With as much going on these days to screw with our privacy, it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private, so what is the point? I’m not doing anything “private” either; it’s simply a matter of it not being anyone else’s business.

I have for some time now been interested in digitally signing my emails. And if you’ve seen me pop up on a mailing list or got any emails from me in the last few days, you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email that arrived in your inbox are the same contents that left mine, therefore maintaining integrity. If even *one* character changed, the signature would not validate and you could tell the email or signature had been tampered with.

I have also started signing and encrypting emails to others who also have a PGP key pair that I have personally trust-signed. I’ll talk about the trust signing later, but I wanted to share a few steps and some other references on how you can generate your own key and also be able to sign and/or encrypt emails or files.

The GUI Front-End

There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on gnome or kgpg on KDE. You can also use the command line equivalent on either system, which will be standard between the two. (note: there are also solutions for OS X and Windows, but I won’t get into those.)

First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.

(for gnome)

sudo aptitude install seahorse

or

sudo aptitude install gpa

or (for kde)

sudo aptitude install kgpg

Creating The Key

Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.

Applications > Accessories > Passwords and Encryption Keys

Select “Key” from the File menu and “Create New Key” (Ctrl-N)

This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.

The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.

You may want to select the “Advanced key options” button and set a higher key strength. The default type, DSA Elgamal at 2048, is a very powerful key strength, but it does support up to 4096 as well. Personally I left it at the default of 2048 as this is plenty powerful in itself.

You can also optionally select a date that this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc) you can safely set it to not-expire.

When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid passphrase of more than a dozen characters to make this even more solid. Your digital signature and key are only as strong as their weakest link, which is the passphrase. If someone gets hold of your passphrase they can make use of your private key, decrypt emails sent to you or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!

Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it processes a new key. Just be patient.

You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.

Using the Key

For those of you who want to get started right away signing emails, you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one in Enigmail. You can find it on the Mozilla add-ons site or via the Ubuntu repositories.

Evolution has PGP support built in, which is also very good. You can find this under Edit > Preferences, where you should select the email account and then go to Edit > Security. Here you should enter the PGP key ID and check all boxes under the PGP header, except “Do not sign meeting requests”.

Now, this tutorial is getting a bit long, so I’ll have to expand on this next time and explain extending your key with your alternate email addresses, keysigning parties, etc.

Until then I hope this helped a little bit.

Two major things to remember before you run off and start playing around: remember your passphrase and back up your private key!!

Your public and private keys are found in ~/.gnupg/. I suggest backing up this entire folder to an external USB drive. If you lose your private key the whole pair is useless. Even if you still have the public key and the passphrase, they are no use without the private key, which is the most critical part of the process.
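The command-line equivalent of the seahorse steps above, tying together key creation, the signing and verification described at the top of the post, and the ~/.gnupg backup. This is an added example written for this page, not a script from the original post; the name, email address, passphrase and message are constructed, and GnuPG 2.x is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: the GnuPG 2.x command-line
# equivalent of the seahorse steps (create key, sign, verify, back up).
# Name, email, passphrase and message text are constructed for the demo.

# Run gpg unattended: --pinentry-mode loopback lets --passphrase replace the
# dialog seahorse would show. $PASS is set by demo() before gpgb is used.
gpgb() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"
}

# Returns 0 for a valid detached signature, non-zero for a bad or missing one
verify_file() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Whole round trip in a throwaway keyring; returns 0 only if every check holds
demo() {
    PASS='correct horse battery staple (constructed)'   # use your own, > 12 chars
    GNUPGHOME=$(mktemp -d) || return 1                   # never touches ~/.gnupg
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    rc=1
    # 1. Create the key pair: default algorithm and size, expiry "never"
    if gpgb --quick-gen-key 'Jane Doe <jane@example.com>' default default never; then
        msg="$GNUPGHOME/message.txt"
        printf 'Meet at noon.\n' > "$msg"
        # 2. Detached signature, the kind that arrives as an email attachment
        gpgb --detach-sign --output "$msg.sig" "$msg"
        # 3. Intact file verifies; the same signature fails after one character changes
        if verify_file "$msg"; then
            printf 'Meet at moon.\n' > "$msg"
            if ! verify_file "$msg"; then
                # 4. Back up the private key (armored export of the whole secret key)
                gpgb --export-secret-keys --armor jane@example.com > "$GNUPGHOME/backup.asc"
                grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$GNUPGHOME/backup.asc" && rc=0
            fi
        fi
    fi
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return $rc
}
if demo; then
    echo "key created, signature valid on original, rejected after tampering, backup written"
else
    echo "demo failed (is GnuPG 2.x installed?)"
fi
```

In real use keep the passphrase out of the script and let gpg prompt for it; the loopback form is only there so the round trip runs unattended.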