User Tools

Site Tools


documentation:gpg-keys

Make use the GPG keys

Introduction

This page is about theory of public-private key cryptography. And, additionally, gives you a more information about practical use of this method.

To make it more useful, a links for the specific software how-tos were placed at the end of this page.

Please read this page carefully if you're not familiar with public-private cryptography and signing. Knowing the base things are helpful to manage things in a practice.

Brief history

GPG is a reimplementation of the old well known PGP (Pretty Good Privacy). Both GPG and PGP are widely used at present day.

GPG (GnuPG) is a most common software used for this encryption scheme. GPG might be used for instant message communication, sms/mms, file encryption, mail …

Nowadays gpg is used for emails quite actively, and to make this easy MUA (mail clients) has a special support to handle pgp, or, at least has a plugin to do so.

Quick overview

Classically you're need a one key to encrypt data and the very same key to decrypt this data. The problem is you cannot send this key because others had the opportunity to obtain this key thus making this crypto scheme useless, because if somebody else is able to obtain this key your goal is failed.

To avoid this problem a new scheme was introduced. Instead of having one key let's use two keys:

  • Public key: used to spread across public channels and it's accessible for everyone
  • Private key: the actual secret (this part isn't accessible for everyone, instead it's a secret of this key owner)

This system is implemented to make conversion from public key to private impossible. Well, in this scheme the sender is encrypting a data with a receiver public key, and encrypted data might be ridden only with receiver private key.

NOTE: NEVER SEND YOUR PRIVATE KEY(S) OVER INTERNET AND KEEP IT PRIVATE.

Signing

Another problem is a way to check a data authenticity e.g. ability to check if a message was really sent by alleged sender. To mitigate this problem a concept of digital signature was proposed. If you have a senders public key and signature for a received data you are able to check this data authenticity.

Key servers

Everything has a weak point, the weak point of this cryptography scheme is the spreading of public keys. Some user could bring a false public key with someone's else ID. To prevent this each public key might be signed by other users, and public key might be published on the key server to spread it.

NOTE: always check a new public keys, if you're able to check the identity of the public key owner this is a best way to do so.

Used terms

Term Description
Public key A part of your key is freely accessible used for/to: check your signature, encrypt data for you
Private key A secret part of the key, used to: decrypt data, sign the data
Digital signature/signature  A data used to signature some other data (i.e. message), used to: check the data wasn't changed, check the data for it's authenticity
MUA MUA is a Mail User Agent e.g. mail client used to have a deal with emails

Why to use gpg?

It might be feel weird to use gpg for mail as example, since connections between MUA and server is secure and encrypted. Well, with the MUA your email is going with the following steps:

  • Transfers to the destination mail server (encrypted)
  • Stored on the destination mail server (not encrypted)
  • Fetched via receiver's MUA (encrypted)
  • Stored on the receiver's side (not encrypted)

Using the same server for secure messaging is a good idea (you may trust for the server), but it's not enough. Firstly it's limiting you to have a conversations with other part of the world, secondly it doesn't guarantee safety, because server might be accessible in a data centre.

Also, you should notice some mail servers (google mail is a good example) actually is reading mail messages for some purposes (any free (I meant free as a beer here) email service will do mail reading).

In order to get a truly secure conversations you must use gpg for this. GPG encrypted messages are stored on the server, but without private key nobody is able to read this message. Also, you kept a sent message encrypted and impossible to read either by you. Finally, it's better to avoid free email services such as google mail (if it's possible).

Askele mail service is going deeper with privacy and security and provide Crypto Mail Store (CrMS) feature.

First steps

First steps means the first operations required to start using gpg encryption scheme. Specific software information is provided later on this page. This is a “generic” description of actions to be made in order to make encryption, decryption and signing works.

Create your own key

The very first step is to create a key pair for your own. Usually you need to provide the following information:

  • Your real name
  • Your email
  • Passphrase

If you're planning to use gpg with email, provide email of the purpose. Passphrase is used to crypt your private key (passphrase will be required on each operation with cryptography), this part might be avoided, but we don't recommend to store private keys in a plain text (e.g. not encrypted).

Please note, you will be asked (via software) to provide expiration date for the new key-pair, we don't recommend to use pairs without expiration date, the optimal lifespan for the pair is 2 years.

Spread your public key to your recipients in order to make public-private scheme works with desired contacts.

Import other keys

The next step is to get your contacts public keys and import it.

Key servers

We'd recommend to publish your public key on public key servers.

Everyday use

Signing

MUA can sign your emails automatically, but if you're required to publish some data (files) it's recommended to sign it.

Encryption

For secure communications it's better to encrypt a message, MUA is doing this job for your emails (and attachments as well). But you're able to encrypt a data on your local storage to make it safe.

Software to use

There are a plenty of software, however there are most popular described:

documentation/gpg-keys.txt · Last modified: 2019/10/03 11:49 by derek