How Do I Generate A Pgp Key In Linux

Posted on  by
  1. How Do I Generate A Pgp Key In Linux Pdf
  2. How Do I Generate A Pgp Key In Linux Windows 10

Table of Contents

  • 4Sending and receiving public keys

This tutorial explains how to set up Thunderbird to digitally sign, encrypt and decrypt messages in order to make them secure.

A PGP public key contains information about one's email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable. For most use cases, the secret key need not be exported and should not distributed. How to Generate PGP Keys. Initialize the GPG Directory. gpg -gen-key. Gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. This program comes with. Generate a Private Key. gpg -gen-key. Gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc. This program comes.

The email infrastructure that everyone uses is, by design, not secure. While most people connect to their email servers using a secure ('SSL') connection, some servers allow unsecured access. Furthermore, as the message moves through its transmission path from sender to recipient, the connections between each server are not necessarily secure. It is possible for third parties to intercept, read and alter email messages as they are transmitted.

When you digitally sign a message, you embed information in the message that validates your identity. When you encrypt a message, it appears to be 'scrambled' and can only by read by a person who has the key to decrypting the message. Digitally signing a message ensures that the message originated from the stated sender. Encrypting ensures that the message has not been read or altered during transmission.

To encrypt messages, you can use the public-key cryptographic system. In this system, each participant has two separate keys: a public encryption key and a private decryption key. When someone wants send you an encrypted message, he or she uses your public key to generate the encryption algorithm. When you receive the message, you must use your private key to decrypt it.

The protocol used to encrypt emails is called PGP (Pretty Good Privacy). To use PGP within Thunderbird, you must first install:

  • GnuPG: (GNU Privacy Guard): a free software implementation of PGP
  • Enigmail: a Thunderbird add-on

These two applications also provide the capability to digitally sign messages.

To install GnuPG, download appropriate package from the GnuPG binaries page. Follow the installation instructions provided for your particular package. For more information on installing PGP on specific operating systems, refer to:

To install Enigmail:

  1. In Thunderbird, select Tools > Add-ons.
  2. Use the search bar in the top right corner to search for Enigmail.
  3. Select Enigmail from the search results and follow the instructions to install the add-on.

Create your public/private keys as follows:

  1. On the Thunderbird menu bar, click OpenPGP and select Setup Wizard.
  2. Select Yes, I would like the wizard to get me started as shown in the image below. Click to proceed.
  3. The wizard asks whether you want to sign all outgoing messages or whether you want to configure different rules for different recipients. It is usually a good idea to sign all emails so that people can confirm that the email is indeed from you. Message recipients do not need to use digital signatures or PGP to read a digitally signed message. Select Yes, I want to sign all of my email and click to proceed.
  4. Next, the wizard asks if you want to encrypt all your emails. You should not select this option unless you have the public keys for all the people that you expect to send messages to. Select No, I will create per-recipient rules for those who send me their public keys and click to proceed.
  5. The wizard asks if it can change some of your mail formatting settings to better work with PGP. It is a good choice to answer Yes here. Click to proceed.
  6. Select the email account for which you want to create the keys. You need to enter a password in the ‘Passphrase’ text box which is used to protect your private key. This password is used to decrypt messages, so don't forget it. The password should be at least 8 characters long and not use any dictionary words. (See this Wikipedia article for information on creating strong passwords.) Enter this password twice and click to proceed.
  7. The next screen displays the preferences you configured. If you are satisfied, click to proceed.
  8. When the process of creating your keys is completed, click to proceed.
  9. The wizard will ask if you want to create a ‘Revocation certificate’ which you would use if the security of your key pair was compromised and you needed to inform others that it is no longer valid. If you want to create the file click on and follow the steps on the subsequent screens. Otherwise, click .
  10. The wizard finally informs you that it has completed the process. Click to exit the wizard.

Sending your public key via email

To receive encrypted messages from other people, you must first send them your public key:

  1. Compose the message.
  2. Select OpenPGP from the Thunderbird menu bar and select Attach My Public Key.
  3. Send the email as usual.

Receiving a public key via email

To send encrypted messages to other people, you must receive and store their public key:

  1. Open the message that contains the public key.
  2. At the bottom of the window, double click on the attachment that ends in '.asc'. (This file contains the public key.)
  3. Thunderbird automatically recognizes that this is a PGP key. A dialog box appears, prompting you to ‘Import’ or ‘View’ the key. Click to import the key.
  4. You will see a confirmation that the key has been successfully imported. Click to complete the process.
  1. Compose the message as usual.
  2. To digitally sign a message, select OpenPGP from the Thunderbird menu and enable the Sign Message option. To encrypt a message, enable the Encrypt Message option. The system may ask you to enter your Passphrase before encrypting the message.
  3. If your email address is associated with a PGP key, the message will be encrypted with that key. If the email address is not associated with a PGP key, you will be prompted to select a key from a list.
  4. Send the message as usual.
Note: The subject line of the message will not be encrypted.

When you receive an encrypted message, Thunderbird will ask you to enter your secret passphrase to decrypt the message. To determine whether or not the incoming message has been signed or digitally encrypted you need to look at the information bar above the message body.

If Thunderbird recognizes the signature, a green bar (as shown below) appears above the message.

If the message has been encrypted and signed, the green bar also displays the text 'Decrypted message'.

If the message has been encrypted but not signed the bar would appear as shown below.

Note: A message which has not been signed could be from someone trying to impersonate someone else.

If you believe that your private key has been 'compromised' (that is, someone else has had access to the file that contains your private key), you should revoke your current set of keys as soon as possible and create a new pair. To revoke your current set of keys:

  1. On the Thunderbird menu, click OpenPGP and select Key Management.
  2. A dialog box appears as shown below. Check Display All Keys by Default to show all the keys.
  3. Right-click on the key you want to revoke and select Revoke Key.
  4. A dialog box appears asking if you really want to revoke the key. Click to proceed.
  5. Another dialog box appears asking you to enter your secret passphrase. Enter the passphrase and click to revoke the key.

Send the revocation certificate to the people you correspond with so that they know that your current key is no longer valid. This ensures that if someone tries to use your current key to impersonate you, the recipients will know that the key pair is not valid.

Related

How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 18.04 Tutorial
How To Set Up and Configure an OpenVPN Server on CentOS 8 Tutorial

Introduction

GPG, or GNU Privacy Guard, is a public key cryptography implementation. This allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.

In this guide, we will discuss how GPG works and how to implement it. We will be using an Ubuntu 16.04 server for this demonstration, but will include instructions for other distributions as well.

How Public Key Encryption Works

A problem that many users face is how to communicate securely and validate the identity of the party they are talking to. Many schemes that attempt to answer this question require, at least at some point, the transfer of a password or other identifying credentials, over an insecure medium.

Ensure That Only the Intended Party Can Read

To get around this issue, GPG relies on a security concept known as public key encryption. The idea is that you can split the encrypting and decrypting stages of the transmission into two separate pieces. That way, you can freely distribute the encrypting portion, as long as you secure the decrypting portion.

This would allow for a one-way message transfer that can be created and encrypted by anyone, but only be decrypted by the designated user (the one with the private decrypting key). If both of the parties create public/private key pairs and give each other their public encrypting keys, they can both encrypt messages to each other.

So in this scenario, each party has their own private key and the other user’s public key.

Validate the Identity of the Sender

Another benefit of this system is that the sender of a message can “sign” the message with their private key. The public key that the receiver has can be used to verify that the signature is actually being sent by the indicated user.

Set Up GPG Keys

GPG is installed by default in most distributions.

If for any reason GPG is not installed, on Ubuntu and Debian, you can update the local repo index and install it by typing:

On CentOS, you can install GPG by typing:

To begin using GPG to encrypt your communications, you need to create a key pair. You can do this by issuing the following command:

This will take you through a few questions that will configure your keys:

  • Please select what kind of key you want: (1) RSA and RSA (default)
  • What keysize do you want? 4096
  • Key is valid for? 1y (expires after 1 year. If you are just testing, you may want to create a short-lived key the first time by using a number like “3” instead.)
  • Is this correct? y
  • Real name: your real name here
  • Email address: your_email@address.com
  • Comment: Optional comment that will be visible in your signature
  • Change (N)ame, ©omment, (E)mail or (O)kay/(Q)uit? O
  • Enter passphrase: Enter a secure passphrase here (upper & lower case, digits, symbols)

At this point, gpg will generate the keys using entropy. Entropy describes the amount of unpredictability and nondeterminism that exists in a system. GPG needs this entropy to generate a secure set of keys.

This process may take a long time depending on how active your system is and the keysize you selected. To generate additional entropy more easily, you can use a tool called haveged. Open up a new terminal and SSH into the server again to set up haveged on your server.

Create a Revocation Certificate

You need to have a way of invalidating your key pair in case there is a security breach or in case you lose your secret key. There is an easy way of doing this with the GPG software.

This should be done as soon as you make the key pair, not when you need it. This revocation key must be generated ahead of time and kept in a secure, separate location in case your computer is compromised or inoperable. To generate a revocation key, type:

You will be asked to confirm the revocation key creation and then prompted for the reason that it is being revoked. This information will be visible to other users if the revocation is used in the future. You can choose any of the available options, but since this is being done ahead of time, you won’t have the specifics. Often, it is a good idea to create a revocation certificate for each of the likely scenarios for maximum flexibility.

Afterwards, you will then be asked to supply a comment and finally, to confirm the selections. Before creating the revocation certificate, you will need to enter your GPG key’s passphrase to confirm your identity. The revocation certificate will be written to the file specified by the --output flag (revocation.crt in our example):

You should immediately restrict the permissions on the generated certificate file in order to prevent unauthorized access:

The revocation certificate must be kept secure so that other users cannot revoke your key. As the message states, you should consider backing the certificate up to other machines and printing it out, as long as you can secure it properly.

How To Import Other Users’ Public Keys

GPG would be pretty useless if you could not accept other public keys from people you wished to communicate with.

You can import someone’s public key in a variety of ways. If you’ve obtained a public key from someone in a text file, GPG can import it with the following command:

There is also the possibility that the person you are wishing to communicate with has uploaded their key to a public key server. These key servers are used to house people’s public keys from all over the world.

A popular key server that syncs its information with a variety of other servers is the MIT public key server. You can search for people by their name or email address by going here in your web browser:

You can also search the key server from within GPG by typing the following:

You can use this method of searching by name or email address. You can import keys that you find by following the prompts.

How To Verify and Sign Keys

While you can freely distribute your generated public key file and people can use this to contact you in a secure way, it is important to be able to trust that the key belongs to who you think it does during the initial public key transmission.

Verify the Other Person’s Identity

How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.

But there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. If you never want to communicate over insecure channels, verification of the public key could be problematic.

Luckily, instead of verifying the entire public keys of both parties, you can simply compare the “fingerprint” derived from these keys. This will give you a reasonable assurance that you both are using the same public key information.

You can get the fingerprint of a public key by typing:

This will produce a much more manageable string of numbers to compare. You can compare this string with the person themselves, or with someone else who has access to that person.

Sign Their Key

Signing a key tells your software that you trust the key that you have been provided with and that you have verified that it is associated with the person in question.

To sign a key that you’ve imported, simply type:

When you sign the key, it means you verify that you trust the person is who they claim to be. This can help other people decide whether to trust that person too. If someone trusts you, and they see that you’ve signed this person’s key, they may be more likely to trust their identity too.

You should allow the person whose key you are signing to take advantage of your trusted relationship by sending them back the signed key. You can do this by typing:

You’ll have to type in your passphrase again. Afterwards, their public key, signed by you, will be displayed. Send them this, so that they can benefit from gaining your “stamp of approval” when interacting with others.

When they receive this new, signed key, they can import it, adding the signing information you’ve generated into their GPG database. They can do this by typing:

They can now demonstrate to other people that you trust that their identity is correct.

How To Make Your Public Key Highly Available

Because of the way that public key encryption is designed, there is not anything malicious that can happen if unknown people have your public key.

With this in mind, it may be beneficial to make your public key publicly available. People can then find your information to send you messages securely from your very first interaction.

You can send anyone your public key by requesting it from the GPG system:

You can then send this file to the other party over an appropriate medium.

If you want to publish your key to a key server, you can do it manually through the forms available on most of the server sites.

Another option is to do this through the GPG interface. Look up your key ID by typing:

The highlighted portion in the output below is the key ID (look for the pub along the left-hand column if you’re uncertain about which one to use). It is a short way to reference the key to the internal software.

To upload your key to a certain key server, you can then use this syntax:

The key will be uploaded to the specified server. Afterwards, it will likely be distributed to other key servers around the world.

Encrypt and Decrypt Messages with GPG

You can easily encrypt and decrypt messages after you have shared your keys with the other party.

Encrypt Messages

You can encrypt messages using the “–encrypt” flag for GPG. The basic syntax would be:

This encrypts the message using the recipient’s public key, signs it with your own private key to guarantee that it is coming from you, and outputs the message in a text format instead of raw bytes. The filename will be the same as the input filename, but with an .asc extension.

Linux

You should include a second “-r” recipient with your own email address if you want to be able to read the encrypted message. This is because the message will be encrypted with each person’s public key, and will only be able to be decrypted with the associated private key.

So if it was only encrypted with the other party’s public key, you would not be able to view the message again, unless you somehow obtained their private key. Adding yourself as a second recipient encrypts the message two separate times, one for each recipient.

Decrypt Messages

When you receive a message, simply call GPG on the message file:

Let’s get this out of the way, first of all: Plants vs Zombies Garden Warfare 2 has Yes graphics “cute”. Download plants vs zombies garden warfare cd-key generator download Playing the game, however, it is clear that Plants vs Zombies Garden Warfare 2 is much more than a mindless shooting with graphics.OK.

The software will prompt you as necessary.

If instead of a file, you have the message as a raw text stream, you can copy and paste it after typing gpg without any arguments. You can press “CTRL-D” to signify the end of the message and GPG will decrypt it for you.

Key Maintenance

How Do I Generate A Pgp Key In Linux Pdf

There are a number of procedures that you may need to use on a regular basis to manage your key database.

To list your available GPG keys that you have from other people, you can issue this command:

Your key information can become outdated if you are relying on information pulled from public key servers. You do not want to be relying on revoked keys, because that would mean you are trusting potentially compromised keys.

You can update the key information by issuing:

How Do I Generate A Pgp Key In Linux Windows 10

This will fetch new information from the key servers.

You can pull information from a specific key server by using:

You may receive error messages if any of your keys cannot be found on the key server.

Conclusion

Using GPG correctly can help you secure your communications with different people. This is extremely helpful, especially when dealing with sensitive information, but also when dealing with regular, everyday messaging.

Because of the way that certain encrypted communications can be flagged by monitoring programs, it is recommended to use encryption for everything, not just “secret” data. That will make it more difficult for people to know when you are sending important data or just sending a friendly hello.