Original article by Maurizio Antonelli
In the previous article we presented some basic concepts of encryption and made some examples of symmetrical and asymmetrical keys, we concluded by saying that a good way to get a certificate with an asymmetric key is GnuPG.
GnuPG is open-source and multiplatform. It uses native command line in a shell or from MS-DOS prompt.
There are also graphical interface:
Let’s see some example of GnuPG from the command line.
Once you have installed the progeam, the first thing to do is create a digital certificate. The command is:
You will be asked some personal information: name, e-mail and comments. You can then enter in the certificate other e-mail, at this stage we limit ourselves only to our principal e-mail.
This option requires the key length desired, to have the best security is always good to put the length as much as possible.
You will be then prompted for a passphrase, a kind of password, which will be required each time you use the private key. This is an added safety feature, if our private key should fall into the hands of a third parties.
Regarding the choice of passphrase is always best to comply with the usual simple rules: avoid the possible word, mixing uppercase and lowercase letters and numbers and always give a passphrase of at least 8 characters.
We can then export or import the public keys of others or even our keys, and this is useful if you want to use certificates on multiple PCs or operating systems.
gpg --export -a key_name-or-contained_string
If we send the output in a file with “
> file_name.asc“ will’have the key in that file. The option
-a allow an export in ascii with 7 bit, otherwise you’ll have a binary file. GnuPG will recognize the key that you are requesting from a simple string contained in the email address or in the full name.
The keys, exported in a file can then be imported with:
gpg --import file_name
The withdrawal of a key is important if the private key has fallen into the hands of others and so the safety has been compromised.
So, simply create a revocation certificate immediately, and store it in a safe place for a case of need.
here you can also redirect the certificate to a file. If the private key is no longer used (because they have compromised the security or for any other reason), the revocation certificate will be the guarantee of the validity has lapsed. Remember, after the withdrawal of a key, to send the revocation certificate to the different keyserver where the key had been registered.
Because to create a revocation certificate a private key is required, and because this may be lost, as mentioned above is a good idea to make the withdrawal certificate immediately.
The keys imported, including its own, can be administered to add new addresses, remove addresses and many other modifications and / or corrections.
gpg --edit-key key_name-or_contained_string
You’ll be prompted for commands; with
help you’ll get the list of all available commands for managing the keys.
Sign a public key
When you import a public key from someone, this will be included in our archive, a kind of virtual key ring. This is where the mail client will verify the digitally signed message. If the public key stored in our archive verify correctly the message, the client will say that the digital signature is correct.
But we must tell to the client that the public key really belongs to the person who sent the e-mail. After being assured by person or with full security of the identity of the owner of that key, we can sign her public key as “verified”. By signing the key we tell GnuPG that the public key is trusted.
Example of public key not verified in Mozilla
Example of public key verified in Mozilla
Here’s how Mozilla Thunderbird reports e-mail digitally signed. In the first case, the e-mail address is stated correctly signed, but there are no guarantees about who the real owner of the certificate used. In the second case, however, the signature is verified by a signed public key.
Another feature of GnuPG makes it possible to digitally sign a file (a document, photo, etc.)..
gpg --sign -b -a file_name
This command will generate a digital signature file with your private key. You will get a file with another extension .asc (.sig without the -a option that exports the signature file in ASCII).
To verify the signature, when you have the public key for the private who has signed:
gpg --verify file_name.asc (.sig)
As a final point you can use GnuPG for the encryption of files.
gpg -e nome_file
This encrypts the file with the public key that is specified at the next question after the launch of the command. You will get a file with another extension (.gpg) that is absolutely not readable, without the decryption.
To decrypt the file, when you have the private key of the public key that has encrypted:
gpg -d nome_file.gpg > nome_file
We thus have a tool to encrypt our sensitive files, such as those containing our codes and our password.
Thanks to Maurizio for the permission of republish this nice article about Gnupg and encryption of email.