Reliably encrypting emails using GnuPG


GnuPG in Everyday Use

If friends and relatives want to send you encrypted emails, they only need to have your key ID. As soon as an encrypted message appears in your Thunderbird mailbox, Enigmail automatically takes care of the decryption by asking you for the password of your private key.

A similar process takes place when you want to send an encrypted message to someone. For Enigmail to select the proper public key for the recipient, you first need to have that key in your keyring, which you usually obtain from a key server. On the command line, you do this again with the gpg command, this time with the option --recv-keys (Listing 2, first line).

Listing 2

Getting Keys from the Server

$ gpg --recv-keys Key-ID
$ gpg --search-keys 'Max Mustermann'
$ gpg --search-keys

As an alternative, you can search for the name or email address of the recipient with the --search-keys option (Listing 2, lines 2 and 3). By entering the number returned by the search, you import the key.

If you want to add more addresses to the key or remove some, GPG provides the ability to edit the information in the key. On the command line, use the --edit-key option followed by the key ID (Listing 3, first line).

Listing 3

Editing Keys

$ gpg --edit-key Key-ID
$ gpg --send-keys Key-ID

This step opens an interactive prompt within gpg. You can add a new address at this point with the adduid command. The subsequent steps are like those for creating the key.

At the end, you quit GnuPG with the save command (Figure 6). Remember to upload the current key again to the public key server so that third parties can get the update (Listing 3, line 2). Using deluid you can also remove an existing user ID from the key. The help command provides help for the various commands.

Figure 6: You can add further identities to an existing key with the adduid command.

Key Signing

In your work with GnuPG, you'll probably notice that the subject of trusted and untrusted keys comes up. In the latter category are all the keys you import, but have not signed yourself.

Before you sign a key for another person, you should always verify that person's identity – sometimes an official document or driver's license will do it – and confirm that the fingerprint of the imported key matches the one its owner gave you. Then, you can sign the key as follows:

$ gpg --sign-key <Key-ID>

To enhance your key in the Web of Trust, you might consider visiting a so-called key-signing party. Linux and open source conferences like FOSDEM [3] often include such parties in their programs.
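Comparing the fingerprint the owner handed you against the one gpg reports for the imported key is the part of that check you can automate. The following POSIX shell script is an added example, not code from the article: it parses gpg's machine-readable (--with-colons) listing, normalises the fingerprint, refuses a revoked key, and only then calls --sign-key. The key ID, fingerprint and listing in it are constructed, and sign_if_verified is a hypothetical wrapper.

```shell
#!/bin/sh
# Added example, not from the article: compare a key's fingerprint with the
# value its owner handed you before running gpg --sign-key. The key ID,
# fingerprint and listing below are constructed; sign_if_verified is hypothetical.

# Normalise a fingerprint so "0123 4567 89ab ..." matches gpg's compact form.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint <Key-ID>` output on stdin and print
# "<validity> <fingerprint>" of the primary key ("r" means revoked).
parse_key_listing() {
    awk -F: '
        $1 == "pub" && !seen { validity = $2; seen = 1; next }
        $1 == "fpr" && seen && !done { print validity, $10; done = 1 }
    '
}

# Exit 0 when the key may be signed, 1 on fingerprint mismatch, 2 if revoked.
check_before_sign() {   # check_before_sign "<fingerprint from owner>" < listing
    expected=$(norm_fpr "$1")
    set -- $(parse_key_listing)
    [ "$1" = "r" ] && return 2
    [ "$expected" = "$2" ] || return 1
    return 0
}

# Constructed stand-in for gpg's colon-format output on an imported key.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:-:4096:1:DEADBEEF00112233:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Max Mustermann <max@example.org>::::::::::0:'

# Wrapper for real use (not run here): only sign when the check passes.
sign_if_verified() {   # sign_if_verified <Key-ID> "<fingerprint from owner>"
    if gpg --with-colons --fingerprint "$1" | check_before_sign "$2"; then
        gpg --sign-key "$1"
    else
        echo "fingerprint mismatch or key revoked; not signing $1" >&2
        return 1
    fi
}

# Offline demonstration on the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | check_before_sign "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
    && echo "fingerprint matches, key not revoked"
```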

If there's any reason to believe your key has been compromised, you should revoke it as soon as you can. If someone were to steal your laptop or break into your house, the key would be considered compromised, if only because of the chance that someone else might have had access to it.

In such cases, it's recommended to have a revocation certificate handy, which you can create with the --gen-revoke option and the --output option to write it to a file (Listing 4). You should subsequently protect the revcert.asc file so no one else has access to it. A safe or a safety deposit box would be a good place to keep it.

Listing 4

Revoking Your Key

$ gpg --output revcert.asc --gen-revoke Key-ID
$ gpg --import revcert.asc
$ gpg --send-keys Key-ID

If your key is compromised, import the certificate into your keyring with --import and send the key to a public key server. The key is then considered invalid and is removed from all key servers.
