Workshops

User Tools

Site Tools

Trace:
pgp_workshop

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pgp_workshop [2025/04/09 19:34] userapgp_workshop [2025/05/29 07:47] (current) – [The actual Key signing] usera
Line 94: Line 94:
 {{ :kleopatra_10.png?600 |}} {{ :kleopatra_10.png?600 |}}
 Open a new mail, and write the mail address of the person you want to write to in the "To" field. Click on the GpgOL option "Secure" and you should see the two options "Sign" and "Encrypt" squared in black, meaning that they are activated. Write your mail (remember to use a vague subject or no subject at all) and then hit "send". That's it ! You can then check on your webmail to see what the server actually receives, which should be only encrypted data. Attachments are also encrypted, if you used any. Open a new mail, and write the mail address of the person you want to write to in the "To" field. Click on the GpgOL option "Secure" and you should see the two options "Sign" and "Encrypt" squared in black, meaning that they are activated. Write your mail (remember to use a vague subject or no subject at all) and then hit "send". That's it ! You can then check on your webmail to see what the server actually receives, which should be only encrypted data. Attachments are also encrypted, if you used any.
 +
 +===== All platforms with Mozilla Thunderbird =====
 +
 +
 +Once you have a set up thunderbird installation with your mail server, open it and do the following:
 +
 +
 +{{ :thunderbird_2.png?600 |}}
 +Right click on your mail address on the left, then click on "Settings"
 +
 +{{ :thunderbird_3.png?600 |}}
 +In the "End to End encryption" section, click on "OpenPGP Key Manager"
 +
 +{{ :thunderbird_4.png?600 |}}
 +Click on Generate->New Key Pair
 +
 +{{ :thunderbird_5.png?600 |}}
 +After the key generation, click on Keyserver->Publish if you want anyone to be able to find your public key. Then you can find enother person public key with Keyserver-Discover Keys Online. Remember to enter the full mail address associated with the key you are looking for in the search field. Alternatively, you can use File->Import Public Key from File and File->Export Public Key to File functions to share your public key to a smaller audience.
 +
 +{{ :thunderbird_6.png?600 |}}
 +Go back to Settings, then select your key as the default key for your mail address
 +
 +{{ :thunderbird_7.png?600 |}}
 +Open a new mail, and write the mail address of the person you want to write to in the "To" field. You should see appearing the mention "OpenPGP end-to-end-encryption is possible", and you can then click on "Encrypt". You can also click on the Encrypt button next to send to have the same effect. Write your mail (remember to use a vague subject or no subject at all) and then hit "send". That's it ! You can then check on your webmail to see what the server actually receives, which should be only encrypted data. Attachments are also encrypted, if you used any.
 +
 +{{ :thunderbird_8.png?600 |}}
 +We need now to activate a master password to encrypt the keys (and also the mails on your computer at rest) by going to Settings->Thunderbird Settings
 +
 +{{ :thunderbird_9.png?600 |}}
 +Then click on "Privacy and Security"->"Use a primary password" and set up a strong passphrase
 +
 +=====Encrypting and decrypting files with GPG, regardless of the fact that you use email to transfer them=====
 +
 +==== Using Windows and GNU4Win ====
 +
 +If you are on Windows and have installed GNU4WIN (see above), then you can simply open the file explorer, right click on a file and see the options "sign and encrypt" and "More GpgEx options" to generate an encrypted file with a public key you previously stored with Kleopatra, or to decrypt it with your private key.
 +{{ :gpgol_encrypt.png?600 |}}
 +
 +==== On all platforms using the command line tool gpg ====
 +
 +This command line tool is already installed natively in many Linux distribution. Otherwise you can install it with the command, for example on Debian based distributions like Debian, Ubuntu or Linux Mint:
 +<code>
 +sudo apt-get install gnupg
 +</code>
 +On Windows, it is installed with the installation of Gnu4Win. On MacOS, it can be installed with homebrew (see above). You can use it to bypass any of the mail system assumption, and therefore transfer things via not only any mail systems, but also other messaging apps, while being certain that it is end to end encrypted.
 +
 +Here is a cheat sheet for the commands you can enter with it:
 +
 +^ Function     ^ Command      ^ Note^
 +| generate a public/private key pair | <code>gpg full-generate-key</code>  | |
 +| list all public keys | <code>gpg --list-keys</code> | you can see the signature of the key, the level of trust under brackets, the validity f the key, and the name and mail addresses|
 +| list all private keys | <code>gpg --list-secret-keys</code>  | you can see the signature of the key, the level of trust under brackets, the validity f the key, and the name and mail addresses|
 +| send a key to a keyserver | <code>gpg --send-keys [key_id]</code>  | replace <code>[key_id]</code>  with the fingerprint of the key you want to send. Default to keys.openpgp.org, but this can be changed with the --keyserver option|
 +| get the fingerprint of a key | <code>gpg --fingerprint [mail]</code> | replace <code> [mail]</code>  with the mail address of the key you want to investigate |
 +| search for a public key on a server | <code>gpg --search-keys [mail]</code>  | replace <code>[mail]</code>  with the mail address of the person you want to communicate to. It will return the fingerprint of the found key(s) |
 +| Receive a key from a keyserver | <code>gpg --receive-keys [key_id]</code>  | replace <code>[key_id]</code>  with the fingerprint of the key you want to receive, that you would typically have found with the <code>gpg --search-keys [mail]</code> command above |
 +| Import a public key from a file | <code>gpg --import [key_file]</code>  | replace <code> [key_file]</code>  with the file containing the public key you want to import in your keyring |
 +| Export a public key to a file | <code>gpg --export [mail] > [filename]</code>  | replace <code>[mail]</code>  with the mail of the key you want to export, and <code>[filename]</code>  by the name of the file you want to create|
 +| Encrypt a file with GPG | <code>gpg --encrypt --recipient [mail] --sign --armor [filename]</code>  | replace <code>[mail]</code> with the mail of a person you have the public key of, and <code> [filename]</code>  with the file you want to encrypt. This will create another file named <code>filename.asc</code> which is a text file containing the encrypted data.|
 +| Decrypt a file with GPG | <code>gpg [filename]</code>  | replace <code>[filename]</code>  with the file you want to decrypt. This will create another file that is the decrypted file. If you want to specify the name of the output file, you can use the option <code>--output [filename]</code> |
 +
 +
 +===== Signing and verifying signatures with OpenPGP =====
 +
 +PGP is not only used to encrypt, but also to make "signatures" and to verify them, to check that:
 +  - the sender of the message is the person you think they are, or
 +  - that the file you downloaded has not been tampered with while being sent to you
 +
 +The signature mechanism works in the opposite way as the encryption:
 +  - Your **private key** is used to **sign**
 +  - Your **public key** is used by the person receiving the message to **verify the signature**
 +
 +The way it is done is the following:
 +  - The file is **[[hashed|hashed]]** (see the paragraph below).
 +  - This hashed file is encrypted with your private key
 +  - The result is added at the end of your file, giving a **signed** file.
 +
 +Actually, in most case you will do both: signing (with your private key) then encrypting (with the public key of someone else). The person receiving the message will decrypt it with their private key, and then extract the signature and verify it with your public key.
 +
 +
 +==== First step if you only set up Thunderbird with PGP so far ====
 +
 +If you were on Windows and set up your keys with Kleopatra, the command line gpg tool will already know those keys. However, if you used the PGP key manager from thunderbird, it is different. You will therefore have to copy all your keys from the thunderbird key manager to the keys that are known by the gpg command line tool.
 +
 +This is how to do it. First, go to the key manager, select your own key, that you will use to sign things with, and click on File->Backup Secret Key to File, then find a location on your computer (you will be asked for a passphrase for this, please use a [[diceware|good one]])
 +
 +Then, open a command line, navigate to the directory where your secret key file is located and enter:
 +
 +<code>
 +gpg --import [filename]
 +</code>
 +
 +where [filename] is the name of this secret key file. you then need to tell the gpg command tool to use this key as a default signing key. This is done by the command:
 +
 +<code>
 +echo 'default-key:0:"[fingerprint]' | gpgconf --change-options gpg
 +</code>
 +
 +where [fingerprint] is the fingerprint of your key. You can find it with the command:
 +
 +<code>
 +gpg --fingerprint [NAME]
 +</code>
 +
 +where [NAME] can be a small part of your mail address: gpg is cleaver enough to do a search among your keys and guess which one is the closest. 
 +
 +You are then ready to sign files and keys !
 +==== Checking the integrity of a downloaded file ====
 +
 +In some case you will download something from a website and there will be a signature associated with it, like in this example from the software [[https://www.veracrypt.fr/en/Downloads.html|veracrypt]]:
 +
 +{{ :signature_file_example_veracrypt.png?600 |}}
 +
 +You can download the file, the associated signature and the public key. In the veracrypt example, the public key can be found [[https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc|here]]. You can import it with:
 +
 +<code>
 +wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc && gpg --import VeraCrypt_PGP_public_key.asc
 +</code>
 +
 +In the download page, they tell you to check that the fingerprint is correct:
 +
 +
 +<code>
 +foo@bar:~ gpg --fingerprint veracrypt@idrix.fr
 +pub   rsa4096 2018-09-11 [SC]
 +      5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE
 +uid           [ unknown] VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>
 +sub   rsa4096 2018-09-11 [E]
 +sub   rsa4096 2018-09-11 [A]
 +</code>
 +
 +and that it should be 5069 A233 D55A 0EEB 174A 5FC3 821A CD02 680D 16DE.
 +Once you checked the fingerprint the public key, you can sign it with your private key to indicate that you trust it:
 +
 +<code>
 +foo@bar:~ gpg --sign-key veracrypt@idrix.fr
 +pub  rsa4096/821ACD02680D16DE
 +     created: 2018-09-11  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 +sub  rsa4096/200B5A9D26878A32
 +     created: 2018-09-11  expires: never       usage: E
 +sub  rsa4096/0F5AACD65483D029
 +     created: 2018-09-11  expires: never       usage: A
 +[ unknown] (1). VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>
 +
 +
 +pub  rsa4096/821ACD02680D16DE
 +     created: 2018-09-11  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 + Primary key fingerprint: 5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE
 +
 +     VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>
 +
 +Are you sure that you want to sign this key with your
 +key "my Name <my@mail.net>" (my_key_id)
 +
 +Really sign? (y/N) y
 +</code>
 +
 +you can then check that you have the correct file by entering:
 +
 +<code>
 +foo@bar:~ gpg --verify "VeraCrypt Setup 1.26.20.exe.sig" "VeraCrypt Setup 1.26.20.exe"
 +gpg: Signature made Tue 04 Feb 2025 15:53:43 CET
 +gpg:                using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
 +gpg: checking the trustdb
 +gpg: marginals needed: 3  completes needed: 1  trust model: pgp
 +gpg: depth: 0  valid:    signed:    trust: 0-, 0q, 0n, 0m, 0f, 3u
 +gpg: depth: 1  valid:    signed:    trust: 1-, 0q, 0n, 0m, 0f, 0u
 +gpg: next trustdb check due at 2025-11-29
 +gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" [full]
 +</code>
 +
 +This Good signature indication tells you that you have downloaded a file that was certified as genuine by the owner of the private key associated with veracrypt, and that it has not been tampered with.
 +
 +==== Signing a document ====
 +
 +With the command line, you can sign a document with <code> gpg --sign [filename] </code> to output a signed document or <code> gpg --detach-sign [filename] </code> to output only the signature.
 +
 +==== Sign the public key of someone ====
 +
 +GPG is a lot based on the trust that you are talking to the right person. Therefore, to tell to the whole world that you trust some public key, you should **sign the public keys** of other people.
 +
 +=== Note if you used Thunderbird and not Kleopatra ===
 +
 +To sign a key, you need to use the command line gpg, so as said before, if you used Kleopatra to generate your keys, you are good to go, as the gpg tool will already know your keys. However, if you used Thunderbird, you need to copy the keys you want to sign. This is how you do it.
 +  - First, go to the PGP key manager in Thunderbird
 +  - Select the public key you want to sign, then right click and click on Export public key to file and select a location on your computer
 +  - Open a command line, navigate to the folder where your file is and enter ''%%gpg --import [FILENAME]%%'', where [FILENAME] is the file you exported the public key to
 +  - repeat the operaton for each key you want to sign
 +
 +=== The actual Key signing ===
 +
 +This is how to do it (as recommended [[https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84|here]]):
 +
 +  - Alice (you) get the public key of Bob
 +  - Alice sign it with her private key: ''%%gpg --sign-key [key_id]%%'' where ''%%[key_id]%%'' is the fingerprint of the Bob public key. In the process you will be asked to check that the fingerprint match with the key of the other person, which you should do in a secure channel, or in person, with the person owning the key. Note: you can at every time look at all signatures on a key with the command: ''%%gpg --list-sig [NAME]%%'', with [NAME] being for example part of the mail address associated with the key.
 +  - Alice exports, then encrypts the signed key with Bob public key, with the following command: <code>gpg --armor --export [key_id] | gpg --sign --encrypt -r [key_id] > [filename]</code>, where ''%%[key_id]%%'' is the fingerprint of Bob public key and ''%%[filename]%%'' is the output filename. Note: you can alternatively, since you already configured your mails for this, just export the key with ''%%gpg --armor --export [key_id] > [filename]%%'', and attach it to a mail encrypted with your mail client.
 +  - Alice emails the key to Bob using the mail address associated with the key
 +  - Bob receives it, then decrypt it with his private key and import it: ''%%gpg --decrypt [filename]%%'' and then ''%%gpg --import [filename_decrypted]%%''
 +  - He can then send it to a keyserver, containing Alice signature: ''%%gpg --send_keys [key_id]%%''
  
pgp_workshop.1744227256.txt.gz · Last modified: by usera