The key generation process is fairly involved, but you only have to do it one time. To begin the key generation process, type the command:
pgpk -gAt this point, if you have never used PGP before, you will see something like this:
Cannot open configuration file /home/username/.pgp/pgp.cfg Choose the type of your public key: 1) DSS/Diffie-Hellman - New algorithm for 5.0 (default) 2) RSA Choose 1 or 2: _This first question is prompting you for the type of encryption you want to use. If you want to use keys that are backward compatible with PGP 2.6, then you may select RSA - but if you use RSA keys, then you may have to obtain a commercial license for PGP. Most people will want to use the default.
If you took the default, the next question will look like this:
Pick your public/private keypair key size: (Sizes are Diffie-Hellman/DSS; Read the user's guide for more information) 1) 768/768 bits- Commercial grade, probably not currently breakable 2) 1024/1024 bits- High commercial grade, secure for many years 3) 2048/1024 bits- "Military" grade, secure for forseeable future(default) 4) 3072/1024 bits- Archival grade, slow, highest security Choose 1, 2, 3 or 4, or enter desired number of Diffie-Hellman bits (768 - 4096): _This question is asking you how large you want your key to be. The larger your key is, the more secure it is - but the longer it will take for PGP to generate your keys, and to encrypt and decrypt messages. If you intend to use PGP for keeping important secrets (for example, corporate trade secrets, or military secrets), then you should use the largest key size. If your security needs are more modest, then the default value should be sufficient. We would not recommend using anything smaller than the default size, even with a slow computer.
Next, you will be asked for your user ID:
(Producing a 1024 bit DSS and a 2048 bit Diffie-Hellman key) You need a user ID for your public key. The desired form for this user ID is your FULL name, followed by your E-mail address enclosed in <angle brackets>, if you have an E-mail address. For example: Joe Smith <firstname.lastname@example.org> If you violate this standard, you will lose much of the benefits of PGP 5.0's keyserver and email integration. Enter a user ID for your public key: _Most people will want to use their real name and e-mail address to answer this question. Of course, if you wish to use an alias for some reason, then you may use that instead.
After answering this question, you will see something like this:
Enter the validity period of your key in days from 0 - 999 0 is forever (and the default): _With PGP, you have the ability to set expiration dates on your key pair. This means that people are expected to stop using your public key after a certain period of time, presumably because you are going to make a larger (more secure) one as computers become faster. Unless you have special needs, the default value (your key will never expire) should be fine.
Finally, you will be asked to select a passphrase:
You need a pass phrase to protect your private key(s). Your pass phrase can be any sentence or phrase and may have many words, spaces, punctuation, or any other printable characters. Enter pass phrase: _Because the secret key must be protected at all times, PGP does not store it in a readable form. Instead, it encrypts the secret key, using your passphrase as the key. Every time you use PGP to decrypt a message that was sent to you, or to digitally sign a message that you send, you will have to type your passphrase.
After typing your passphrase twice (to confirm it), you will see something like this:
******* .................................******* .At this point, PGP is using random numbers to create a secret key and a public key. The Linux kernel continually looks at your computer and, based on how you use it, collects various numbers which cannot be predicted. So, if this step is taking a considerable length of time (which will be the case with the larger key sizes), you should go do other tasks while it works. The more you do with your computer, the sooner the key generation will finish.
Finally, you should see something like this:
Keypair created successfully. If you wish to send this new key to a server, enter the URL of the server, below. If not, enter nothing. _You do not need to send your key to a server just yet; we will discuss public key servers later. Just press the Enter key.
Now, the key generation is finished. If you wish, you can look around to see what PGP has done. (The rest of this section will contain simple exercises to help you learn how to use the software. If you already know how to use PGP, you can skip ahead.)
In your home directory, there should be a subdirectory called .pgp. This contains all of the files that GPG uses, including your secret key and your public key(s):
$ ls -la ~/.pgp total 7 drwx------ 2 username users 1024 Sep 30 09:34 . drwxr-xr-x 5 username staff 1024 Sep 28 22:11 .. -rw------- 1 username users 0 Sep 30 09:32 pubring.bak -rw------- 1 username users 1144 Sep 30 09:34 pubring.pkr -rw------- 1 username users 512 Sep 30 09:35 randseed.bin -rw------- 1 username users 0 Sep 30 09:32 secring.bak -rw------- 1 username users 1242 Sep 30 09:35 secring.skrThe file pubring.pkr is your public key ring. Right now, this file only contains your public key; but later you will probably put other people's public keys in it, so that you can encrypt messages to them and verify their digital signatures. The file secring.skr is your secret key ring. Normally this will contain only the secret key that you just created; but if for some reason you have more than one key pair, this file will contain all of your secret keys. The randseed.bin file contains some numbers used internally by PGP's random number generator; you don't need to worry about this file.
There are also some basic commands you can use to learn more about how PGP works. For example, to show the contents of your public key ring, you can use this command:
pgpk -lThis should show you something like this:
Cannot open configuration file /home/username/.pgp/pgp.cfg Type Bits KeyID Created Expires Algorithm Use sec+ 1024 0x92EB359E 1999-09-30 ---------- DSS Sign & Encrypt sub 2048 0xE0F2F8C0 1999-09-30 ---------- Diffie-Hellman uid John Q. Smith <email@example.com> 1 matching key foundIf you want to see your secret key ring, you can use the command:
pgpk -cThis will show you something like this:
Cannot open configuration file /home/username/.pgp/pgp.cfg Type Bits KeyID Created Expires Algorithm Use sec+ 1024 0x92EB359E 1999-09-30 ---------- DSS Sign & Encrypt sub 2048 0xE0F2F8C0 1999-09-30 ---------- Diffie-Hellman uid John Q. Smith <firstname.lastname@example.org> SIG! 0x92EB359E 1999-09-30 John Q. Smith <email@example.com> KeyID Trust Validity User ID * 0x92EB359E ultimate complete John Q. Smith <firstname.lastname@example.org> John Q. Smith <email@example.com>Now you are ready to start signing and encrypting messages. It's helpful to practice this on your computer before you actually start using it with your e-mail messages. So, let's start by creating a simple message. Using your favorite text editor, go ahead and create a file called message. It can contain anything you want. For example,
$ cat message This is a secret message. I am using it to learn PGP.Now, suppose you want to put your digital signature on this message. You can do that with this command:
$ pgps -a -t message Cannot open configuration file /home/username/.pgp/pgp.cfg A private key is required to make a signature. Need a pass phrase to decrypt private key: 1024 bits, Key ID 92EB359E, Created 1999-09-30 "John Q. Smith <firstname.lastname@example.org>" Enter pass phrase: _The -a and -t options make an output file which contains only printable characters. This is called ''ASCII armored''. This is useful, because this type of file can be sent in an e-mail message. Later, when you use PGP with your mail program, your mail program will automatically use these options.
After doing this, you should have a file called message.asc, which is your message plus your digital signature. It looks something like this:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a secret message. I am using it to learn PGP. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQA/AwUBN/N3EjSOJpKS6zWeEQJJGACgrGkSl3UT+HuZOqMSCg7NoPKX7a8An23+ eQSuJLcVww/cr1W6ZwsHbGls =R074 -----END PGP SIGNATURE-----As you can see, your message is still there, clearly readable. You haven't encrypted it yet - you've only signed it. Now, you can verify your digital signature to make sure it worked:
$ pgpv -f message.asc Cannot open configuration file /home/username/.pgp/pgp.cfg Opening file "stdout" type text. This is a secret message. I am using it to learn PGP. Good signature made 1999-09-30 14:43 GMT by key: 1024 bits, Key ID 92EB359E, Created 1999-09-30 "John Q. Smith <email@example.com>"If you want to see how digital signatures protect you, go ahead and change the file message.asc with a text editor. You can change either the message at the top, or the signature at the bottom. In either case, when you try to verify the signature, you'll see that it is not valid any more:
BAD signature made 1999-09-30 14:43 GMT by key: 1024 bits, Key ID 92EB359E, Created 1999-09-30 "John Q. Smith <firstname.lastname@example.org>"Side note: if you do not want PGP to print the message when you are verifying the digital signature, you can use the command:
pgpv -f message.asc >/dev/nullThis may be useful with larger messages.
As you can see now, the digital signature depends on the message which is being signed, and on the secret key used to sign it. You can't just copy a digital signature from one message and put it on a different message - it won't be valid any more. This is what makes digital signatures so powerful and useful.
Now, you can practice encrypting and decrypting a message. We'll use the same message file that we used when we were practicing digital signatures. To encrypt a message, use the command:
$ pgpe -a message -r smith Cannot open configuration file /home/username/.pgp/pgp.cfg 1024 bits, Key ID 92EB359E, Created 1999-09-30 "John Q. Smith <email@example.com>" File "message.asc" already exists. Overwrite? [y/N] y Creating output file message.ascAs before, this command created a file called message.asc. But now, if we look at this file, we see something like this:
-----BEGIN PGP MESSAGE----- Version: PGPfreeware 5.0i for non-commercial use MessageID: i4gLvbL/hL3MrvKviNnoAZA6JJIi1LO2 qANQR1DBwU4DHMKJduDy+MAQB/4iXaEP9KEvfrSjiAMKWVmWf2d5VY10wvDKHs4b lxChcCB86LsFJSO3s2NdEt0/1muG18jrVJE43lI2CfaWa6HZJcBnVKq0xtMyqQcd P553CLr1HOJfknP03rJq3QNOWkPDlrrsOhZqr1/kcU3/Zz+ZeBgPnQgvGA++wZeh Iu2vgKSCNAE9njU7UmsRFRGY/40+xq0IoEUs8x8ZibQUuxDeP3bHUqiQJocoP51/ 3GLUN8ncW6Zp8Ase1r7DK8qw1gohZKnsl7isUU5whf4rhV4Fo9Yt9W/tqOoVZuWD sJsojhAuWtw3AZvaDiWEIaAXMIp5vWXrWBGPQGHZ/JIvxHAVCADu1Zmgx+jXHGmt ZQo3VS9ILNZgD2QRWy6Emm3BvIm/qaGheiXkQ9X6+cXjRW/lhnh/Ynu314zsiY8Q vxA2Vxmc56Tj3ovMXiHezNHKNsp7XSbddcTp+o0s6HDvtHvQE9iNrVVb7m0YqRRu H6KsE1zibV8+m4iE9I2jy0MnD5eGLAlAkcbS9D8+Dx/0xw9q+/SFSODtYLXRgJzO 5CDBwuTLvLkqQ3iHfFYmcOx+BLvaEh4FtuqnRQBoWUBKd+I8c408sDdxUlvs/pGZ yQU4cJYxEPv4gGoKLiAIQUPFFxjI2bVDU8MEuMr10YAHgETlTWyGEqmRHtiAEqCk k8Y8v+wbyU2kLGOlvxfUSmtTraz8c8l0/130pHxpIgTGeiRrOP4aQKmoM2lsHZhI cX+ZscUu4AZqlIEG2GiEqtng8d7Rd2dC5uWOFLHk7AMpjYd3ig== =XHJH -----END PGP MESSAGE-----As you can see, the original message is no longer readable. It has been encrypted into this message, which looks random but isn't. The only way to read the message is to decrypt it, which requires the correct secret key.
There are two other things you may have noticed above. First, when we were encrypting the message, we had to specify a user ID. This is so that PGP knows which public key to use for encrypting the message. Right now, you only have one public key - your own. But later, you will probably have several public keys, and you will not normally encrypt messages to yourself (although you can, if you wish). So PGP has to be told which user(s) should be able to read the message.
Second, you were not prompted for your passphrase. This is because the process of encryption only uses public keys, not your secret key. However, you will need your secret key (and therefore your passphrase) to decrypt the message:
$ pgpv -f message.asc Cannot open configuration file /home/username/.pgp/pgp.cfg Message is encrypted. Need a pass phrase to decrypt private key: 2048 bits, Key ID E0F2F8C0, Created 1999-09-30 Enter pass phrase: _ After typing your passphrase, you will see the message: Pass phrase is good. Opening file "stdout" type binary. This is a secret message. I am using it to learn PGP.If you have lost your secret key, or if you have forgotten your passphrase, you will not be able to read the message. If you type the wrong passphrase four times in a row, for example, you will see something like this:
Error: Bad pass phrase. Cannot decrypt message. It can only be decrypted by: 2048 bits, Key ID E0F2F8C0, Created 1999-09-30