Working With PGP and Mac OS X

Robert SosinskiGithub Linkedin Email

Working with PGP and Mac OS X

PGP, or Pretty Good Privacy, is a commonly used and very secure encryption program using public

key cryptography. Through PGP, you can encrypt information such as messages, documents and les

in a manner so that only the recipient can decrypt and open them.

The goal of this tutorial is to get you up and running with PGP through terminal and familiar with its

operation.

An Encryption Primer

There are two types of encryption, symmetric and asymmetric (also called public key). Symmetric

encryption uses one key to encrypt and decrypt messages. Often, symmetric encryption works out

very well as there are extremely strong algorithms available that secure data very quickly. However,

symmetric encryption carries the major drawback that a key must be transported securely to the

recipient. In regards to communicating through the internet, this is not really feasible.

Asymmetric encryption however, uses two keys, a public and private one. When using asymmetric

encryption, you oer your public key to everyone while keeping your private key secret. Messages

that are encrypted with your public key can only be decrypted with your private key. Because of this,

you can send and receive encrypted messages with another party without having to transport an

encryption key through secure means.

The other benet of asymmetric encryption is that key pairs can be used to authenticate messages

too. This is done by encrypting information with your private key. Upon receiving a message, the

recipient will use your public key to decrypt it. Encrypting any information with a private key for

authentication purposes is referred to as creating a digital signature.

For example. I have my public key posted here as well on multiple public key servers. Whenever

someone wants to send me an encrypted message, they use my public key to encrypt it and their

private key to sign it. Once this is done, the only way to decrypt the message is to use my private key,

which I keep heavily secured. Upon receiving the encrypted message, I decrypt it with my private key

and authenticate it with the senders public key.

Easy enough, lets get started.

Back Home

Working with PGP and Mac OS X - Robert Sosinski http://www.robertsosinski.com/2008/02/18/working-with-pgp-and-mac-os-x/

1 of 16 5/11/13 7:03 PM

Installing the Software

1. PGP comes in many implementations, however the one you will be using in this tutorial is GPG

(GNU Privacy Guard) as it follows the OpenPGP standard, is completely free and oers an easy to use

Mac OS X installer.

Get the Mac GPG installer for your version of Mac OS X from sourceforge.

What are PGP Implementations?

PGP was at one time a commercial product by PGP Incorporated. However, realizing that a

strong open source encryption mechanism was so important, the encryption community and

PGP Inc. worked together to make the OpenPGP standard. Through OpenPGP, compatible

variations of PGP could be created by third parties and distributed freely.

Learn more about OpenPGP here.

2. Get Paranoid (optional)! You would not be reading this if you trusted everyone, so stay in that

frame of mind. The next step is to verify the MD5 checksum for the le you just downloaded. This

way, you are sure the installer came from Mac GPG and not a man in the middle. Navigate your

terminal to the downloaded image and type the following (where the le name and MD5 checksum

match for your particular version):

$ md5 GnuPG1.4.8.dmg | grep db046fd96e274dfe3c7021047561fb5aMD5 (GnuPG1.4.8.dmg) = db046fd96e274dfe3c7021047561fb5a

What did I just do?

Files can be digested to create a string relatively unique to them, and one such digestion

algorithm is MD5 (Machine Digest 5). Next to the download link for the installer on Mac GPGs

webpage , you will also see a 32 character string, this is the MD5 digest for the disk image

available for download.

In terminal, we use the md5 command to digest GnuPG1.4.8.dmg. We then grep it for the MD5

string posted on Mac GPGs website. If it matches, it will echo the value. If not, it will return a

blank.

Learn more about MD5 here.

3. Now that we know the disk image is legitimate, we can mount it and install Mac GPG. This is a

simple process as everything is done through an installation wizard. Just follow the steps and you will


2 of 16 5/11/13 7:03 PM

be up and running in no time.

Generating a Key

Now that you have GPG installed, you will start generating your key pair and adding it to your key

chain. All of this will be done through the shell, so open a terminal and get ready for some typing.

1. Start the process for generating your key pair. Upon doing so, you will be asked to choose between

three key types, pick the default DSA and Elgamal type by pressing enter.

NOTE: As this is your rst time generating keys, GPG will warn you about creating a ~/.gnupg

directory and exit. Just run the command again and you will be good to go.

$ gpg --gen-keygpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only)Your selection?

What is DSA and Elgamal?

DSA (Digital Signature Algorithm) and Elgamal (Also called ELG) are the encryption algorithms

used by GPG. DSA, as the name suggests, is used for authentication while Elgamal is used for

encrypting data.

Learn more about DSA here and Elgamal here.

2. Choose your Elgamal encryption (ELG-E) key size. GPG uses 1024 bit keys for DSA, however allows

you to choose your Elgamal key length. The default 2048 bit length should be plenty, so press enter.

DSA keypair will have 1024 bits.ELG-E keys may be between 1024 and 4096 bits long.What keysize do you want? (2048)

3. Choose your key pairs expiration date. Unless you are really paranoid, the default non-expiring key

should be ne. Press enter.

Please specify how long the key should be valid. 0 = key does not expire


3 of 16 5/11/13 7:03 PM

= key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n yearsKey is valid for? (0)

4. Conrm that your key will not expire by typing y and pressing enter.

Key does not expire at allIs this correct? (y/N) y

5. Create an identity for your key. There are three parts, your name, email address and comment. The

comment for your key is optional, and is mostly used when you choose to have more then one key

pair to keep track of. Fill in your information, type O and press enter.

You need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) "

Real name: First and Last NameEmail address: [email protected]: Mac GPG TutorialYou selected this USER-ID: "First and Last Name (Mac GPG Tutorial) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

6. Choose your passphrase. In order to keep your private key secure (else someone could open your

computer and read it), PGP will encrypt it with symmetric encryption. The passphrase you are about

to give will be used as the encryption key. Everytime you want to use your private key, PGP will ask

for your passphrase. If it is correct, PGP will decrypt your private key and use it. Choose something

long (hence the term pass phrase) and press enter. You will then be asked to conrm your

passphrase. Do so and press enter again.

What if I forget my passphrase?

If passphrases were easily cracked, they would not be all that useful. As such, your only real

option is to make a new key pair.

Later in this tutorial, you will go through the process of making a revocation certicate, so you

can turn o your public key if this were to happen.

Learn more about passphrases here.


4 of 16 5/11/13 7:03 PM

7. GPG will then start to print some gibberish while it generates your key pair. During this period, GPG

will also ask you to do something with your computer such as typing on the keyboard, moving your

mouse or using your hard disk drive. This serves the purpose of creating more entropy and helps in

generating a better key.

What is entropy and why does it generate a better key?

In computing terms, entropy is randomness. Computers are actually not that good at making

random decisions, however people are. By moving the mouse and pressing keys, you are

making your computer randomly process instructions and thus, generate a stronger key pair.

Randomness is very important for generating encryption keys. If there were a pattern for

creating encryption keys, then there would be a reversed pattern for creating decryption keys,

which would be a big problem. A lot of work has gone into making random number generators

for encryption systems, but banging on the keyboard is probably as random as you can get. At

least for the moment.

Learn more about entropy here and random number generation here.

8. After your key pair is generated, GPG will then print the following information to the screen. The

basic gist is that GPG does the following:

Creates a trust database called ~/.gnupg/trustdb.gpg. Within this database, GPG will store how

well you trust public keys you receive from others.

1.

Marks your public key with the highest level of trust (ultimately), as it assumes that you can

completely trust any key you personally generate.

2.

Reports that a public and secret (private) key are created and authenticated (signed) to you.3.

Goes through the motions of how it assigned trust. Assigning trust is a bit beyond this tutorial,

however you can learn more here and here.

4.

Prints information about the newly created public key including its ngerprint and subkey (to be

discussed soon).

5.

gpg: ~/.gnupg/trustdb.gpg: trustdb createdgpg: key A7327C0E marked as ultimately trustedpublic and secret key created and signed.

gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust modelgpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2upub 1024D/A7327C0E 2008-02-14 Key fingerprint = 2291 60E9 A962 5C22 6E4F 1F20 120A 2881 A732 7C0Euid First and Last Name (Mac GPG Tutorial)


5 of 16 5/11/13 7:03 PM

sub 2048g/60ED8082 2008-02-14

9. List the public keys in your key chain (in which you should only have one at this time, yours). Take

special note of your key id (A7327C0E in this example) as you will need it later. You can always list your

keys again in the future if needed.

$ gpg --list-keys~/.gnupg/pubring.gpg--------------------------------pub 1024D/A7327C0E 2008-02-14uid First and Last Name (Mac GPG Tutorial) sub 2048g/60ED8082 2008-02-14

10. Finally, go ahead and list the private keys in your key chain too. (in which you should also only

have one).

$ gpg --list-secret-keys~/.gnupg/secring.gpg--------------------------------sec 1024D/A7327C0E 2008-02-14uid First and Last Name (Mac GPG Tutorial) ssb 2048g/60ED8082 2008-02-14

Managing Your Keys

Now that you have a key pair, the next step is managing your keys properly. You will do this by

sharing your public key with others and securely backing up your private key.

1. Create a directory in your home called keymat, so you have a place to work in for this tutorial.

$ cd$ mkdir keymat$ cd keymat

2. Output your public key as an ASCII armored le (replacing [email protected] with the email

address for your key).

$ gpg -ao publickey.asc --export [email protected]

What is ASCII armor?

ASCII armor is a term used with PGP for encoding binary data into text. Although this armor

does not make your data any more secure against brute-force attacks, it does protect your data

when sent over a series of communication paths.


6 of 16 5/11/13 7:03 PM

For example, if you wanted to send your public key through email, mail servers and spam lters

may not be able to process your key in binary format and as such, throw it out. With ASCII

armor however, it is treated as normal text and can survive its ght through the internet.

PGP can encode any encrypted le with ASCII armor which keeps your transmission options

open.

Learn more about ASCII armor here.

3. After a short wait, you should have a publickey.asc le in your keymat directory. Take a look at it.

-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.4.8 (Darwin)

mQGiBEe0cB0RBADScWGLrplJfLUrPBFNrBUqr8nh8AvTRcFaMt5ODK7c5G9JqNZdoDSI9WcbDVl26bleda7p0ZGTraY8Dhg58JQa140Rjfq2dMNq9/Dlayl5WHEWhX2LWhXz6HewOiI6T1ikDj9NBjLN72QYL/W57Zrf65IMvJxSjQEyu1BGPmbzfwCgkEC6LWygY2KDliAwKQB7klj26VsEAMTdGqr1ObGwx4mu3t9Jej0+vcLBvNfKgoSB/EwxfShUNXkvxHk6yleaLKe8TlPERfhkxCj8A32AN+TJbjcwgka0gOXwCP0e2N8+niRKRXkcooWRn7OOJ7Evw7dgQ722TCXJ+YsJya7mJ0oi61zsbQojrNk+7Y5P+jddm3tmRHgLA/0TY4bLMK3p83As/mF3SSp8gsFTnf9QO2tsVVHrNDUpmNm3AcpLNyO5z8AXC2vpuPlAjgQNLvOxCjZ2mSRq8329bnmMkoAs8u2rrBi0fVJ2FvvxLiA5CgqF2rWAFKkWa2MZUUwOvlXzGzHSCJsIRYgRlMuPH6t8D7U1+sVrHfs9S7Q4Rmlyc3QgYW5kIExhc3QgTmFtZSAoTWFjIEdQRyBUdXRvcmlhbCkgPG5hbWVAZG9tYWluLmNvbT6IYAQTEQIAIAUCR7RwHQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEBIKKIGnMnwO+dYAnierWBzFSDIzHAH9umnSf8sUXTeSAKCMhf0eN9uSblNdgHwt3BvQVO7JkLkCDQRHtHAdEAgA/x8rqhTDqSOCl+csy6zHDQoxjmC3mOoBhvMik+ZB96qS20pCU0eV6QYgoPhZ/wkPsXFO9EHJrrJsfLnzRxH7ylw0TmMHnVrN3GFRdhuRhYyO8sKpN9eKyWQpFtOry3JXYNpsFcUqOfutZ3v5xcUJ+r2cE11/VMmQykFiKyy/dAlD2nqshRhubN5xIE0Gu/0VZw4LQDO9jYZSEoX4QkntL8h2U85M1lmuWszUsvK5SV/OH57XhQYD4syR/QogIVNHHhS4/qFFnhX7oXggD73kbF+YRwgqvhbNyhsjQ7o0Rhyfq+XHk8/22/NDOx6YD3KmBKBulldv5gf/oALFBcnVXwADBwf9GlNviLWXmsVV5fpvqsuTgsX6vvdNpTGIksCviyptjT/Pf8ZS4u7pQuQ37sJ9LHQ1ld2tloAYf1meee+bZzTOzX4+4iohUxvGdGn+pBSDSS2Cs9cztl/gyz4rPga9g//Z2O0F8+1kP1RUBaFRL4lmavowgb9bzsWaax+tLzB2QwFgk0Phe5lULIKDpBOVk2OQB2L3MeRZoykN4W/IKaYP/c4kYN6IGVBrgdGE7nnO/ZCyvqNQq6ClIvWtrJdwiOEZTGXka06LW3+O3DHNOsjCuZAtMUx+pzkU0rNg+x0wPXYJOuN7Y3QuxD3gKrtPI2W7Ho13iVXuXlYfhZlaZotubIhJBBgRAgAJBQJHtHAdAhsMAAoJEBIKKIGnMnwOtacAnjYM5hAl6Zcn359Jy7REApx7kRj2AJ9AmMJBTDFUTj6y8HDMzwtmz3Aaug===pyBn-----END PGP PUBLIC KEY BLOCK-----

4. There it is, your public key. You can now upload it to your website, give it to your friends, email it to

your coworkers, print it out and post it on your front door. This is what people need to contact you,


7 of 16 5/11/13 7:03 PM

and only you, securely.

5. Next, send your public key to a key server, so that people interested in contacting you securely

have an easy way to access it. For this, you will need your keys id (replacing A7327C0E with the id for

your key).

$ gpg --send-keys A7327C0Egpg: sending key A7327C0E to hkp server subkeys.pgp.net

6. Good to go. Once your key is propagated to a series of PGP key servers, anyone can go to a key

lookup website, type the keys information (key id, owners name or email address) and get it. Two

examples of key lookup sites are keyserver.pgp.com and pgp.mit.edu. Check them out and see if

anyone you know has a public key available.

How do key servers work?

There are many PGP key servers throughout the world, however you only need to send your

public key to one, the default for GPG being subkeys.pgp.net. After one key server receives

your key, it should propagate it to many other key servers, some of which having handy key

lookup websites.

Learn more about key servers here.

7. Once your key is propagated throughout a series of key servers, you can only have it disabled by

generating and uploading a revocation certicate. This is very useful if your private key were to

become compromised. There is a catch 22 however. If you want to revoke it because you forget your

passphrase, you will need to generate a revocation certicate. But to generate a revocation

certicate, you will need your passphrase. As such, a good practice is to pre-emptively generate a

revocation certicate so you have it if this ever happens. Do this now (replacing A7327C0E with the id

for your key).

$ gpg -ao revokecert.asc --gen-revoke A7327C0E

sec 1024D/A7327C0E 2008-02-14 First and Last Name (Mac GPG Tutorial)

Create a revocation certificate for this key? (y/N) yPlease select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel(Probably you want to select 1 here)


8 of 16 5/11/13 7:03 PM

8. GPG will ask the reason for generating a revocation certicate, as your key is not compromised,

superseded and is still in use, just give no reason by typing 0 and pressing enter.

Your decision? 0

9. Next, give a description why you are making this revocation certicate. I would just be honest on

this one.

Enter an optional description; end it with an empty line:> In case I forget my passphrase.>

10. GPG will then echo your reason for revocation and ask if you are sure. Type y and press enter.

You will then be prompted for you passphrase. Type it in and press enter.

Reason for revocation: No reason specifiedIn case I forget my passphrase.Is this okay? (y/N) y

You need a passphrase to unlock the secret key foruser: "First and Last Name (Mac GPG Tutorial) "1024-bit DSA key, ID A7327C0E, created 2008-02-14

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory getsaccess to this certificate he can use it to make your key unusable.It is smart to print this certificate and store it away, just in caseyour media become unreadable. But have some caution: The print system ofyour machine might store the data and make it available to others!

11. After a short wait, you should have a revokecert.asc le in your keymat directory. Take a look at it.

$cat revokecert.asc-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.4.8 (Darwin)Comment: A revocation certificate should follow

baKlTel7dNK/vvVkuLgWbRNE8vaikEbTdmPSYdpc9q828O3w51dDCjTQhHPh5JpXyo7oxpJMANs/TdLzOtfcSdD9KgbTW7cdky7Htd9IbQnCAUoC1axK/GJpyMY89A5eLTMjufSJESOxdQ===b08k-----END PGP PUBLIC KEY BLOCK-----

12. You now have your public key accessible to others and your revocation certicate on your

computer. The next step is to make a backup of your private key. This is very important, as if you were


9 of 16 5/11/13 7:03 PM

loose your private key, you will be unable to retrieve any information encrypted by your public key.

For security purposes, you will also symmetrically encrypt your private key backup with a passphrase

and then output it as an ASCII armored le (replacing A7327C0E with the id for your key).

gpg -a --export-secret-keys A7327C0E | gpg -aco privatekey.pgp.asc

13. After entering your passphrase twice, you will now have a privatekey.pgp.asc le in your keymat

directory. Take a look at it.

$ cat privatekey.pgp.asc -----BEGIN PGP MESSAGE-----Version: GnuPG v1.4.8 (Darwin)

jA0EAwMCWs6GT6vWDtJgyepe6RTzGqJ+s4+eRy0zYRLSl4X8MVzaDnux6pqTipPgIMqAFjl0J4vKg9WvdTV6IEUFBl5WGYLXhHBEvnM/wRTU//7Ew1n4Mb235wZm/OBrKGNNBpJBmG88QduFPkLFtQYhJZAcpqWcvZWE8yF4XOVmfzRT470I30DSZrNDXVIiV0sqwj8jI7E9kjfwGArdUWDKAVNvpnCK9qxYKOAHq9gKD9di8IPtygp/zRHdAeB1cgpCRPyXh8iP1z7sA6V/i3b3B3aEg/w/Zr+/jgo3g3zndQtpw5/+ZHeD/wq2yilKQ/OGH9XZAHQg4kop8dfLxi/HVi14HLjigjrQ5OS9AzeiVsXddDBHt52NP567EA8IYlNtD3iEJJTCJIYgcJor21UX73Db0sHsNcUZ2Fa15WkwliJqxdR8ckxTs32ttlqpcLDeU/TPrNU1SY/luzMMn5rKTX5TBorLTcFJPHAMHOxGWYS+XTodLy+DXeQEwWdujZUo+0Eg3wkgPjX8uG0MaC2EZOuCkF1Qc6m7tXnsOYBQqtPT1dhg70+S5SgHPdLTLJkJUZIolIHdGtNAOONQeMkXFhA0l69kTVQvG206yp8YAJCcs8KRy4nqYLK/GQu3B9JKaNcJnguuN/LVs3PRJiOG2ANJmEX2RJi/riUAUBpF039oZbs03Z27n9g3qvXZTT8oyvAnzaoSMNWqosksVJ+ESzE85GJsp/gfq6J5MaWRhEqK7jRj2hl0RDu0MTL9L61bqD92jpIMK1HffS2Ype1cHAD6rBsWrCGCBeUg1xf8GJvufIgD6LBuOzT3XQqm0EsOVCtcMDeqlUaqOOF4rB3xuXzqdYm3/Wbr4BkTkxV/oJf6BVk7RR4F2bEKqrGxqreX4YZdBBZmE6vJRn74L7ag0fmf4Lle3eFNfkuZzDXfVU5pesMQQDVaZNW+yzZmKIxUCfJ81TpAcKKZq+LIHIv5xwqA64uEuntJ5ZpzSP0qKxcCN3Cl6arTueL5ngJspQnsjkmSFsKd7kYqZR6YIuJ5fkG89fsfkMLGRCTXYMpmOk4W0PvBihhpchG+pAIWYRIXdFzIg0Xkoc4iwMlMFvZNpUBEkmdOZOdM+mmFRXH/nQZKQo/+sJtAqllqhQ3NYcDjMZ5X9JBBKhghNCHmUp+IMsVHy4c3s+9JvQM0T0dZSkna5/aUph/W6HKSdWh/Kb6Fh93W6d44eiqF+zZMq/QlprhylMkTb+0Kt+sdXCCwCQ+VlgTEGcQrJzGptUDO9iet/k9Y+SuJnzRho0wvMx0+fIcBt2VbaNQEkqHHkQPnAlBsBc0rtG3ltDKtK5duoWkYNJMTZegty0b/abGSZfuoRh1EeitM+AwvktpVqSoxwR6ZKcWVfBTby68bWvP3kLxGC5xw0Fa34Vz8bTCz9Xb4+RjrKhoVIAwF7G2zYSXZ1xSn1Xi0v1stSiGqcx1dNmZdXT0vdFNjpMcrGPtDtbDqnv+LjGNvtFi64LwYJ7MamBZktvmj1icpK9aD+UxA6+9S0M9z6YV+M/6eAVfTNO63vrpCQa7NqSBqfRb8WXsWSNpwZHPz68z+WXtJDfDLzuCIRtP0Bq6g7FmfekKTehjLK/TUWzS8Nwzo8t5zFs191Fu2yJooBwhwBQY6Ms6X+P+FFQYZnOhH+fXJa4U9A7y6lpZuXKNxF4xwMb9VOuKVPxnT5NlLATN3gMR6CN8T9kWOZ9QFUZiMDFDsrNM/9DkPMJh9S3RiHd+2ZjhZitF1+Hp5uLu5NG/GJTMI2s7VBkEenU25+is4rlf2GLD7VUODFHrRAfa+C013Ef+s3okEjFWJbO6vo6DXobuEe+ysFona2StAgKLovpT9wAET0bHXZoaX7ZPwGJR2k6PngqEPnWvaE6fEDagLHgJXQjJdW6NcBp7AjHOcEygPi0Qto42BuF9iwL0OG/xjrhuQWarAJSEhpXdvrDreVZGHkBspLvCny/apTLpUJGs/TKxzz3cZJQCbaM0Lbxmy89FfoVEG=tKwz


10 of 16 5/11/13 7:03 PM

-----END PGP MESSAGE-----

14. Good to go, your private key is backed up as an encrypted le, your public key is available to

others and you have a contingency plan if you forget your passphrase. Now, you should save all three

of these les (publickey.asc, privatekey.pgp.asc and revokecert.asc) in a safe place. What I do is have

them burned onto a cd, printed on paper and stored in a safe within my house. After all three les are

backed up, you should then destroy the private key backup and revocation certicate on your

computer (I recommend the Mac OS X Secure Empty Trash feature).

Importing and Verifying Public Keys

Your public key is now available throughout the internet and people interested in sending you an

encrypted message have easy access to it. The next step is to go through the motions of importing a

public key and verifying its authenticity.

PGP also oers an easy way to verify public keys as every one also has a 40 character ngerprint. As

a ngerprint is much shorter then an ASCII armored public key and has only 16 possible characters

instead of 64, it is much easier to memorize and conrm in a voice conversation. Lets see how all this

works.

1. Once you have downloaded a public key from a friend or co-worker, you can add it to your key

chain by doing the following:

$ gpg --import publickey.ascgpg: key A7327C0E: "First and Last Name (Mac GPG Tutorial) "gpg: Total number processed: 1gpg: imported: 1

NOTE: Importing your own public key is not neccessary, however we will do so in this tutorial just

so you can go through the motions and become familiar with the proccess.

2. Importing a le is one way to get a public key into your key chain, however there is an easier way.

You already uploaded your key to a public key server so that others can easily get a hold of it. Now, try

getting the key used in this tutorial by searching for it. For this tutorial, you will use the keys unique

id, however entering a name or email address will make the server perform a search and return any

relevant results.

$ gpg --search-keys A7327C0Egpg: searching for "A7327C0E" from hkp server subkeys.pgp.net(1) First and Last Name (Mac GPG Tutorial) 1024 bit DSA key A7327C0E, created: 2008-02-14Enter number(s), N)ext, or Q)uit >

3. There it is. From here, you can type 1 and press enter. Also, keep note of the keys id (A7327C0E)


11 of 16 5/11/13 7:03 PM

as you will need it very soon.

gpg: requesting key A7327C0E from hkp server subkeys.pgp.netgpg: key A7327C0E: "First and Last Name (Mac GPG Tutorial) "gpg: Total number processed: 1gpg: imported: 1

4. You now know how to import keys from les and key servers. Next, you will generate and use the

keys ngerprint to verify it with the owner through another channel. Try it by verifying the Mac GPG

Tutorial key with its ngerprint.

$ gpg --fingerprint A7327C0Epub 1024D/A7327C0E 2008-02-14 Key fingerprint = 2291 60E9 A962 5C22 6E4F 1F20 120A 2881 A732 7C0Euid First and Last Name (Mac GPG Tutorial) sub 2048g/60ED8082 2008-02-14

How are PGP Fingerprints Created

Fingerprints are created by digesting your public key with SHA1 (Secure Hashing Algorithm 1), a

digestion algorithm similar to the MD5 algorithm talked about earlier. Although a SHA1 digest

of your public key cannot be anywhere near as unique as your public key, mathematics are on

your side in terms of being unique to any ngerprint an imposer could create through PGP.

Learn more about SHA here.

5. GPG makes everything easy for you as it adds a space every four characters and a double space in

the middle of the string. If the ngerprint for the key you have matches what your friend or co-worker

say, then it should be legitimate. For the Mac GPG Tutorial key, match the ngerprint with what the

example shows above and if it checks out, feel free to sign it.

$ gpg --sign-key A7327C0E

pub 1024D/A7327C0E created: 2008-02-14 expires: never usage: SCsub 2048g/60ED8082 created: 2008-02-14 expires: never usage: E(1). First and Last Name (Mac GPG Tutorial)

pub 1024D/A7327C0E created: 2008-02-14 expires: never usage: SCPrimary key fingerprint: 2291 60E9 A962 5C22 6E4F 1F20 120A 2881 A732 7C0E

First and Last Name (Mac GPG Tutorial)

Are you sure that you want to sign this key with yourkey "First and Last Name (Mac GPG Tutorial) " (A7327C0E)


12 of 16 5/11/13 7:03 PM

Really sign? (y/N)

6. GPG will then ask you if you are sure, type y and press enter. Then, verify your passphrase in

order to sign this key. The reason why you need your passphrase is because your ~/.gnupg/trustdb le

is also encrypted to ensure that malicious users do not assign levels of trust to keys for you. Enter

your passphrase and press enter.

You need a passphrase to unlock the secret key foruser: "First and Last Name (Mac GPG Tutorial) "1024-bit DSA key, ID A7327C0E, created 2008-02-13

7. You now have a signed public key in your key chain. Signing keys you trust is always a good practice

as anyone can import keys into your key chain, but only you can assign trust to them. Be very weary

of using any public keys that you have not signed and always try to verify any new keys with their

owners by using their ngerprint.

Encrypting and Decrypting Messages

Now that you are setup and familiar with GPG, we can now start using it to encrypt and decrypt

messages. In order to keep this part of the tutorial simple, you will only be sharing information with

yourself. Once you get the hang of it, you can then start sending encrypted messages to any other

PGP user.

1. Make a new directory in your home called crypto, so you have a place to work in for this tutorial.

cdmkdir cryptocd crypto

2. Make a new plain text le using your favorite text editor, type a message and save it in your crypto

directory as plain.txt. I wrote the following:

This is my secret message to myself.

3. Now, encrypt this le with your public key and sign it with your private key. This will facilitate that

you are sending the le to yourself, and ensuring it came from yourself. You will also output the

ciphered text with ASCII armor into cipher.asc. As you are using your private key to digitally sign this

message, you will be asked for your passphrase. Just type it in and press enter (replacing

[email protected] with the email address for your key).

$ gpg -ao cipher.asc -esr [email protected] plain.txt

You need a passphrase to unlock the secret key foruser: "First and Last Name (Mac GPG Tutorial) "


13 of 16 5/11/13 7:03 PM

1024-bit DSA key, ID A7327C0E, created 2008-02-13

DSA for authentication and Elgamel for encryption

When you generated your key pair, you noticed that you actually created two keys, one 1024 bit

DSA key and one 2048 bit Elgamel sub key. As you are encrypting and signing your message,

GPG will use your DSA private key to sign the message and your Elgamel public sub key to

encrypt it. When you decrypt this message, the process is reversed by using your Elgamel

private sub key for decryption and DSA public key for authentication. Currently, all PGP

implementations which adhere to the OpenPGP standard (like GPG) use these two

cryptographic algorithms.

4. After a short wait, you should now have a cipher.asc le in your crypto directory. Take a look.

$ cat cipher.asc-----BEGIN PGP MESSAGE-----Version: GnuPG v1.4.8 (Darwin)

hQIOAwqfNQVg7YCCEAgAr8xgbfhektMMwlnT4OaHHQxvNnn+2q6jxQDGLEDTcNxuA9uiNyMs0UzRjRRbYUyRucaBjnZGPZiv1qtaqWaDv4Aw3M9SWSnV17K7GqDpUq+67SmoO+4wUyLFvYo/5dWgUhU1OE4IVGF7A0dWVSYScHuO0tH+KbdpV+fCCOZ5dY0MMNgAaLt3Llv3P9uJOweVYJD/+++BdMUBrvPpURHmQPj1sVyo+994O9LBnW7jxuOQoNhNJY+vJZ/ZBkdwr/uUTtzrjQgvGz8bLJjCKZRbDsMKS9KQHJvkYN5b2tUidufLGOJ3f1/TQDtJVtwObmLV4rf5N08jdpd3dn2rk1H9Sgf+LpHJMew1U+cw0bg7zBe5ow28Hzh1caJqqs1pACC9HpecSCRcSKvsYbEWH7vN4/psOH/2Kegm69BKnPsqMJr/29r+wk+X/PLB6HdfYhGge09Ss+Ks1HJ1Jay+GDek5aHXXiZjtbgBrEF+aKf3K2lGeOlks19s3C1MiDRzC1vsIDx8eD3q6IBuWQvqWylDmtgs73/AGLSKiOva/8WNdfJ+pPgiUcjZXwEl5Cl3mOzkdobVOkvOwuheBoRUyb6lP8IHafbX5I5Kqjkk20SjIqRLtbcghyVIa9Q0RYgzSI0c2Al/prA+83hJM//Jw4RFS8XawPBQK4xg2VUgfVVAdpDzZNJlAYpVQ9c7G66OVLbIEa/5/aeMw5mOqc6yANQNp3T1x36mJ3oH8T+2N4d6Qnn1eVbi59V/ohmztX7/c79SApnHGojRFh8UlBX2ZRt2QS/96Q2AvvUHx7PkMfIS+kwTZ+9UgxOZbr0==u09w-----END PGP MESSAGE-----

5. Good to go, you now have an encrypted message that you can send secretly to, well, yourself. Lets

decrypt it into a le called decrypted_plain.txt and see what we get back. You will need to type your

passphrase for this too, as you are using your private key to decrypt cipher.asc.

$ gpg -o decrypted_plain.txt -d cipher.asc

You need a passphrase to unlock the secret key foruser: "First and Last Name (Mac GPG Tutorial) "2048-bit ELG-E key, ID 60ED8082, created 2008-02-14 (main key ID A7327C0E)


14 of 16 5/11/13 7:03 PM

gpg: encrypted with 2048-bit ELG-E key, ID 60ED8082, created 2008-02-14 "First and Last Name (Mac GPG Tutorial) "File `decrypted_plain.txt' exists. Overwrite? (y/N) ygpg: Signature made Fri Feb 15 13:07:19 2008 EST using DSA key ID A7327C0Egpg: Good signature from "First and Last Name (Mac GPG Tutorial) "

6. GPG will now decrypt the le and also let you know that the signature is good. Now, take a look at

your decrypted_plain.txt le and see if everything went well.

$ cat decrypted_plain.txtThis is my secret message to myself.

7. Fantastic, you just sent your rst secure message to yourself. Thats all there is to it.

What else can I encrypt and decrypt?

You can use GPG for more then encrypting short messages. Binary les, source code, Word

documents, pictures, video, anything can be encrypted to keep it from prying eyes. The format

which you choose to output depends on how you wish to send the information. A good rule of

thumb is to output encrypted plain text (which would include markup like HTML and source

code) with ASCII armor and output encrypted binary as binary (by not using the -a option).

However, if you wanted to send a picture to someone via email or some other messaging

system (even printing it out and sending it via snail mail), then ASCII armor would be the best

output to do it in.

Keep in mind, you can encrypt entire directories too. All you have to do is zip or tar the directory

and encrypt the archive. This is especially handy if you want to backup sensitive documents for

yourself, as you can encrypt the archive with your public key and store them anywhere (even

GMail or Amazon S3) without worry.

Conclusion

You went through a lot information in this tutorial. However, you should now have a very good

foundation on how cryptography works and some best practices on how to use it. The best way to

incorporate cryptography into your life is to get into the habit of using it. As such, get your friends,

family and coworkers familiar with PGP too. As time goes on, securing your information will be as

second nature as running spell check before you send an email.

More Tutorials by Category


15 of 16 5/11/13 7:03 PM

Ruby

The Dierence Between Ruby Symbols and Strings

Understanding Ruby Blocks, Procs and Lambdas

Up and Running with Custom RSpec Matchers

Security

Working with PGP and Mac OS X

JavaScript

Binding Scope in JavaScript

Ruby on Rails

Simple and RESTful Account Recovery for Ruby on Rails

Simple and RESTful Authentication for Ruby on Rails

Systems

Starting Amazon EC2 with Mac OS X

Copyright 2012 Robert Sosinski - Powered by Jekyll and Github


16 of 16 5/11/13 7:03 PM

Working With PGP and Mac OS X

Documents

Transcript of Working With PGP and Mac OS X