Reliably encrypting emails using GnuPG

GnuPG in Everyday Use

If friends and relatives want to send you encrypted emails, they only need to have your key ID. As soon as an encrypted message appears in your Thunderbird mailbox, Enigmail automatically takes care of the decryption by asking you for the password of your private key.

A similar process takes place when you want to send an encrypted message to someone. For Enigmail to select the proper public key associated with recipient for encryption, you organize it through a key server. On the command line, you do this again with the gpg command, this time with the option --recv-keys (Listing 2, first line).

$ gpg --recv-keys Key-ID
$ gpg --search-keys 'Max Mustermann'
$ gpg --search-keys email@max-mustermann.de

As an alternative, you can search for the name or email address of the recipient with the --search-keys option (Listing 2, lines 2 and 3). By entering the number returned by the search, you import the key.

If you want to add more addresses to the key or remove some, GPG provides the ability to edit the information in the key. On the command line, use the --edit-key option followed by the key ID (Listing 3, first line).

$ gpg --edit-key Key-ID
$ gpg --send-keys Key-ID

This step will open a command line within gpg. You can add a new address at this point with the adduid command. The subsequent steps are like those for creating the key.

At the end, you quit GnuPG with the save command (Figure 6). Remember to upload the current key again to the public key server so that third parties can get the update (Listing 3, line 2). Using deluid you can also remove an existing IP from the keychain. The help command provides help for various commands.

Figure 6: You can add further identities to an existing key with the adduid command.

Key Signing

In your work with GnuPG, you'll probably notice that the subject of trusted and untrusted keys comes up. In the latter category are all the keys you import, but have not signed yourself.

Before you sign a key for another person, you should always authenticate its identity – sometimes an official document or driver's license will do it. Then, you can sign the key as follows:

$ gpg --sign-key <Key-ID>

To enhance your key in the Web of Trust, you might consider visiting a so-called key-signing party. Linux and open source conferences like FOSDEM [3] often include such parties in their programs.

If there's any reason to believe your key has been compromised, you should revoke it as soon as you can. If someone were to steal your laptop or break into your house, the key would be considered compromised, if only because of the chance that someone else might have had access to it.

In such cases, it's recommended to have a revocation certificate handy, which you can create with the --gen-revoke option and the --output option to write it to a file (Listing 4). You should subsequently protect the revert.asc file so no one has access to it. A safe or safety deposit box would make good protected places.

$ gpg --gen-revoke Key-ID --output revcert.asc
$ gpg --import revert.asc
$ gpg --send-keys Key-ID

In case you are compromised, import the certificate with --import to the keychain and send it to a public key server. The key is then considered invalid and is removed from all key servers.