By Marcel Gagné

This article was first published in the April 2004 issue of Linux Journal.

François, can you keep a secret?
Images have been scaled down. Click each one to see the full sized version.

It really is a shame François, but we will just have to make sure it is available for next time. Everything else looks perfect, mon ami; all the workstations booted up and at a login. Wonderful! Ah, I see that our guests are already here! François, head down to the east wing of the wine cellar. There a small cache of 1999 Côte-Rôtie next to that old sealed-in door. Yes, the door we were never able to open. Vite, François! I promise you there is nothing frightening down there.

Please sit, mes amis. We have an almost perfect menu for you today, but sadly missing one item. Still, the Côte-Rôtie, Rhône red that is both sexy and mysterious should help take away from its absence. I had so wanted to prepare my famous Crème Linuxaise for you today, but there were problems. You see, the Linuxaise is an old and very secret family recipe and I could not risk it falling into the wrong hands. Nor could I risk sending it via email for fear of it being intercepted or read by a network sniffer, otherwise François could have prepared it in advance. It is that secret!

Next time, however, will not be a problem. I am setting up all users at the restaurant with GnuPG and public key encryption so that sensitive communications like the Crème Linuxaise can be sent without fear. GnuPG is the GNU Privacy Guard, a program that makes it possible to encrypt messages and data in general. It is a patent free, open source replacement for PGP (Pretty Good Privacy). A number of Linux email packages allow you to send and receive encrypted emails using GnuPG and this is what I’d like to show you today. Most modern distributions will have GnuPG included so if you don’t have it on the system, check your CD first. You can also find the latest version at www.gnupg.org. But first, a little background.

Ah, François. That was amazingly fast. Well done! Please, pour for our guests. And please get rid of the frightened look on your face. I told you there is nothing down there.

Now, where was I? Ah, yes. Historically, all encryption methods worked on the premise of a shared key file. You would give the person with whom you wanted to communicate the same key by which the message was encoded. Think secret decoder ring and you aren’t far off the mark. The catch is that anyone intercepting the key could then decipher all your messages. With GnuPG, messages are encrypted with two keys, one being your private key, which you guard jealously and never hand out to anyone. When I encode a message, I do so by combining my key with a public key, not my public key, but one supplied to me by the person I want to communicate with, like François for instance. Both keys are required for the encryption/decryption process, but anyone having just one half of the key pair has nothing, which is why you never hand out your private key to anyone. To get in on this top-secret action, you need to create a “key pair”, meaning both your private (and jealously guarded) key and your public key which is the one you hand out to all your friends. Here is the command:

gpg --gen-key

What follows is a small question and answer session. The first question has to do with the encryption algorithm, or cipher. The default is “DSA and ElGamal”. Just accept the default. When asked about key length, you have a choice among 768, 1024 and 2048 bytes. Since the DSA standard is 1024, chose that for now. Then, you’ll be asked for the expiration date of your key, the default being no expiration date. You can, however, define days, weeks, months, and even years. For now, choose the default and confirm your choice. Finally, you will then be asked to supply the name of the key user, e-mail address, and a comment.

It’s all over by the pass phrase and that is your final step. Make sure that you choose something secure but also something that you will remember as well. When you have entered your phrase, the gpg program will run off and generate your secure key pair. After the command completes its work, you can verify the result by looking in the {cw].gnupg directory in your home directory.

$ cd /home/marcel/.gnupg
$ ls
gpg.conf pubring.gpg random_seed secring.gpg trustdb.gpg

The gpg.conf file contains a list of default flags for the gpg command and makes for good reading. The pubring.gpg and secring.gpg files are particularly important. Make backups of these files immediately and store them somewhere other than your computer and never lose them — the secring.gpg file contains your personal secret key. The last file, trustdb.gpg, is your database of trust. It defines the level of trust that you assign to the public keys you collect.

To exchange encrypted information between two users, you need to exchange private keys with one another. As you might guess, the flag to export a key is --export but you may wish to include the -a flag as well to confine the output to ASCII format.

gpg -a --export 3E2FCF7D > marcelkey.asc

The resulting file is just a simple ASCII text file and how you get it to the other person is up to you. There are key-servers where you can upload your public keys so that anyone can download it (which makes it easier for large scale distribution), key signing parties where groups like LUGs will get together and exchange public keys, or as an attachment in an email. The recipient could then import the key like this.

gpg --import marcelkey.asc

At any point, you can choose to see the keys in your keyring like this.

gpg --list-keys

The results of that will depend on how many keys you have, but the following should give you an idea of what to expect. In particular, take note of the hexadecimal number following the “1024D“. That is the key ID and you’ll be referring to that in the future.

/home/marcel/.gnupg/pubring.gpg
-------------------------------
pub 1024D/3E2FCF7D 2004-01-07 Marcel Gagné (Writer and Free Thinker at Large)
sub 1024g/B24717BE 2004-01-07

pub 1024D/EE392B87 2004-01-07 Francois (I am but a humble waiter)
sub 1024g/F4E07040 2004-01-07

Before you can start your friend’s key to encrypt email messages, you need to sign the key, to verify its authenticity. This involves doing two things. If you are absolutely, positively sure of the key’s origins, you might skip the first step which is to get the key’s fingerprint.

$ gpg --fingerprint francois
pub 1024D/EE392B87 2004-01-07 Francois (I am but a humble waiter)
Key fingerprint = 8C5B 775C 33F8 E97C 5ADC 019D C6C8 4B83 EE39 2B87
sub 1024g/F4E07040 2004-01-07

Notice that I used the person’s name in the above command which is part of the key info. If you have more than one person with that name in their key info, you’ll want to specify the key ID instead. In order to verify this fingerprint, you can ask your friend to check the fingerprint of their personal key in exactly the same way. The final step is to sign the key. You do that with the --edit-key flag.

gpg --edit-key francois

The whole process isn’t too complicated. You’ll be asked to confirm that you really, genuinely want to sign this public key, then it ask you to confirm again with your pass phrase. You need to do this with all the people with who you want to exchange encrypted email. Once done, however, let the secret message flow. Speaking of things flowing, François, would be so kind as to refill our wine glasses?

Incidentally, there are a number of nice, graphical utilities for using GnuPG, essentially friendly wrappers for the command line utility. KDE comes with a very slick utility called Kgpg which integrates nicely with the desktop and with the email system as well. For instance, if someone sends you their public key as an attachment in Kmail and you have started Kgpg (command name : kgpg), rather than having to save the attachment to a file, drop down to the command line and perform the above steps, you will instead get a friendly pop up like the one in figure 1.

[ Figure 1, “Kmail will confirm key imports” ]

With this tool, which docks in your panel, you can then edit keys, add, remove, change trust levels, and do all those things you can do with command line gpg but with a click of your mouse. You can even do keyserver lookups over the net and use photo IDs as well. Its integration with other KDE tools means you can drag and drop to encrypt or access GnuPG functions with a click from Konqueror or the clipboard. Kgpg is an addon to KDE 3.1 but with the release of KDE 3.2, it will be part of the standard distribution. Figure 2 shows Kgpg in action.

[ Figure 2, “Kgpg makes key management easy” ]

Another graphical administration tool worth your time is gpa. This is the default GNU Privacy Assistant and the official keyring editor of the GnuPG project. It is also available from www.gnupg.org.

Now, it’s time to get those encrypted emails out and we’ll start with Kmail. Open Kmail, click on Settings in the menu bar and choose Configure Kmail after which the Configure Kmail dialogue will appear. In the sidebar to the left, you’ll see an icon labeled “Security”. Click that (figure 3).

[ Figure 3, “Configuring Kmail to use GnuPG encryption” ]

The new window to the right has three tabs, one labeled General, one OpenPGP, and the other Crypto Plugins. We are interested in the OpenPGP tab. On that tab, look at the drop down box labeled “Select encryption tool to use” and choose “GnuPG – GNU Privacy Guard” from the list. In the options below, I would recommend that, for the time being, you do not choose to automatically sign and encrypt all messages. You might, however, want to keep the pass phrase in memory (you still get asked the first time an encrypted message is encountered). Click “Apply”, then click on the identity tab to the left.

Unless you have multiple email identities defined, there should be only one entry. Click “Modify” and select the “Advanced” tab from the resulting dialogue. In the middle of that panel (figure 4), there is a space for OpenPGP key. That’s your personal private key. You can click “Change” here to open another window from which you can select your private key information.

[ Figure 4, “Specifying your public key with Kmail” ]

When you are done, click OK to close the Edit Identity window, the OK again to close the Configure Kmail window. In order to properly reload the keys into Kmail, you may have to shut Kmail down and restart it (not the whole system, just Kmail).

We seem to be running low on wine. Surely there are more of these bottles in the cellar. François, please bring up more. Now, don’t look so worried, there is nothing to fear. I have told you many times. Now go. Vite!

You are now able to send encrypted emails, in principle at least. If you already have your friend’s public key in your keyring and you have signed the key, then there is nothing to do but write your email. Start a new message, and write what you need to write. When you are ready to send, click Options on the message’s menu bar. You’ll notice two interesting options here related to encryption. One says “Sign Message” and the other says “Encrypt Message”. Let’s talk about that for a moment.

Signing a message makes use of your key by attaching an electronic signature (your public key) to your message but not encrypting it. The person receiving the message then has a means of verifying that the message did indeed come from you, should they want to verify it. Since the message is not encrypted, anyone can still read it. This is simply a means to confirm that the message came from who it claimed to come from. Encryption goes one step further in that you are using your friend’s public key to encrypt the message. In both cases, Kmail will ask you for your pass phrase before sending the message.

Unfortunately, not all email packages follow the same rules for encryption. That would just be too simple, non? Let’s use the two gentlemen at table 17, Larry and Michael in a hypothetical scenario. Each needs to send the other sensitive corporate information, so the information will have to be encrypted. Larry uses Evolution and Michael uses Kmail. We have already covered Kmail for sending encrypted mail so let us spend a moment looking at it with Ximian Evolution.

[ Figure 5, “Evolution’s mail account editor” ]

With Evolution open, click on your inbox. Now, click “Tools” on the menu bar and select “Settings”. You’ll be looking at the “Evolution Settings” window (figure 5). If the “Mail Accounts” icon in the left hand sidebar isn’t selected, click to select it now. Most people will have one main account. If you have more than one, select the one you want to use with encryption and click the “Edit” button to the left. The “Account” dialogue will appear with several tabs along the top. The one you are interested in is labeled “Security”. Click on that one now.

Look for a field labeled “PGP/GPG Key ID” and enter your key ID there. Click OK to close that dialogue, then OK again to get out of the “Evolution Settings” window. Assuming that Larry and Michael have already exchanged public keys, Larry is now ready to send encrypted email. To do so, he composes an email normally. When he is ready to send, he clicks “Security” on the menu bar and selects “PGP Encrypt”. When he clicks “Send”, Larry will be asked for his GPG pass phrase. Once entered, the message is sent. Before I move on, I should mention that you can select “PGP Sign” from the “Security” menu if all you wish to do is sign the message.

[ Figure 6, “Specifying your GnuPG key in Evolution” ]

As wonderful as all this encryption and decryption stuff is, there are some problems. For instance, many packages (like Kmail) will encrypt the message inline while a few others, like Evolution, will not. Instead, encrypted messages are MIME attachments. Consequently, reading a message from Kmail (or Eudora or Outlook) in Evolution requires that you save the message as a text file. You can then decrypt it like this.

gpg -d message.txt

To read an Evolution encrypted message sent to Kmail (and a few others) you need to save the attachment (as opposed to the message itself). Decrypting it is the same as above.

There are many email clients available to us in the Linux world. Kmail and Evolution are popular graphical choices but so is Mozilla. For users of Mozilla, a plug-in called Enigmail allows for seamless encryption and signing of messages. Text-based clients also exist that support encryption, either on their own or through plugins. mutt and pine are popular examples.

Mon Dieu! Has the time gone by so quickly? I fear, mes amis that closing time is upon us once again. François will refill your glasses once more before you go. As you leisurely sip that last glass, take some time to create and exchange public keys with each other. Perhaps I may even be convinced to share the Crème Linuxaise with some of you . . . assuming proper security precautions, of course. Who knows, our security may be the very reason that door in the wine cellar remains tightly shut! Until next time, mes amis, let us all drink to one another’s health.

A votre santé! Bon appétit!

Resources

Gnu Privacy Guard (GnuPG)
http://www.gnupg.org

Kmail
http://kmail.kde.org

Mozilla
http://www.mozilla.org

Mozilla Enigmail
http://enigmail.mozdev.org/

Ximian Evolution
http://www.ximian.com/products/evolution/