# GPG Intro # title: "GPG Intro" page: http://www.guckes.net/talks/gpg_intro.txt page: http://www.guckes.net/talks/gpg_intro.html Latest change: Mon Jul 09 00:42:23 CEST 2018 # Description # ## Description (short) ## * motto: "encryption? of course i use it!" * kind: talk and/or workshop. * duration: between 1h and 4h. * goal: create a key pair to encrypt+decrypt+sign data. simple key management. discuss key signing parties. * Motto: "Verschlüsselung? Natürlich verwende ich das!" * Art: Vortrag und/oder Workshop. * Dauer: zwischen einer und vier stunden. * Ziel: Schlüsselpaarerzeugung zur Verschlüsselung+Signierung von Daten. Einfaches Schlüsselmanagement. Diskussion über Key Signing Parties und dem Web of Trust. ## EN Description (long) ## These are some easy steps to get you started with crypto, using the program GnuPG (gpg). The goal is to be able to encrypt and sign data (read: e-mails,files), add userIDs (and maybe a photoID), create a revocation certificate, do some simple key management. It concludes with an outlook on cryptoparties, key signing parties, and the web of trust. # EN Structure # ## EN Startup ## * creation: we will create a key pair. * creation: create a revoke certificate. ## EN Simple Use ## * encrypt files/messages * decrypt files/messages * sign files/messages ## EN Key Management ## * add userIDs (name+email+comment) * find/search keys on a keyserver. * download and upload keys from/to a keyserver. * view paths between keys on a keyserver * signing another person's key. * extend validity of your key * revoke UIDs of your key we will be using gpg from the command line. yes, some typing involved. but it's really easy! and remember: "the shell is your friend!" :) so it provides you with aliases and functions. ## EN Discussion ## * why do we run key signing parties? -> "Web of Trust" * preparation for Key Signing Parties. ## EN Outlook ## possible special workshops for emailing with encryption and digital signatures: * using Thunderbird * using mutt (or neomutt) * using vim for message editing ## DE Beschreibung (lang) ## Dies sind ein paar einfache Schritte, um mit Crypto zu beginnen - unter der Verwendung von GnuPG (gpg). Da Ziel ist das Verschlüsseln und das Signieren von Daten (E-Mails,Dateien), das Hinzufügen von userIDs (und photoIDs), das Erstellen eines Widerrufszertifikats (revocation certificate), und von einem einfachen Schlüsselmanagement. Es beschließ dann mit einer Aussicht auf Cryptoparties, Key Signing Parties und dem Web of Trust. ## DE Beschreibung (lang) ## 2018-04-03 # DE Struktur # ## Anfang ## * Erzeugung eines Schlüsselpaars (pubkey+seckey) * Erzeugung eines Widerrufszertifikats ## Einfache Handhabung ## * Verschlüsselung von Dateien/Nachrichten * Entschlüsselung von Dateien/Nachrichten * Signieren von Dateien/Nachrichten ## Schlüsselmanagement ## * UserIDs hinzufügen (Name+Email+Kommentar) * Finde/Suche Schlüssel auf einem Keyserver. * Runterladen von bzw Hochladen auf einen Keyserver. * Verbindungswege zwischen Schlüsseln visualisieren * Unterschreiben von anderen Schlüsseln * Erweiterung der Gültigkeit des eigenen Schlüssels * Widerrufen von UserIDs des eigenen Schlüssels Wir werden gpg von der Kommandozeile/Shell benutzen. Ja.. da muss man mal tippen. Ist aber recht einfach. Man erinnere sich: "Die Shell ist dein Freund!" Sie stellt Aliase und Funktionen für dich bereit. ## Diskussion ## * Warum machen wir Key Signing Parties? -> "Web of Trust" * Vorbereitung auf Key Signing Parties. ## Ausblick ## Spezielle Workshops zum Mailen mit Verschlüsselung und Digitalen Signaturen. * mit Thunderbird * mit mutt (oder neomutt) * mit vim zum Nachrichtenschreiben # Voraussetzungen # Bringt einen Rechner mit auf dem schon ein Linux installiert ist. Ihr solltet einen (*irgendeinen*) *Editor* installiert haben, den ihr bedienen könnt. Euer *Terminal* solltet ihr per Tastenkombination öffnen können, sowie dessen Zeichensatzgröße vergrößern bzw verkleinern können (zB mit CTRL-Plus und CTRL-Minus). [Paketmanager] Es hilft, wenn ihr die Befehle kennt, um Programmpakete zu installieren (oder auch zu deinstallieren). Zumeist wird als Shell eine bash installiert sein. In der *Shell* solltet ihr den Cursor positionieren können [Navigation], sowie Text/Worte löschen und einfügen können. [Insert+Delete] # EN Intro # how does this gpg program work? simply calling it by its name looks like this: $ gpg gpg: Go ahead and type your message ... ^C gpg: Interrupt caught ... exiting how boring! ;-) here, gpg already expects an encrypted message as *input*. but typing an encrypted message all by yourself probably is just a bit too much. but you can make gpg *encrypt* a message for you: create some message as input with "echo" and use the pipe symbol (|) to feed it to gpg: $ echo this is a test | gpg -e -a gpg will encrypt (option "-e") the text "this is a test" with your default key (which might be set within the config already, ie the file ~/.gnupg/gpg.conf ) and the output is requested as ASCII with the option "-a". but if you do not have created a key yet then you should first let it *generate* a key *pair*, consisting of the public key (aka pubkey) and the secret key (aka seckey). # GNU! # as gpg is a GNU tool, there are the two standard "long options": $ gpg --help $ gpg --version there are *many* options: $ gpg -- zsh: do you wish to see all 530 possibilities (177 lines)? why does gpg have so many options? because it can do a lot of things. it is like a swiss army knife. but before we can do anything for ourselves, we must generate a key. actually, a key *pair*. # Key Generation with gpg-1.x.x # to generate a key *pair* (public key and secret key), you'd use the long option "--gen-key": $ gpg --gen-key ## step-by-step ## the process is like this: first, gpg asks you three questions about the key itself: (1) KIND: the "kind" of key refers to its generation *algorithm*. which is the best and most secure? well, there are many papers and books about this. for now, just use the default ("(1) RSA and DSA (default)") by typing RETURN. (2) BITS: how many bits shall your key have? this basically means: how *long* shall it be? if you are only testing this then enter "1024". the key generation might be a lot quicker then. however, for real use, better use the default of "2048". and if you want more, well, use "4096". this will take much longer - for sure. (3) VALIDITY: for now, accept the default with a RETURN. they key will not expire then. you can change that later still. after these three questions comes the prompt: "Is this correct? (y/N)". when you type RETURN here, the 'N' is the default answer, ie "no". in this case gpg returns to the beginning and you have to answer these three questions again. Answer with 'y' to go on.. then next three questions are about your "user ID" which consists of a *name*, an *email address*, and a *comment*. NAME (COMMENT)
the name has to be at least five characters long and may not start with a digit; however, both the email and the comment are optional and thus can be empty. whether you use your full real name or a pseudonym - that is all up to you. by the way, you can add more UIDs (name+email+comment) to the same key, too. so the same key might be used in connection to more of your addresses. the next question is: "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?" so in case you mistyped something then you can still edit one of your previous entries here. when you are done then enter 'o' (for OK) to finish this part. your secret key will not simply be stored "as is", it will be encrypted with a *passphrase* of yours: "You need a Passphrase to protect your secret key. Enter passphrase:" enter a "passphrase" now. this is like a password - but it can be quite much longer. maybe enter a short one for now, something you *will* remember. you can change it later to something longer and more complicated, of course. you will have to repeat the entry to make sure you did not mistype anything: "Repeat passphrase:" after that the process of the generation starts.. "We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 197 more bytes)" [TODO: insert info on haveged] during the operation gpg will display some plus signs and dots, eg ".+++++". when this process completes then you should see something like this: gpg: key 705AD0FDBD0FEC14 marked as ultimately trusted public and secret key created and signed. pub 2048R/705AD0FDBD0FEC14 2018-03-28 Key fingerprint = FCF3 5AE0 0C8A 3162 9C6C F93D 705A D0FD BD0F EC14 uid Sven Guckes sub 2048R/B390A65158D8A0BB 2018-03-28 congratulations.. you now have a key! \o/ mind you, actually a key *pair* has been created. others will use your pubkey to *encrypt* *to* *you*, and you will use your seckey to *decrypt* their messages. # Key Creation Summary # a short summary of that process: GPG Key Generation: $ gpg --gen-key ($KIND) RET ($BITS) RET ($VALIDITY) RET y RET $NAME RET $MAIL RET $COMMENT RET o $PASSPHRASE RET $PASSPHRASE RET -> generation # Key Generation with GPG2 # versions gpg-2.x.x $ gpg2 --gen-key Note: Use "gpg --full-generate-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: Sven Guckes Email address: 2018-04-19-test@guckes.net You selected this USER-ID: "Sven Guckes <2018-04-19-test@guckes.net>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? o We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. .____________________________________________________. |Please enter the passphrase to protect your new key | | | |Passphrase: ********________________________________| | | | | `----------------------------------------------------' .____________________________________________________. |Please re-enter this passphrase | | | |Passphrase: ********________________________________| | | | | `----------------------------------------------------' We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key C9F155B6779E1541 marked as ultimately trusted gpg: directory '/home/user/guckes/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/user/guckes/.gnupg/openpgp-revocs.d/2629D21C321A15F7B91AB75BC9F155B6779E1541.rev' public and secret key created and signed. pub rsa2048/C9F155B6779E1541 2018-04-18 [SC] [expires: 2020-04-17] 2629D21C321A15F7B91AB75BC9F155B6779E1541 uid Sven Guckes <2018-04-19-test@guckes.net> sub rsa2048/959D6EB7AA060F14 2018-04-18 [E] [expires: 2020-04-17] # New Key # "i have a key!" TODO... show *all* keys with their fingerprints: $ gpg --fingerprint however, as you will gather more public keys the output of that command will become bigger. for showing your own pubkey only you must give it explicitly. so: remember your keyID! # Look Back # now that you have a key, let us look back at the beginning again: $ echo this is a test | gpg -e -a this yields a message like this: -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQP0A+q5fyABhTkbAR88DffhHGYg5EBgwYG/8GY4+TWFn5U6RgMWNE4ES3+/KhiG ................................................................ Fp4z2yJo+xIPQX2lXXZRDJY1u9NCtNDySOKpstIlg7K1 =Wvju -----END PGP MESSAGE----- now you can feed this output back to gpg again: $ echo this is a test | gpg -e -a | gpg this is a test as you can see - the input had been converted to something unintelligible data - and back again. gpg has first been used for encryption, then for decryption. "yay!" # encrypting files # to encrypt a file for yourself you must encrypt it *to* the keyID as a "recipient": $ gpg -e -r $KEYID file -e encrypt (to) -r $ID recipient of $ID file file containing the data this creates a new file in the same directory by the same name, adding the extension "gpg", ie "file.gpg". $ ls -lh /dir/file* ... file ASCII text ... file.gpg data usually, the encrypted data should be smaller than the original file. however, if the original file is small or already compressed then the resulting encrypted data might be bigger. # messaging others # using the pubkey of others: * downloading from a keyserver. * checking the fingerprint. * using gpg to encrypt with a pubkey. example: $ gpg -e -r 0185391B file -> file.gpg # signing files # anyone can check the consistence of data (read: a message) and its digital signature. "this message has been signed by this entity". whether the seckey actually belongs to the person is another problem. this can be somewhat solved with digital signatures on the pubkey. that's where key signing parties come in. # Key Signing Party # Key Signing Parties are congrerations of people where they can check each others' identities and where they exchange the fingerprints of their keys. mind you: no food, no music, no dancing. usually. you can provide these when you throw your own party, of course. but usually - dont expect any of these. the point of it all is to establish a connection between the person and his keys. when you have made this connection then you sign his key. actually, you sign a *copy* of his pubkey - and then upload it to one of the keyservers. the keyserver will merge the existing copy of the key with the new copy of the key. and the keyservers will exchange keys ("gossipping") between each other. # Result # others have done it - you can do this, too! the maschine does the number crunching for you. programs are there to help you do it. it takes a bit of getting used it. seek the opportunity to do this together with others. take your questions to a cryptoparty and talk to people. they will help you install and configure programs, as well provide a communication with you. see the website www.cryptoparty.in for crypto parties happening around the world. # Conversation # typical conversations essentially run like this: "why do you do this?" "because now i can." "are you hiding sth?" "yes - my privacy." "isn't this illegal?" "no. encryption is legal. it is applied math." ".only for military?" "no, your bank wants you to use crypto, too." "what does it cost?" "it is free of charge *and* free software as well" "are there backdoors?" "free software means open source. you can check!" "i'm no programmer." "well - at least you can let others check for you." "and how to use it?" "i can teach you. we all can!" -> cryptoparties here is one question i usually ask people all the time: "imagine.. if all your devices had crypto installed already, and would encrypt all you data automatically, so only *you* can open them, and would also encrypt all messages to others by default so only *they* can read them - would you take the time to learn how to turn it all *off*?" the future might be that "crypto" is simply *included* as a feature by *default* - and working for you. # Links # * [GPG Intro](http://www.guckes.net/talks/gpg_intro.txt) * [a minimal setup for gpg (by Sven Guckes, 2006-05-29)](http://www.guckes.net/Setup/gnupg_options.minimal) * [PRIVACY AND HUMAN RIGHTS](http://gilc.org/privacy/survey/intro.html) * [Right to Privacy](https://en.wikipedia.org/wiki/Right_to_privacy) * [Concepts/OpenPGP Getting Started](https://userbase.kde.org/Concepts/OpenPGP_Getting_Started) [last updated 2013-11-06] * [kostenlose OpenPGP-Schulungen](https://www.openpgp-schulungen.de) Event Kalender: * [FLOSS Calendar](http://cal.guckes.net/) * [VereinsRaum Kalender](http://vrkalender.in-berlin.de/) Cryptoparties: * [Cryptoparty in Berlin](https://www.cryptoparty.in/berlin) * [Cryptoparty in Graz ](https://www.cryptoparty.in/graz) * [Cryptoparty in Wien ](https://www.cryptoparty.in/wien) * [Cryptoparty in FRANCE](https://www.cryptoparty.in/location#france) Events: * [GnuPG für blutige Anfänger/innen 2018-04-22 14-16h](http://www.linux-works.de/Wiki/LinuxPresentationDay/April2018#head-7b80ba914c05f4f64ce464e944b2e46e9db63010) Keyserver: * http://njh.eu:11371/ (non-gossiping!) * [HowTo set up a private keyserver)(https://njh.eu/keyserver) by Volker Diels-Grabsch. Created 2014-01-27, updated 2017-07-05 * [HowTo compile your own gpg2 binary](https://njh.eu/gpg) by Volker Diels-Grabsch. Created 2017-09-13, updated 2017-09-13 Misc: * [Anatomy of a GPG Key - Dave Steele's Blog 2014-09-20](https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/) * [GPG Tutorial by Alan Eliasen](https://futureboy.us/pgp.html) * [Kernel Maintainer PGP guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html) # Contact # contact me here.. Sven Guckes guckes.crypto@guckes.net keysigningparty@guckes.net 8000R/0185391B 2014-03-11 32CE 5648 6E6D 6D6D 33E5 3A38 EAB9 7F20 0185 391B key download: curl http://tinyurl.com/8000R-0185391B | gpg --import # Event # ## past ## this has been presented at these events: 2016-11-13 Sat 12-13h Track3 Sven Guckes: "GPG Intro" page: https://www.t-dose.org/node/1051 link: http://www.guckes.net/talks/gpg_intro.txt ## future ## this will be presented: 2018-04-18 Mi/Wed 18-22h @BeLUG "gpg 1-2-3" https://www.belug.de/aktivitaeten-kalender/GPG2018.html http://www.guckes.net/talks/gpg_intro.txt 2018 Grazer LinuxTage Workshop on gpg: (#349) Sven Guckes: "gpg-1-2-3" Raum G.AP149.125 Fr 2018-04-27 13:30-16:30 Workshop https://glt18-programm.linuxtage.at/events/349.html So 2018-04-29 11:30-14:00 Brunch https://tinyurl.com/glt18-brunch-doodle So 2018-04-29 18:00-22:00 Show+Tell https://grical.realraum.at/e/show/1044/ 2018 Grazer LinuxTage Workshop on gpg: (#802) Sven Guckes: "gpg-1-2-3" Raum F1.01 Do 2018-05-03 10:00-11:45 Workshop https://cfp.linuxwochen.at/de/LWW18/public/events/802 # TODO # * add shell aliases and functions * use *pwgen* as a creator for passwords and sample text * gpg version output; gpg latest version # THE END # $ date -d @1478904223 Fr 11. Nov 23:43:43 CET 2016 vim: set et fenc=latin1 ft=sven tw=999 nowrap: THPXRF EOF