214 lines
4.9 KiB
Markdown
214 lines
4.9 KiB
Markdown
# GnuPG Quickstart
|
|
|
|
I love GPG and the way it works. I know there are many that complain
|
|
about it because it has flaws. My stance on this is that I prefer
|
|
battle-tested software with known flaws to something with unknown flaws.
|
|
|
|
Anyway, this should get you started with GnuPG
|
|
|
|
## Prerequisites
|
|
|
|
Install gpg and pinentry.
|
|
|
|
<pre>
|
|
# pkg_add gnupg pinentry
|
|
</pre>
|
|
|
|
## You need a Key
|
|
|
|
If you want to lock and unlock stuff, you need a key. This is how you
|
|
get to one:
|
|
|
|
<pre>
|
|
$ gpg --generate-key
|
|
</pre>
|
|
|
|
Hop through the wizard until you see these lines:
|
|
|
|
<pre>
|
|
pub rsa3072 2021-05-19 [SC] [expires: 2023-05-19]
|
|
BA696588D9A04AD9F70DA33EC54733F6DBECC2C1
|
|
uid John Doe <j.doe@example.com>
|
|
sub rsa3072 2021-05-19 [E] [expires: 2023-05-19]
|
|
</pre>
|
|
|
|
If you see an error like:
|
|
gpg: agent_genkey failed: Permission denied
|
|
|
|
Add the following entry and try again.
|
|
|
|
<pre>
|
|
$ echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
|
|
</pre>
|
|
|
|
Congratulations, you got yourself a GPG Key. This long gibberish is your
|
|
full GPG Key ID. Most of the time, you can simply use the last 8
|
|
characters. So the short version of this GPG Key is DBECC2C1.
|
|
|
|
You can set it as default key, so it's used to encrypt stuff when no
|
|
explicit key is given.
|
|
|
|
<pre>
|
|
$ echo "default-key DBECC2C1" >> ~/.gnupg/gpg.conf
|
|
</pre>
|
|
|
|
## Share the key with your people
|
|
|
|
If you want someone to be able to encrypt something for you, send him or
|
|
her the output of:
|
|
|
|
<pre>
|
|
$ gpg --export -a DBECC2C1
|
|
</pre>
|
|
|
|
You can also use your email address instead of the Key ID, if you have
|
|
only one key with it. This key is public. So put it on some webspace and
|
|
add a link to your email header or signature.
|
|
|
|
## Upload the key so people can find it (optional)
|
|
|
|
You can also upload your key to a key server. For this, configure a
|
|
keyserver:
|
|
|
|
<pre>
|
|
$ echo "keyserver hkps://keys.openpgp.org" >> ~/.gnupg/gpg.conf
|
|
</pre>
|
|
|
|
Then send your key to it:
|
|
|
|
<pre>
|
|
$ gpg --send-keys DBECC2C1
|
|
</pre>
|
|
|
|
## You got a key from someone
|
|
|
|
Add a key from someone else to gnupg, so you can use it to encrypt data
|
|
for this person. If the key is on your harddrive, use:
|
|
|
|
<pre>
|
|
$ gpg --import <pubkeyfile.asc>
|
|
</pre>
|
|
|
|
The file ending here is kind of undefined. Some call it .asc, .gpg, .pub
|
|
or .key. If the key is on a key server, you can import it like so:
|
|
|
|
<pre>
|
|
$ gpg --recv-key 52BE43BA
|
|
</pre>
|
|
|
|
This would import my key. You can look at it now with:
|
|
|
|
<pre>
|
|
$ gpg --list-keys 52BE43BA
|
|
</pre>
|
|
|
|
## Encrypt a file
|
|
|
|
This encrypts the file plain.txt with the public key DBECC2C1.
|
|
|
|
<pre>
|
|
$ gpg --encrypt -r DBECC2C1 file.txt
|
|
</pre>
|
|
|
|
Now you have file.txt.gpg, which is the encrypted version
|
|
|
|
## Decrypt a file
|
|
|
|
GnuPG automaticall figures out what key it can use to decrypt a file. So
|
|
this will output the content of file.txt on the terminal. If you want
|
|
to save the output in a file, add -o file.txt.
|
|
|
|
<pre>
|
|
$ gpg -d file.txt.gpg
|
|
$ gpg -d file.txt.gpg -o file.txt
|
|
</pre>
|
|
|
|
## Choose a better password prompt (optional)
|
|
|
|
You can change the way gpg asks for the password:
|
|
|
|
<pre>
|
|
$ cat ~/.gnupg/gpg-agent.conf
|
|
[...]
|
|
pinentry-program /usr/local/bin/pinentry-curses
|
|
[...]
|
|
</pre>
|
|
|
|
Options are:
|
|
|
|
- pinentry (sometimes also called pinentry-tty)
|
|
- pinentry-curses
|
|
- pinentry-gtk2: pkg_add pinentry-gtk2
|
|
- pinentry-gnome3: pkg_add pinentry-gnome3
|
|
- pinentry-dmenu: https://github.com/ritze/pinentry-dmenu
|
|
|
|
*Note: If you use a console pinentry program and want to use gpg with a
|
|
GUI tool (like thunderbird), the password prompt will be invisible and
|
|
gpg/thunderbird will freeze.*
|
|
|
|
Makes sense, doesn't it?
|
|
|
|
## Start GPG Agent for password caching (optional)
|
|
|
|
Put this in your .kshrc or .bashrc:
|
|
|
|
<pre>
|
|
export GPG_TTY=$(tty)
|
|
gpg-connect-agent /bye
|
|
</pre>
|
|
|
|
## Make a Backup (not so optional)
|
|
|
|
There is no handholding cloud or support team you can call when you
|
|
messed up or deleted your key. So back it up safely.
|
|
|
|
Either you backup your ~/.gnugp directory, or you export the secret
|
|
keys and backup them safely.
|
|
|
|
<pre>
|
|
$ gpg --export-secret-keys -a DBECC2C1 > gpg_key_backup.sec
|
|
</pre>
|
|
|
|
Seriously, don't skip this step.
|
|
|
|
## Configure Mutt (optional)
|
|
|
|
Install mutt with the gpgme flavor. Gpgme is the "new way" of handling
|
|
gpg in mutt.
|
|
|
|
<pre>
|
|
# pkg_add mutt--gpgme
|
|
</pre>
|
|
|
|
If you're not on OpenBSD, check with `mutt -v` if it was compiled with
|
|
the `--enable-gpgme` option. Then enable it in mutt.
|
|
|
|
<pre>
|
|
$ cat ~/.muttrc
|
|
[...]
|
|
crypt_use_gpgme = yes
|
|
[...]
|
|
</pre>
|
|
|
|
In the mutt compose view, you can now select Security Options.
|
|
|
|
<pre>
|
|
From: c0dev0id <c0@example.com>
|
|
To: j.doe@example.com
|
|
Cc:
|
|
Bcc:
|
|
Subject: Hello my friend
|
|
Reply-To:
|
|
Fcc: =Sent
|
|
Security: Sign, Encrypt (PGP/MIME)
|
|
Sign as: <default>
|
|
</pre>
|
|
|
|
You can change the setting with the key "p", which should bring up a
|
|
selection menu.
|
|
|
|
PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, s/(m)ime or (c)lear?
|
|
|
|
*That's it! GPG is not difficult. You need to know a few bits, but these are not
|
|
more difficult than many other things we do on a daily basis.*
|