Installing GnuPG 1.0.1
GnuPG is a public key encryption program designed to replace PGP, which is
encumbered with patented algorithms like RSA and IDEA. It is GPL'd and also
conforms to the OpenPGP standard. There are many different reasons to use
encryption in everyday life, but a couple of major ones are how simple it is
to intercept or "spoof" email and the fact that an application like GnuPG can
be used to sign a document or file, proving that it came from the person who
signed it and that it hasn't been tampered with in transit.
There's quite a bit of information on the concept of public key cryptography
on the net, most of it written better than I could explain it, so I won't go
into more detail about what it is and what it can be used for. Instead, let's
move on to the installation and its basic use.
First we'll go to the GnuPG web site, www.gnupg.org, and download the source
code. At the web site we find that GnuPG 1.0.1 is the current version, and
while we're there, let's copy the MD5 checksum,
14ce577afd03d56cba5d8ee59b9580ed, so we can verify that the file we download
is in fact an unaltered, uncorrupted copy.
Now we download gnupg-1.0.1.tar.gz from ftp.gnupg.org with either the browser
or our favorite FTP client and save it as:
/tmp/gnupg-1.0.1.tar.gz
Next we run the command:
md5sum /tmp/gnupg-1.0.1.tar.gz
Hopefully the output will match the MD5 checksum we copied from the web site.
If not, stop right here; something is wrong...
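The "stop right here" rule above, as an added example that is not part of the original article: a small shell function that compares a file's MD5 with the checksum copied from the web site, and a wrapper that refuses to untar the archive unless the check passes. It assumes md5sum, cut, tr and tar are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): enforce the article's
# "if the md5sum output does not match, stop right here" rule in a script,
# before the tarball is ever unpacked.
# Assumes md5sum(1), cut(1), tr(1) and tar(1); the expected hash is the one
# copied from the project's web site, pasted in as a string.

# verify_md5 FILE EXPECTED_HEX
#   returns 0 when FILE's MD5 equals EXPECTED_HEX, 1 otherwise (or if unreadable)
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "verify_md5: cannot read $file" >&2
        return 1
    fi
    # md5sum prints "<hash>  <name>"; keep only the hash, lower-cased so a
    # checksum pasted in upper-case hex still compares equal
    actual=$(md5sum "$file" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_md5: MISMATCH for $file: got $actual, expected $expected" >&2
    return 1
}

# unpack_if_verified TARBALL EXPECTED_HEX DESTDIR
#   untars TARBALL into DESTDIR only after the checksum check passes
unpack_if_verified() {
    verify_md5 "$1" "$2" || return 1
    tar -xzf "$1" -C "$3"
}

# Usage as in the article (hash taken from the article; the file must already
# have been downloaded to /tmp):
#   unpack_if_verified /tmp/gnupg-1.0.1.tar.gz 14ce577afd03d56cba5d8ee59b9580ed /tmp
```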
Now let's get down to compiling and installing GnuPG. I'll use normal text
for commands and gpg output; my comments will be in italics. First we'll need
to un-tar the source.
cd /tmp
tar -xzf gnupg-1.0.1.tar.gz
This will create a /tmp/gnupg-1.0.1 directory, containing the GnuPG
source files.
cd gnupg-1.0.1
This puts us in the source's directory.
Many of you probably don't want to hear this, but you should read the
documents included with GnuPG. Using encryption wrong is pretty much the same
as not using it at all, possibly worse, because you have a false sense of
security. Now, if we read through the INSTALL doc we can see that basically
all the default settings are the way we want to go, so we won't pass any
options to the configure script. Let's compile it.
./configure
This should automatically configure the Makefile for your
system.
make -s
This should actually compile GnuPG from all the source files.
(Note: The -s switch suppresses all messages except errors, which is easier
to follow. Don't panic when you start to see errors or warnings like "gpg:
Warning: using insecure memory!". As bad as that sounds, it just means that
GnuPG is writing "tmp" files to the disk. Perhaps if you ran it in single
user mode and used a RAM disk for the tmp directory it wouldn't happen, but
I'm not worried enough to find out for sure.)
su
Switch to root so you can write the binary to a system directory
for use.
make install
This actually installs the GnuPG binary, which by default goes in
/usr/local/bin/gpg.
exit
This closes the root session we previously opened with the su
command.
Congratulations: if you received no errors besides the "gpg: Warning: using
insecure memory!", GnuPG is now installed. Now we can create our first set of
keys, one public key and one private. The public key should be widely
distributed so people can find it to send you messages and verify your
signature. The secret key needs to remain just that, SECRET. If anyone else
gets hold of your secret key the whole process becomes compromised: throw
away the keys and start over.
Now let's figure out what some of the commands are for GnuPG.
gpg -h | less
This lists all the command switches so we can see what can be done
with GnuPG.
(Note: if the "gpg" command returns a "command not found" error,
/usr/local/bin may not be in your "path". If you use the BASH shell, you
can add /usr/local/bin to the path entry in /etc/profile or run GnuPG as
/usr/local/bin/gpg.)
gpg --gen-key
This we see is the command to create a new GnuPG key set.
We'll see the following dialog:
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1
We'll select #1, which is the default key type.
DSA key-pair will have 1024 bits.
About to generate a new ELG-E key-pair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Do you really need such a large keysize? y
Requested keysize is 2048 bits
Here we decide what size keys to create. Bigger is better up to a
point. A 2048 bit key should be more than adequate for most
purposes.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Thu Feb 15 00:33:15 2001 EST
Is this correct (y/n)? y
Most people agree that all keys should expire at some point. This
way we don't end up with old "valid" keys floating around the net forever
if we happened to lose the corresponding secret key or have some other
unfortunate thing happen.
You need a User-ID to identify your key;
the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "
Real name: Here I. Am
Email address: hereiam@linuxfan.com
Comment: GNUs Not Unix
You selected this USER-ID:
"Here I. Am (GNUs Not Unix) <hereiam@linuxfan.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Here we set the user ID for the keys. Obviously you would change the
information for your own use; this is my example.
Enter passphrase:
This is where we protect our secret key with a password that only
you should know.
We need to generate a lot of random bytes. It is a good idea to
perform some other action (type on the keyboard, move the mouse,
utilize the disks) during the prime generation; this gives the random
number generator a better chance to gain enough entropy.
+ ++++.+++++.+++++.+++++++++++++++.+++++ ++++++++++.++++++++++++++++++
+ +++++++++++++++++++++.++++++++++++++++++ ++++++++++++.+++++++++++++++
> ++++++++++.......................... ...............................
.........<..+++++....+++++
This step makes the key more random and therefore more
secure.
public and secret key created and signed.
That's pretty self-explanatory.
Now let's check our key-ring and make sure the keys are
there.
gpg --list-keys
pub 1024D/B99B9864 2000-02-16 Here I. Am (GNUs Not Unix) <hereiam@linuxfan.com>
sub 2048g/xxxxxxxx 2000-02-16
Yup, there they are; we successfully created our first key pair. This also
automatically created a .gnupg directory in our home directory, containing
our key-rings. For added security, let's restrict who can view these files.
chmod -R 600 ~/.gnupg
This makes the key-ring files readable and writable only by their owner,
you.
chmod 700 ~/.gnupg
This allows only us to see inside the ~/.gnupg directory. We had to make the
directory itself executable, since a directory needs the execute bit before
anyone, including its owner, can enter it.
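The two chmod steps above, as an added example that is not part of the original article: a check that a GnuPG home directory really is private (directory 700, everything inside 600), and a repair function that applies the article's modes with the directory kept searchable by its owner. It assumes a POSIX shell with ls, cut and find, and takes the directory as a parameter instead of hard-wiring ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a GnuPG home
# directory is private before relying on it, and repair it with the article's
# modes (directory 700, files 600).
# Assumes a POSIX shell with ls(1), cut(1) and find(1); the directory to check
# is passed in rather than hard-wired to ~/.gnupg.

# gnupg_perms_ok DIR
#   returns 0 if DIR and everything beneath it have no group/other permission
#   bits set; otherwise prints each offending path with its mode string to
#   stderr and returns 1
gnupg_perms_ok() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "gnupg_perms_ok: $dir is not a directory" >&2
        return 1
    fi
    # find lists DIR itself first, then its contents; columns 5-10 of the
    # "ls -ld" mode string are the group and other rwx bits
    offenders=$(find "$dir" | while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -c1-10)
        go=$(printf '%s' "$mode" | cut -c5-10)
        [ "$go" = "------" ] || printf '%s %s\n' "$mode" "$path"
    done)
    if [ -n "$offenders" ]; then
        printf 'gnupg_perms_ok: group/other can reach:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# fix_gnupg_perms DIR
#   directories (DIR included) become 700 so their owner can still enter
#   them; every other entry (key-rings, trustdb, random seed) becomes 600
fix_gnupg_perms() {
    find "$1" -type d -exec chmod 700 '{}' \;
    find "$1" ! -type d -exec chmod 600 '{}' \;
}

# Usage: gnupg_perms_ok "$HOME/.gnupg" || fix_gnupg_perms "$HOME/.gnupg"
```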
Now to distribute our public key we'll need to extract it into an
ASCII text file so we can print or post it for others to use. This can be
accomplished with the following command.
gpg --export -a hereiam@linuxfan.com > gpgkey
This command will extract the public key to a file named
gpgkey.
(Note: You would insert your own key's ID instead of
hereiam@linuxfan.com.)
Now the file gpgkey can be emailed, used as an email signature, posted
to a website, or perhaps sent to a Public Key Server such as http://pgp5.ai.mit.edu so others may
use it to send us encrypted email or files.
When we ran "gpg -h | less" we noticed that there are many different
commands to use with GnuPG, probably more than can be easily remembered.
We can go to freshmeat.net and see if they have any helpful apps to make
GnuPG a little bit easier to use. A quick search of freshmeat shows a few
promising apps, like pgpgpg, which is a "wrapper" that accepts normal PGP
2.6.x commands and converts them to GnuPG's syntax. That could be helpful if
you already know how to use PGP from a command line. We also find apps like
TkPGP, a graphical interface to GnuPG, which could be more helpful still.
Choose one to your liking, download and install it. Now GnuPG will be easier
to use, and possibly used more often for that reason alone.
Copyright (c) 2000 by Matthew
Poor. This material may be distributed only subject to the terms and
conditions set forth in the Open Publication License, v1.0 or later (the
latest version is presently available at http://www.opencontent.org/openpub/).