Encrypting email with GnuPG


Closed Society

To send encrypted emails yourself, you can import the recipient's public key to your keyring, as follows:

$ gpg --import <key_file>.asc

The file extension doesn't matter. If you don't have the recipient's public key, you can search for it on a key server by using the following command:

$ gpg --keyserver hkp://keys.gnupg.net --search-keys "<name>|<email_address>"

To import a key from the search results, simply enter the ID the search returns. If you already know the ID, use the following command to fetch the key and store it on your keyring:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys <id>

Keep in mind, as previously noted, that keys can be spoofed with incorrect email addresses and names. The gpg --fingerprint <id> command shows the fingerprint, which you should compare with your encrypted email's recipient over a tamper-proof channel.

You can check the key signatures with the gpg --check-sigs <id> command (Figure 3), substituting the email address or name for the ID. By default, not all certifying keys are present in the keyring (marked in red in Figure 3). GnuPG treats any signature it cannot verify as untrustworthy and ignores it. An exclamation point identifies a successfully verified signature.

Figure 3: The gpg --check-sigs command verifies the signatures for all known names in your personal keyring.

Trust and Identify

If you want to find the names of all signed individuals, use the gpg --list-sigs <id> command (with the ID identified in the second column of the output) and download the corresponding keys with the following command:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys <id>

The key fingerprint may also appear on the individual's homepage, which reduces forgery risks. Once you trust a particular key, you can open it with gpg --edit <id> to edit it. Then, you can personally sign it with the "local sign" (lsign) command or with sign. To publish your signature later, use the following command:

$ gpg --keyserver hkp://keys.gnupg.net --send-keys <id>

KMail displays a warning for an unsigned key, but the key can still be used after you confirm it. After installation, Thunderbird's Enigmail has the option Always trust keys enabled in OpenPGP | Settings, so it accepts any key by default. The GnuPG developers never intended this as acceptable practice. You are recommended to disable this option, after which the program refuses to use any unsigned keys.

If you have a lot of mail contacts, signing all their keys can be annoying. To lessen the number of required signatures, OpenPGP provides the "Web of Trust" concept, whereby you can assign restricted or full trust to individuals on your keyring.

If one fully trusted individual, or three partially trusted individuals, have publicly signed a key, then that key is automatically considered signed on your system.

You can set the trust level using gpg --edit <id> followed by trust at the GnuPG command prompt. The value 5 ("absolute trust") is normally set for your own keys only; the values 3 and 4 are normally set for closer acquaintances. The "no trust" value 2 is assigned to less reliable individuals.
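The Web of Trust rule above (one fully trusted signer or three partially trusted signers), worked through as an added Python example that is not part of the article: it parses constructed `gpg --with-colons --check-sigs` output with made-up key IDs and owner-trust values, and also applies GnuPG's further condition that a signer's trust only counts while the signer's own key is itself valid.

```python
NO_TRUST, MARGINAL, FULL, ULTIMATE = 2, 3, 4, 5  # values typed at the gpg "trust" prompt

# Constructed `gpg --with-colons --check-sigs` output, not real keys: field 1 is the
# record type, field 5 the key ID, field 2 of a 'sig' its status ('!' good, '?' signer unknown).
SAMPLE = """\
pub:::1:FFFF000000000000:::::::
pub:::1:AAAA000000000001:::::::
sig:!::1:FFFF000000000000:::::Me <me@example.org>:10x:
pub:::1:BBBB000000000002:::::::
sig:!::1:FFFF000000000000:::::Me <me@example.org>:10x:
pub:::1:EEEE000000000005:::::::
sig:!::1:FFFF000000000000:::::Me <me@example.org>:10x:
pub:::1:DDDD000000000004:::::::
sig:!::1:AAAA000000000001:::::Alice <alice@example.org>:10x:
sig:!::1:BBBB000000000002:::::Bob <bob@example.org>:10x:
sig:!::1:EEEE000000000005:::::Erin <erin@example.org>:10x:
pub:::1:9999000000000009:::::::
sig:!::1:AAAA000000000001:::::Alice <alice@example.org>:10x:
sig:?::1:CCCC000000000003:::::[User ID not found]:10x:
"""

# Constructed owner trust, as stored by `gpg --edit <id>` followed by `trust`.
OWNER_TRUST = {"FFFF000000000000": ULTIMATE, "AAAA000000000001": MARGINAL,
               "BBBB000000000002": MARGINAL, "EEEE000000000005": MARGINAL,
               "CCCC000000000003": FULL}  # fully trusted, but her key is missing

def parse_signatures(colon_output):
    """Map each key ID to its list of (signer key ID, verification status)."""
    sigs, current = {}, None
    for f in (line.split(":") for line in colon_output.splitlines()):
        if f[0] == "pub":
            current, sigs[f[4]] = f[4], []
        elif f[0] == "sig" and current is not None:
            sigs[current].append((f[4], f[1]))
    return sigs

def compute_validity(sigs, owner_trust=OWNER_TRUST):
    """Return {key ID: valid?}: one full/ultimate signer or three marginal signers,
    counting only good ('!') signatures from keys that are themselves already valid."""
    valid = {k for k in sigs if owner_trust.get(k) == ULTIMATE}
    while True:  # grow the valid set outward from the ultimately trusted keys
        new = set()
        for key, signatures in sigs.items():
            good = [owner_trust.get(s, NO_TRUST) for s, st in signatures
                    if st == "!" and s in valid]
            if any(t >= FULL for t in good) or sum(t == MARGINAL for t in good) >= 3:
                new.add(key)
        if new <= valid:  # fixed point reached
            return {k: k in valid for k in sigs}
        valid |= new
```

Dave's key (DDDD...) becomes valid through three marginally trusted signers, while the last key stays invalid because Carol's fully trusted key is not in the keyring, so her signature cannot be verified.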
