It is common to find PGP related files with the wrong extensions. If you suspect this to be the case, open the file in gedit (right-click the file > Open with > gedit). The top line of the text will tell you whether it is a public PGP key, a private PGP key or a signature file. Just rename the file as needed. If the entire text is pure chaos, including the first line, it is an encrypted file, which you can give a .pgp extension.
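The header check described above can be scripted. The following shell script is an added example, not part of the original guide: it reads a file's first line, classifies it by its ASCII-armor header (it also recognises the clear-signed message and encrypted message headers the paragraph does not mention), requires the matching END line to be present so a pasted key that was cut off is flagged rather than renamed, and suggests the extension the guide uses. The sample files it creates are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: classify a PGP file by its ASCII-armor header line.
# Prints one word: public-key, private-key, signature, signed-message,
# message, binary (no armor header), truncated (END line missing) or empty.
pgp_classify() {
    f="$1"
    [ -s "$f" ] || { echo "empty"; return 0; }
    first=$(head -n 1 "$f" | tr -d '\r')
    case "$first" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')
            kind=public-key;     end='-----END PGP PUBLIC KEY BLOCK-----' ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----')
            kind=private-key;    end='-----END PGP PRIVATE KEY BLOCK-----' ;;
        '-----BEGIN PGP SIGNATURE-----')
            kind=signature;      end='-----END PGP SIGNATURE-----' ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')
            kind=signed-message; end='-----END PGP SIGNATURE-----' ;;
        '-----BEGIN PGP MESSAGE-----')
            kind=message;        end='-----END PGP MESSAGE-----' ;;
        *)
            # No armor header at all: the "pure chaos" case, binary OpenPGP data.
            echo "binary"; return 0 ;;
    esac
    # A key pasted from a web page or e-mail is often cut off. Require the
    # matching END line (whole line, CRLF tolerated) before trusting the header.
    if tr -d '\r' < "$f" | grep -qxF -e "$end"; then
        echo "$kind"
    else
        echo "truncated"
    fi
}

# Map the classification onto the extensions the guide uses.
pgp_suggest_ext() {
    case "$1" in
        public-key|private-key|signed-message) echo ".asc" ;;
        signature)                             echo ".sig" ;;
        message|binary)                        echo ".pgp" ;;
        *)                                     echo "(do not rename)" ;;
    esac
}

# Demo on constructed sample files (placeholder bodies, not real key material).
pgp_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'bm90IGEgcmVhbCBrZXksIGp1c3QgYSBwbGFjZWhvbGRlcg==' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/friend.txt"      # key, wrong extension
    printf '%s\r\n' '-----BEGIN PGP SIGNATURE-----' '' 'cGxhY2Vob2xkZXI=' \
        '-----END PGP SIGNATURE-----' > "$d/note.txt.dat"           # signature, CRLF endings
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'cGxhY2Vob2xkZXI=' \
        > "$d/cutoff.asc"                                           # END line missing
    printf '\302\251\205\001\342\017' > "$d/secret.bin"              # no armor at all
    for f in "$d"/*; do
        k=$(pgp_classify "$f")
        printf '%-14s %-15s suggested extension: %s\n' \
            "$(basename "$f")" "$k" "$(pgp_suggest_ext "$k")"
    done
    rm -rf "$d"
}

pgp_demo
```

A file with no armor header is reported as binary; the script cannot tell a binary encrypted message from a binary key or detached signature, so before renaming such a file it is worth running `gpg --list-packets file` and reading the packet types it prints.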
Create your PGP key
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys)
- In the Passwords and Keys window, click File > New
- Choose PGP key, and then Continue
- Enter a full name and email address (these do not have to be real). Adding a Comment is optional
- Click 'Advanced key options'
- Choose RSA and set the Key Strength to “4096” bits. You do not need to set an Expiration Date
- Click Create
- Make a strong password and remember it (it is unrecoverable)
- Your brand new public PGP key is visible by selecting GnuPG keys from the left column
- By right-clicking your key and selecting Properties, you can view its details, as well as change its password
Export and share your public PGP key
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys)
- Select GnuPG keys from the left column
- Click your key to highlight it
- Click File > Export
- Select Armored PGP keys from the PGP Keys drop-box (in the bottom right corner of the Seahorse Export window)
- Give your key any Name you wish, just make sure it has the .asc extension (keyname.asc)
- Choose a location, and then click Export
- This file is your public PGP key. As the name suggests, it is for the public. You can share it with anyone, post it on a website, and give it to your worst enemy. It is used to 'lock' a file so that only you can 'unlock' it
- An Extra Special Step: go to the location where you saved your exported public PGP key and use gedit to open it (right-click the file, Open with > gedit Text Editor). The text is your actual public PGP key. You can share this text instead of sharing the file. For example, instead of attaching a public PGP key file to an email, you can paste its text into an email. Likewise, you can post the key's text on a website rather than the file. Copy everything, starting with “-----BEGIN PGP PUBLIC KEY BLOCK-----” and ending with “-----END PGP PUBLIC KEY BLOCK-----”
Import someone else's public PGP key
- Save their filename.asc or filename.pgp public PGP key (you can save it anywhere; this is temporary). If you only have the text of someone's public PGP key, copy the text into gedit and save it as filename.asc. The filename can be any name you choose. Copy everything, starting with “-----BEGIN PGP PUBLIC KEY BLOCK-----” and ending with “-----END PGP PUBLIC KEY BLOCK-----”
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys)
- In the main window, click File > Import
- Find and open filename.asc
- You have imported the key and can see it by selecting GnuPG keys from the left column
- You can now delete the original filename.asc file that you used in Step 1
Import a public PGP key from a Keyserver
You can easily look up someone's public PGP key if they have uploaded it to a keyserver. Keyservers are databases that anyone (even you) can use to share their public PGP key(s) with the world. To import someone's public PGP key from the keyservers:
- Make sure you are connected to the internet
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys)
- Select Remote > Find Remote Keys
- Enter a search term, such as a Key ID or a key name
- A list of public PGP keys containing the search term will appear. To import a key, right-click it and select Import. Once imported, you can close the window
- The public PGP key is visible by selecting GnuPG keys from the left column
Encrypt a file with PGP
In the next steps, you are NOT using the Passwords and Encryption Keys program
- Before you choose a file to encrypt, you must have already imported the intended recipient's public PGP key. If you do not have anyone else's public PGP key, you can use your own key and send a file to yourself. Better yet, make a second public PGP key, and then use it
- Find the file that you want to encrypt (it can be on your desktop, in the persistent folder, or wherever). If you need a file to test, just open gedit, write yourself a little note and save it
- Right-click the file and select Encrypt
- The Choose Recipients window will open. The public PGP keys you have in your system are listed
- Select the recipient(s) for whom you are encrypting the file. Whether or not you sign the file is up to you. If you sign it, when the recipient decrypts the file they can see it is from you. It is kind of like putting your signature on a letter
- Click OK
- If you do not sign the file, you will be prompted to name the file. Any name will do (filename.pgp), and then click OK
- Only the chosen recipient(s) will be able to decrypt the file
- You can now send the encrypted file
Sign a file using your PGP key
You can put your signature on a file, so people know it is from you, not an impostor. You can sign both encrypted and non-encrypted files.
- Find the file that you want to sign (it can be on your desktop, in the persistent folder, or wherever). If you need a file to test, just open gedit, write yourself a little note and save it
- Right-click the file and select Sign
- Select your PGP key from the Sign message as window, and then click OK
- If prompted, enter your key password, and then click OK
- At the location of the original file a second file appears. It has the same name as the original, plus '.sig' added to the end (filename.txt.sig appears after signing filename.txt)
- The person verifying your signature needs three things: the original file you signed, the '.sig' file and your public PGP key (filename.txt, filename.txt.sig and your_public_key.asc)
Where security gets tricky
Ideally, the person verifying your signature had previously received and verified your public PGP key.
This process works like bank signatures did in the old days.
- When you opened a checking account, you would go to the bank in person and sign a signature card. This way the bank had your authentic signature on file
- When a check came into the bank, they would compare the signature on the check with the authentic signature on file
- If the signatures matched, they would consider the check authenticated
Now, suppose the bank received a signature card and a signed check at the same time. Meanwhile, you were not present. Even though the signatures match, the bank cannot tell if they are authentic.
You face the same dilemma if you get a public PGP key online at the same time as a signed file. You need a way to authenticate the public PGP key before you can use it to authenticate a signed file.
Authenticating a public PGP key
There are two ways to make sure you have someone's actual public PGP key, not a fake.
- You can check the key with the Keyservers
- You can check the key by its Fingerprint
Authenticate with the Keyservers:
If someone trusts that a public PGP key is authentic, they can sign it. When you import a particular key, you can see the keys of all the people who have chosen to publicly sign it, vouching for its authenticity. Using the terminal, you will view these signatures.
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys)
- Select GnuPG keys from the left column
- Right-click an imported public PGP key, and then select Properties (as an example, select Tails Developers [email protected] 'offline long-term identity key')
- Take note of the Key ID, because you will need it in a moment (in this case, 58ACD84F – as of August 1, 2015). You can leave this window open while you proceed to the next step
- Open the Terminal program (Applications > Accessories > Terminal)
- In the Terminal window, type “gpg --list-sigs Key_ID”. In this example, you would type gpg --list-sigs 58ACD84F
- The terminal displays a list of signers
The more signatures that are from people you know and trust, the more trust you can have in the key's authenticity
This trust stuff is a big deal for software developers collaborating on projects and, in the case of my family, Christian missionaries spreading the word to hostile lands. For most other people, PGP is just a way of pretending to be Batman and Robin exchanging puppy memes without the Joker eavesdropping.
Authenticate with the key's Fingerprint
To check a key's Fingerprint:
- Open the Passwords and Keys program (Applications > System Tools > Preferences > Passwords and Keys), and then import the key in question
- Select GnuPG keys from the left column
- Right-click the key, and then select Properties
- Under the Details tab is the key's Fingerprint (for example, the Tails developers' fingerprint is A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F)
- Compare the Fingerprint to that of others who have the same key in their possession. The more corroborating sources, the more trust you can have in the key's authenticity. If it is a popular key, an online search may provide a number of comparisons
- If you believe the key is fake, you can delete it (right-click the key, and then select Delete)
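Comparing fingerprints by eye across different spacing and letter case is error-prone, so here is an added shell example (not part of the original guide) that normalises fingerprints as Seahorse and gpg display them, compares two copies, and shows how the 8-character Key ID the guide quotes (58ACD84F) is simply the tail of the 40-character fingerprint. The altered "second source" fingerprint in the demo is constructed to show what a mismatch looks like; the other values are the ones quoted in the guide.

```shell
#!/bin/sh
# Added example: compare PGP fingerprints the way a careful verifier would,
# independent of spacing and case, and relate a Key ID to a fingerprint.

# Normalise a fingerprint as Seahorse or gpg display it (groups of four hex
# digits, any case) to 40 upper-case hex characters. Fails, printing nothing,
# if the input is not a 160-bit (v4) fingerprint.
fpr_normalize() {
    n=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    case "$n" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#n}" -eq 40 ] || return 1
    printf '%s\n' "$n"
}

# The 8-character Key ID quoted in the guide is the last 8 hex digits of the
# fingerprint; the 16-character "long" Key ID is the last 16.
fpr_short_id() { n=$(fpr_normalize "$1") || return 1; printf '%s\n' "$n" | cut -c 33-40; }
fpr_long_id()  { n=$(fpr_normalize "$1") || return 1; printf '%s\n' "$n" | cut -c 25-40; }

# Succeed only if two fingerprints denote the same key, however they were typed.
fpr_match() {
    a=$(fpr_normalize "$1") || return 1
    b=$(fpr_normalize "$2") || return 1
    [ "$a" = "$b" ]
}

# Succeed if a Key ID (8 or 16 hex digits, optional 0x prefix) belongs to the
# given fingerprint.
fpr_has_key_id() {
    id=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    id=${id#0x}; id=${id#0X}
    case "${#id}" in
        8)  [ "$(fpr_short_id "$1")" = "$id" ] ;;
        16) [ "$(fpr_long_id "$1")" = "$id" ] ;;
        *)  return 1 ;;
    esac
}

# Demo with the fingerprint and Key ID quoted in the guide, plus a constructed
# "second source" that differs in one digit to show what a mismatch looks like.
fpr_demo() {
    guide='A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F'
    pasted='a490d0f4d311a4153e2bb7cadbb802b258acd84f'            # same key, lower case
    altered='A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84E'  # constructed mismatch
    printf 'short Key ID: %s  long Key ID: %s\n' \
        "$(fpr_short_id "$guide")" "$(fpr_long_id "$guide")"
    fpr_match "$guide" "$pasted"  && echo "pasted copy:  MATCH"
    fpr_match "$guide" "$altered" || echo "altered copy: MISMATCH - do not trust this key"
    fpr_has_key_id "$guide" 58ACD84F && echo "Key ID 58ACD84F belongs to this fingerprint"
}

fpr_demo
```

Because the short Key ID is only the last 32 bits of the fingerprint, two different keys can share it, and a key with a chosen short ID can be generated cheaply; a Key ID is fine for looking a key up, as in the gpg --list-sigs step, but it is not authentication. Compare all 40 hex digits of the fingerprint.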