Saturday night the Ubuntu Utah Team had a great presentation on Privacy and Encryption. One very important topic and another very interesting topic. With as much as is going on these days to screw with our privacy (NSA) it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private, so what is the point? I’m not doing anything “private” either, but honestly if I really wanted to talk to the NSA I’d send my emails directly to them. I’m not doing things that *need* to be hidden; it’s simply a matter of it not being any of their business.
I have for some time now been digitally signing my emails. If you’ve seen me pop up on a mailing list or got any emails from me you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email that arrived in your inbox are the same contents that left mine. If even *one* character changed, the signature would not validate and you could tell the email or signature had been tampered with.
I have also started signing and *encrypting* emails to others who also have a PGP key pair that I have personally trust-signed. We’ll get into trust signing later, but I wanted to share a few steps and some other references on how you can generate your own key and also be able to sign and / or encrypt emails or files.
The GUI Front-End
There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on GNOME or kgpg on KDE. You can also use the command-line GnuPG tools on either system, which are the same on both. (Note: there are also solutions for OS X and Windows, but I won’t get into those.)
First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.
sudo aptitude install seahorse (gnome)
sudo aptitude install gpa (gnome)
sudo aptitude install kgpg (kde)
Creating The Key
Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.
Applications > Accessories > Passwords and Encryption Keys
Select “Key” from the menu bar and then “Create New Key” (Ctrl-N)
This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.
The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.
You may want to select the “Advanced key options” button and set a higher key strength. The default type, DSA Elgamal at 2048 bits, is a very strong key, but it supports up to 4096 bits as well. Personally I chose 4096 but, again, the default 2048 is plenty strong in itself.
You can also optionally select a date on which this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc.) you can safely set it to never expire.
When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid, more-than-a-dozen-character passphrase to make this even more solid. Your digital signature and key are only as strong as their weakest link, which is the passphrase. If someone gets hold of your passphrase they can make use of your private key, decrypt emails sent to you, or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!
Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it generates the new key. Just be patient.
You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.
Using the Key
For those of you who want to get started right away signing emails, you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one in Enigmail (actually the #1 reason I use Thunderbird as my client). You can find it on the Mozilla add-ons site or in the Ubuntu repositories.
Evolution has PGP support built in, but it is not as flexible (or at least I haven’t figured it out). You can find this in the Privacy tab of your mail account settings.
Now this tutorial is getting a bit long, so I’ll have to continue it next time and explain extending your key with your alternate email addresses, keysigning parties, etc.
Until then I hope this helped a little bit.
Two major things to remember before you run off and start playing around: remember your passphrase and back up your private key!
Your public and private keys are found in ~/.gnupg/ . I suggest backing up this entire folder to an external USB drive. If you lose your private key the whole pair is useless; even if you still have the public key and the passphrase, the private key is the most critical part of the process.
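As an added example (this is not code from the original post), here is the command-line GnuPG equivalent of the seahorse steps in “Creating The Key”, followed by the signing, one-character tamper check, encryption and private-key backup that the later sections describe. It runs inside a throwaway keyring so your real ~/.gnupg is never touched. It assumes GnuPG 2.x; the identity, passphrase and message text are constructed, and the helper names (gpg_batch, create_key, sign_file, verify_file, encrypt_file, decrypt_file, backup_and_check, demo) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Command-line equivalent of the
# seahorse steps, run in a throwaway keyring so the real ~/.gnupg is untouched.
# Requires GnuPG 2.x. Identity, passphrase and message text below are constructed.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
# Lets --passphrase be supplied non-interactively (older 2.1 agents need this opt-in).
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

DEMO_UID="Demo User <demo@example.invalid>"             # constructed identity
DEMO_PASS="a passphrase longer than a dozen characters" # constructed passphrase

# Wrapper supplying the passphrase for private-key operations (generate, sign, decrypt).
gpg_batch() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"
}

# "Create New Key": default algorithm, signing + encryption, no expiry.
# Prints the fingerprint of the new primary key.
create_key() {
  gpg_batch --quick-generate-key "$DEMO_UID" default default never
  gpg --batch --with-colons --list-keys "$DEMO_UID" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Clear-sign a text file, the inline form a signed mail carries ($1=input, $2=output).
sign_file() {
  gpg_batch --local-user "$DEMO_UID" --clearsign --output "$2" "$1"
}

# Verify a clear-signed file; prints GOOD or BAD so the result is easy to act on.
verify_file() {
  if gpg --batch --quiet --verify "$1" 2>/dev/null; then echo GOOD; else echo BAD; fi
}

# Encrypt to a recipient's public key ($1=input, $2=output); only the private key decrypts it.
encrypt_file() {
  gpg --batch --quiet --encrypt --recipient "$DEMO_UID" --output "$2" "$1"
}
decrypt_file() {
  gpg_batch --decrypt "$1" 2>/dev/null
}

# Portable backup of the secret key (ASCII-armoured, still passphrase-protected) to $1,
# then prove it restores by importing it into a second, empty keyring.
backup_and_check() {
  gpg_batch --armor --export-secret-keys "$DEMO_UID" > "$1"
  restore_home="$(mktemp -d)"
  chmod 700 "$restore_home"
  (
    export GNUPGHOME="$restore_home"
    printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
    gpg_batch --import "$1"
    gpg --batch --with-colons --list-secret-keys | grep -q '^sec:'
    gpgconf --kill gpg-agent
  )
}

# End-to-end walk-through: sign, verify, flip one character, verify again, encrypt, back up.
demo() {
  work="$(mktemp -d)"
  printf 'Pay the invoice: amount 100 USD\n' > "$work/msg.txt"   # constructed message
  echo "fingerprint: $(create_key)"
  sign_file "$work/msg.txt" "$work/msg.asc"
  echo "original signed text verifies: $(verify_file "$work/msg.asc")"
  sed 's/amount 100/amount 900/' "$work/msg.asc" > "$work/tampered.asc"
  echo "one digit changed, verifies:   $(verify_file "$work/tampered.asc")"
  encrypt_file "$work/msg.txt" "$work/msg.gpg"
  echo "decrypted: $(decrypt_file "$work/msg.gpg")"
  backup_and_check "$work/secret-key-backup.asc" && echo "backup restores into a fresh keyring: yes"
  gpgconf --kill gpg-agent
}

# Run the walk-through only when asked, so the functions can also be sourced or tested.
if [ "${1:-}" = "run" ]; then demo; fi
```

Save it as gpg-demo.sh and run `sh gpg-demo.sh run`. The tampered copy changes a single digit in the signed text, which is exactly the one-character case described above: the file still parses as a signed message, but the signature no longer validates. The armoured secret-key export remains protected by the passphrase, so the backup file is only useful together with it; copying the whole ~/.gnupg directory, as suggested above, is the other way to keep a backup.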