Mastermind
New member
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
PGP is a really good system for authentication and encryption. It uses asymmetric cryptography: every user has a key pair.
The public key is derived from the private key; recovering the private key from the public key is computationally infeasible, which is why the public half can be handed out freely.
The private key is used for signing and for decryption. The public key is used for encryption and verification.
If you have someone's public key, you can encrypt a message with it and send it to them. Only the holder of the matching private key will be able to decrypt it.
If someone signs a message with their private key, anyone holding their public key can verify that the message came from that key and was not altered.
PGP is extremely useful as it allows for both encryption and decentralized authentication of messages and files: there is no central authority you have to trust, only the keys you have verified yourself.
More details here: https://en.wikipedia.org/wiki/Pretty_Good_Privacy
Cheat sheet of commands for GnuPG (GPG), the free OpenPGP implementation used on GNU/Linux: https://guides.library.illinois.edu/data_encryption/gpgcheatsheet
A nice tutorial on digitalocean: https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages
Good tips by the FSF: https://emailselfdefense.fsf.org/en/
A really good tutorial on creating keys by Thierry Thuon: https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/
Create your PGP key
These commands are for GPG under GNU/Linux. For other OS you are on your own.
Code:
gpg --full-generate-key
Choose RSA for both encryption and signing (option 1). It was the default in GnuPG 2.2, but GnuPG 2.3 and later default to ECC, so select it explicitly.
Choose a 4096-bit key length.
Set the expiry to 2y (2 years). An expiry can be extended later, so a short one costs little and makes sure a key you can no longer revoke eventually stops being used.
Real name: choose a nickname!
Email address: go to https://www.guerrillamail.com (through Tor), set a unique inbox ID at least 12 characters long (you will need it to access the inbox later) and paste the scrambled email address into the terminal. Save the inbox ID somewhere safe.
Comment: optional.
Confirm the creation of the key. You will be prompted for a passphrase to protect the key. Don't forget the passphrase or you won't have access to the key.
The key will now be generated. Move your mouse around and type on the keyboard to give the kernel more entropy while it runs.
Issue the following command to see a list of PGP keys on your machine:
Code:
gpg --list-keys
The 40 hexadecimal characters printed under each pub line are that key's fingerprint.
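How that fingerprint comes about, as an added example in Python (not part of the original post): a version 4 fingerprint is the SHA-1 of the public-key packet, so it covers the creation time and algorithm as well as the key material, and the key IDs that gpg accepts in place of a fingerprint are just its trailing hex digits. The RSA modulus below is a constructed toy value, far too small to be secure; the fingerprint string at the bottom is the one typed in this post.

```python
# Added example, not part of the original post. Computes an OpenPGP v4 key
# fingerprint (RFC 4880 section 12.2) from a public-key packet body and cuts
# the long and short key IDs from it. TOY_N is a constructed 64-bit modulus
# used only to exercise the packet layout; a real key has 4096 bits.
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """v4 public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(packet_body: bytes) -> bytes:
    """SHA-1 over 0x99, a two-byte body length and the body: the 20 bytes gpg
    prints as 40 hex digits under each pub line."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body).digest()

def pretty(fingerprint_hex: str) -> str:
    """Group into blocks of four, the way `gpg --fingerprint` displays it."""
    h = fingerprint_hex.replace(" ", "").upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def key_id(fingerprint_hex: str) -> str:
    """The long (64-bit) key ID is the last 16 hex digits of a v4 fingerprint."""
    return fingerprint_hex.replace(" ", "").upper()[-16:]

def short_key_id(fingerprint_hex: str) -> str:
    """The 32-bit short ID is the last 8 digits; collisions are trivial to make,
    so never identify a key by it."""
    return fingerprint_hex.replace(" ", "").upper()[-8:]

TOY_N = 0xC5A1B3E7F9D2A6B1          # constructed toy modulus, NOT a real key
TOY_E = 65537
TOY_CREATED = 1600000000            # arbitrary creation timestamp

def toy_fingerprint(created: int = TOY_CREATED) -> str:
    """Fingerprint of the toy key as 40 upper-case hex digits."""
    body = rsa_public_key_packet_body(created, TOY_N, TOY_E)
    return v4_fingerprint(body).hex().upper()

# The fingerprint as typed in this post, used to show how key IDs are cut from it.
POST_FINGERPRINT = "27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04"

if __name__ == "__main__":
    fpr = toy_fingerprint()
    print("toy key:", pretty(fpr), "long ID:", key_id(fpr))
    # Same key material, different creation time: a completely different fingerprint.
    print("toy key, created one second later:", pretty(toy_fingerprint(TOY_CREATED + 1)))
    print("post's long ID:", key_id(POST_FINGERPRINT), "short ID:", short_key_id(POST_FINGERPRINT))
```

Because the hash covers the whole packet, two keys with identical RSA material but different creation times have unrelated fingerprints; and because the key ID is only a suffix of the fingerprint, it is the full 40 digits, not the ID, that you compare when someone hands you a key.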
Protect your PGP key
A revocation certificate is created by default and its path is printed on the terminal (GnuPG 2.1 and later store it under openpgp-revocs.d in the GnuPG home directory). If that's not the case, create one with the --gen-revoke option. Print the revocation certificate on paper. You may also want to include it in QR form. Here's a command to generate a QR code from a text file:
Code:
qrencode -l L -r input.txt -o output.png
If someone ever gains access to your private key, or you lose it, importing this certificate and sending the key to the key server again revokes it from any computer. Anyone holding the certificate can revoke your key, so guard the printout like the key itself.
Now that the revocation certificate is safe, it's time to print out the private key. I recommend installing paperkey and qrencode and running the following command to export it directly to a QR code:
Code:
gpg --export-secret-keys [key id or fingerprint] | paperkey --output-type raw | qrencode --8bit --level L --output secret-key.qr.png
Print the QR code representing your secret key and put it somewhere safe. paperkey keeps only the secret parts (the public parts are fetched from a key server when you restore) and the material stays encrypted under your passphrase, but treat the printout as the key itself. A single QR code holds at most 2953 bytes in 8-bit mode, and a 4096-bit RSA key with an encryption subkey comes close to that limit; if qrencode reports that the data is too large, fall back to paperkey's default text output and print that instead.
Ideally you should have at least two copies of the secret key in two different locations and three copies of the revocation certificate in three different locations.
Upload your public key to a key server
Upload your public key to a key server using the following command:
Code:
gpg --keyserver keys.openpgp.org --send-keys [key id or fingerprint]
Make sure to use Tor when interacting with key servers. I recommend using Whonix for that.
Note that keys.openpgp.org only publishes the user ID (name and email) of a key after the email address has been confirmed; until then others can fetch the key by fingerprint but will not find it by name or email.
Share your public key or fingerprint with others
To display your fingerprint you can use either
Code:
gpg --list-keys
or
Code:
gpg --fingerprint
The latter is more readable, since it groups the fingerprint in blocks of four.
Mine is: 27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04
To see your public key you can issue the following command:
Code:
gpg --export -a [key id or fingerprint]
I recommend sharing the full public key as a reply to this post and adding the key fingerprint to your forum signature.
Make different PGP keys for different circles of people. This forum is searchable on the internet: if you post your key fingerprint here and later give the same fingerprint to someone else, they can search for it and find out that you visit this forum.
Get other people's public keys from key servers
To download other people's public keys you run the following command:
Code:
gpg --keyserver keys.openpgp.org --recv-keys [fingerprint]
To get my public key and display it you'd run:
Code:
gpg --keyserver keys.openpgp.org --recv-keys "27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04"
gpg --export -a "27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04"
Alternatively you can search for people's keys using their name or email:
Code:
gpg --keyserver keys.openpgp.org --search-keys [name, email or fingerprint]
Whatever you fetched, compare the full fingerprint with one you obtained out of band before using the key: anyone can upload a key carrying any name or email address.
Import other people's public keys
If you have their public key, you can import it with the following command:
Code:
gpg --import [file containing public key]
Sign other people's keys
If you are confident that a particular key belongs to a particular person, you can sign it and return it to the key server.
For my key you'd run the following commands:
Code:
gpg --sign-key "27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04"
gpg --keyserver keys.openpgp.org --send-keys "27B3 633F B288 9C09 13CF 59E5 148E 3128 3ECF FB04"
Note that keys.openpgp.org strips third-party signatures, so your certification will not be visible there; to make it count, send the signed key back to its owner to import, or use a key server that distributes third-party signatures. If you only want the trust on your own machine, use --lsign-key instead, which makes a non-exportable signature.
It's best practice to only sign someone's key after you have used multiple channels to verify their identity. Meeting in person is best. The second-best option is a phone call (if you know the other person's voice).
This is done to prevent man-in-the-middle attacks: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Signing someone's key is a big deal and should not be done lightly.
Verify messages
Now the fun starts. Let's verify that this post was really written by me.
Copy the entire post excluding the forum signature, paste it into a text editor and save it as a file. Keep everything from the -----BEGIN PGP SIGNED MESSAGE----- line to the -----END PGP SIGNATURE----- line: the signature covers the text between them, so any change to that text, including the forum's own reformatting, breaks it.
Now run the following command to verify that the contents were written by me:
Code:
gpg --verify [input file]
You should get a message saying "Good signature from "AgainstAllAuthority...". "Good signature" only means the signature was made by the key you imported; unless you have certified that key, gpg also warns that it is not certified with a trusted signature, which is why you compare the fingerprint through another channel first.
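What gpg --verify actually does with that file, as an added example in Python (not the poster's code): it splits the cleartext framework, canonicalises the signed text for hashing, de-armors the signature block (checking the CRC-24 on the line that starts with "=", the "=OKvp" at the bottom of this post) and reads the signature packet header. The RSA check itself is left out. PAGE_SIGNATURE_PREFIX is the first 64 base64 characters of the signature at the end of this post; SAMPLE_MESSAGE and its signature packet are constructed placeholders.

```python
# Added example, not part of the original post: what `gpg --verify` does with a
# clearsigned post before the RSA check itself (RFC 4880 sections 5.2, 6 and 7).
# PAGE_SIGNATURE_PREFIX is copied from the post's signature; SAMPLE_MESSAGE is constructed.
import base64
import hashlib

PUBKEY_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PAGE_SIGNATURE_PREFIX = base64.b64decode(  # first 64 base64 chars, 48 bytes
    "iQIzBAEBCgAdFiEEJ7NjP7KInAkTz1nlFI4xIz7P+wQFAmG+y7MACgkQFI4xIz7P")

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 6.1; its base64 is the "=XXXX" armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_checksum(data: bytes) -> str:
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def dearmor(block: str) -> bytes:
    """Decode an armored block; refuse it if the CRC-24 does not match."""
    body = [line.rstrip() for line in block.strip().splitlines()][1:-1]
    if "" in body:                        # skip armor headers such as "Version:"
        body = body[body.index("") + 1:]
    checksum = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if checksum is not None and checksum != armor_checksum(data):
        raise ValueError("armor CRC-24 mismatch: block altered or truncated")
    return data

def split_clearsigned(text: str):
    """Return (hash names, signed text lines, armored signature block)."""
    lines = text.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext signature")
    i, hashes = 1, []
    while lines[i] != "":                 # "Hash: SHA512" style headers
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hashes += [h.strip() for h in value.split(",")]
        i += 1
    body = []
    for i in range(i + 1, len(lines)):
        if lines[i].startswith("-----BEGIN PGP SIGNATURE-----"):
            return hashes, body, "\n".join(lines[i:])
        body.append(lines[i])
    raise ValueError("signature block missing")

def canonical_signed_text(body_lines) -> bytes:
    """RFC 4880 7.1: undo dash-escaping ("- " prefix), strip trailing blanks,
    join with CRLF; the line ending before the signature block is not hashed."""
    out = [(ln[2:] if ln.startswith("- ") else ln).rstrip(" \t") for ln in body_lines]
    return "\r\n".join(out).encode()

def canonical_digest(body_lines, hash_name: str) -> str:
    """Digest of the signed text alone; the real hash also covers the signature's hashed fields."""
    return hashlib.new(hash_name.lower(), canonical_signed_text(body_lines)).hexdigest()

def signature_header(packet: bytes) -> dict:
    """Fixed fields and hashed subpackets of a v4 signature in an old-format
    packet; decodes the issuer fingerprint (type 33) and creation time (type 2)."""
    ctb, body = packet[0], packet[1 + {0: 1, 1: 2, 2: 4}[packet[0] & 0x03]:]
    if ctb & 0xC0 != 0x80 or body[0] != 4:
        raise ValueError("expected an old-format packet holding a v4 signature")
    info = {"tag": (ctb >> 2) & 0x0F, "sig_type": body[1],
            "pubkey_alg": PUBKEY_ALGS.get(body[2], body[2]),
            "hash_alg": HASH_ALGS.get(body[3], body[3])}
    sub, pos = body[6:6 + int.from_bytes(body[4:6], "big")], 0
    while pos < len(sub):                 # subpacket lengths, RFC 4880 5.2.3.1
        n = sub[pos]
        n, pos = (n, pos + 1) if n < 192 else (((n - 192) << 8) + sub[pos + 1] + 192, pos + 2)
        sub_type, data = sub[pos] & 0x7F, sub[pos + 1:pos + n]
        if sub_type == 33:
            info["issuer_fingerprint"] = data[1:].hex().upper()
        elif sub_type == 2:
            info["created"] = int.from_bytes(data, "big")
        pos += n
    return info

def inspect_clearsigned(message: str) -> dict:
    hashes, body, sig_block = split_clearsigned(message)
    info = signature_header(dearmor(sig_block))
    info.update(hashes=hashes, digest=canonical_digest(body, hashes[0]))
    return info

# Constructed sample with a placeholder v4 signature packet (type 1, RSA, SHA512, no subpackets).
SAMPLE_BODY = ["Hello from a constructed example.",
               "- -- dash-escaped line with trailing blanks   "]
SAMPLE_PACKET_BODY = bytes.fromhex("0401010a" "0000" "0000" "abcd" "0008ff")
SAMPLE_PACKET = b"\x89" + len(SAMPLE_PACKET_BODY).to_bytes(2, "big") + SAMPLE_PACKET_BODY
SAMPLE_MESSAGE = "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA512", ""] + SAMPLE_BODY + [
    "-----BEGIN PGP SIGNATURE-----", "", base64.b64encode(SAMPLE_PACKET).decode(),
    armor_checksum(SAMPLE_PACKET), "-----END PGP SIGNATURE-----"])
```

Running signature_header over PAGE_SIGNATURE_PREFIX recovers hash algorithm SHA512 (matching the Hash: header), RSA, a creation time of 1639893939 (December 2021) and the issuer fingerprint 27B3 633F B288 9C09 13CF 59E5 148E 3123 3ECF FB04. Look at the eighth group: the fingerprint typed in the post reads 3128, so one of the two has a single hex digit wrong. That is exactly the kind of discrepancy that eyeballing two fingerprints misses and a character-by-character comparison catches, and it is why gpg --verify prints the primary key fingerprint for you to compare rather than just a name.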
Sign messages
To sign a message you can run the following command:
Code:
gpg -u [key fingerprint] --clearsign [input file]
The output is written to the input file name with a .asc extension added. If you only have one key, the -u argument is not needed. --clearsign leaves the text readable alongside the signature; use --detach-sign when the signature should live in a separate file, for example for binaries.
Encrypting messages
Here's a command to sign and encrypt input.txt so that both you and the final recipient can read it:
Code:
gpg --encrypt --sign --armor --recipient [your key fingerprint] --recipient [final recipient's key] [input file]
The output will be the input file name with a .asc extension. Encrypting to yourself is what lets you read your own sent messages later. Be aware that the key IDs of all recipients are stored unencrypted in the message header, so anyone who sees the ciphertext learns which keys it was encrypted to; gpg offers --hidden-recipient and --throw-keyids to omit them, at the cost of slower decryption.
Decrypting
This one is the easiest. Just run:
Code:
gpg -d [input file] > [output file]
gpg also checks any signature inside the message and reports the result on stderr; read that output rather than assuming a message that decrypts is authentic, since anyone can encrypt to your public key.
Refreshing keys
I recommend refreshing other people's keys from time to time. Just run:
Code:
gpg --keyserver keys.openpgp.org --refresh-keys
Refreshing is how you learn that a key has been revoked or that its expiry has been extended; a key you never refresh will look valid long after its owner has revoked it.
iQIzBAEBCgAdFiEEJ7NjP7KInAkTz1nlFI4xIz7P+wQFAmG+y7MACgkQFI4xIz7P
+wRE9RAAj7w7N+YGSWE3ikEhQoyJH77r9H46F3a9r4t/EyvYOVB7ztoi8XDXH07o
sIQZVKPHU5xlDprqZtL4jXgcyygzAAw62PH5mKVU8MIK3u2M4WXRvS74gy8Cn3hq
MBHVNpQKSQf8ozQ8pwWyiUXeyelwkPFQJIcbXYHoiuu+bZ2T3G4Oc+WDEbPtvwV6
RauARIvy6TKa+5axz7tz9iA01YrBQjHh19eJadv6LA1ghbzYKveGnh7AZ4xxuPL2
tDB1o1X2vi6tqT4D9QAgBDv2iivbkG9a73XDnvQs8ZlnEaeZ57YOKjRnffBKlBEF
SKEJG2ruPxLJwlR7NfkHfCUVND9qtxkWrBpVWnk96r7ejNLjJuOTY8mk9YayqZU7
XZtkLFtdJL+KZexAOGJR30Q9tlSQ2bTERI3FiwD5OApdftjutOuShvqfpt2VavUY
/LcgIt//P4Ix5Am4Crd62PrxSmkWTr+zJdvzzaZrbAyGTOg7xSEket8YfJldEWH8
j0TPKM4LbnoT1WA3t+BByOb6Y6ARarriuUTDzvwOpggurUavkjsx5A/iSqMrPnqM
m99uoI74zMLGnlKP8wAhGA+8y+zUjDcHbwiSeMKKpqJHrl9nDzOeAq9ZBsWgighc
iXBhl+fGlLWGIfHrfrbYNsdJ8UuuTI+6J9N36BcL29qGvBgAkm8=
=OKvp
-----END PGP SIGNATURE-----