Wednesday, June 17, 2009

A GPG primer - Part I - Setting up Solaris, creating and distributing a key

I think this is due. I've been a GPG user for a long time and still, today, there are people asking me what those strange characters are or why I'm doing this.

A key pair such as GPG's can be used to sign and encrypt communication to and from its owner. The key owner, the only one who holds the secret key and its passphrase, can sign messages and decrypt messages that were encrypted with the matching public key. Anyone who wanted to send me encrypted information could use my public key to encrypt a message, and I, and only I, would be able to decrypt it. That's just the basics and, if you're interested, you can read the GPG User Guide to dig into this subject.

There is also software that can make your life easier with these keys:
  • Some desktop systems come with an integrated key manager that lets you create, sign, encrypt and decrypt files and mail with a bunch of clicks.
  • Some mail clients come with similar functionality built in or via plugins, such as Evolution or the Enigmail plugin for Thunderbird.
There are so many that I'm not even going to try to enumerate them. I'll just focus on man's best friend: good ole command line.

Setting up Solaris

Depending on the Solaris version you're running, you may need some extra steps to set up GPG:
  • Solaris up to version 10: GPG is neither bundled with the OS nor available in the Companion Software. To install GPG, follow Blastwave's instructions to set up your system and, optionally, follow my instructions to set up a special Blastwave zone. During the recommended Blastwave configuration you'll install GPG (CSWgnupg), too.
  • Solaris Express Community Edition and OpenSolaris-based distros: GPG is (should be) bundled with the OS.

Creating your key

As we said, the first thing you need is a key. You can make one with gpg:
$ gpg --gen-key
and after answering a bunch of questions you'll get your shiny little key.

Distribute your key

Unless you're only going to encrypt files for yourself, the next thing you've got to do to use your key at full power is distribute it (only the public part of it) to whoever may be interested in:
  • Reading something you signed.
  • Sending you encrypted information.
There are plenty of ways to distribute it, but the most effective is publishing it to a public keyserver:
$ gpg --send-keys key-id --keyserver hkp://subkeys.pgp.net/
Please note the following:
  • Instead of your key-id you can use your name, which you provided to GPG during the key creation phase. If you prefer to know and learn your key-id, you can ask gpg with the --list-keys option.
  • There are many keyservers out there; use the one you like most!
Now, you're ready to tell the world and begin to use your key.
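Here is the whole lifecycle from the two sections above, creating the key and distributing its public half, run end to end as a script. This is an added example, not something from the original post or from GnuPG's own documentation. It assumes GnuPG 2.1 or later (for %no-protection and gpgconf) and a system with mktemp; the names, addresses and message text are placeholders I made up. Since the script can't reach a keyserver, it writes the ASCII-armored public key to a file, which is exactly the data --send-keys would publish, and then plays the recipient side: importing that file, verifying a signature and encrypting to the owner with nothing but the public key.

```shell
#!/bin/sh
# Added example (not from the original post): the key lifecycle run with two
# throwaway keyrings, an "owner" who creates the key and a "recipient" who only
# ever receives the public half. Assumes GnuPG 2.1+; names, addresses and the
# message are constructed placeholders.
set -eu

command -v gpg >/dev/null 2>&1 || {
    echo "gpg not found (on Solaris 10 install CSWgnupg first); nothing to demonstrate" >&2
    exit 0
}

OWNER_HOME=$(mktemp -d)
RECIP_HOME=$(mktemp -d)
chmod 700 "$OWNER_HOME" "$RECIP_HOME"

# Stop the per-keyring agents and delete the throwaway keyrings on exit.
cleanup() {
    for h in "$OWNER_HOME" "$RECIP_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$OWNER_HOME" "$RECIP_HOME"
}
trap cleanup EXIT

# Run gpg against one keyring; --batch guarantees it never stops to ask anything.
run_gpg() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --no-tty --quiet "$@"
}

# 1. Create the owner's key. The parameter file on stdin answers the questions
#    that an interactive 'gpg --gen-key' would ask.
make_owner_key() {
    run_gpg "$OWNER_HOME" --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example Owner
Name-Email: owner@example.invalid
Expire-Date: 0
%commit
EOF
}

# 2. Read the full fingerprint (field 10 of the 'fpr' record). Give this out
#    together with the key: a short key-id is handy but not unique.
owner_fingerprint() {
    run_gpg "$OWNER_HOME" --with-colons --with-fingerprint --list-keys owner@example.invalid \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# 3. Export only the public half, ASCII-armored: the file you mail, post on a
#    web page or push to a keyserver with --send-keys. Prints the file name.
export_public_key() {
    run_gpg "$OWNER_HOME" --armor --export "$1" > "$OWNER_HOME/pubkey.asc"
    printf '%s\n' "$OWNER_HOME/pubkey.asc"
}

# 4. The recipient imports that file. Their keyring never holds a secret key.
recipient_import() { run_gpg "$RECIP_HOME" --import "$1"; }
recipient_secret_keys() { run_gpg "$RECIP_HOME" --with-colons --list-secret-keys; }

# 5. The owner makes a detached signature; the recipient verifies it.
#    verify_as_recipient exits 0 for a good signature, nonzero otherwise.
sign_message() {
    run_gpg "$OWNER_HOME" --yes --armor --detach-sign --output "$1.sig" "$1"
    printf '%s\n' "$1.sig"
}
verify_as_recipient() { run_gpg "$RECIP_HOME" --verify "$1" "$2" 2>/dev/null; }

# 6. The recipient encrypts to the owner's fingerprint; the owner decrypts.
#    The recipient has checked the fingerprint out of band, so --trust-model
#    always skips the web-of-trust check that would otherwise abort in batch mode.
encrypt_as_recipient() {
    run_gpg "$RECIP_HOME" --yes --armor --trust-model always --recipient "$1" \
        --output "$2.asc" --encrypt "$2"
    printf '%s\n' "$2.asc"
}
decrypt_as_owner() { run_gpg "$OWNER_HOME" --decrypt "$1" 2>/dev/null; }

# Walk through the lifecycle once.
make_owner_key
FPR=$(owner_fingerprint)
PUBKEY=$(export_public_key "$FPR")
recipient_import "$PUBKEY"
MSG="$OWNER_HOME/msg.txt"
printf 'Meeting at noon.\n' > "$MSG"
SIG=$(sign_message "$MSG")
if verify_as_recipient "$SIG" "$MSG"; then echo "recipient: good signature from $FPR"; fi
CIPHER=$(encrypt_as_recipient "$FPR" "$MSG")
echo "owner decrypted: $(decrypt_as_owner "$CIPHER")"
```

Run it with sh; it prints the fingerprint of the good signature and the decrypted message, then removes both keyrings. Two things worth noticing: the recipient's keyring ends up with no secret key at all, which is why handing out pubkey.asc (or pushing it with --send-keys) gives nothing away, and a detached signature over a file stops verifying as soon as a single byte of that file changes.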
