Posted: Thu Oct 23, 2003 5:27 am Post subject: Installing and Configuring GnuPG in Redhat 9
Okay, folks. Here's the long-awaited instructions for installing, configuring & implementing GnuPG in Redhat 9"
[quote]If you are running Redhat 9 on your Linux box, you already have GnuPG version 1.2.1 installed by default. From an X-Terminal window, you'll want to generate your public/private key pair. To do so, open the X-Terminal window and type in gpg --gen-key.
Next, you'll follow these instructions once the key generation process opens:
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
GnuPG is able to create several different types of keypairs, but a primary key must be capable of making signatures. There are therefore only three options. Option 1 actually creates two keypairs. A DSA keypair is the primary keypair usable only for making signatures. An ElGamal subordinate keypair is also created for encryption. Option 2 is similar but creates only a DSA keypair. Option 4 creates a single ElGamal keypair usable for both making signatures and performing encryption. In all cases it is possible to later add additional subkeys for encryption and signing. For most users the default option is fine.
You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits, and an ElGamal key may be of any size. GnuPG, however, requires that keys be no smaller than 768 bits. Therefore, if Option 1 was chosen and you choose a keysize larger than 1024 bits, the ElGamal key will have the requested size, but the DSA key will be 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)
The longer the key the more secure it is against brute-force attacks, but for almost all purposes the default keysize is adequate since it would be cheaper to circumvent the encryption than try to break it. Also, encryption and decryption will be slower as the key size is increased, and a larger keysize may affect signature length. Once selected, the keysize can never be changed.
Finally, you must choose an expiration date. If Option 1 was chosen, the expiration date will be used for both the ElGamal and DSA keypairs.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
For most users a key that does not expire is adequate. The expiration time should be chosen with care, however, since although it is possible to change the expiration date after the key is created, it may be difficult to communicate a change to users who have your public key.
You must provide a user ID in addition to the key parameters. The user ID is used to associate the key being created with a real person.
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <firstname.lastname@example.org>"
Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.
GnuPG needs a passphrase to protect the primary and subordinate private keys that you keep in your possession.
You need a Passphrase to protect your private key.
There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.
To communicate with others you must exchange public keys. To list the keys on your public keyring use the command-line option --list-keys.
In the example below, Alice is listing the keys on her keyring by typing in the gpg --list-keys command at the X-Terminal window and receiving the response as indicated.
alice% gpg --list-keys
pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <email@example.com>
sub 1024g/78E9A8FA 1999-06-04
A public key may be added to your public keyring with the --import option.
alice% gpg --import blake.gpg
gpg: key 9E98BC16: public key imported
gpg: Total number processed: 1
gpg: imported: 1
alice% gpg --list-keys
pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <firstname.lastname@example.org>
sub 1024g/78E9A8FA 1999-06-04
pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <email@example.com>
sub 1024g/5C8CBD41 1999-06-04
Once a key is imported it should be validated. GnuPG uses a powerful and flexible trust model that does not require you to personally validate each key you import. Some keys may need to be personally validated, however. A key is validated by verifying the key's fingerprint and then signing the key to certify it as a valid key. A key's fingerprint can be quickly viewed with the --fingerprint command-line option, but in order to certify the key you must edit it.
A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner. If the fingerprint you get is the same as the fingerprint the key's owner gets, then you can be sure that you have a correct copy of the key.
After checking the fingerprint, you may sign the key to validate it. Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key.
Are you really sure that you want to sign this key
with your key: "Alice (Judge) <firstname.lastname@example.org>"
Once signed you can check the key to list the signatures on it and see the signature that you have added. Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.
A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key.
The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice's public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your private key.
To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. The software expects the name of the document to encrypt as input; if omitted, it reads standard input. The encrypted result is placed on standard output or as specified using the option --output. The document is compressed for additional security in addition to encrypting it.
The --recipient option is used once for each recipient and takes an extra argument specifying the public key to which the document should be encrypted. The encrypted document can only be decrypted by someone with a private key that complements one of the recipients' public keys. In particular, you cannot decrypt a document encrypted by you unless you included your own public key in the recipient list.
To decrypt a message the option --decrypt is used. You need the private key to which the message was encrypted. Similar to the encryption process, the document to decrypt is input, and the decrypted result is output.
blake% gpg --output doc --decrypt doc.gpg
You need a passphrase to unlock the secret key for
user: "Blake (Executioner) <email@example.com>"
1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)
Documents may also be encrypted without using public-key cryptography. Instead, you use a symmetric cipher to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.
alice% gpg --output doc.gpg --symmetric doc
Once you have successfully setup your public key pairs and exchange them, you can move on to setting up GnuPG in a mail client so that you can start sending & receiving secure email.
The email client of choice here is Mozilla Mail 1.2.1, although it can be successfully setup in a number of mail clients such as Thunderbird 0.3 or Ximian Evolution mail. I will only cover the steps for implementing GnuPG in the first client.
After installing Mozilla Mail Client version 1.2.1 built-into Mozilla 1.2.1 browser, you will have to download and install two extension packages: enigmail-0.71.0.xpi and enigmime-0.71.0-linux-redhat-90.xpi , both available from http://enigmail.mozdev.org/download.html#moz12 . These two extensions are for Redhat 9.0 users only and you should [u]not[/u] take the Express Install here.
Log in as root user and click on the links and install both files. Redhat 9 will alert you to their successful installation in Mozilla Mail 1.2.1. You will need to launch the Mozilla browser and Mozilla Mail as root user, then log out and log in as yourself and launch both as well. You will now have a successful install in the Mozilla Mail client and will be able to start using the program to send/receive encrypted mail once you configure the Mozilla Mail Client to automatically encrypt and sign or simply encrypt messages upon send. Using the EnigSend button you will be able to do just that. You can also tell the client to automatically decrypt message you receive as encrypted through the Preferences interface.[/quote] _________________ Dan Calloway
A+/N+ Certified PC Technician
Asheville, NC 28805
"Great minds think a lot."
As you can see i'm new here but would like to say you
did some great work on this i had been looking for this
type of info all over the place when i happen to drop in
to this forum & am glad i did so keep up the great work
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum