Difference between revisions of "PGP"

From Organic Design wiki
(Redirected page to Configure PGP)
 
m (Manual PGP encryption/decryption =)
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
#redirect [[Configure PGP]]
+
PGP (Pretty Good Privacy) is actually the name of the original encryption program that provides cryptographic privacy and authentication for data communication and was developed by Phil Zimmermann in 1991. But these days PGP more commonly refers to the open internet standards which encapsulate this original functionality, [[w:Pretty_Good_Privacy#OpenPGP|OpenPGP]] and [[w:GNU Privacy Guard|GNU Privacy Guard]] (GPG). In this article we refer exclusively to using PGP functionality via GPG.
 +
 
 +
== Manual PGP encryption/decryption ==
 +
This is from a [https://bitcoinmagazine.com/technical/circumventing-surveillance-on-the-open-internet Bitcoin Magazine article by L0la L33tz]. To use PGP to send an encrypted message, first import my keys:
 +
<source lang="bash">
 +
gpg --recv-keys {!<KEY_FINGERPRINT>!}
 +
</source>
 +
 
 +
 
 +
Or if you configured to access your keys via a different keyserver such as ''OpenPGP'', then run
 +
<source lang="bash">
 +
gpg --keyserver hkps://keys.openpgp.org --recv-keys {!<KEY_FINGERPRINT>!}
 +
</source>
 +
 
 +
 
 +
To check whether the key import was successful, or to list all your keys along with their corresponding information such as expiry date and fingerprint:
 +
<source lang="bash">
 +
gpg --list-keys
 +
</source>
 +
 
 +
 
 +
To encrypt a message:
 +
<source lang="bash">
 +
gpg -ae -r {!<KEY_ALIAS_FROM_LIST>!}
 +
</source>
 +
then and hit “enter.” Write your message in plain text, such as “Hello PGP,” then end the message with ''CTRL+D''. It's best to include your own PGP fingerprint in the message which you can see from the key list from the command above
 +
 
 +
Next, a PGP message block should appear on your screen. Copy/paste this message including “BEGIN PGP MESSAGE” and “END PGP MESSAGE” into any public forum or messenger of your choice, sending an encrypted message over the open internet, only readable by its designated recipient. For example, you could now send this message to me via Twitter direct message, post it publicly on GitHub or share it in a public Telegram group of which I am a part.
 +
 
 +
 
 +
To decrypt a message:
 +
<source lang="bash">
 +
gpg -d
 +
</source>
 +
and copy/paste the encrypted message text, including “BEGIN PGP MESSAGE” and “END PGP MESSAGE.” The message should then be resolved to plain text. Et voila, you are now set to communicate in private with your counterparties over the open internet, giving law enforcement no chance to surveil the contents of your communication.
 +
 
 +
== Keys and fingerprints ==
 +
todo... [https://metacode.biz/openpgp/openpgp4fpr openpgp4fpr URI scheme]
 +
 
 +
== Key servers ==
 +
todo... [https://datatracker.ietf.org/doc/html/draft-shaw-openpgp-hkp-00 HKP]
 +
 
 +
== Web Key Directories ==
 +
[https://wiki.gnupg.org/WKD Web Key Directories] (WKD) provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. Following are some basic instructions on how to get WKD up and running based on [https://metacode.biz/openpgp/web-key-directory this metacode.biz guide].
 +
 
 +
GPG allows a unique hash to be generated for an email address, for example the address ''foo@example.com'' is associated with the hash <tt>4hg7tescntgcqaqebqanpuyfu975</tt>. This hash is then used as the filename of a file containing encrypted data of your PGP keys that is generated using your private key and served from a specific location within your email domain (''example.org'' in the example).
 +
 
 +
There are two location formats under the domain that the file can be located, the first is:
 +
<source>
 +
https://openpgpkey.{!example.org!}/.well-known/openpgpkey/{!example.org!}/hu/{!4hg7tescntgcqaqebqanpuyfu975!}
 +
</source>
 +
and
 +
<source>
 +
https://{!example.org!}/.well-known/openpgpkey/hu/{!4hg7tescntgcqaqebqanpuyfu975!}
 +
</source>
 +
 
 +
The first format is tried first and if there is no such domain, then the second format is tried as a fall-back. But '''note''' that if the domain for the first method resolves (which will be the case if you have a wildcard domain), then the key '''must''' be available at the first URL format otherwise some WKD clients (such as gpg itself) will fail to look the key up. My preferred method is to server the key from both locations.
 +
 
 +
 
 +
To obtain the hash for your email address, do the following gpg command from any host that has your private key on it, for example:
 +
<source lang="bash">
 +
gpg --list-keys {!--with-wkd!} foo@example.org
 +
</source>
 +
 
 +
<source>
 +
pub  rsa2048/0x6BA55ED83ABAE1BB 2018-05-08 [SC] [expires: 2020-05-07]
 +
      Key fingerprint = 74EC 8D3D A82A 79DA A25D  F10C 6BA5 5ED8 3ABA E1BB
 +
uid                  [ultimate] Example Key <foo@example.org>
 +
                      {!4hg7tescntgcqaqebqanpuyfu975!}@example.org
 +
sub  rsa2048/0x3B5E7761615E2207 2018-05-08 [E] [expires: 2020-05-07]
 +
</source>
 +
 
 +
 
 +
Next you need to export your key to a file that uses that hash as its name:
 +
<source lang="bash">
 +
gpg --export foo@example.org > {!4hg7tescntgcqaqebqanpuyfu975!}
 +
</source>
 +
 
 +
 
 +
You then upload the generated file to your web-server ensuring that it is available under both URLs without any errors. Note that you must make sure that a CORS header is served along with the key:
 +
<source>
 +
add_header Access-Control-Allow-Origin * always;
 +
</source>
 +
 
 +
 
 +
To test that your key is available go to another machine that has gpg installed and has never seen your key and try locating it:
 +
<source lang="bash">
 +
gpg --locate-key {!foo@example.org!}
 +
</source>
 +
 
 +
<source>
 +
gpg: key 6BA55ED83ABAE1BB: public key "Example Key <foo@example.org>" {!imported!}
 +
gpg: Total number processed: 1
 +
gpg:              {!imported: 1!}
 +
uid [ unknown] foo@example.org
 +
sub  rsa2048 2020-01-23 [E]
 +
</source>
 +
 
 +
== Decentralised proofs ==
 +
todo... [https://metacode.biz/openpgp/proofs decentralised proofs] and [https://github.com/wiktor-k/openpgp-proofs openpgp-proofs]
 +
 
 +
<pre>
 +
--sig-notation {name=value}
 +
--cert-notation {name=value}
 +
-N, --set-notation {name=value}
 +
 
 +
    Put the name value pair into the signature as notation data. name must consist only of printable characters or spaces, and must contain a ’@’ character in the form keyname@domain.example.com (substituting the appropriate keyname and domain name, of course). This is to help prevent pollution of the IETF reserved notation namespace. The --expert flag overrides the ’@’ check. value may be any printable string; it will be encoded in UTF-8, so you should check that your --display-charset is set correctly. If you prefix name with an exclamation mark (!), the notation data will be flagged as critical (rfc4880:5.2.3.16). --sig-notation sets a notation for data signatures. --cert-notation sets a notation for key signatures (certifications). --set-notation sets both.
 +
 
 +
    There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.
 +
</pre>
 +
 
 +
== See also ==
 +
*[[IndieWeb]]
 +
*[[Configure mail server]]
 +
*[[SSL]]
 +
*[[Privacy]]
 +
*[[Security]]
 +
*[https://eduncan911.com/keys/ Another good PGP page]
 +
[[Category:Security]][[Category:Web3.0]]

Latest revision as of 17:01, 11 February 2022

PGP (Pretty Good Privacy) is actually the name of the original encryption program that provides cryptographic privacy and authentication for data communication and was developed by Phil Zimmermann in 1991. But these days PGP more commonly refers to the open internet standards which encapsulate this original functionality, OpenPGP and GNU Privacy Guard (GPG). In this article we refer exclusively to using PGP functionality via GPG.

Manual PGP encryption/decryption

This is from a Bitcoin Magazine article by L0la L33tz. To use PGP to send an encrypted message, first import my keys:

gpg --recv-keys <KEY_FINGERPRINT>


Or if you configured to access your keys via a different keyserver such as OpenPGP, then run

gpg --keyserver hkps://keys.openpgp.org --recv-keys <KEY_FINGERPRINT>


To check whether the key import was successful, or to list all your keys along with their corresponding information such as expiry date and fingerprint:

gpg --list-keys


To encrypt a message:

gpg -ae -r <KEY_ALIAS_FROM_LIST>

then and hit “enter.” Write your message in plain text, such as “Hello PGP,” then end the message with CTRL+D. It's best to include your own PGP fingerprint in the message which you can see from the key list from the command above

Next, a PGP message block should appear on your screen. Copy/paste this message including “BEGIN PGP MESSAGE” and “END PGP MESSAGE” into any public forum or messenger of your choice, sending an encrypted message over the open internet, only readable by its designated recipient. For example, you could now send this message to me via Twitter direct message, post it publicly on GitHub or share it in a public Telegram group of which I am a part.


To decrypt a message:

gpg -d

and copy/paste the encrypted message text, including “BEGIN PGP MESSAGE” and “END PGP MESSAGE.” The message should then be resolved to plain text. Et voila, you are now set to communicate in private with your counterparties over the open internet, giving law enforcement no chance to surveil the contents of your communication.

Keys and fingerprints

todo... openpgp4fpr URI scheme

Key servers

todo... HKP

Web Key Directories

Web Key Directories (WKD) provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. Following are some basic instructions on how to get WKD up and running based on this metacode.biz guide.

GPG allows a unique hash to be generated for an email address, for example the address foo@example.com is associated with the hash 4hg7tescntgcqaqebqanpuyfu975. This hash is then used as the filename of a file containing encrypted data of your PGP keys that is generated using your private key and served from a specific location within your email domain (example.org in the example).

There are two location formats under the domain that the file can be located, the first is:

https://openpgpkey.example.org/.well-known/openpgpkey/example.org/hu/4hg7tescntgcqaqebqanpuyfu975

and

https://example.org/.well-known/openpgpkey/hu/4hg7tescntgcqaqebqanpuyfu975

The first format is tried first and if there is no such domain, then the second format is tried as a fall-back. But note that if the domain for the first method resolves (which will be the case if you have a wildcard domain), then the key must be available at the first URL format otherwise some WKD clients (such as gpg itself) will fail to look the key up. My preferred method is to server the key from both locations.


To obtain the hash for your email address, do the following gpg command from any host that has your private key on it, for example:

gpg --list-keys --with-wkd foo@example.org
pub   rsa2048/0x6BA55ED83ABAE1BB 2018-05-08 [SC] [expires: 2020-05-07]
      Key fingerprint = 74EC 8D3D A82A 79DA A25D  F10C 6BA5 5ED8 3ABA E1BB
uid                   [ultimate] Example Key <foo@example.org>
                      4hg7tescntgcqaqebqanpuyfu975@example.org
sub   rsa2048/0x3B5E7761615E2207 2018-05-08 [E] [expires: 2020-05-07]


Next you need to export your key to a file that uses that hash as its name:

gpg --export foo@example.org > 4hg7tescntgcqaqebqanpuyfu975


You then upload the generated file to your web-server ensuring that it is available under both URLs without any errors. Note that you must make sure that a CORS header is served along with the key:

add_header Access-Control-Allow-Origin * always;


To test that your key is available go to another machine that has gpg installed and has never seen your key and try locating it:

gpg --locate-key foo@example.org
gpg: key 6BA55ED83ABAE1BB: public key "Example Key <foo@example.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
uid [ unknown] foo@example.org
sub   rsa2048 2020-01-23 [E]

Decentralised proofs

todo... decentralised proofs and openpgp-proofs

--sig-notation {name=value}
--cert-notation {name=value}
-N, --set-notation {name=value}

    Put the name value pair into the signature as notation data. name must consist only of printable characters or spaces, and must contain a ’@’ character in the form keyname@domain.example.com (substituting the appropriate keyname and domain name, of course). This is to help prevent pollution of the IETF reserved notation namespace. The --expert flag overrides the ’@’ check. value may be any printable string; it will be encoded in UTF-8, so you should check that your --display-charset is set correctly. If you prefix name with an exclamation mark (!), the notation data will be flagged as critical (rfc4880:5.2.3.16). --sig-notation sets a notation for data signatures. --cert-notation sets a notation for key signatures (certifications). --set-notation sets both.

    There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.

See also