PGP (P retty G ood P rivacy) is computing software/standards for cryptographically signing and/or encrypting data (including emails). PGP is most often used with public key cryptography, but can support other schemes (symmetric encryption for example).

Read more about PGP and related topics at wikipedia:

A popular free software program for signing, encrypting and decrypting data is GPG (G NU P rivacy G uard). gpg} is installed on our Linux Timeshare and Mill laboratory.

Generating a PGP keypair

These instructions assume a GnuPG Version ≥ 1.4.0 and that you are operating on a UNIX-like system (Mac OS X or Linux). Some things may differ when running on Windows.

You need a PGP keypair in order to use PGP/GPG and public key cryptography for e.g. signing emails. Ideally you should install GPG on your local machine and generate it there, but you could do it on the Linux timeshare system. Make sure you use a passphrase!

Create a directory ~/.gnupg and place file gpg.conf within it, containing the following

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Then invoke gpg --gen-key and choose the following options

  • Key type: Key type: (1) RSA and RSA (default)
  • ensure all allowed actions are enabled: Sign Certify Encrypt Authenticate
  • size 4096 bits
  • No expiry (0)
  • your preferred 'full' name
  • your e-mail address
  • no comment necessary
  • select a strong passphrase.

The output of the above command should tell you your key's fingerprint, e.g. 13AE 8503 DEC2 176C 6747 6754 805E C2AE 9459 2548. The last two octets are often used as a short-hand for identifying the key (e.g. 94592548). This is fine for local operations when you are sure that there is no clash with another key in your keyring, but for verifying someone else's key for the first time, you should check the full fingerprint.

You probably want to push your public key to a public keyserver. Here's how:

gpg --keyserver pgp.mit.edu --send-key 94592548

(Instructions condensed and adapted from http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ )

Signing Mail

You need an email client which supports PGP/GPG. Outlook/Exchange at Newcastle University do not. We recommend ensuring you have IMAP access enabled to your Exchange mailbox (ask your school computing officer to request this from central NUIT if you do not have it), and using Thunderbird combined with the Enigmail plug-in (sorry, it is central NUIT policy that we have to warn you about the support implications of using IMAP before allowing it).

Some details on configuring Thunderbird are available at Thunderbird.

Other email clients are available, of note are Emacs and mutt if you are already familiar with them.

Using PGP/MIME

There are two ways to include a signature with an email: "inline", the default, puts the signature at the bottom of your email text, as a lump. e.g.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

hello world
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRliozAAoJEAkHQJYGqqqqUTwP/09Nh3WLGL45lzu738ZWbxJ8
Aq6HBMRQAT84tHkOD6yfPJkSMlUBitF/XPK0W03qO5y7Xz11O1C4t+YDi+CckJd6
rfyDsI+QF/s/BlE9PGBuKvOuFEjpvMJIp6tWnOjktVW35mx0WNldOdAwhbI6nxqT
4NhX9FvSc9OVjq+wnRO0lJxXtKYqlFa9SshF/rg8qxY46+F9mNu2nXAeOz5yFna
CiialfXtI/MoPR/uyCOqHWCLAuMT1oyUkcnTqzeH89KKT1sR7Vn4A432BRIQ2fDX
qRBt6YRBke1rRJn+inhj8sdpQ6U/uenluGm1AhvP9Efoqk7VrqQVcs9wqS0VEWMP
nOUD0AIG+XEeMoUc1lsCHzrPBeNbDOp4le01zKQT9lBy2bNFdqShOMAIC2s8UWUG
juUN3d07rSuVPMPPNg7vRtH8jS4u68OCj1+cCJfEQx9cnN9UonwDDPrnzLgRIoI4
hD0D6GPifldV4gJhAbISzlyOLVqeLP3+ViNzMm0RYgfFesHxLmT3i1Nn2tp8qveU
VUxmDI3fxgXvDN/cu6MNy53deh6ahFg5EsGmjiE85fnJ0WTJ+9qJTT7ZoZIUa43a
+zEdzIHfRLvYEs5oMt2M/a3c5yluZzt96mQCsMd11g2cUGhg2Oj0JbdY7/QEOPu+
x78fozdF01+R4ivhAMvJ
=VAY0
-----END PGP SIGNATURE-----

With 'safe' keys (large sizes) you also get large signatures which are ugly for recipients who do not run a PGP-supporting email client. An alternative is to use PGP/MIME, which attaches the signature to the mail instead. To enable this with Thunderbird/enigmail, start a new email, click the OpenPGP button and select "sign this message". You should be asked to configure enigmail. On the corresponding pop-up, click "Use PGP/MIME by default".


Exchanging public keys

Giving out your public key

Prepare key slips with your public keys fingerprint on them. Print them out. You can get your fingerprint using gpg --fingerprint <your-id>. If you can't immediately recall the short-id of your key, try a chunk of your name or email address that is likely to be unique in your keyring, e.g.

$ gpg --fingerprint dowland
pub   4096R/06AAAAAA 2009-09-14
      Key fingerprint = E037 CB2A 1A00 61B9 4336  3C8B 0907 4096 06AA AAAA
uid                  Jon Dowland <jmtd@debian.org>
uid                  Jon Dowland <jon@alcopop.org>
uid                  Jon Dowland <jon.dowland@ncl.ac.uk>
sub   4096R/9F51B963 2012-03-29

Ensure your slips have the full fingerprint and all your uids on them (if you have more than one).

You should give these slips to people who are interested in verifying your public key, in conjunction with some form of official identification (e.g. a passport or driving license). The recipient can then trust the fingerprint, and later on fetch your public key from a keyserver, verify the fingerprintmatches and sign the key.

Receiving public keys

Accept key slips from people as long as they have at least one UID and a full fingerprint on them. Verify the identity of the person who is giving you the keyslip, using e.g. a passport or drivers license.

Later on, fetch their public key from a public keyserver:

$ gpg --keyserver pgp.mit.edu --recv-keys 06aaaaaa
$ gpg --edit 06aaaaaa
gpg> sign
Really sign all user IDs? (y/N) y
Really sign? (y/N) y

You have now added your signature to the local copy of the person's public key. You should now give them a copy of that signed public key. It's considered polite to return this to them via email, rather than push it to a public key server. Export an email-friendly copy of their key using

gpg --export --armor 06aaaaaa > 06aaaaaaa.txt

Note in the above example: strictly you should only sign UIDs that were on the printed keyslip you received. To select a particular UID to sign, use the command uid 1 (to select the first UID), etc.

If you are on a Linux-based system, the caff tool automates many of these steps. See http://pgp-tools.alioth.debian.org/ or the package signing-party in Debian/Ubuntu-based systems.

Checking trust paths

See e.g. http://pgp.cs.uu.nl/mk_path.cgi?FROM=06aaaaaa&TO=650D5882&PATHS=trust+paths and see how many hops there are between your key and the Red Hat Security Team.