever
  opens it can use your key: the safe is all that protects it.

- Publish your keys with 'gpg --send-keys your_username', and ask someone
  to counter-sign your key and then re-send them back to the keyserver.
  The trust in pgp is built on the assumption that if many of my friends
  tell you that my key really is my key, you can be pretty sure that I
  really am who I pretend to be.

  Screenshot::

  $ gpg --send-keys harald
  gpg: success sending to `belgium.keyserver.net' (status=200)

  Now you can go to http://www.keyserver.net and look for keys of people
  you know. Also check that your own key looks ok. There's usually a minute
  or two delay between sending a key with gpg, and before it actually is on
  the web. The delay can be longer.

  Here are the most common arguments used:
  --list-keys, --fingerprint, --delete-key, --edit-key, --import

  N.B. that you should always use the '-a' argument when exporting keys, or
  you'll get your display garbled with binary mush.

2) pgp4pine
-----------

pgp4pine is a wrapper, that acts both as an out- and infilter in pine, so
using pgp would be as easy as possible when communicating. With pgp4pine
you'll be able to at least sign, crypt, verify and decrypt e-mail sent to
you.

In order to get signing and other stuff through pine working, you have to
run the following command:

  cp /usr/local/doc/pgp4pine/example.pgp4pinerc ~/.pgp4pinerc

Edit the file ~/.pgp4pinerc and check that you have the lines
"profile_list=gpg" and "profile_gpg_encrypt_to_self=1" and edit .pinerc as
follows (also look at 'man 1 pgp4pine'):

  $ grep pgp .pinerc
  display-filters=_BEGINNING("-----BEGIN PGP")_ /usr/local/bin/pgp4pine -d -i _TMPFILE_
  sending-filters=/usr/local/bin/pgp4pine -e -i _TMPFILE_ -r _RECIPIENTS_

Optionally put "compose-send-offers-first-filter" in .pinerc under your
options section. This would default to use the wrapper every time you send
an e-mail.
If you use pgp just occasionally, it might be a good idea to leave it out,
or have "no-compose-send-offers-first-filter". You'll be able to walk
through the options when sending by doing ^N or ^P in pine after ^X.

Read more in 'man gpg' and 'man pgp4pine'...

3) Using it
-----------

When composing an e-mail, and you want to be sure that the recipient
believes that it was really sent by you, you should choose 'sign' when
sending the e-mail through pgp4pine.

If you are sending secret stuff, you might want to encrypt the whole
e-mail. You can choose this by choosing 'encrypt'. Note that this
shouldn't be over-used, it is kind of frustrating to get crypted chit-chat,
and the reader has to enter their passphrase every time they look through
their inbox. So don't encrypt if not necessary.

! NB. If I'm correct, attachments don't get encrypted.

When you receive a signed or crypted e-mail, it has a line similar to
this:

  -----BEGIN PGP SIGNED MESSAGE-----

This won't be visible in pine, since the pgp4pinerc display filter will
check the content against the signature, and just show you a footer
instead, which should, if everything is ok, look like this:

  ------------ Output from gpg ------------
  gpg: Good signature from "Mr. RootWeiler "
  gpg:                 aka "Mr. RootWeiler "

This is a sign that the content probably really was written by the holder
of that key. Note that "Good signature" only says that the signature
matches the key; whether the key really belongs to the person named in it
is what the trust settings are for, and gpg warns you when the key is not
certified by anyone you trust.

If you trust the imported key, please put the appropriate trust on the key,
sign it and send it to the keyserver. Before signing someone's key, compare
its fingerprint ('gpg --fingerprint') with the owner over a channel you
trust, e.g. face to face or by phone. This is especially nice of you, if
you notice on http://www.keyserver.net that someone has signed your key, to
return the favour and countersign their key as well.
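The display filter above only shows you gpg's human-readable lines, and a "Good signature" line alone does not tell you whether the key is one you trust. The following is an added example, not part of the howto or of pgp4pine: a small shell filter that classifies a verification from gpg's machine-readable status lines (what you get with 'gpg --status-fd 1 --verify'), distinguishing a good signature from a trusted key, a good signature from an unknown key, a bad signature, a missing key, and a signature by an expired or revoked key. The sample status lines and the key id in them are constructed for the example; the status tokens themselves are gpg's own.

```shell
#!/bin/sh
# Added example (not from the howto or pgp4pine): classify a gpg --verify
# result from its --status-fd lines rather than from the "Good signature"
# text.  On real mail:
#   gpg --status-fd 1 --verify message.asc 2>/dev/null | classify_gpg_status

# "[GNUPG:] GOODSIG KEYID User Name <addr>"  ->  KEYID
keyid_of() {
    rest=${1#"[GNUPG:] "}; rest=${rest#* }
    echo "${rest%% *}"
}

# Reads status lines on stdin, prints one word (plus key id where known).
classify_gpg_status() {
    sig=none; trust=none; key=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)      sig=good;  key=$(keyid_of "$line") ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*)
                                       sig=stale; key=$(keyid_of "$line") ;;
            "[GNUPG:] BADSIG "*)       sig=bad ;;
            "[GNUPG:] ERRSIG "*)       sig=error ;;
            "[GNUPG:] NO_PUBKEY "*)    sig=nokey ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trust=trusted ;;
            "[GNUPG:] TRUST_MARGINAL"*)                         trust=marginal ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*) trust=untrusted ;;
        esac
    done
    case "$sig:$trust" in
        good:trusted)    echo "good-trusted $key" ;;
        good:marginal)   echo "good-marginal $key" ;;
        good:*)          echo "good-untrusted $key" ;;  # signature ok, identity unproven
        stale:*)         echo "stale $key" ;;           # key expired or revoked
        bad:*)           echo "bad" ;;
        nokey:*|error:*) echo "nokey" ;;                # fetch it with --recv-keys first
        *)               echo "unsigned" ;;
    esac
}

# Constructed sample status output (key id and user id are made up).
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Mr. RootWeiler <root@example.org>
[GNUPG:] TRUST_ULTIMATE'
SAMPLE_UNKNOWN='[GNUPG:] GOODSIG 0123456789ABCDEF Mr. RootWeiler <root@example.org>
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Mr. RootWeiler <root@example.org>'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1000000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
SAMPLE_REVOKED='[GNUPG:] REVKEYSIG 0123456789ABCDEF Mr. RootWeiler <root@example.org>'

for s in "$SAMPLE_TRUSTED" "$SAMPLE_UNKNOWN" "$SAMPLE_BAD" "$SAMPLE_NOKEY" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$s" | classify_gpg_status
done
```

Only "good-trusted" means both that the signature matches the key and that your own trust settings vouch for the key's owner; "good-untrusted" is what you get for any key you just pulled from a keyserver and have not checked.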
4) Quickstart
-------------

No guarantees, untested, your neck:

Paste the following commands in a shell:

cd
gpg
cat << EOF > ~/.gnupg/options
no-secmem-warning
keyserver belgium.keyserver.net
keyserver wwwkeys.eu.pgp.net
EOF
gpg --gen-key
echo "Now run adduid, if required: "
gpg --edit-key $LOGNAME
gpg --send-keys $LOGNAME
wget http://penti.org/howto/pinerc.patch && patch < pinerc.patch
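The setup steps of section 1 (options file, key, revocation certificate, armored export, backup) as one script you can rehearse against a throwaway directory before touching ~/.gnupg. This is an added example, not part of the howto or of the penti.org setup: the helper names, the '--homedir' based layout, the backup directory and the checksum manifest are assumptions, and the gpg commands themselves are the same interactive ones the howto uses.

```shell
#!/bin/sh
# Added example (not from the howto): section 1 as a script against a
# throwaway GNUPGHOME.  Full interactive run (gpg asks for the passphrase
# and for the revocation reason):
#   sh setup-gpg.sh run /tmp/gnupg-test you@example.org
# Paths, helper names and the backup layout are this example's own.

# Write the options file from the howto, keeping any existing one as options.dist.
write_gpg_options() {                     # $1 = gnupg home dir
    home=$1
    mkdir -p "$home" && chmod 700 "$home"
    if [ -e "$home/options" ]; then
        mv "$home/options" "$home/options.dist"
    fi
    cat > "$home/options" <<'EOF'
no-secmem-warning
keyserver belgium.keyserver.net
keyserver wwwkeys.eu.pgp.net
EOF
    chmod 600 "$home/options"
}

# gpg warns about unsafe permissions on its home dir; check before it has to.
check_gnupg_perms() {                     # $1 = gnupg home dir; prints ok/unsafe
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        700) echo ok ;;
        *)   echo unsafe ;;
    esac
}

# Bundle the whole gnupg dir plus a checksum manifest, so the copy in the
# envelope can later be checked for silent corruption, not just for seals.
backup_gnupg() {                          # $1 = gnupg home, $2 = backup dir
    home=$1; dest=$2
    mkdir -p "$dest" && chmod 700 "$dest"
    tar cf "$dest/gnupg-backup.tar" -C "$(dirname "$home")" "$(basename "$home")"
    (cd "$dest" && cksum gnupg-backup.tar > gnupg-backup.cksum)
    chmod 600 "$dest"/gnupg-backup.*
}

verify_backup() {                         # $1 = backup dir; prints ok/corrupt
    (cd "$1" && [ "$(cksum gnupg-backup.tar)" = "$(cat gnupg-backup.cksum)" ]) \
        && echo ok || echo corrupt
}

if [ "${1:-}" = run ]; then
    home=$2; email=$3
    write_gpg_options "$home"
    gpg --homedir "$home" --gen-key                                     # interactive
    gpg --homedir "$home" --armor --output "$home/revoke.cert" --gen-revoke "$email"
    chmod 600 "$home/revoke.cert"                                       # needs the passphrase, so do it now
    gpg --homedir "$home" --armor --export "$email" > "$home/pubkey.asc" # always -a when exporting
    gpg --homedir "$home" --fingerprint "$email"                         # what you read out to co-signers
    backup_gnupg "$home" "$home-backup"
    echo "permissions: $(check_gnupg_perms "$home"), backup: $(verify_backup "$home-backup")"
fi
```

The revocation certificate and the backup are written with mode 600 for the same reason the howto puts the diskette in a sealed envelope: anyone who can read them can revoke or, with the passphrase, use the key. Re-run 'verify_backup' whenever you check the envelope.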