Here are some rough notes from a PGP tutorial I went to tonight:
Practical PGP: What you need to know to use PGP effectively
http://www.oclug.on.ca/pipermail/oclug-announce/2003-May/000074.html
presented by Matthew Wilcox
First need to generate a key, but due to a bug in gpg, run "gpg" first,
press ^D to exit.
$ gpg
^D
$ gpg --gen-key
choose (1)
RSA/DSA are signing keys; ElGamal for encrypting
put (0) for expiry time (presenter doesn't consider it important)
should have separate keys for signing and encryption.
GPG doesn't allow that (or makes it difficult?)
q: what happens when key expires?
a: nothing. just a message to other people not to use the key after
that date, they can obey or ignore that advice.
passphrase should be very long. (presenters is ~10 words, recommends
5-15 words.) tip: use offensive nonsense, things you would never say,
and would never be in dictionaries (don't use e.g. movie quotes, jargon)
Signing things:
---------------
gpg --sign
output contains compressed message
gpg --clearsign
output contains original message
to sign a file:
cp /etc/motd /tmp
gpg --sign /tmp/motd
creates /tmp/motd.gpg with binary signed compressed version.
probably want an ascii version, so:
gpg -a --sign /tmp/motd
creates /tmp/motd.asc with ascii-armored compressed version.
another option is clearsign:
gpg --clearsign /tmp/motd
creates /tmp/motd with original uncompressed file and attached signature.
also, with detached signature:
gpg -b --sign
useful if many people want to sign the same message: each can sign,
then signatures can be collected into one.
Verifying signatures:
--------------------
gpg --verify
verifies all kinds of sigs.
Encrypting things:
gpg --encrypt filename
(enter your loginid at prompt)
for many files at once:
gpg --encrypt-files *
Decrypting things:
gpg --decrypt
gpg --decrypt-files
[hmm, --encrypt-files etc don't seem supported by my version of gpg, 1.0.6]
Using keyservers (e.g. wwwkeys.pgp.net, settable in .gnupg/options):
gpg --send-keys [will send all keys in your pub ring]
gpg --recv-keys
presenter keeps a copy of his key on a floppy disk in an undisclosed
location, in case his usb device dies.
Keysigning parties:
- convince other people of identity
- be convinced of other peoples identiies
- sign their keys
- upload to keyservers
presenter "fully trusts someone if I have been to their house and met
their wife." If you just meet someone at a keysigning and look at a
couple docs, he gives them a level 2 sig, indicating "I have checked
this key casually."
You should upload your key ring to keyservers after keysignings.
(e.g. gpg --send-keys)
I uploaded my newly-generated key to pgp.mit.edu:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8D3456D0
(that is for my W3C identity,
[email protected]; not sure how I
should manage multiple identities yet.)
I still need to figure out how to integrate gpg with Mutt.
--
Gerald Oskoboiny <
[email protected]>
http://impressive.net/people/gerald/