These exercises taken from track E0 of AfNOG 2006 by Joe Abley
Updates by Hervey Allen
February 16, 2007
Introduction
GnuPG is a free implementation of PGP. This mini-workshop uses GnuPG
on FreeBSD. We do not cover encryption or data-signing here, just
the business of creating key pairs, sharing public keys, verifying
fingerprints and key signing.
Check the GnuPG web page for documentation on the GnuPG package:
Public Key Cryptography
Key Concepts
On FreeBSD, GnuPG is included in the ports tree as security/gnupg. To check and see if GnuPG is already installed first do:
Creating a Public/Private Key Pair
Now that GnuPG is installed you can use the
Always set an expiry date, even if it is a long way in the future.
Choosing 1 year is reasonable (type "1y").
Type your real name, and your e-mail address that you wish to attach this key to when asked to do so. You don't have to type a comment. You can edit any of these before you create the key.
Type a passphrase. It's important to choose something that you can
remember but which will be hard for anybody else to guess, just
like any password. You will be asked to type it twice.
Note the term "passphrase" - This means that instead of a single
word "password" you can type an entire sentence. This can be very hard
to guess, but very easy to remember.
The GPG software will create a Public/Private key pair using random
information it obtains from the system. If it seems to be taking a
long time, try to keep the machine busy by using the network or the
keyboard, since both those things are used to add randomness to the
key generation process.
Your PGP information will be stored in your user's account home directory under the ".gnupg" directory.
Extracting your Public Key
To extract your public key as text which you can easily cut and
paste, or include in an e-mail message, do:
The key id is a hexadecimal number that will have been displayed
after you generated your key. If you know you only have one key
which matches your e-mail address, you can use your e-mail address
instead of the key id, and everything should work.
To see what public keys you have installed, you can always type
Once you have extracted your public key, you can send it to other
people. Good ways of doing this are e-mail, putting it on a web
page, or sending it to a key server.
For instance, to place your newly generated public key on the MIT
(Massachussetts Institute of Technology in Boston, Massachussetts,
United States) PGP server you can do the following:
Generating your Public Key's Fingerprint
Comparing public keys is difficult, because the keys themselves are
usually quite long. A much easier method (and, in practical terms,
pretty much as good) is for each person to generate the fingerprint
of their copy of a key, and then compare the fingerprints. Fingerprints
are short enough to be easily read out over the phone.
You calculate the fingerprint for a local copy of a public key like
this:
Once you have obtained a public key, you can import it to your local
keyring so that you can use it like this:
If you have a copy of someone else's public key on your keyring and
you have decided that you trust it (e.g. by verifying the fingerprint
with the key's owner) and you have also decided that you trust the
identity of the key's owner (e.g. by checking a passport) you can
sign it. This does two things:
At some events you may see announcements for a PGP Key Signing party. This is when a group of people get together, bring some form of ID (passport, drivers license, etc.), verify each other's identies and agree to sign one and another's public PGP keys.
If your instructor remembered to ask you to bring your passports, etc. to this session, and if there's time we'll have a key signing party right now. If not, then perhaps one can be arranged later.
More Information
There are many more things you can do with GnuPG than those described
in these notes. For more information, see:
Joe Abley
http://www.gnupg.org/
In particular, look at the documentation, and the "Mini HOWTO" which
is good background material for the topics in this workshop.
Two Precautions Worth Taking
Installing GnuPG
If it is not installed (look for version 2x), then you
can install it in the usual way (need to be root):
# pkg_info | grep pgp
You may be used to just doing something like:
# cd /usr/ports/security/gnupg
# make install && make clean (what's this?)
The command
# cd /usr/ports/security/gnupg
# make [agree to the default options shown]
# make install
make install
implies doing make
first, then make install
. The "&&" means follow the first command with the next. Alternately you could have done:
As usual, there's more than one way to do something in Unix.
# make install; make clean
gpg
command
to use the Gnu version of PGP. In these steps you should do this as your user on your system, not as the root user!:
The default values for the type and size of key are usually OK (but
feel free to choose larger key sizes if you like -- larger keys
require more computer power to work with, but are harder for other
people to compromise).
$ gpg --gen-key
Note: "your key id" is probably your email address.
$ gpg -a --export <your key id>
Public keys are installed by receiving a user's public key as a text file (say in email), saving it, and importing it in to your local PGP public key ring. Or, perhaps, you have a PGP plugin installed for your local email client. You may import public keys this way as well.
$ gpg --list-keys
That's it! Your public key is now available to anyone who goes to the MIT PGP server and searches on your name, email address, etc. This is a good thing.
Importing Someone Else's Public Key
$ gpg --fingerprint <key id>
Signing a Public Key
$ gpg --import <filename>
To sign a key:
Key Signing Party
$ gpg --sign-key <key id>
http://www.gnupg.org/
Of course, you can also ask your SANOG friends on the SANOG mailing list, or send e-mail to the instructors directly if the GnuPG documents
are not clear.
AfNOG, Nairobi, Kenya, 2006
Updated for ccTLD Workshop, Georgetown, Guyana, 2007