个人工具

“UbuntuHelp:GnuPrivacyGuardHowto”的版本间的差异

来自Ubuntu中文

跳转至: 导航, 搜索
第1行: 第1行:
 
{{From|https://help.ubuntu.com/community/GnuPrivacyGuardHowto}}
 
{{From|https://help.ubuntu.com/community/GnuPrivacyGuardHowto}}
 
{{Languages|UbuntuHelp:GnuPrivacyGuardHowto}}
 
{{Languages|UbuntuHelp:GnuPrivacyGuardHowto}}
 
 
 
''"GnuPG  uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate."'' -[http://www.gnupg.org/gph/en/manual.html GnuPG Manual]
 
''"GnuPG  uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate."'' -[http://www.gnupg.org/gph/en/manual.html GnuPG Manual]
 
 
== Topics Covered ==
 
== Topics Covered ==
 
The following topics will be covered by this article.  
 
The following topics will be covered by this article.  
 
 
* GnuPG, GPG, PGP and OpenPGP
 
* GnuPG, GPG, PGP and OpenPGP
 
* Generating an OpenPGP key
 
* Generating an OpenPGP key
第14行: 第10行:
 
* Signing Data
 
* Signing Data
 
* Configuring your mail clients to use GPG
 
* Configuring your mail clients to use GPG
 
 
== GnuPG, GPG, PGP and OpenPGP ==
 
== GnuPG, GPG, PGP and OpenPGP ==
 
 
OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.
 
OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.
 
 
* '''OpenPGP''' is technically a '''proposed standard''' although it is widely used.
 
* '''OpenPGP''' is technically a '''proposed standard''' although it is widely used.
 
* '''PGP''' is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.  
 
* '''PGP''' is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.  
 
* '''GnuPG''' is an abreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.  
 
* '''GnuPG''' is an abreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.  
 
 
PGP and GnuPG are computer programs that implement the OpenPGP standard. To find out more about those see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
 
PGP and GnuPG are computer programs that implement the OpenPGP standard. To find out more about those see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
 
 
== Generating an OpenPGP Key ==
 
== Generating an OpenPGP Key ==
 
The core package required to start using OpenPGP, '''gnupg''', is installed by default on Ubuntu systems.
 
The core package required to start using OpenPGP, '''gnupg''', is installed by default on Ubuntu systems.
 
 
A portable, standalone version with enhanced features is also available from source: version 2.0.6. It's a bit harder to configure. See [http://www.gnupg.org/ The GPG site] for more information.
 
A portable, standalone version with enhanced features is also available from source: version 2.0.6. It's a bit harder to configure. See [http://www.gnupg.org/ The GPG site] for more information.
 
 
There are several programs which provide a graphical interface to the GnuPG system.  
 
There are several programs which provide a graphical interface to the GnuPG system.  
 
* Enigmail, an OpenPGP plugin including key management for Mozilla Thunderbird. <code><nowiki>sudo apt-get install mozilla-thunderbird-enigmail</nowiki></code>
 
* Enigmail, an OpenPGP plugin including key management for Mozilla Thunderbird. <code><nowiki>sudo apt-get install mozilla-thunderbird-enigmail</nowiki></code>
第35行: 第24行:
 
* [http://seahorse.sourceforge.net/ Seahorse] <code><nowiki> sudo apt-get install seahorse </nowiki></code>
 
* [http://seahorse.sourceforge.net/ Seahorse] <code><nowiki> sudo apt-get install seahorse </nowiki></code>
 
* KGPG, for a KDE interface. <code><nowiki>sudo apt-get install kgpg</nowiki></code>
 
* KGPG, for a KDE interface. <code><nowiki>sudo apt-get install kgpg</nowiki></code>
 
 
You can also generate keys using these programs and use the section below for recommendations.  
 
You can also generate keys using these programs and use the section below for recommendations.  
 
 
=== Using GnuPG ===
 
=== Using GnuPG ===
 
<pre><nowiki>  
 
<pre><nowiki>  
第58行: 第45行:
 
</nowiki></pre>
 
</nowiki></pre>
 
Most people make their keys valid until infinity, which is the default option. If you do this don't forget to revoke the key when you no longer use it (see later). Hit <code><nowiki>Y</nowiki></code> and proceed.  
 
Most people make their keys valid until infinity, which is the default option. If you do this don't forget to revoke the key when you no longer use it (see later). Hit <code><nowiki>Y</nowiki></code> and proceed.  
 
 
<pre><nowiki>
 
<pre><nowiki>
 
You need a user ID to identify your key; the software constructs the user ID
 
You need a user ID to identify your key; the software constructs the user ID
 
from the Real Name, Comment and Email Address in this form:
 
from the Real Name, Comment and Email Address in this form:
 
"Heinrich Heine (Der Dichter) <[email protected]>"
 
"Heinrich Heine (Der Dichter) <[email protected]>"
 
 
Real name: Dennis Kaarsemaker
 
Real name: Dennis Kaarsemaker
 
Email address: [email protected]
 
Email address: [email protected]
第70行: 第55行:
 
"Dennis Kaarsemaker (Tutorial key) <[email protected]>"
 
"Dennis Kaarsemaker (Tutorial key) <[email protected]>"
 
</nowiki></pre>
 
</nowiki></pre>
 
 
Make sure that the name on the key matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later.  
 
Make sure that the name on the key matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later.  
 
 
Type <code><nowiki>O</nowiki></code> to create your key.
 
Type <code><nowiki>O</nowiki></code> to create your key.
 
<pre><nowiki>
 
<pre><nowiki>
第78行: 第61行:
 
</nowiki></pre>
 
</nowiki></pre>
 
You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.
 
You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.
 
 
'''IMPORTANT''' - Forgetting your passphrase will result in your key being useless. Remember this passphrase carefully, there is no way to recover it when it's lost. After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similiar to the one below.  
 
'''IMPORTANT''' - Forgetting your passphrase will result in your key being useless. Remember this passphrase carefully, there is no way to recover it when it's lost. After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similiar to the one below.  
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg: key D8FC66D2 marked as ultimately trusted
 
gpg: key D8FC66D2 marked as ultimately trusted
 
public and secret key created and signed.
 
public and secret key created and signed.
 
 
pub  1024D/D8FC66D2 2005-09-08
 
pub  1024D/D8FC66D2 2005-09-08
 
Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
 
Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
第90行: 第71行:
 
</nowiki></pre>
 
</nowiki></pre>
 
The key-id is <code><nowiki>D8FC66D2</nowiki></code> (yours will be different).  
 
The key-id is <code><nowiki>D8FC66D2</nowiki></code> (yours will be different).  
 
 
Tip: It's probably a good idea to set this key as default in your .bashrc, so that applications using GPG can automatically use your key.  Do this by entering the line below in your ~/.bashrc. Please note that will be sourced only during your next session, unless you source it manually.
 
Tip: It's probably a good idea to set this key as default in your .bashrc, so that applications using GPG can automatically use your key.  Do this by entering the line below in your ~/.bashrc. Please note that will be sourced only during your next session, unless you source it manually.
 
<pre><nowiki>
 
<pre><nowiki>
第101行: 第81行:
 
source ~/.bashrc
 
source ~/.bashrc
 
</nowiki></pre>
 
</nowiki></pre>
 
 
==== Revocation Certificate ====
 
==== Revocation Certificate ====
 
 
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. You can create a revocation certificate by doing
 
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. You can create a revocation certificate by doing
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --output revoke.asc --gen-revoke <KEY-ID>
 
gpg --output revoke.asc --gen-revoke <KEY-ID>
 
</nowiki></pre>
 
</nowiki></pre>
 
 
The key may be printed and stored carefully preventing access to it. '''Anybody having access to your revocation certificate can render the public key useless.'''
 
The key may be printed and stored carefully preventing access to it. '''Anybody having access to your revocation certificate can render the public key useless.'''
 
 
== Uploading the Key to Ubuntu keyserver ==
 
== Uploading the Key to Ubuntu keyserver ==
 
This section explains how to upload your key to a keyserver so that anyone can download it. When you have uploaded it to one keyserver, after a short time, all the keyservers will have it. You can help this process along by sending your key to several keyservers.  
 
This section explains how to upload your key to a keyserver so that anyone can download it. When you have uploaded it to one keyserver, after a short time, all the keyservers will have it. You can help this process along by sending your key to several keyservers.  
 
 
Using GnuPG:
 
Using GnuPG:
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --send-keys --keyserver keyserver.ubuntu.com <KEY-ID>
 
gpg --send-keys --keyserver keyserver.ubuntu.com <KEY-ID>
 
</nowiki></pre>
 
</nowiki></pre>
 
 
using the above example it would be  
 
using the above example it would be  
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2
 
gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2
 
</nowiki></pre>
 
</nowiki></pre>
 
 
Using a webbrowser to submit to Ubuntu key server:
 
Using a webbrowser to submit to Ubuntu key server:
 
 
* Export your key by doing <code><nowiki>gpg --export -a "Key-ID" > public.key</nowiki></code>
 
* Export your key by doing <code><nowiki>gpg --export -a "Key-ID" > public.key</nowiki></code>
 
* Copy the content of <code><nowiki>public.key</nowiki></code>:
 
* Copy the content of <code><nowiki>public.key</nowiki></code>:
第132行: 第103行:
 
* Paste the copied content in the box under the label, <code><nowiki>Submit a key</nowiki></code>
 
* Paste the copied content in the box under the label, <code><nowiki>Submit a key</nowiki></code>
 
* Click on <code><nowiki>Submit this key to the keyserver!</nowiki></code>
 
* Click on <code><nowiki>Submit this key to the keyserver!</nowiki></code>
 
 
=== Reading OpenPGP E-mail ===
 
=== Reading OpenPGP E-mail ===
 
 
OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does comes from you.
 
OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does comes from you.
 
 
The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email.
 
The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email.
 
 
We need your help to flesh out these instructions!
 
We need your help to flesh out these instructions!
 
Linux mail readers
 
Linux mail readers
 
Thunderbird
 
Thunderbird
 
 
You probably want [WWW] Enigmail, a Thunderbird add-on. On Ubuntu systems, you should just install the mozilla-thunderbird-enigmail package; I think this will install everything you need to get started with reading GPG signed and/or encrypted email. [BarryWarsaw 2007-04-04].
 
You probably want [WWW] Enigmail, a Thunderbird add-on. On Ubuntu systems, you should just install the mozilla-thunderbird-enigmail package; I think this will install everything you need to get started with reading GPG signed and/or encrypted email. [BarryWarsaw 2007-04-04].
 
Evolution
 
Evolution
 
 
Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.
 
Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.
 
 
Kmail/Kontact has built-in support.  See the [https://help.ubuntu.com/community/KMailGPGAgent Kmail] GPG page for details.
 
Kmail/Kontact has built-in support.  See the [https://help.ubuntu.com/community/KMailGPGAgent Kmail] GPG page for details.
 
 
Claws
 
Claws
 
Mac OS X mail readers
 
Mac OS X mail readers
 
Mail.app
 
Mail.app
 
 
[WWW] GPGMail from Sen:te is an excellent plugin for Apple's Mail.app mail reader. It has great support for reading GPG signed and/or encrypted email, assuming you already have GnuPG installed on your Mac (if not, the Sen:te pages can help you with that). The plugin is easy to install, easy to use, and seems very stable. I have only tried it with Mail.app on Mac OS X 10.4. [BarryWarsaw 2007-04-04]
 
[WWW] GPGMail from Sen:te is an excellent plugin for Apple's Mail.app mail reader. It has great support for reading GPG signed and/or encrypted email, assuming you already have GnuPG installed on your Mac (if not, the Sen:te pages can help you with that). The plugin is easy to install, easy to use, and seems very stable. I have only tried it with Mail.app on Mac OS X 10.4. [BarryWarsaw 2007-04-04]
 
Thunderbird
 
Thunderbird
 
 
You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04].
 
You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04].
 
Entourage
 
Entourage
第163行: 第124行:
 
Outlook Express
 
Outlook Express
 
Thunderbird
 
Thunderbird
 
 
You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04].
 
You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04].
 
Miscellaneous
 
Miscellaneous
 
Google mail (Gmail)
 
Google mail (Gmail)
 
 
Something like the [WWW] FireGPG Firefox plugin might do the trick.
 
Something like the [WWW] FireGPG Firefox plugin might do the trick.
 
 
(add yours here)  
 
(add yours here)  
 
 
 
=== Making an ASCII armored version of Public Key ===
 
=== Making an ASCII armored version of Public Key ===
 
 
There are several sites out there that also allow you to paste an ASCII armored version your public key to import it. This is the preferred method, because the key comes directly from the user - as opposed to fetching from a keyserver, where the key may be corrupted, or the keyserver unavailable. To create an ASCII armored version of your public key using GnuPG, use the following command:
 
There are several sites out there that also allow you to paste an ASCII armored version your public key to import it. This is the preferred method, because the key comes directly from the user - as opposed to fetching from a keyserver, where the key may be corrupted, or the keyserver unavailable. To create an ASCII armored version of your public key using GnuPG, use the following command:
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --export -a <Key-ID> > mykey.asc
 
gpg --export -a <Key-ID> > mykey.asc
 
</nowiki></pre>
 
</nowiki></pre>
 
 
or, using the above example  
 
or, using the above example  
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --export -a D8FC66D2 > mykey.asc
 
gpg --export -a D8FC66D2 > mykey.asc
 
</nowiki></pre>
 
</nowiki></pre>
 
 
 
=== Validation on Launchpad ===
 
=== Validation on Launchpad ===
 
 
You need to enter the GPG fingerprint at [[https://launchpad.net/~<username>/+editpgpkeys]].  To obtain it, type:
 
You need to enter the GPG fingerprint at [[https://launchpad.net/~<username>/+editpgpkeys]].  To obtain it, type:
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --fingerprint <key-id>  
 
gpg --fingerprint <key-id>  
 
</nowiki></pre>
 
</nowiki></pre>
 
 
or, using the above example:
 
or, using the above example:
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --fingerprint D8FC66D2
 
gpg --fingerprint D8FC66D2
 
</nowiki></pre>
 
</nowiki></pre>
 
 
which should output the   
 
which should output the   
 
 
<pre><nowiki>
 
<pre><nowiki>
 
public key/date of creation
 
public key/date of creation
第210行: 第154行:
 
sub private key/date of creation
 
sub private key/date of creation
 
</nowiki></pre>   
 
</nowiki></pre>   
 
 
Example from above
 
Example from above
 
 
<pre><nowiki>
 
<pre><nowiki>
 
pub  1024D/D8FC66D2 2005-09-08
 
pub  1024D/D8FC66D2 2005-09-08
第219行: 第161行:
 
sub  2048g/389AA63E 2005-09-08
 
sub  2048g/389AA63E 2005-09-08
 
</nowiki></pre>
 
</nowiki></pre>
 
 
Now copy this fingerprint (yours will be different) to the fingerprint field on launchpad.
 
Now copy this fingerprint (yours will be different) to the fingerprint field on launchpad.
 
 
Now click on the "Import" button.
 
Now click on the "Import" button.
 
 
This will generate an encrypted email from "Launchpad OpenPGP Key Confirmation <[email protected]>"
 
This will generate an encrypted email from "Launchpad OpenPGP Key Confirmation <[email protected]>"
 
 
If you are on gmail, using the FireGPG addon, simply scroll down and click "decrypt this mail". You will now see the decrypted message with a link and a token. Copy that URL:
 
If you are on gmail, using the FireGPG addon, simply scroll down and click "decrypt this mail". You will now see the decrypted message with a link and a token. Copy that URL:
 
 
https://beta.launchpad.net/token/somealphanumerictoken
 
https://beta.launchpad.net/token/somealphanumerictoken
 
 
Click on "Confirm". Please note that validation does take some time. If you run into an internal 500 server, simply try again with the same token.  
 
Click on "Confirm". Please note that validation does take some time. If you run into an internal 500 server, simply try again with the same token.  
 
 
A confirming page should appear once the validation is successfully completed.  
 
A confirming page should appear once the validation is successfully completed.  
 
 
 
 
== Getting your key signed ==
 
== Getting your key signed ==
 
The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person that uses a certain keypair, is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the ''Strongly connected set''. Information about it can be found at http://pgp.cs.uu.nl/
 
The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person that uses a certain keypair, is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the ''Strongly connected set''. Information about it can be found at http://pgp.cs.uu.nl/
 
 
In summary,  
 
In summary,  
 
* Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose
 
* Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose
第245行: 第176行:
 
* Sign the key of the person you've just met. Send him/her the key you've just signed.
 
* Sign the key of the person you've just met. Send him/her the key you've just signed.
 
* Update your keys on the keyserver, the signature you've just created will be uploaded.
 
* Update your keys on the keyserver, the signature you've just created will be uploaded.
 
 
=== Keysigning Guidelines ===
 
=== Keysigning Guidelines ===
 
Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:
 
Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:
 
+
# Keysigning is always done after meeting in person
* Keysigning is always done after meeting in person
+
# During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID '''with a photograph'''. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)
* During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID '''with a photograph'''. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)
+
# You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.
* You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.
+
# Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending him/her back his/her signed public key, encrypted with his public key. The caff program makes this part very easy. You need to create a file named <code><nowiki>.caffrc</nowiki></code> in your homedir (only once) with the following content:  
* Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending him/her back his/her signed public key, encrypted with his public key. The caff program makes this part very easy. You need to create a file named <code><nowiki>.caffrc</nowiki></code> in your homedir (only once) with the following content:  
+
 
<pre><nowiki>
 
<pre><nowiki>
 
$CONFIG{owner} = q{Your full name here};
 
$CONFIG{owner} = q{Your full name here};
第259行: 第188行:
 
<pre><nowiki>
 
<pre><nowiki>
 
caff key_id_of_other_persons_key</nowiki></pre>
 
caff key_id_of_other_persons_key</nowiki></pre>
* When you receive signed keys from others, you get them as attachment, save these attachments and import them with gpg. You can then send this signature to the keyservers so other people can know about it.  
+
# When you receive signed keys from others, you get them as attachment, save these attachments and import them with gpg. You can then send this signature to the keyservers so other people can know about it.  
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --import filename_of_saved_signature
 
gpg --import filename_of_saved_signature
 
gpg --send-keys $GPGKEY</nowiki></pre>
 
gpg --send-keys $GPGKEY</nowiki></pre>
 
 
== Signing Data ==
 
== Signing Data ==
 
Signing data is helpful in verifying if the data from a person is indeed from that person. A typical scenario is described below.
 
Signing data is helpful in verifying if the data from a person is indeed from that person. A typical scenario is described below.
 
 
=== Launchpad Key Signing ===
 
=== Launchpad Key Signing ===
 
 
When you've set up GnuPG and have a key in the strong set, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero. Signing is done in 3 easy steps:
 
When you've set up GnuPG and have a key in the strong set, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero. Signing is done in 3 easy steps:
* Download the code of conduct from https://launchpad.net/codeofconduct/1.0.1.
+
# Download the code of conduct from https://launchpad.net/codeofconduct/1.0.1.
* Run the command  
+
# Run the command  
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --clearsign UbuntuCodeofConduct-1.0.1.txt</nowiki></pre>
 
gpg --clearsign UbuntuCodeofConduct-1.0.1.txt</nowiki></pre>
* Upload the contents of Ubuntu``Codeof``Conduct-1.0.txt.asc on https://launchpad.net/codeofconduct/1.0.1/+sign
+
# Upload the contents of Ubuntu``Codeof``Conduct-1.0.txt.asc on https://launchpad.net/codeofconduct/1.0.1/+sign
 
+
 
'''OpenPGP Keys and Launchpad'''  You need to tell Launchpad about your OpenPGP key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT.
 
'''OpenPGP Keys and Launchpad'''  You need to tell Launchpad about your OpenPGP key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT.
 
 
Visit the OpenPGP Keys page once logged into Launchpad.  Paste your key fingerprint into the textbox:
 
Visit the OpenPGP Keys page once logged into Launchpad.  Paste your key fingerprint into the textbox:
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --fingerprint</nowiki></pre>
 
gpg --fingerprint</nowiki></pre>
 
 
Example:  the key fingerprint would be something like "95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2"
 
Example:  the key fingerprint would be something like "95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2"
 
 
Launchpad will send you and email which you will have to decrypt.  You can save the text to a file and run
 
Launchpad will send you and email which you will have to decrypt.  You can save the text to a file and run
 
 
<pre><nowiki>
 
<pre><nowiki>
 
gpg --decrypt file.txt</nowiki></pre>
 
gpg --decrypt file.txt</nowiki></pre>
 
 
You will need to enter your passphrase.
 
You will need to enter your passphrase.
 
 
The message will be displayed along with the link you must follow to confirm your key in Launchpad.
 
The message will be displayed along with the link you must follow to confirm your key in Launchpad.
 
 
Follow it, enter your Launchpad password as asked and you are done!
 
Follow it, enter your Launchpad password as asked and you are done!
 
 
=== Signing and Encrypting Emails ===
 
=== Signing and Encrypting Emails ===
 
This section addresses setting up your the Evolution, Thunderbird, and Kmail/Kontact mail clients to sign and encrpyt your emails. Other email clients may be added to this list later.
 
This section addresses setting up your the Evolution, Thunderbird, and Kmail/Kontact mail clients to sign and encrpyt your emails. Other email clients may be added to this list later.
 
 
==== Evolution ====
 
==== Evolution ====
 
 
* Open Evolution and go to <code><nowiki>Edit->Preferences</nowiki></code>.
 
* Open Evolution and go to <code><nowiki>Edit->Preferences</nowiki></code>.
 
* Choose your email account, click on it, and then click <code><nowiki>Edit</nowiki></code>.
 
* Choose your email account, click on it, and then click <code><nowiki>Edit</nowiki></code>.
第305行: 第220行:
 
* In the <code><nowiki>PGP/GPG Key ID</nowiki></code>: box, paste the <code><nowiki>KEY-ID</nowiki></code>.
 
* In the <code><nowiki>PGP/GPG Key ID</nowiki></code>: box, paste the <code><nowiki>KEY-ID</nowiki></code>.
 
* Click <code><nowiki>OK</nowiki></code>. Click <code><nowiki>Close</nowiki></code>.
 
* Click <code><nowiki>OK</nowiki></code>. Click <code><nowiki>Close</nowiki></code>.
 
 
If you want to use your key in any new email, simply click on the <code><nowiki>Security</nowiki></code> menu item in your new mail message, and then click on <code><nowiki>PGP Sign</nowiki></code>.
 
If you want to use your key in any new email, simply click on the <code><nowiki>Security</nowiki></code> menu item in your new mail message, and then click on <code><nowiki>PGP Sign</nowiki></code>.
 
 
==== Kmail/Kontact ====
 
==== Kmail/Kontact ====
 
 
See the [https://help.ubuntu.com/community/KMailGPGAgent Kmail] GPG page for details.
 
See the [https://help.ubuntu.com/community/KMailGPGAgent Kmail] GPG page for details.
 
 
==== Mozilla Thunderbird ====
 
==== Mozilla Thunderbird ====
 
 
Install the <code><nowiki>Enigmail plugin</nowiki></code> either by:
 
Install the <code><nowiki>Enigmail plugin</nowiki></code> either by:
 
<pre><nowiki>
 
<pre><nowiki>
第320行: 第230行:
 
or
 
or
 
by downloading the plugin from [http://enigmail.mozdev.org/ here] and install it manually.
 
by downloading the plugin from [http://enigmail.mozdev.org/ here] and install it manually.
 
 
Configure OpenPGP support in Thunderbird under: <code><nowiki>Enigmail->Preferences</nowiki></code> and add under <code><nowiki>GnuPG executable path</nowiki></code> the following path <code><nowiki>/usr/bin/gpg</nowiki></code>
 
Configure OpenPGP support in Thunderbird under: <code><nowiki>Enigmail->Preferences</nowiki></code> and add under <code><nowiki>GnuPG executable path</nowiki></code> the following path <code><nowiki>/usr/bin/gpg</nowiki></code>
 
 
==== Mutt ====
 
==== Mutt ====
 
 
Create a ~/.mutt directory and copy this file into it: /usr/share/doc/mutt/examples/gpg.rc
 
Create a ~/.mutt directory and copy this file into it: /usr/share/doc/mutt/examples/gpg.rc
 
 
Append this line to the muttrc configuration file.
 
Append this line to the muttrc configuration file.
 
<pre><nowiki>
 
<pre><nowiki>
第332行: 第238行:
 
</nowiki></pre>
 
</nowiki></pre>
 
If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in [http://ubuntuforums.org/showthread.php?t=522646 this post]
 
If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in [http://ubuntuforums.org/showthread.php?t=522646 this post]
 
 
 
 
== Tips and Tricks ==
 
== Tips and Tricks ==
 
 
*. Add your key to ''~/.bashrc'' by adding a line similiar to <code><nowiki>export GPGKEY=YOUR-KEY-ID</nowiki></code>
 
*. Add your key to ''~/.bashrc'' by adding a line similiar to <code><nowiki>export GPGKEY=YOUR-KEY-ID</nowiki></code>
 
*. gnupg-agent and pinentry-gtk2 are packages that facilitate not having to enter the password for your key every time you want to use it. Open the file <code><nowiki>~/.gnupg/gpg.conf</nowiki></code> in your favorite editor. Browse through it and change what you like. A few useful things to change are:
 
*. gnupg-agent and pinentry-gtk2 are packages that facilitate not having to enter the password for your key every time you want to use it. Open the file <code><nowiki>~/.gnupg/gpg.conf</nowiki></code> in your favorite editor. Browse through it and change what you like. A few useful things to change are:
**** keyserver-options auto-key-retrieve
+
* keyserver-options auto-key-retrieve
**** use-agent
+
* use-agent
 
The former makes gpg automatically retrieve gpg keys when verifying signatures. The latter makes you use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time.  It is also required for some programs (such a Kmail) to sign or encrypt messages).  Gnupg-agent and pinentry are in Main for Gutsy and automatically installed/configured in Kubuntu.
 
The former makes gpg automatically retrieve gpg keys when verifying signatures. The latter makes you use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time.  It is also required for some programs (such a Kmail) to sign or encrypt messages).  Gnupg-agent and pinentry are in Main for Gutsy and automatically installed/configured in Kubuntu.
 
 
Now create the file ~/.gnupg/gpg-agent.conf with the following content:
 
Now create the file ~/.gnupg/gpg-agent.conf with the following content:
 
<pre><nowiki>pinentry-program /usr/bin/pinentry-gtk-2
 
<pre><nowiki>pinentry-program /usr/bin/pinentry-gtk-2
 
default-cache-ttl 86400
 
default-cache-ttl 86400
 
max-cache-ttl 86400</nowiki></pre>
 
max-cache-ttl 86400</nowiki></pre>
 
 
This will make gpg-agent use pinentry-gtk2 and it will remember your password for 24 hours.  For Kubuntu, use pinentry-qt instead.
 
This will make gpg-agent use pinentry-gtk2 and it will remember your password for 24 hours.  For Kubuntu, use pinentry-qt instead.
 
 
=== GPG 2.0 ===
 
=== GPG 2.0 ===
 
 
GPG 2.0 is the new kid on the block. Now GPG 2.0 is aimed or done for the desktops rather than embedded or server which the previous version was for. The package needs to be installed & is in universe. Another difference is gpg 2.0 is now modular in nature. If you want to use gnupg2 with '''firepg''' firefox extension you better install gnupg2 first. Also consider using gpg2 for all the applications for which you were using gpg. While both of them can & do co-exist with each other its preferable to uninstall gpg before installing gpg2.
 
GPG 2.0 is the new kid on the block. Now GPG 2.0 is aimed or done for the desktops rather than embedded or server which the previous version was for. The package needs to be installed & is in universe. Another difference is gpg 2.0 is now modular in nature. If you want to use gnupg2 with '''firepg''' firefox extension you better install gnupg2 first. Also consider using gpg2 for all the applications for which you were using gpg. While both of them can & do co-exist with each other its preferable to uninstall gpg before installing gpg2.
 
 
Now if you are going to use gpg2 for the same purposes as outlined above then just need to add 2 to the gpg command for e.g.  
 
Now if you are going to use gpg2 for the same purposes as outlined above then just need to add 2 to the gpg command for e.g.  
 
 
<pre><nowiki>  
 
<pre><nowiki>  
 
gpg2 --gen-key
 
gpg2 --gen-key
 
</nowiki></pre>
 
</nowiki></pre>
 
 
== Related Articles ==
 
== Related Articles ==
 
* [[UbuntuHelp:GPGKeyOnUSBDrive]]
 
* [[UbuntuHelp:GPGKeyOnUSBDrive]]
 
* UnsignedGpgKey
 
* UnsignedGpgKey
 
* [[UbuntuHelp:GPGsigningforSSHHowTo]]
 
* [[UbuntuHelp:GPGsigningforSSHHowTo]]
 
 
 
 
== Resources ==
 
== Resources ==
 
* [http://www.gnupg.org/gph/en/manual.html GNUPG Manual]
 
* [http://www.gnupg.org/gph/en/manual.html GNUPG Manual]

2007年11月30日 (五) 17:28的版本

"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate." -GnuPG Manual

Topics Covered

The following topics will be covered by this article.

  • GnuPG, GPG, PGP and OpenPGP
  • Generating an OpenPGP key
  • Uploading key to keyserver
  • Keysigning
  • Signing Data
  • Configuring your mail clients to use GPG

GnuPG, GPG, PGP and OpenPGP

OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

  • OpenPGP is technically a proposed standard although it is widely used.
  • PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.
  • GnuPG is an abreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

PGP and GnuPG are computer programs that implement the OpenPGP standard. To find out more about those see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Generating an OpenPGP Key

The core package required to start using OpenPGP, gnupg, is installed by default on Ubuntu systems. A portable, standalone version with enhanced features is also available from source: version 2.0.6. It's a bit harder to configure. See The GPG site for more information. There are several programs which provide a graphical interface to the GnuPG system.

  • Enigmail, an OpenPGP plugin including key management for Mozilla Thunderbird. sudo apt-get install mozilla-thunderbird-enigmail
  • GNU Privacy Assistant (gpa) sudo apt-get install gpa
  • Seahorse sudo apt-get install seahorse
  • KGPG, for a KDE interface. sudo apt-get install kgpg

You can also generate keys using these programs and use the section below for recommendations.

Using GnuPG

 
gpg --gen-key

This will lead to a selection screen with the following options

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

The default choice (1) is preferred, since the others cannot be used for encryption.

What keysize do you want? (2048)

A keysize of 2048 (which is the default) is also a good choice.

Key is valid for? (0)

Most people make their keys valid until infinity, which is the default option. If you do this don't forget to revoke the key when you no longer use it (see later). Hit Y and proceed.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: Dennis Kaarsemaker
Email address: [email protected]
Comment: Tutorial key
You selected this USER-ID:
"Dennis Kaarsemaker (Tutorial key) <[email protected]>"

Make sure that the name on the key matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later. Type O to create your key.

You need a Passphrase to protect your secret key.

You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key. IMPORTANT - Forgetting your passphrase will result in your key being useless. Remember this passphrase carefully, there is no way to recover it when it's lost. After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similiar to the one below.

gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.
pub   1024D/D8FC66D2 2005-09-08
Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <[email protected]>
sub   2048g/389AA63E 2005-09-08

The key-id is D8FC66D2 (yours will be different). Tip: It's probably a good idea to set this key as default in your .bashrc, so that applications using GPG can automatically use your key. Do this by entering the line below in your ~/.bashrc. Please note that will be sourced only during your next session, unless you source it manually.

export GPGKEY=D8FC66D2

Now restart the gpg-agent and source your .bashrc again:

killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Revocation Certificate

A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. You can create a revocation certificate by doing

gpg --output revoke.asc --gen-revoke <KEY-ID>

The key may be printed and stored carefully preventing access to it. Anybody having access to your revocation certificate can render the public key useless.

Uploading the Key to Ubuntu keyserver

This section explains how to upload your key to a keyserver so that anyone can download it. When you have uploaded it to one keyserver, after a short time, all the keyservers will have it. You can help this process along by sending your key to several keyservers. Using GnuPG:

gpg --send-keys --keyserver keyserver.ubuntu.com <KEY-ID>

using the above example it would be

gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2

Using a webbrowser to submit to Ubuntu key server:

  • Export your key by doing gpg --export -a "Key-ID" > public.key
  • Copy the content of public.key:
  • Open http://keyserver.ubuntu.com:11371/ in a browser window.
  • Paste the copied content in the box under the label, Submit a key
  • Click on Submit this key to the keyserver!

Reading OpenPGP E-mail

OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does comes from you. The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email. We need your help to flesh out these instructions! Linux mail readers Thunderbird You probably want [WWW] Enigmail, a Thunderbird add-on. On Ubuntu systems, you should just install the mozilla-thunderbird-enigmail package; I think this will install everything you need to get started with reading GPG signed and/or encrypted email. [BarryWarsaw 2007-04-04]. Evolution Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts. Kmail/Kontact has built-in support. See the Kmail GPG page for details. Claws Mac OS X mail readers Mail.app [WWW] GPGMail from Sen:te is an excellent plugin for Apple's Mail.app mail reader. It has great support for reading GPG signed and/or encrypted email, assuming you already have GnuPG installed on your Mac (if not, the Sen:te pages can help you with that). The plugin is easy to install, easy to use, and seems very stable. I have only tried it with Mail.app on Mac OS X 10.4. [BarryWarsaw 2007-04-04] Thunderbird You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04]. Entourage Windows mail readers Outlook Outlook Express Thunderbird You probably want [WWW] Enigmail, a Thunderbird add-on. Although I have not tried it, you should just be able to install this plugin into your Thunderbird and be good to go. [BarryWarsaw 2007-04-04]. Miscellaneous Google mail (Gmail) Something like the [WWW] FireGPG Firefox plugin might do the trick. (add yours here)

Making an ASCII armored version of Public Key

There are several sites out there that also allow you to paste an ASCII armored version your public key to import it. This is the preferred method, because the key comes directly from the user - as opposed to fetching from a keyserver, where the key may be corrupted, or the keyserver unavailable. To create an ASCII armored version of your public key using GnuPG, use the following command:

gpg --export -a <Key-ID> > mykey.asc

or, using the above example

gpg --export -a D8FC66D2 > mykey.asc

Validation on Launchpad

You need to enter the GPG fingerprint at [<username>/+editpgpkeys ]. To obtain it, type:

gpg --fingerprint <key-id> 

or, using the above example:

gpg --fingerprint D8FC66D2

which should output the

public key/date of creation
key fingerprint = 10 blocks of 4 alphanumeric words
uid  comment with email addresss
sub private key/date of creation

Example from above

pub   1024D/D8FC66D2 2005-09-08
Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <[email protected]>
sub   2048g/389AA63E 2005-09-08

Now copy this fingerprint (yours will be different) to the fingerprint field on launchpad. Now click on the "Import" button. This will generate an encrypted email from "Launchpad OpenPGP Key Confirmation <[email protected]>" If you are on gmail, using the FireGPG addon, simply scroll down and click "decrypt this mail". You will now see the decrypted message with a link and a token. Copy that URL: https://beta.launchpad.net/token/somealphanumerictoken Click on "Confirm". Please note that validation does take some time. If you run into an internal 500 server, simply try again with the same token. A confirming page should appear once the validation is successfully completed.

Getting your key signed

The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person that uses a certain keypair, is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the Strongly connected set. Information about it can be found at http://pgp.cs.uu.nl/ In summary,

  • Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose
  • Arrange for a meeting. Bring at least one ID with photo and printed fingerprint of your OpenPGP key, ask the same from the person you will be meeting with.
  • Meet, verify your IDs and exchange OpenPGP key fingerprints
  • Sign the key of the person you've just met. Send him/her the key you've just signed.
  • Update your keys on the keyserver, the signature you've just created will be uploaded.

Keysigning Guidelines

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:

  1. Keysigning is always done after meeting in person
  2. During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID with a photograph. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)
  3. You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.
  4. Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending him/her back his/her signed public key, encrypted with his public key. The caff program makes this part very easy. You need to create a file named .caffrc in your homedir (only once) with the following content:
$CONFIG{owner} = q{Your full name here};
$CONFIG{email} = q{The emailaddress used in your key here};
$CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];
Now you can simply run the following command:
caff key_id_of_other_persons_key
  1. When you receive signed keys from others, you get them as attachment, save these attachments and import them with gpg. You can then send this signature to the keyservers so other people can know about it.
gpg --import filename_of_saved_signature
gpg --send-keys $GPGKEY

Signing Data

Signing data is helpful in verifying if the data from a person is indeed from that person. A typical scenario is described below.

Launchpad Key Signing

When you've set up GnuPG and have a key in the strong set, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero. Signing is done in 3 easy steps:

  1. Download the code of conduct from https://launchpad.net/codeofconduct/1.0.1.
  2. Run the command
gpg --clearsign UbuntuCodeofConduct-1.0.1.txt
  1. Upload the contents of Ubuntu``Codeof``Conduct-1.0.txt.asc on https://launchpad.net/codeofconduct/1.0.1/+sign

OpenPGP Keys and Launchpad You need to tell Launchpad about your OpenPGP key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT. Visit the OpenPGP Keys page once logged into Launchpad. Paste your key fingerprint into the textbox:

gpg --fingerprint

Example: the key fingerprint would be something like "95BD 8377 2644 DD4F 28B5 2C37 0F6E 4CA6 D8FC 66D2" Launchpad will send you and email which you will have to decrypt. You can save the text to a file and run

gpg --decrypt file.txt

You will need to enter your passphrase. The message will be displayed along with the link you must follow to confirm your key in Launchpad. Follow it, enter your Launchpad password as asked and you are done!

Signing and Encrypting Emails

This section addresses setting up your the Evolution, Thunderbird, and Kmail/Kontact mail clients to sign and encrpyt your emails. Other email clients may be added to this list later.

Evolution

  • Open Evolution and go to Edit->Preferences.
  • Choose your email account, click on it, and then click Edit.
  • Click on the security tab.
  • In the PGP/GPG Key ID: box, paste the KEY-ID.
  • Click OK. Click Close.

If you want to use your key in any new email, simply click on the Security menu item in your new mail message, and then click on PGP Sign.

Kmail/Kontact

See the Kmail GPG page for details.

Mozilla Thunderbird

Install the Enigmail plugin either by:

sudo apt-get install mozilla-thunderbird-enigmail

or by downloading the plugin from here and install it manually. Configure OpenPGP support in Thunderbird under: Enigmail->Preferences and add under GnuPG executable path the following path /usr/bin/gpg

Mutt

Create a ~/.mutt directory and copy this file into it: /usr/share/doc/mutt/examples/gpg.rc Append this line to the muttrc configuration file.

source ~/.mutt/gpg.rc                           # Use GPG

If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in this post

Tips and Tricks

  • . Add your key to ~/.bashrc by adding a line similiar to export GPGKEY=YOUR-KEY-ID
  • . gnupg-agent and pinentry-gtk2 are packages that facilitate not having to enter the password for your key every time you want to use it. Open the file ~/.gnupg/gpg.conf in your favorite editor. Browse through it and change what you like. A few useful things to change are:
  • keyserver-options auto-key-retrieve
  • use-agent

The former makes gpg automatically retrieve gpg keys when verifying signatures. The latter makes you use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time. It is also required for some programs (such a Kmail) to sign or encrypt messages). Gnupg-agent and pinentry are in Main for Gutsy and automatically installed/configured in Kubuntu. Now create the file ~/.gnupg/gpg-agent.conf with the following content:

pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400

This will make gpg-agent use pinentry-gtk2 and it will remember your password for 24 hours. For Kubuntu, use pinentry-qt instead.

GPG 2.0

GPG 2.0 is the new kid on the block. Now GPG 2.0 is aimed or done for the desktops rather than embedded or server which the previous version was for. The package needs to be installed & is in universe. Another difference is gpg 2.0 is now modular in nature. If you want to use gnupg2 with firepg firefox extension you better install gnupg2 first. Also consider using gpg2 for all the applications for which you were using gpg. While both of them can & do co-exist with each other its preferable to uninstall gpg before installing gpg2. Now if you are going to use gpg2 for the same purposes as outlined above then just need to add 2 to the gpg command for e.g.

 
gpg2 --gen-key

Related Articles

Resources