[Leaplist] New to PGP security
John Simpson
jms1 at jms1.net
Fri May 11 17:35:22 EDT 2007
On 2007-05-08, at 1825, Patrick wrote:
>
> Installed Simply Mepis 6.5.
>
> ...
>
> Opened Mozilla Thunderbird, and, upon opening my account, was presented
> with the option to use PGP encryption, so, made a pass phrase, and there
> it is!
the key files are like your "digital identity". you should make sure
to back up your key files, and a revocation certificate for each key
just in case, in a VERY secure location- i have my keys on a floppy
(!), a small cd-r, and printed on paper, locked up in my safe. i also
carry them within an encrypted container on a USB memory stick.
if you're not familiar with how PGP/GPG works, or even if you are and
you feel like "brushing up your skills", this page is one of the best
explanations of the concepts and the mechanics (using gnupg) involved.
http://www.gnupg.org/gph/en/manual.html
in particular, you will need the following things:
- your "key id". run "gpg --list-keys" and find your key. the first
line relating to your key will start with "pub", that line contains
the key id. for example, the "key id" for the key i use every day is
3306FCFB.
    $ gpg --list-keys
    ...
    pub   1024D/3306FCFB 2002-02-27
    uid                  John Simpson <jms1 at jms1.net>
    uid                  [jpeg image of size 4420]
    uid                  John Simpson <jms1 at spamcop.net>
    sub   4096g/71CF8D66 2002-02-27
    ...
- once you have the key id, you can then export the private and
public keys into files.
    $ gpg -a --export 0x3306FCFB > 3306FCFB.pub.asc
    $ gpg -a --export-secret-keys 0x3306fcfb > 3306FCFB.sec.asc
- and if you haven't already generated a revocation certificate, you
should do this now.
    $ gpg --output 3306FCFB.rev.asc --gen-revoke 0x3306FCFB
these three files should be physically safeguarded at least as well
as you would guard your passport or other "identity documents".
note that the exported secret key file will still require your
passphrase in order to use it. some people may want to create a
backup of the secret key which does not require a passphrase. this is
possible, but you need to make very sure that the password-less
version of the key is never written to any physical media other than
your backup floppy. a "live CD" environment makes this pretty easy.
for those who are curious, changing the passphrase on a secret key
isn't listed in "gpg --help". this is an example of how it's done:
    $ gpg --edit-key 0x3306fcfb
    Secret key is available.
    pub  1024D/3306FCFB  created: 2002-02-27  expires: never
    ...
    Command> toggle
    sec  1024D/3306FCFB  created: 2002-02-27  expires: never
    ...
    Command> passwd
    ...
    Command> quit
    Save changes? (y/N) y
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> ...
one other thing- if the mail program gives you a choice between
"inline signature" and "S/MIME", you may want to go with S/MIME
(which is what i'm using on the message you're reading right now.)
seeing the extra block of garbage at the bottom of your message might
confuse some people, and if somebody hits "reply" and doesn't trim
those lines, it can confuse the software of anybody who tries to
verify your signature. the S/MIME standard moves the signature to a
separate MIME part of your message, which still allows interested
parties to verify the signature, but doesn't put the signature in
everybody's face.
of course, there are people who will always reply "i can't read your
attachment" (i seem to get one of these every three months or so.) my
response for these people is one or both of the following:
(1) it's a PGP digital signature, you obviously don't know and
probably don't care what that is, so don't worry about it.
(2) why are you so intent on opening unknown attachments in the first
place? don't you know that's one of the most popular ways for viruses
to propagate?
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1 at jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-4312730277175242198 |
----------------------------------------------------------------
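The backup procedure from the message above (export the public key, export the secret key, generate a revocation certificate, guard the three files), as an added example that is not code from the original message or from GnuPG itself. It goes one step further than the message and checks the part most people skip: that the backup can actually be restored into an empty keyring, and that the revocation certificate really revokes the key when imported. It assumes GnuPG 2.1 or later (for --quick-gen-key, the long key ids in --with-colons output, and the optional leading colon that newer versions put on revocation certificates). The throwaway key, its user id "Backup Demo <backup-demo@example.invalid>" and the temporary directories are constructed for the demonstration; the demo key has no passphrase so nothing prompts, whereas a real key will have gpg ask for its passphrase during the secret-key export and --gen-revoke steps.

```shell
#!/bin/sh
# Added example (not code from the original message): back up a GnuPG key
# the way the message describes (public key, secret key, revocation
# certificate), then prove the backup is usable by importing it into an
# empty keyring. Assumes GnuPG 2.1 or later. The throwaway key, its user
# id and the temporary directories are constructed for the demonstration.
set -eu

# Is a GnuPG new enough for the options used below (2.1+) on the PATH?
gpg_supported() {
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --version 2>/dev/null | head -n 1 | grep -Eq ' 2\.[1-9][0-9]*\.'
}

# make_demo_key GNUPGHOME: generate an unprotected throwaway key in the
# given (empty) home directory and print its long key id.
make_demo_key() {
    GNUPGHOME=$1; export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Backup Demo <backup-demo@example.invalid>' default default never
    gpg --batch --list-secret-keys --with-colons |
        awk -F: '$1 == "sec" { print $5; exit }'
}

# gpg_backup_key GNUPGHOME KEYID DESTDIR: write KEYID.pub.asc,
# KEYID.sec.asc and KEYID.rev.asc into DESTDIR, the three files the
# message says to keep.
gpg_backup_key() {
    GNUPGHOME=$1; export GNUPGHOME
    keyid=$2; dest=$3
    mkdir -p "$dest" && chmod 700 "$dest"
    gpg --batch --yes --armor --output "$dest/$keyid.pub.asc" --export "$keyid"
    gpg --batch --yes --armor --output "$dest/$keyid.sec.asc" --export-secret-keys "$keyid"
    # --gen-revoke refuses to run under --batch; feed its prompts through
    # --command-fd 0 instead: y (create), 0 (no reason specified),
    # an empty description line, y (confirm).
    printf 'y\n0\n\ny\n' |
        gpg --no-tty --yes --armor --command-fd 0 --status-fd 2 \
            --output "$dest/$keyid.rev.asc" --gen-revoke "$keyid"
    chmod 600 "$dest"/*.asc    # treat them like a passport, as the message says
}

# gpg_restore_check SCRATCHHOME DESTDIR KEYID: import the backup into an
# empty keyring, then import the revocation certificate and confirm it
# really revokes the key. Prints "restored revoked" when both succeed.
gpg_restore_check() {
    GNUPGHOME=$1; export GNUPGHOME
    dest=$2; keyid=$3; status=""
    gpg --batch --quiet --import "$dest/$keyid.pub.asc" "$dest/$keyid.sec.asc"
    if gpg --batch --list-secret-keys --with-colons |
        awk -F: -v id="$keyid" '$1 == "sec" && $5 == id { ok = 1 } END { exit !ok }'
    then status="restored"; fi
    # Newer GnuPG versions may put a colon in front of the armor header so
    # the certificate cannot be imported by accident; remove it to use it.
    sed 's/^:-----BEGIN/-----BEGIN/' "$dest/$keyid.rev.asc" | gpg --batch --quiet --import
    if gpg --batch --list-keys --with-colons |
        awk -F: -v id="$keyid" '$1 == "pub" && $5 == id && $2 == "r" { ok = 1 } END { exit !ok }'
    then status="$status revoked"; fi
    echo "$status"
}

# Run the whole round trip on a throwaway key and print the verdict.
demo_backup_and_restore() {
    gpg_supported || { echo "skipped: GnuPG 2.1 or later not found"; return 0; }
    home=$(mktemp -d); scratch=$(mktemp -d); backup=$(mktemp -d)
    keyid=$(make_demo_key "$home")
    echo "demo key id: $keyid" >&2
    ( gpg_backup_key "$home" "$keyid" "$backup" )
    result=$(gpg_restore_check "$scratch" "$backup" "$keyid")
    for d in "$home" "$scratch"; do
        GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$home" "$scratch" "$backup"
    echo "$result"
}

if [ "${1-}" = demo ]; then
    demo_backup_and_restore
fi
```

Run it as "sh backup-demo.sh demo"; it prints "restored revoked" when the exported files round-trip cleanly. For a real key, point gpg_backup_key at your own GNUPGHOME and key id and drop the demo-key step; keep the "restore into an empty keyring" check, since a backup that was never test-restored is not a backup. Note that GnuPG 2.1 and later also writes a revocation certificate automatically at key generation time (under openpgp-revocs.d in the GnuPG home directory), which is why the import step tolerates the leading colon.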