= GPG Intro = title: "GPG Intro" page: http://www.guckes.net/talks/gpg_intro.txt page: http://www.guckes.net/talks/gpg_intro.html Latest change: Tue Nov 22 18:10:51 CET 2016 = Description = workshop. duration 2h-3h. "encryption? of course i use it!" * creation: we will create a key pair. * use: encrypt+decrypt files, and sign files. * key_management: find keys on a keyserver. download and upload keys from/to a keyserver. * signing: sign another person's key. we will be using gpg from the command line. yes, some typing involved. it's really easy! and remember: "the shell is your friend!" :) discussion: why we do key signing parties? "Web of Trust" some preparation for Key Signing Parties. outlook: using mutt (or neomutt) for emailing with encryption and digital signatures. = Intro = $ gpg gpg: Go ahead and type your message ... ^C gpg: Interrupt caught ... exiting boring! ;-) here, gpg already expects an encrypted message as input. typing it all yourself probably is too much. but you can make gpg *encrypt* a message for you: $ echo this is a test | gpg -e -a gpg will encrypt (option "-e") the text "this is a test" with your default key. but if you do not have one yet then you should first let it generate a key pair, consisting of pubkey and seckey. = GNU! = as gpg is a GNU tool, there are the two standard "long options": $ gpg --help $ gpg --version there are *many* options: $ gpg -- zsh: do you wish to see all 530 possibilities (177 lines)? why does gpg have so many options? because it can do a lot of things. it is like a swiss army knife. but before we can do anything for ourselves, we must generate a key. actually, a key *pair*. = Key Generation = to generate a key *pair* (public key and secret key), you'd use the long option "--gen-key": $ gpg --gen-key == step-by-step == the process is like this: first, gpg asks you three questions about the key itself: (1) KIND: the "kind" of key refers to its generation *algorithm*. which is the best and most secure? well, there are many papers and books about this. for now, just use the default ("(1) RSA and DSA (default)") by typing RETURN. (2) BITS: how many bits shall your key have? this basically means: how *long* shall it be? if you are only testing this then enter "1024". the key generation might be a lot quicker then. however, for real use, better use the default of "2048". and if you want more, well, use "4096". this will take much longer - for sure. (3) VALIDITY: for now, accept the default with a RETURN. they key will not expire then. you can change that later still. after these three questions comes the prompt "Is this correct? (y/N)". when you type RETURN here, the 'N' is the answer and you have to answer these questions again. Answer with 'y' to go on.. then next three questions are about your "user ID" which consists of a name, an email address, and a comment. NAME (COMMENT)
the name has to be at least five characters long and may not start with a digit; however, both the email and the comment are optional. whether you use your full real name or a pseudonym - that is all up to you. by the way, you can add more UIDs (name+email+comment) to the same key, too. so the same key might be used in connection to more of your addresses. next question is: "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?" so you can still edit previous entries here. enter 'o' to finish this part. "You need a Passphrase to protect your secret key. Enter passphrase:" enter a "passphrase" now. this is like a password - but i can be quite much longer. maybe enter a short one for now, something you *will* remember. you can change it later. you will have to repeat the entry to make sure you did not mistype anything: "Repeat passphrase:" after that the process of the generation starts.. "We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 197 more bytes)" [TODO: insert info on haveged] a summary of that process: GPG Key Generation $ gpg --gen-key ($KIND) RET ($BITS) RET ($VALIDITY) RET y RET $NAME RET $MAIL RET $COMMENT RET o $PASSPHRASE RET $PASSPHRASE RET -> generation = New Key = "i have a key!" TODO... = Look Back = now that you have a key, let us look back at the beginning again: $ echo this is a test | gpg -e -a this yields a message like this: -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQP0A+q5fyABhTkbAR88DffhHGYg5EBgwYG/8GY4+TWFn5U6RgMWNE4ES3+/KhiG ................................................................ Fp4z2yJo+xIPQX2lXXZRDJY1u9NCtNDySOKpstIlg7K1 =Wvju -----END PGP MESSAGE----- now you can feed this output back to gpg again: $ echo this is a test | gpg -e -a | gpg this is a test as you can see - the inout had been converted to something unitelligible data - and back again. gpg has been used for encryption, then decryption. "yay!" = messaging others = using the pubkey of others: * downloading from a keyserver. * checking the fingerprint. * using gpg to encrypt with a pubkey. example: $ gpg -e -r 0185391B file -> file.gpg = signing files = anyone can check the consistence of data (read: a message) and its digital signature. "this message has been signed by this entity". whether the seckey actually belongs to the person is another problem. this can be somewhat solved with digital signatures on the pubkey. that's where key signing parties come in. = Key Signing Party = Key Signing Parties are congrerations of people where they can check each others' identities and where they exchange the fingerprints of their keys. mind you: no food, no music, no dancing. usually. you can provide these when you throw your own party, of course. but usually - dont expect any of these. the point of it all is to establish a connection between the person and his keys. when you have made this connection then you sign his key. actually, you sign a *copy* of his pubkey - and then upload it to one of the keyservers. the keyserver will merge the existing copy of the key with the new copy of the key. and the keyservers will exchange keys ("gossipping") between each other. = Result = others have done it - you can do this, too! the maschine does the number crunching for you. programs are there to help you do it. it takes a bit of getting used it. seek the opportunity to do this together with others. take your questions to a cryptoparty and talk to people. they will help you install and configure programs, as well provide a communication with you. = Conversation = typical conversations essentially run like this: "why do you do this?" "because now i can." "are you hiding sth?" "yes - my privacy." "isn't this illegal?" "no, it isnt." ".only for military?" "no, your bank wants you to use crypto, too." "what does it cost?" "it is free of charge *and* free software as well" "are there backdoors?" "free software means open source. you can check!" "i'm no programmer." "well - at least you can let others check for you." "and how to use it?" "i can teach you. we all can!" -> cryptoparties "if all your devices simply has crypto installed, and would encrypt all you data so only *you* can open them, and would encrypt all messages to others by default so only *they* can read them - would you turn it *off*?" = Links = http://gilc.org/privacy/survey/intro.html https://en.wikipedia.org/wiki/Right_to_privacy https://userbase.kde.org/Concepts/OpenPGP_Getting_Started "Concepts/OpenPGP Getting Started" [last updated 2013-11-06] = Contact = contact me here.. Sven Guckes keysigningparty@guckes.net http://tinyurl.com/8000R-0185391B 8000R/0185391B 2014-03-11 32CE 5648 6E6D 6D6D 33E5 3A38 EAB9 7F20 0185 391B keysigningparty@guckes.net = Event = this has been presented at these events: 2016-11-13 Sat 12-13h Track3 Sven Guckes: "GPG Intro" page: https://www.t-dose.org/node/1051 link: http://www.guckes.net/talks/gpg_intro.txt = TODO = use pwgen as a text creator = THE END = $ date -d @1478904223 Fr 11. Nov 23:43:43 CET 2016 vim: set et fenc=latin1 ft=sven tw=999 nowrap: THPXRF EOF