GnuPG Mini Howto
GnuPG GnuPG for daily use (a mini How-To...)
Ringkasan ini bukan deskripsi lengkap tentang GnuPG dan semua aspeknya. Namun, ini akan menjadi pendahuluan dan referensi singkat, terutama dipikirkan orang-orang yang belum pernah menggunakan GnuPG sejauh ini atau baru saja memulai. Untuk informasi lebih lanjut silahkan lihat link yang ada.
Ini berasumsi bahwa pembaca menggunakan sistem seperti UNIX dan GPG sudah terpasang pada sistem.
Apakah GPG?
Kriptografi memiliki dua tugas utama: Kriptografi harus memberikan kerahasiaan (secrecy) dan keaslian (authenticity). Kerahasiaan berarti bahwa pesan yang ditulis oleh seseorang A hanya dapat dibaca oleh orang B yang dipilih oleh A. Keaslian, di sisi lain, harus memastikan bahwa orang yang menerima pesan dapat yakin bahwa pesan ini telah ditulis oleh A dan bukan oleh orang lain.
Ada cukup banyak sistem yang memenuhi tugas ini. Namun, sistem konvensional tersebut memiliki kelemahan besar bahwa A dan B harus menukar kunci rahasia sebelumnya. Hal ini tidak hanya sangat menyebalkan, tapi bahkan terkadang tidak mungkin (misalnya jika B tinggal sangat jauh dari A dll). GPG memecahkan masalah ini dengan cara yang sangat cerdas: daripada hanya memiliki satu kunci yang dibutuhkan oleh keduanya, A dan B, setiap pengguna memiliki dua kunci, yang umum (dikenal semua orang) dan yang private (yang harus dirahasiakan). Clue-nya adalah jika sebuah pesan dienkripsi oleh kunci publik, dia hanya dapat didekripsi lagi dengan kunci privat, dan sebaliknya.
Jadi, jika A mengenkripsi pesannya dengan kunci publik B, maka tidak ada yang bisa mendekripnya lagi kecuali B karena hanya dia yang memiliki kunci privat yang sesuai. Dan, di sisi lain, jika A mengenkripsi pesannya dengan kunci pribadinya, maka hanya kunci publik A yang bisa mendekrip pesannya lagi, yang diketahui B. Tapi karena hanya A yang dapat mengenkripsi pesan sedemikian rupa sehingga Kunci publik A mendekripnya lagi, B dapat memastikan bahwa pesan tersebut telah ditulis oleh A.
Jadi, jika A melakukan keduanya, mengenkripsi dengan kunci privatnya dan kunci publik B, maka hanya B yang bisa membaca pesannya dan B pasti akan menjadi A yang telah mengirim pesannya.
Mulai
Untuk memulai, anda harus membuat sepasang kunci publik dan private anda masing-masing, dan anda harus menjadikan kunci publik diketahui sebanyak mungkin orang. Untuk yang terakhir, ada server kunci besar yang didistribusikan ke seluruh dunia yang terhubung satu sama lain. Jadi, jika Anda mengirim kunci anda ke satu server, server ini akan secara otomatis menginformasikan semua hal lain tentang kunci anda. Dan jika anda memerlukan kunci siapa pun, anda mungkin "meminta" server untuk itu. Cara bagaimana melakukan ini akan dijelaskan di bawah ini.
Membuat pasangan kunci
Untuk membuat pasangan kunci, anda harus mengambil shell dan menjalankan perintah berikut:
gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/onno/.gnupg' created
gpg: new configuration file `/home/onno/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/onno/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/onno/.gnupg/secring.gpg' created
gpg: keyring `/home/onno/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Onno W. Purbo
Email address: onno@indo.net.id
Comment:
You selected this USER-ID:
"Onno W. Purbo <onno@indo.net.id>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Sekarang Anda memiliki direktori baru, yang disebut .gnupg, dan private dan public key. Untuk memeriksa ini, ketik:
gpg --list-keys <description>
Di sini, dan juga di bab-bab berikut, kami bermaksud dengan <description> nama atau alamat email Anda atau bagian darinya. Jadi misalnya jika User-ID "Stefan M. Moser <stefan.moser@switzerland.NOSPAM.org>", maka <description> bisa seperti
Stefan Moser stefan stefan.moser stefan.moser@switzerland.NOSPAM.org stef oser
Jika Anda ingin daftar semua kunci anda, ketik tanpa argumen, yaitu,
gpg --list-keys
Dalam kasus saya jawaban dari shell terlihat sebagai berikut:
/home/smmoser/.gnupg/pubring.gpg -------------------------------- pub 1024D/91AD85E1 2004-03-10 Stefan M. Moser (Blabla) <moser@quark.ch> sub 2048g/A19D8175 2004-03-10
Sebenarnya, anda akan mendapatkan info lebih lanjut jika anda menyertakan opsi -v dalam perintah anda, dan yang lebih baik adalah sebagai berikut:
gpg -v --fingerprint <description>
Yang memberikan output seperti:
smmoser@tardis-a04:~>gpg -v --fingerprint
/home/smmoser/.gnupg/pubring.gpg
--------------------------------
pub 1024D/91AD85E1 2004-03-10 Stefan M. Moser (Blabla) <moser@quark.ch>
Key fingerprint = 8530 BA60 156A EF97 2616 189B D573 397C 91AD 85E1
sig 3 91AD85E1 2004-03-10 Stefan M. Moser (Blabla) <moser@quark.ch>
sub 2048g/A19D8175 2004-03-10
sig 91AD85E1 2004-03-10 Stefan M. Moser (Blabla) <moser@quark.ch>
This shows that actually you have got two key pairs, but this should not bother you as these keys belong together and can be looked at as only one. The Key-ID (mine is 91AD85E1) together with the finger-print (the 10x4 digits) uniquely determines your key. Furthermore it shows that so far only you have signed this key. What this means, we will see later. As a next step it is very important to generate a revocation-certificate. top
Revocation-Certificate
Sekarang, anda telah membuat sebuah kunci. Tapi bagaimana cara memusnahkannya lagi? Mungkin anda berpikir bahwa ini tidak penting pada saat ini, dan pada dasarnya anda benar. Namun, ada masalah: dalam beberapa bulan atau tahun banyak orang akan tahu kunci publik Anda. Jadi, jika anda tidak ingin menggunakan kunci ini lagi (mungkin karena anda lupa kalimat rahasianya, atau karena ada yang menemukannya dll.), Anda harus memberi tahu semua orang. Jika tidak, anda akan terus menerima email yang dienkripsi dengan kunci ini. Untuk melakukannya, ada sertifikat yang disebut pencabutan. Jika sertifikat ini dikirim ke server kunci, kunci tersebut secara definitif "hancur". Alasan mengapa saya memberi tahu anda sekarang, adalah sebagai berikut: hanya mungkin membuat surat pencabutan jika anda mengetahui kalimat rahasia tersebut. Jadi jika anda lupa, maka anda tidak bisa menggunakan kunci anda lagi, tapi anda juga tidak bisa menghancurkannya. Oleh karena itu, sangat penting bahwa Anda mempersiapkan sertifikat ini SEKARANG karena sekarang Anda masih harus mengetahui kalimat rahasia anda, bukan?
Anda harus melakukan langkah-langkah berikut:
Answer of the shell Your command > gpg -a --gen-revoke <description> (the description should be part of your name, like in my case "moser") Create a revocation certificate for this key? y Select the reason for the revocation: (I guess either 0 or 1 makes sense) Enter an optional description: (press return) Is this okay? y Passphrase: (Give your passphrase)
Now the revocation certificate is generated. It should look something like the following
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.3 (SunOS) Comment: A revocation certificate should follow iEkEIBECAAkFAkBQW9oCHQAACgkQ1XM5fJGtheGdYgCdGLN32ck9F3CL3lb2Rbef weZOg00An3gedAc9chK5aSAAnjCwRC0Vftsv =luxm -----END PGP PUBLIC KEY BLOCK-----
Copy these few lines into a file and store it in a safe place. Best on a floppy disk or print it out and keep the paper somewhere safe. top
To make your public key public
Now, you have reached the step where you can make your key public. The easiest way of doing so is to use one of the many key-server. Which server you use doesn't really matter as they are connected and update each other at least daily. For example you could use the server at the MIT:
gpg --keyserver=x-hkp://pgp.mit.edu -a --send-keys <key-ID>
As at the moment you only have your own key in your keyring, you may also drop the description. A second possibility is using a web-interface, like for example at the ETH: www.tik.ee.ethz.ch/~pgp. There you will have to copy-paste your key. In order to be able to copy your key, the following command:
gpg -a --export <description>
Now, your key is already public. We will test this in a second. There is just one small nice feature: instead of every time specifying the keyserver, it is easier if you define it in your config-file. Edit the file .gnupg/gpg.conf: search for "keyserver" and uncomment or add the entry keyserver x-hkp://pgp.mit.edu. If you have done so, you may check, if your key is already available:
gpg --search-keys <description>
You will be presented with a list of possibilities, depending on how specific your description has been (this list can be very long if you just search for a "Peter" or so!). At the moment just type q to quit.
Your Personal Key-Ring
In order to be able to decode and encode mails with the public key of other users, it is important that you have those keys. As it is not very practical to have to ask every time a key-server for such a key, you keep your own key-ring with all keys of those people you often communicate with.
At the moment, I guess the only key in your key ring is the one you just have created. If you are not sure about that, you may check it, as seen above, by:
gpg -v --list-keys
Adding a key to your personal key-ring
If you have a file with a public key then you may add this key to your key-ring in the following way:
gpg --import <file>
However, it is even easier to get the keys directly from a key-server: use again the command
gpg --search-keys <description>
and choose in the list the wanted key. And that's it.
Removing a key from your personal key-ring
Of course you can also remove any key from your key-ring:
gpg --delete-key <description>
<description> can be anything of the name or email-address (or part of it) of the key that is not needed anymore. If you try to remove a key where you own also the secret key, then you will have to remove first the secret key by gpg --delete-secret-keys.
The Whole Story of Trusted and Untrusted Keys and Signing Keys
As mentioned above GPG solves the problem of the need of exchanging keys in advance. As replacement public and private keys are introduced. However, by doing so a new problem appears: If I receive (by a keyserver, or mail etc.) a public key from somebody, how do I know that this key REALLY belongs to the person it is said that it belongs to? There could be just anybody create a key under my name and use it and nobody would realize that it is not me!!
The only solution to this problem is, that I have to be very careful in accepting other keys, i.e., I have to be sure that key and person belong together. This can be checked by comparing the Key-ID and the fingerprint (see above). This is not really satisfactory, as you will agree. Therefore, one has searched for better ideas - and has found one: I don't need to be able to check if a key and a person belong together, as long as there are a few friends of mine (that I trust) that confirm a certain key! And this is done by the "key-signing". If I sign the public key of another person (by using my key), then I confirm that this key belongs to the person that it should. Or the other way round: If I receive a public key of someone I don't know, but see that his key is signed by several people I do know, then I may be sure that this key also is a correct key that I may use.
Therefore, it is important that your key is signed by as many people as possible, and you will probably also sometimes be asked if you would sign a key. Do so, but only do it if you are really sure that the person you ask for a signature and the key you are signing belong together!
How to sign a public key
Firstly, you should print out your Key-ID and fingerprint (use gpg -v --fingerprint <description>) and sign this paper by hand. This can be useful whenever you have to prove to someone that this is YOUR public key.
In order to sign a public key, you must have the key in your key-ring. The way how to include a key into your key-ring is described above. When you have the key and you are sure that it is the right key, then you sign it as follows:
Answer of the shell Your command > gpg --edit-key <description> (The User-ID of the chosen key is shown) Command> sign (with "help" you get a list of all possible commands) How carefully have you verified the key... (Choose your degree of trust between 0 and 3) Really sign? y Passphrase: (Give your passphrase) Command> save
After you have signed it, nobody knows about this new signature. Thus, next, the key has to be sent again to the owner of the key or even better back to a key-server. This is done exactly the same way as before:
gpg -a --send-keys <key-ID>
The owner who receives such a newly signed public key only has to include it again into his key-ring. Note: GPG and the key-server realize that the key has been included already once and will only update the signatures of the key!
Keep your key-ring updated
As you normally don't know when someone is signing a public key that is also inside your key-ring, it is important to update your key-ring from time to time. This is done by the following command:
gpg --refresh-keys
Then all your keys in your key-ring are compared with those on the key-server and if necessary they are updated.
Encrypting and Decrypting
You can encrypt any file using the following command:
gpg -e -a -r <description> file
If you want to be able to decrypt your file afterwards again, then you probably should use your own public key... Choose for example as description your Key-ID (with 0x in front, e.g., 0x91AD85E1). A new file will be generated that is called file.asc. Note that the option -a makes sure the output is ASCII and not binary, if not set you will get a binary file called file.gpg.
To decrypt your file again use the following command:
gpg -d -o newdecryptedfile file.asc/gpg
You will be asked for your passphrase. The decrypted file is stored in newdecryptedfile.
However, it is not very convenient, if you have to write your mail firstly, then encrypt it, and then finally send it. Thus, it would be easier if the mail-program knew how to deal with gpg. And this is the normally the case. Below follows now the example of the mail-program pine.
How to set up pine for use with GPG
Pine offers the option to include additional filers to choose from just after you press Ctrl-x for "send your mail". We will show how to set these up in a second. However there is one small problem we have to solve beforehand: GPG always uses only one interface (gpg and all details are specified in the given options. In pine however you will not see the options, but just the name of the program. So, in order to be able to specify several different filters that you can distinguish, we have to introduce artificially some new names for gpg. First you have to find out where the gpg is situated:
which gpg
You will get an answer that could look, e.g., like /usr/sepp/bin/gpg. Use this path to generate the following aliases in a reasonable directory like, e.g., in your bin/:
cd yourhomedirectory/bin ln -s /usr/sepp/bin/gpg encrypt ln -s /usr/sepp/bin/gpg sign ln -s /usr/sepp/bin/gpg gpg
Of course use the path you have found above for the path of gpg! Now, you can set up pine by copying the following lines into .pinerc at the right place:
display-filters=_LEADING("-----BEGIN PGP MESSAGE-----")_ yourhomedirectory/bin/gpg --decrypt,
_LEADING("-----BEGIN PGP SIGNED MESSAGE-----")_ yourhomedirectory/bin/gpg --decrypt
sending-filters=yourhomedirectory/bin/sign --clearsign,
yourhomedirectory/bin/encrypt -a --encrypt -r _RECIPIENTS_ -r moser@quark.ch,
yourhomedirectory/bin/gpg -a -s --encrypt -r _RECIPIENTS_ -r moser@quark.ch
yourhomedirectory/ has to be replaced by the path to your home-directory, and moser@quark.ch with your own key description. Now everything should work.
Sending emails with pine
With pine you write your mail as usual. When you want to send it, you have to press Ctrl-x (also as usual). However now, you can choose so-called "filters". Normal is "unfiltered". By pressing Ctrl-n or Ctrl-p you can get to "gpg", "encrypt", and "sign". The first filter will encrypt and sign your mail, the second only encrypt and the third only sign. Pine will automatically figure out to whom you send the mail and use this person's public key (if it is in your key-ring, otherwise there will be an error!). Just try it, it is really easy!
Receiving emails with pine
Receiving mails with pine is even easier: Everything is done automatically. You only have to read your mails as usual, and in case an encrypted message is coming in, you will be asked for your passphrase automatically.
A comment about pine
You will have noticed that the setup of the pine filters is such that every mail is encrypted both with the recipient's key and with your own key. The reason behind this is the following: if you only used the recipient's key then the message that is stored in your "Sent"-folder is encrypted such that you will never be able to decrypt it anymore! So the additional encryption with your own public-key makes sure that you will be able to read your own email also after the encryption process. (Many thanks to Clemens Hofmann for this hint!)
Note that there are several clever programs to simplify the use of gpg with pine even more (see the links below).
Security Tips
GPG is used by thousands of people (up to half a million already). Therefore, it is important that you show a certain care when using it. Mainly, it is really important that you only sign keys where you are absolutely sure that key and person belong together.
However, the most important point one has to remember when using GPG is that one should NEVER enter the pass phrase by remote (rlogin, telnet, etc.; exception: ssh, as ssh encrypts the transmission to the other computer), and never on a computer which one does not know or is not logged in (it is really easy to find out what you have typed, even afterwards when you have left already!).
How to use the revocation certificate
If you want to "delete" your key on all servers, you have to use a revocation certificate, as described above. If you still know your passphrase, then you can create a such one easily (again see above). If you have forgotten your passphrase, then HOPEFULLY you have created a revocation certificate at the time you created your key, otherwise you are lost... In order to revoke your key, you have to import your revocation certificate into your keyring:
gpg --import <file>
Here, file should contain the revocation certificate. Now, you just have to send your own key on a key-server, as described above.
Links to Other Websites about GPG
This introduction is quite short and of course does not contain all information about using GPG, neither about GPG itself. If you like to read more, here are a few links:
- The official GnuPG Homepage
- The GnuPG Manual
- MIT PGP Key Server
- ETH PGP Key Server
- pgp4pine
- Pine Privacy Guard
- PGP Envelope
- PinePgp
Furthermore, the man-page is also very helpful:
man gpg
In case you know some more useful links, or have even written a site about GPG, please mail to !
This page is completely new. Therefore, I would be very happy to hear of you! Please, send any comments, suggestions about paragraphs that are not clear, any mistakes or also positive feedback to !
-||- _|_ _|_ / __|__ Stefan M. Moser [-] --__|__ /__\ /__ Associate Professor at National Chiao _|_ -- --|- _ / / Tung University (NCTU), Hsinchu, Taiwan / \ [] \| |_| / \/ Web: http://moser.cm.nctu.edu.tw/