Blog‎ > ‎


posted Aug 11, 2012, 8:30 AM by Tommy Williams   [ updated Aug 11, 2012, 9:05 AM ]
Hash: SHA1

Wouldn't it be great if you could verify that an email or forum post was really from the person it claimed to be from?  You can. It takes a little tech savvy and the desire to learn how to use a new tool. Say hello to the GNU Privacy Guard.

As stated on the GNU Privacy Guard home page:
"GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows you to encrypt and sign your data and communication..."
"GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License ."

Sounds complicated huh?  Its not!  Or... it could be.  "Casual" use of GPG in communication is fairly simple. The underlying system is difficult to wrap your head around unless you are a mathematician and enjoy studying cryptography (subjects most of us (myself included) find dull and dry).  Let me take a stab at explaining how this works and perhaps provide an example. The system relies on the existance of two pices of data (generally files) called keys. One is your private key. This private key is password protected (a pass phrase would be better), and you should be the only person with access to this key. The other bit of data is your public key. This key should be publicly available and is used by other people to verify signatures created by your private key.

Digital signatures are a great place to begin implementation of GPG for yourself. A message signed with someone's private key can be verified by anybody who has access to the sender's public key. What this does is allow someone to be reasonably sure that the sender had access to the private key (or was someone with access to the private key and knows the password). This signature also allows a person to be sure that the message has not been tampered with and is authentic. A good analogy for digital signatures: They are like sealing an envelop with a personal wax seal.

So here we have Dumbledore and Harry Potter. Dumbledore has generated a GPG key and shared his public key with Harry Potter. Dumbledore sends a message to Harry Potter and decides to digitally sign it. Dumbledore is prompted for his private key file and his password when he sends the message. The message has a digital signature attached to it and is then sent along its merry way. Harry Potter receives this message and notices its digitally signed. Harry Potter imports Dumbledore's public key and is able to verify that this message was indeed digitally signed by someone who had both access to the key file and knowledge of the password. Harry Potter is also able to verify that the message has not been modified by anyone while it was in transit and arrived just as it was composed by Dumbledore . Harry Potter trusts Dumbledore to be careful with his private key and trusts also that this message did indeed come from him.

Security is paramount. Its your personal signature. People will depend on this to verify who you are, verify messages you have sent, and potentially send you encrypted messages. Never re-use a pass phrase. The pass phrase on your GPG private key should be 100% unique. Never loose your private key. Its not something you can recover. It can be replaced with a new private/public key pair, but then everyone has to know you did this. If you have questions or want me to clarify anything, I am leaving the comments section open below.

For the sake of beginners being introduced to the use of GPG for encryption I have intentionally not gone into a lot of detail here. Lets get them used to the idea first.
Version: GnuPG v1.4.12 (GNU/Linux)