Encrypting email with GnuPG

Closed Society

To send encrypted emails yourself, you can import the recipient's public key to your keyring, as follows:

$ gpg --import <key_file>.asc

The file extension doesn't matter. If you don't have the recipient's public key, you can search for it on a key server by using the following command:

$ gpg --keyserver hkp://keys.gnupg.net --search-keys "<name>|<email_address>"

To import the key, simply enter the resulting ID. If the software already recognizes the imported ID, use the following command to store it on your keyring:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys <id>

Keep in mind, as previous noted, that keys can be spoofed with incorrect email addresses and names. The gpg --fingerprint <id> command shows the fingerprint that you should compare via a tamper-proof communication with your encrypted email's recipient.

You can check the key signatures with the gpg --check-sigs <id> command (Figure 3), substituting the email address or name for the ID. By default, not all certifying keys are included in the keyring (marked in red in Figure 3). GnuPG considers any unaudited signatures as untrustworthy and ignores them. An exclamation point identifies a successfully verified credential.

Figure 3: The gpg --check-sigs command verifies the signatures for all known names in your personal keyring.

Trust and Identify

If you want to find the names of all signed individuals, use the gpg --list-sigs <id> command (with the ID identified in the second column of the output) and download the corresponding keys with the following command:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys <id>

The key fingerprint may also appear on the individual's homepage, which reduces forgery risks. Once you trust a particular key, you can open it with gpg --edit <id> to edit it. Then, you can personally sign it with the "local sign" (lsign) command or with sign. To publish your signature later, use the following command:

$ gpg --keyserver hkp://keys.gnupg.net --send-keys <id>

KMail displays a warning for an unsigned key, but the key can still be used after you confirm it. After installation, Thunderbird's Enigmail has the option Always trust keys in OpenPGP | Settings. Thus, it accepts any key by default. And this wasn't intended as an acceptable practice by GnuPG developers. You are recommended to disable this option, after which, the program refuses to consider any unsigned keys.

If you have a lot of mail contacts, signing all their keys can be annoying. To lessen the number of required signatures, OpenPGP provides the "Web of Trust" concept, whereby you can assign restricted or full trust to individuals on your keyring.

If one trustworthy and three partially trustworthy individuals publicly signed a key, then the key is automatically considered signed on your system.

You can set the trust level using gpg --edit <id> followed by trust at the GnuPG command prompt. The value 5 ("absolute trust") is normally set for your own keys only; values between 3 and 4 are normally set for closer acquaintances. The "no trust" value 2 is assigned to less reliable individuals.