HOWTO Setup GnuPG Quickly
Introduction
GnuPG stands for GNU Privacy Guard. It is a free, open-source GNU program for cryptography. It is
typically used for encrypting, decrypting, and authenticating email
messages. See the GnuPG website
for more information.
This page is a guide for the impatient user who wants to set up
GnuPG, start using it, and ask questions later (or never).
Obtain and Install GnuPG
First, check to see if GnuPG is already installed on your system:
gpg --version
Even if it's installed, compare your version with the latest version,
found at the GnuPG
website to see if you should upgrade. If the latest version is
already installed, go to the next section.
Go to http://www.gnupg.org/download.html and download and install the
sources directly, or follow a link from that page to a binary distribution
for your particular system. Install the software as you would any other
program.
If you are looking for an RPM (for RedHat Linux distros)
and can't find one for the most recent version of GnuPG from
that page, check out http://www.redhat.com/mirrors.html and find a link under the ``Red
Hat Linux'' or ``Updates'' columns from a site you trust. If a new
version has just been released, you may have to wait a few days or a
week for an RPM to become available.
Generate Your Private/Public Key Pair
If this is the first time installing GnuPG, here are steps to quickly
generate your public/private key pair, as well as some useful settings.
For the ultra-impatient, you can just read the words in bold,
though it is highly recommended that you RTFM (Read The Fine
Manual) to know what is going on. Please read the disclaimer
at the bottom of this page so that if you accidentally encrypt all your
personal information and forget who you are, it's not my fault.
- Generate your public/private key pair.
gpg --gen-key
The following steps for generating the key pair were written using
version 1.0.6 of GnuPG. Other versions may differ.
- For the kind of key, select the default. You want to be
able to sign and encrypt messages.
- For the keysize, the default is probably good enough for normal
usage. If you need security that will keep your messages private
or authentic for the next 10,000 years or longer, then you may want
to consider using a larger key.
- When choosing how long the key should be valid, 2 years is
an okay choice for first-time users. One reason to choose an
expiration date for a key, as opposed to none, is in case your
private key falls into the wrong hands. This way it is only a
limited time, up until the expiration date, during which someone
else will be forging your signatures and reading your encrypted
email. It's not that bad though; GnuPG takes an extra precaution
of encrypting your secret key using a passphrase only you know.
- Use care when choosing your passphrase, to choose something you
will not forget. Unlike websites that will help out if you
forget your password, if your passphrase is forgotten, there is
no way (other than a direct cryptographic attack) to use your
secret key to decrypt messages sent to you nor to sign messages
from you. If you actually do forget the passphrase, you may as
well revoke your public key, using the revocation certificate you
made when you knew the passphrase, and generate a new key pair.
(See the documentation for how to, as well as why you would want to,
generate a revocation certificate.)
- Export your public key and send copies to all your friends.
gpg --armour --export my_email_address
--output mykey.asc
Substitute my_email_address with the email address you entered when
generating your key.
Take a look at mykey.asc and verify that it begins with
-----BEGIN PGP PUBLIC KEY BLOCK-----
and contains a large block of nonsense text. This is your public
key; this file can safely be spread far and wide. This is required
by other people in order for them to send you encrypted messages.
That's it! Now just read the disclaimer below and you're done.
Importing Someone Else's Public Key Into Your Key Ring
If someone else has just completed the above steps and has sent you
their public key in a file theirkey.asc, you can import it
into your public key ring, simply by doing:
gpg --import theirkey.asc
This step is necessary if you want to encrypt a message to that person,
or you want to verify a message signed by them.
Optional Settings
There are few things one might want done automatically when using GnuPG.
For example, when encrypting messages to other people using a public key,
you might want the message to also be decryptable by yourself so that
you can review email that you sent out. (The default behavior
is to only encrypt a message using the public key of the recipient,
which you cannot even decrypt.) GnuPG allows you to save such options
in a file that gpg will always check when it is run. Here are a few
useful options:
fingerprint
This line will have gpg display which keys you have in your
public key ring, along with their fingerprints, when you run gpg
without any arguments.
default-key "my_email_address"
where my_email_address is the email address associated with
your key. This line will use your key as the default key to sign
messages with. (This only has an effect if you have more than one
private key.)
encrypt-to "my_email_address"
where my_email_address is the email address associated with
your key. This line will automatically encrypt messages to yourself,
as well as the intended recipients, when using public key
cryptography.
verbose
This line tells gpg to be verbose so that the cryptography isn't
as arcane and mysterious.
The default location for the options file is in a file called
options in your .gnupg directory, usually found as a
subdirectory in your home directory. Use your favorite text editor to
enter in any or all of the lines listed above, and save it to this
options file.
Disclaimer
These tips are distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. Use at your own risk.
Back to Pine Privacy Guard home page.