PGP - Beginner's Guide

This is less a beginner's guide, more a guide to some basic commands to get you started. If you require something a bit more in-depth then I recommend that you take a look at the EFH Workshop.

Generating a Key

One of the very first things you will wish to do is generate your own key.

	pgp -kg

You will receive various prompts as to key length, pass phrase et cetera. You should choose the maximum key length for maximum security. You can go above a key length of 1024-bits by explicitly stating the key length, but bear in mind that those with earlier versions of PGP will not be able to handle your key.

You will be asked to give an ID for your key. This will usually be of the form

	My Name <e-mail>

If you lack an e-mail address, you could choose your house number, postcode and country or an international telephone number. Choose something that together with your name makes you unique in the world. Also remember that people may need a means to contact you in order to verify your key.

	Fred Bloggs <12 Postcode UK>

	Fred Bloggs <+44-1235-456789>

Always sign your own key. Later versions of PGP do this automatically. If your key is not signed, sign it.

	pgp -ks "my key"

Extracting a Key

Once you have generated your key, you will want to extract a copy to pass around to friends and colleagues.

	pgp -kxa  "my key"

PGP will prompt you for a file name if you have not specified it on the command line.

Once you have a copy of your key in a file you can put it on disk and pass it around, or paste it into an e-mail.

Now you have a key, pass it around as quickly and widely as possible. This is to pre-empt anyone who may be tempted to circulate a fake copy of your key. Fake keys (and the problem of validating keys) are the Achilles heel of any public key cryptosystem.

The same procedure can be used to extract a copy of anyone's key. A friend for example may have passed you a copy of his key and asked you to sign it. Once you have signed it hand it back (do not upload it to a key server unless explicitly asked to do so).

	pgp -kxa  "a keyID or userID"

Adding a key

PGP comes with a bunch of keys; you may also have received keys from friends and colleagues. To add the keys in a file to your keyring:

	pgp -ka keyfile

PGP will ask if you wish to certify the key. Say Yes only if you know the person and are certain that it is their key. If there is any doubt in your mind as to the authenticity of the key or the ID of its claimed owner, do not sign the key - that is, say NO. Certifying a key is the same as signing a key. Other people are reliant on your judgement, so exercise it wisely.

There is often the temptation to sign a key because someone you know has signed it, so it must be valid. Signing on that basis adds no useful information. When you sign a key you are making a statement that you have performed your own independent checks as to the authenticity of the key.

When you sign or certify a key you are asked to give your opinion as to how far you trust the key owner to sign other keys, that is, whether they exercise the same degree of care as yourself before they sign a key.

Once you have signed a key it is a good idea to pass a copy of the signed key back to its owner.

Encrypting a file

Now that you have got PGP up and running you can get down to the real business of encryption.

	pgp -e filename  "To User ID"

If you wish to e-mail your encrypted file it is a good idea to ascii-armour the file.

	pgp -ea filename "To User ID"

You will often get a warning when encrypting a file that the key has not been certified and thus may be dubious. This is telling you that the key that you are using has not been signed either by yourself or by a key that can be linked to your key. It is OK to go ahead, but be aware that the key has not been validated and could be a fake key or one that has been tampered with.

Signing a file

To prove that a file has originated from you, that is, that the file is authentic, you will wish to sign the file. Any alteration to a signed file will cause the signature check to fail, so tampering is detected.

PGP will prompt you for your secret key pass phrase. You haven't forgotten it have you? If yes, tough luck as there is no way of recovering it.

For a text file you will wish to clear sign the file, that is, the signature is appended to the file so that others (who foolishly may not use PGP) are still able to read the file.

	pgp -sat textfile

If you have more than one PGP key, the most recent will be used. This can be overridden by putting your keyID on the command line (the -u option).

For anything other than a text file (that is, all binary files; word processor files are binary files) you should produce a detached signature file. This is exactly the same as clear signing above, except that the signature is placed in a separate file rather than appended to the original.

	pgp -sb binaryfile

For sending through e-mail you may wish to produce an ascii-armoured version of the detached signature.

	pgp -sab binaryfile

It is also possible to combine encryption and signing of a file.

	pgp -seat textfile "To User ID"

The file is first signed, then encrypted. Anyone intercepting the file is unable to see who has signed it. Only the recipient is able to read the file, and the recipient is also able to verify who has sent it.

The procedure shown is for a text file. If you wish to send a binary file you have a choice of whether or not to ascii-armour the file. If you are sending via e-mail it should be ascii-armoured; via other means (ftp, disk) it can be sent in binary format.

	pgp -se binaryfile  "to recipient ID"

	pgp -sea binaryfile  "to recipient ID"

Reading a File

Reading a PGP file is easy.

	pgp pgpfile

This is used for all PGP files, be they encrypted, signed or a key file. PGP will handle it all automatically.

The procedure for a detached signature file is slightly different.

	pgp signaturefile signedfile

If you omit the signed file, PGP will prompt.

If the file is signed, you will receive a message noting 'good signature' to indicate that the file is authentic and has not been corrupted. A 'bad signature' will be given for a corrupt or invalid file. This assumes that the sender's public key is on your keyring.

If the file is encrypted, PGP will automatically decrypt and give you the plaintext file. This assumes that the sender has used your public key.

If the file is a key file, PGP will show you the keys and signatures within the file. You will then be prompted as to whether you wish to add the keys to your keyring. This is very useful for seeing what keys are in the file prior to adding them to your keyring.
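The guide describes three outcomes of a signature check: 'good signature', 'bad signature', and the warning that the key has not been certified. The following shell script is an added example (not part of the original guide) that turns PGP's printed output into one of those outcomes so a script cannot mistake a good signature from an uncertified key for a verified file. The sample outputs, user name, e-mail address and the exact wording matched are constructed, modelled on the messages the guide mentions; confirm the wording against your own PGP build before relying on the patterns.

```shell
# Added example, not from the original guide: classify the outcome of a
# PGP 2.x signature check from the text PGP prints. The sample outputs
# below are constructed, modelled on the 'good signature', 'bad signature'
# and "not certified" messages the guide describes; the exact wording of
# your PGP build may differ, so check it before relying on these patterns.

# classify_pgp_output reads PGP's output on stdin and prints one word:
#   authentic    good signature and no certification warning
#   uncertified  good signature, but the signing key is not certified by
#                you or by a key linked to yours: it could be fake or
#                tampered with, so treat the file as unverified
#   bad          bad signature: the file has been corrupted or altered
#   nokey        the signer's public key is not on your keyring
#   unknown      none of the above (inspect the output by hand)
classify_pgp_output() {
    # lower-case everything so the match does not depend on capitalisation
    lower=$(tr 'A-Z' 'a-z')
    case "$lower" in
        *"bad signature"*)  printf 'bad\n' ;;
        *"good signature"*)
            case "$lower" in
                *"not certified"*) printf 'uncertified\n' ;;
                *)                 printf 'authentic\n' ;;
            esac ;;
        *"can't find the right public key"*) printf 'nokey\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# verify_detached SIGFILE SIGNEDFILE runs the guide's command
# (pgp signaturefile signedfile) and classifies the result.
# Assumes a working pgp binary on PATH; PGP's own output is captured.
verify_detached() {
    pgp "$1" "$2" 2>&1 | classify_pgp_output
}

# Constructed sample outputs (no real keys or users).
SAMPLE_GOOD='Good signature from user "Fred Bloggs <fred@example.invalid>".
Signature made 1997/09/01 12:00 GMT'
SAMPLE_UNCERTIFIED='Good signature from user "Fred Bloggs <fred@example.invalid>".
WARNING:  Because this public key is not certified with a trusted signature,
it is not known with high confidence that this public key actually belongs to:
"Fred Bloggs <fred@example.invalid>".'
SAMPLE_BAD="WARNING: Bad signature, doesn't match file contents!"
SAMPLE_NOKEY="Can't find the right public key-- can't check signature integrity."

# Show the classification of each constructed sample.
for s in "$SAMPLE_GOOD" "$SAMPLE_UNCERTIFIED" "$SAMPLE_BAD" "$SAMPLE_NOKEY"; do
    printf '%s\n' "$s" | classify_pgp_output
done
```

The point of the separate 'uncertified' result is the warning described under Encrypting a file: a good signature only proves that whoever holds the key signed the file, and if the key itself has not been validated, the file is not yet authenticated. Checking PGP's text rather than only its exit status keeps that distinction visible to a script.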

Checking the Key Fingerprint

Someone has your key, but can't be sure it actually belongs to you. By comparing key fingerprints with you they can perform a positive check.

	pgp -kvc "My ID"

This can also be used the other way round, to perform a positive ID on someone else's key.

	pgp -kvc "Her ID"

The ID used can be either the UserID or the KeyID.

Always compare key fingerprints via a tamper-proof route. For example, if you know the person well and would recognise their voice, speak with them on the telephone. Human voice recognition is a very good authentication system. Never use plaintext e-mail to confirm the fingerprint, as it can be altered en route - that is, it is not tamper-proof.
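When a fingerprint is read out over the telephone it arrives as a string of hex digits with whatever spacing and letter case the speaker used, so a careless comparison can either reject a genuine key or, worse, wave through a partial match. The following shell script is an added example (not part of the original guide) that pulls the fingerprint out of pgp -kvc output and compares it digit for digit against the spoken value. The pgp -kvc output below is constructed: the key ID, the 16 hex byte pairs and the user's e-mail address are made up, and the "Key fingerprint =" line is modelled on the 1997-era PGP 2.x format.

```shell
# Added example, not from the original guide: compare a fingerprint read out
# over the telephone with the one PGP prints for a key. The pgp -kvc output
# used below is constructed (made-up key ID, hex digits and address).

# extract_fingerprint reads pgp -kvc output on stdin and prints the hex
# digits of the "Key fingerprint =" line, upper case, no spaces. Feed it
# the output for one key at a time.
extract_fingerprint() {
    sed -n 's/^.*Key fingerprint *= *//p' | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# normalise FINGERPRINT: the same treatment for a value typed in by hand,
# so spacing, colons or lower-case letters do not cause a false mismatch.
normalise() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# fingerprint_matches SPOKEN PGP_OUTPUT: succeeds (0) only if every hex
# digit agrees. One differing digit means a different key, and an empty
# fingerprint (no "Key fingerprint" line found) never matches.
fingerprint_matches() {
    spoken=$(normalise "$1")
    shown=$(printf '%s\n' "$2" | extract_fingerprint)
    [ -n "$shown" ] && [ "$spoken" = "$shown" ]
}

# check_key_fingerprint SPOKEN ID runs the guide's pgp -kvc "ID" and
# compares the result. Assumes a working pgp binary on PATH.
check_key_fingerprint() {
    fingerprint_matches "$1" "$(pgp -kvc "$2" 2>&1)"
}

# Constructed pgp -kvc output for a made-up key.
KVC_OUTPUT='Type bits/keyID    Date       User ID
pub  1024/0123ABCD 1997/09/01 Fred Bloggs <fred@example.invalid>
          Key fingerprint = 01 23 45 67 89 AB CD EF  FE DC BA 98 76 54 32 10'

# As read out over the telephone (matches), and with one digit wrong.
SPOKEN_OK='0123 4567 89ab cdef fedc ba98 7654 3210'
SPOKEN_WRONG='0123 4567 89ab cdef fedc ba98 7654 3211'

if fingerprint_matches "$SPOKEN_OK" "$KVC_OUTPUT"; then
    printf 'spoken fingerprint matches the key\n'
fi
if ! fingerprint_matches "$SPOKEN_WRONG" "$KVC_OUTPUT"; then
    printf 'one wrong digit: fingerprints differ, do not sign this key\n'
fi
```

Reducing both values to bare hex digits before comparing is the deliberate choice here: it removes presentation differences while keeping the comparison exact, so the only way to pass is for all 32 digits to agree.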

Viewing the Signatures on a key

You have a key from an unknown source and wish to check its validity. If it has been signed by a friend and you have their key, you can use their signature to check the validity of the key.

The first command will simply show the signatures on a key, the second command performs a positive check of the signatures.

	pgp -kvv  "keyID or userID"

	pgp -kc  "keyID or userID"

You may get a message saying 'unknown signator'. This is nothing to worry about. It simply means that you do not have that signer's key on your keyring. If you note the keyID, this can be used to obtain the key from a public key server (assuming the key has been uploaded to a key server).

Getting More Help

PGP comes with detailed documentation. Essential reading is Volume I of the Official Guide. My PGP page is a vast reservoir of PGP resource material (as is the PGP disk that I supply to people who order direct).

PGP can be used to obtain help on the commands, either general help or help specific to key management.

	pgp -h

	pgp -k

I have produced a quick reference guide for PGP. If you are unconvinced as to why you should be using PGP, read my Privacy paper. I have also written a brief overview of PGP if you have not yet grasped what PGP is.

(c) Keith Parkins 1997 -- September 1997 rev 8