Thursday, 29 March 2012

PGP using GPG.... ;o)

GPG stands for GNU Privacy Guard and is a free alternative to the PGP cryptographic software.
GnuPG (or GPG) implements RFC 4880, the standard specification of OpenPGP. The most important consequence is that GPG is interoperable with PGP. GPG is built as a command line utility but also has several front-ends for KDE, GNOME and other Linux desktops, and it is integrated directly into other software: e-mail clients such as Mozilla Thunderbird, Evolution and KMail, instant messengers such as Psi and Fire, browsers such as Mozilla Firefox, etc.


GnuPG encrypts messages using asymmetric keys. These keys are generated by the users and exchanged with others, either directly or through key servers. Note that a key server is only a directory: anyone can upload a key under any name, so a key fetched from one is trustworthy only once its fingerprint has been checked against a copy obtained from the owner out of band. GPG also supports symmetric encryption ("gpg --symmetric", or "gpg -c"), where a single passphrase both encrypts and decrypts the file.

Installing GPG
sudo apt-get install gnupg
On Debian and Ubuntu the package is gnupg (usually installed already). The pgpgpg package is only a wrapper that lets programs written for PGP drive GnuPG; it pulls gnupg in as a dependency, so installing it also works, but it is not what you need by itself.



Generating key pairs

The basis of PGP encryption is that you generate a key pair. This comes in two parts, a Secret Key and a Public Key. The Public Key you can upload to key servers or distribute via any means you like; the Secret Key stays with you, protected by your passphrase. (I have a copy of one of my keys on the public space of my Dropbox account)

Run "gpg --gen-key" and just follow the steps. The prompts are walked through on the following lines.

You now need to select your key type. RSA is the default; to select "RSA and RSA" type "1" and press enter.
Then choose your key size. The default key size is 2048 bits. Many people think a larger key is more secure than a smaller key, and there is some truth in this, but the price is slower key generation, signing and decryption. Encrypted files themselves only grow by a few hundred bytes per recipient, because the data is encrypted with a symmetric session key and only that session key is encrypted with RSA.

Bear in mind that the key size and the passphrase protect against different things: the key size is what an attacker has to beat to read a ciphertext or forge a signature without your key, while the passphrase only protects the secret key file if someone gets hold of it. 2048 bits is still adequate for RSA, and a 4096 bit key with a poor passphrase is no help at all once the secret keyring leaks. I sit firmly in the stronger passphrase camp, and just generate 2048 bit keys.

Next you will be asked how long you want the key to remain valid. This is a nice feature if you want your keys to expire after a fixed time. The expiry date can be extended later with "gpg --edit-key" (the "expire" command) as long as you still hold the secret key, so an expiring key costs you nothing, while it limits the damage if the key is lost and you cannot revoke it. For the purposes of this blog, I'm going to create a key which won't expire.



Next you will be asked some details about the key. In order for people to be able to find your key on a key server, GPG asks for a "Real name", an e-mail address and an optional comment. I like to think that people could get your key via your email address, and if I want to send something encrypted to someone, I would prefer to get their current public key direct from them. Supply the details required; the user ID will take the form "Your Name (Your Nickname) <Your.Name@email.com>". When complete, press "O" and enter to generate the key.
Your key will now be generated. At this stage I like to move my mouse around the screen to generate as much random data as I can, since the kernel's entropy pool is fed by keyboard, mouse and disk activity. The time taken for the key generation varies depending on the key size and how much random data is available.
When your key is finished generating, the key fingerprint will be displayed. You can also check the keys on your keyring with the "gpg --list-keys" command.
You can also check a key's fingerprint with the "gpg --fingerprint <name>" command, where <name> can be any part of the user ID (name, comment or e-mail address).
As you can see from my screenshot, I have found the key on all three sections of the name.
The first command was looking for the nickname (Your Nickname)
The second was searching on the Key name (Your Name)
The last command used the email address supplied (Your.Name@email.com)
I have also highlighted the key's fingerprint. The fingerprint (40 hex digits for these keys) is what you compare with the owner when you receive a key; the short 8-digit key ID is just its last 8 digits and is not unique, so never treat a key ID match as proof that you have the right key.
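The whole procedure above (generate a key pair, list the keys, read and compare the fingerprint), scripted. This is an added example, not code from the original post: it generates a throwaway key in a temporary GNUPGHOME so your real keyring is never touched, parses the machine-readable "--with-colons" listing instead of screen-scraping, and shows the out-of-band fingerprint comparison that actually establishes trust in a key. The names, e-mail address, sample listing and fingerprints are made up; unlike the post, the key is given a two-year expiry.

```shell
#!/bin/sh
# Added example (not from the original post): script the key generation and
# fingerprint checks described above, using a throwaway GNUPGHOME so the real
# keyring is never touched. Names, e-mail and fingerprints are made up.

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output
# for one primary key with one encryption subkey. Field 10 of an "fpr" record
# is the fingerprint; the long key ID is its last 16 hex digits.
SAMPLE_COLONS='pub:u:2048:1:4B2C7E0F1D3A5B6C:1333000000:1396000000::u:::scESC::::::23::0:
fpr:::::::::0A1B2C3D4E5F6071829300004B2C7E0F1D3A5B6C:
uid:u::::1333000000::3F2504E04F8911D39A0C0305E82C3301::Your Name (Your Nickname) <Your.Name@email.com>::::::::::0:
sub:u:2048:1:7F8E9DA0B1C2D3E4:1333000000:1396000000:::::e::::::23:
fpr:::::::::76543210F9E8D7C6B5A493827F8E9DA0B1C2D3E4:'

# Print the fingerprint of every primary key in colon-format input on stdin,
# skipping subkey fingerprints (they follow a "sub" record, not a "pub" one).
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1 }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Canonicalise a fingerprint as people write it ("0a1b 2c3d ..."): strip the
# spaces, upper-case it, and fail unless it is exactly 40 hex digits.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$f" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# The check that actually establishes trust: compare the fingerprint obtained
# out of band (from the owner) with the one on the keyring.
fingerprint_matches() {
    a=$(normalize_fpr "$1") && b=$(normalize_fpr "$2") && [ "$a" = "$b" ]
}

# Generate a 2048-bit RSA key pair unattended in a temporary GNUPGHOME and
# print its primary fingerprint. Runs in a subshell so the caller's
# environment is untouched. %no-protection leaves the secret key without a
# passphrase, fine for a throwaway keyring but not for a real one (GnuPG 2.1+
# needs it in batch mode; older versions skip it with a warning).
gen_demo_key() (
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    cat > "$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Your Name
Name-Comment: Your Nickname
Name-Email: Your.Name@email.com
Expire-Date: 2y
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/params"
    fpr=$(gpg --batch --quiet --with-colons --fingerprint --list-keys | primary_fingerprints)
    # Stop the agent GnuPG 2.x started for this home directory, then clean up.
    if command -v gpgconf >/dev/null 2>&1; then gpgconf --kill gpg-agent || true; fi
    rm -rf "$GNUPGHOME"
    [ -n "$fpr" ] || exit 1
    printf '%s\n' "$fpr"
)

# Demo: parse the constructed sample and compare it with a fingerprint "read
# over the phone" in spaced lower-case form; then, if gpg is installed,
# generate a real throwaway key and print its fingerprint.
sample_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints)
if fingerprint_matches '0a1b 2c3d 4e5f 6071 8293 0000 4b2c 7e0f 1d3a 5b6c' "$sample_fpr"; then
    echo "sample key fingerprint verified: $sample_fpr"
fi
if command -v gpg >/dev/null 2>&1; then
    gen_demo_key
fi
```

The parameter-file format is GnuPG's documented "unattended key generation"; the same file works for "gpg --batch --gen-key" on 1.4, 2.0 and 2.x. To publish the key afterwards you would run "gpg --armor --export <fingerprint>" and hand the output (or the fingerprint) to people directly, which is the step the key server cannot do for you.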

This concludes my first blog on PGP. At this stage all we have done is installed the package and generated our own key in Linux from the command line (CLI).

If you have any further questions, please feel free to ask Google! ;o)
