noizZze

PGP for Mortal Developers

Why do I need it?

PGP has two main purposes – signing and encryption. When you sign a document (letter or file), you let the recipient know who is the origin and be sure the document wasn’t altered on its way.

Encryption doesn’t let anyone except the recipient to see the contents of the document.

We, programmers, can use this feature in many practical cases. Here is just a couple of them:

  • Store a secret file with passwords and configuration details that’s intended for your development team only in the open (version control repository)
  • Exchange sensitive messages with clients (invoices, server account passwords, confidential information)

How does it work?

Everyone has two keys – public and secret. Public keys you give away to people you want to be able to send you encrypted documents. In return, if they want you to send them encrypted documents, they give their public keys to you. This is important concept to understand – you can encrypt documents with public keys of recipients. In other words, you can send documents only to the people in your “PGP address book”.

Secret keys are kept in secret (read-only media stashed somewhere secretly comes to mind). You use them to open encrypted documents that are addressed to you by others. Under no condition do you hand it over to anyone.

Usually, to share public keys, (a) you send them directly via e-mail, (b) publish on your web site, or (c) publish them on key servers (for example, pgp.mit.edu). Think of the key server as a directory of keys. You can find people you know there if they use PGP. Some well-known key servers synchronize their records, some not.

Once you have your own key, you may want to start exchanging it for keys of the members of your team, family, friends and clients. When you get a key from the person you trust, you can sign it thus building the trusted web of keys. It starts to really work when some friend of a friend sends you his key, and you see that Gus trusts him while you trust Gus, so that’s probably OK to trust and sign. Note, that it’s not about the trust between people, as you might think, it’s the trust in that the key you’ve been given does really belong to that person (not forged).

When you have a directory of keys, you can now start signing documents (again, letters, files) and sending them over to your contacts. They will be able to open them.

How to configure?

First, you need a key if you don’t have one:

$ gpg --gen-key

… is what you do. Answer the questions and wait while the key-pair is generated. The common choice is 1024-bit “DSA and ElGamal”, but you may choose more bits. The encryption will be slower, but you won’t notice it on modern hardware unless you are encrypting wikipedia. DSA lets you sign your documents, and ElGammal give the encryption. Usually people don’t use expiration at all if it’s not a mission critical temporary key. Don’t forget the passphrase. It’s important to protect your keys.

Manuals recommend creating a revocation key to be able to revoke your keys in case of theft or bad pass phrase memory:

$ gpg -o revoke.asc --gen-revoke my_key_id

Now you can see your key in the list:

$ gpg -k

To export the key in binary form and give it to someone use:

$ gpg -o john.gpg --export my_key_id

To get the same key in plain text, add the ‘–armor’ key:

$ gpg -o john.gpg --armor --export my_key_id

(you can omit ‘-o …’ to get it all in stdout)

When someone sends you a key, you can import it with:

$ gpg --import mark.gpg
$ gpg -k

If you trust the key, sign it:

$ gpg --sign-key key_id

When you are ready to send your key, find the server (i.e. pgp.mit.edu) and submit your key either through the web interface or using the gpg command again:

$ gpg --keyserver pgp.mit.edu --send-key my_key_id

How to sign?

Now that you have your key, keys of your recipients and documents to protect, here’s what you do.

To sign a document there are two ways – clear text and binary with optional compression.

When you have a plain text document that you want to sign leaving it legible, you choose clear text signing. It will add the plain text block with your signature to the bottom of your document. If anyone touches the document, the signature won’t match the content and it won’t be your authentic copy any more.

$ gpg --clearsign document.txt

When you have a binary document or want to compress along with signing and additionally protect from change:

$ gpg -o doc.txt.sig --sign doc.txt

To verify the signature of the document that’s sent to you:

$ gpg --verify doc.txt.sig

To get the original (doc.txt):

$ gpg doc.txt.sig

How to encrypt and decrypt?

When you need to encrypt a document, you choose the recipients first and then use their public keys from your “keychain” (gpg -k) to create the encrypted version.

$ gpg -o doc.txt.gpg -e -r mike -r robert doc.txt

NOTE: You won’t be able to open the file if you don’t include yourself into the recipients list.

To decrypt the file:

$ gpg doc.txt.gpg

What else?

Once you are familiar with these simple tools, you may want to start exchanging protected e-mails with your co-workers, clients and friends. Many e-mail client support PGP these days.

Today, as we store our mail on the servers of giant Internet companies, it’s a norm to feel uncomfortable knowing that anyone can read your correspondence. Let’s make it a little bit harder.

That’s all folks. If you notice any inaccuracies, or have any suggestions, please let me know. I’m not an expert in this area at any stretch of imagination. This is just a quick summary for those who want to start quickly. You can find more info on official web site: http://www.gnupg.org.