
GnuPG without mailer support

GnuPG is a free software implementation of PGP (Pretty Good Privacy), an open encryption standard. There exist several introductions (1) (2) (3) (4), a manual and advanced tips for GnuPG, as well as a number of documents describing its use with various e-mail programs (Enigmail/Thunderbird, mutt, KMail, MS Outlook). But most texts omit to demonstrate how easily you can start using GnuPG without any mail program integration, for example when using a webmail service or a mailer that does not support encryption. What is more, when writing to someone who already uses GnuPG and whose (public) key you have obtained, you do not have to generate a key of your own. This is also the way to try out GnuPG without configuration overhead or other commitment.

Installing GnuPG

I am not going to go into details of obtaining and installing GnuPG, which is of course the very first step. Use the package manager of your Linux distribution or get a suitable binary from the download page.

Obtaining the public key of your communication partner

Obtaining the key manually

If you regularly meet your communication partner in person, it is easiest for him or her to copy the key or to give you a thumb drive or CDROM with the key on it. The public key is exported from GPG with the command:

gpg --export <key-id>  >  keyfile

(This is really something your communication partner, who already uses GnuPG, should know already. <key-id> is the ID of the key to export, an eight-digit hexadecimal number.)

On your own system you import the key with the command:

gpg --import keyfile

Obtaining the key from a key server

If there is no option of passing the public key personally, your communication partner should upload her or his key to a key server. There are several major open key servers, such as the MIT key server or the SKS key server pool. Which server the key was uploaded to is not really important, as they synchronise with each other. To obtain the key, go to a key server and search for the name or (if applicable) personal domain of your communication partner. After clicking on a link in the results page (usually a key ID), an ASCII version of the key is displayed in your web browser. Save it to a file and run the command:

gpg --import lookup.html

Now the following important step should not be omitted:

Verifying the key fingerprint

To make sure that the public key you obtained is genuine, you should compare its fingerprint with a reference fingerprint you have received from the communication partner. After importing a key, you display its fingerprint with the command:

gpg -k <name or id>

Here <name or id> is the name of the key's owner or the key ID. If this is the first key you have imported, you can just run gpg -k, which displays all keys.

The reference key fingerprint should have reached you by a different path than the key itself, so that an attacker cannot easily modify both, which would make the comparison pointless. Some people have their key fingerprint on their personal web site or homepage, some print it on their business card, or your communication partner can give it to you on a printed piece of paper.

Making gpg connect to a key server, and verifying the SKS key server

This is an advanced topic that you can skip if you are just starting to use GnuPG casually.

You can configure gpg to connect to a key server to avoid having to import large numbers of keys manually as described above. For the SKS keyserver pool, you would put the following lines into ~/.gnupg/gpg.conf:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/yourusername/.gnupg/sks-keyservers.netCA.pem

(In addition, the keyserver-options no-try-dns-srv and no-honor-keyserver-url may be set for increased security. There seems to be no authoritative documentation on them, but this page describes the latter.) The certificate file specified with the ca-cert-file option is necessary so that GnuPG can verify that it is really connecting to the server it is supposed to. It is therefore important to verify the certificate file itself, a step which is woefully underdocumented.

You do this as follows. First, go to this page and download the certificate sks-keyservers.netCA.pem from the link given on the page under the headline "HKPS pool verification". Two verification criteria are printed in the same paragraph: the fingerprint and the X509v3 Subject Key Identifier. You extract the values to compare from the downloaded certificate with the openssl program from the openssl library project:

openssl x509 -in sks-keyservers.netCA.pem -noout -fingerprint
openssl x509 -in sks-keyservers.netCA.pem -noout -text

The second command prints a lot of things besides the Subject Key Identifier we are looking for, but it is at least labeled. A neat trick for visually comparing fingerprints is printing them in successive lines in your terminal using the echo program twice:

echo <fingerprint1>; echo <fingerprint2>

Here <fingerprint1> is the one from the web page and <fingerprint2> the one from the openssl output.
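A mechanical alternative to comparing by eye, usable both for the key fingerprint check in "Verifying the key fingerprint" and for the certificate fingerprint above. This is an added example, not part of the original page: the function names and all sample data are constructed, and it assumes only the colon-delimited listing printed by gpg --with-colons --fingerprint and the "label=AA:BB:..." line printed by openssl x509 -fingerprint.

```shell
#!/bin/sh
# Added example: compare fingerprints mechanically instead of by eye.

# norm_fpr TEXT: drop any "label=" prefix (openssl prints "SHA1 Fingerprint=..."),
# then keep only hex digits, upper-cased, so spaces and colons do not matter.
norm_fpr() {
    printf '%s' "${1##*=}" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# primary_fpr: read `gpg --with-colons --fingerprint <name or id>` output on
# stdin and print field 10 of the first "fpr" record (the primary key).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches REFERENCE ACTUAL: 0 = identical, 1 = different,
# 2 = reference shorter than 40 hex digits (a key ID, not a full fingerprint).
fpr_matches() {
    _ref=$(norm_fpr "$1")
    _act=$(norm_fpr "$2")
    [ "${#_ref}" -ge 40 ] || return 2
    [ "$_ref" = "$_act" ]
}

# Constructed, simplified sample of gpg's colon listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Alice Example <alice@example.org>:
sub:-:4096:1:76543210FEDCBA98:1400000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Constructed reference, typed the way it might appear on a business card.
SAMPLE_REFERENCE='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

demo() {
    _got=$(printf '%s\n' "$SAMPLE_LISTING" | primary_fpr)
    if fpr_matches "$SAMPLE_REFERENCE" "$_got"; then
        echo "fingerprint matches"
    else
        echo "MISMATCH: do not use this key"
    fi
}
demo
```

With a real key, pipe gpg --with-colons --fingerprint <name or id> into primary_fpr; for the certificate, pass the fingerprint from the web page and the line printed by openssl straight to fpr_matches.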

Sending an encrypted mail

With a webmail service or mail program not supporting GnuPG directly, you have to encrypt the mail text (or other data you want to send) and attach the encrypted data to a mail you send. First write your message with your favourite text editor or word processor (it doesn't matter which format it is in so long as the recipient can read it). Then run either one of the following encryption commands:

gpg -e -r <name or key ID> <message file>
gpg -e -a -r <name or key ID> <message file>

<name or key ID> is the name or ID of the key belonging to your communication partner. The encrypted result is saved to a file with the same name as the message but with the additional extension .gpg. The -a option in the second command causes "ASCII-armored" output to be generated, which is plain text that can be pasted into the message field of any mail or messaging service. It is useful if you cannot send attachments for some reason; without -a, the result is a binary file.

Verifying a signature

Besides encrypting and decrypting messages, GnuPG can be used to sign messages. So you may receive a signed message from a GnuPG user and want to verify that it is indeed his or her signature. There may be three kinds of signatures:

  1. A binary signature including the message, with file extension .gpg. This is the most inconvenient kind of signature, as the only way to read the text seems to be to display the binary file into which the message is embedded.
  2. A clear or clearsigned signature, with file extension .asc, containing the message and the signature as plain text.
  3. A detached binary signature, with file extension .sig, accompanied by the message in a different file / mail attachment.

In the first two cases, you verify the signature with the command:

gpg --verify <.gpg or .asc file>

A detached signature can be verified only if the file to which it refers is also known:

gpg --verify <signature.sig> <message>

Like encryption, this requires that you have imported the public key of your communication partner.

Receiving an encrypted mail

In order to be able to receive encrypted mail, you have to generate your own keypair and distribute your public key to others. If you have got so far as to want this, it is time to read the regular tutorials linked at the top.

