Maintaining privacy of data and communication using GPG
Most guides to data protection put out by government institutions, universities and corporations tell you about protecting it from nefarious types (the mythical "Mallory" eavesdropping on "Alice" and "Bob"...) but in actual fact you should be equally concerned about protecting it from people who have legitimate access to your files (i.e., a sysadmin with "root" privileges on the NEMS machines where GFDLers' mail is stored), or from institutions whose policies may not respect your data privacy.
This is a short introduction to a suite of free software tools for encrypting and signing data. The main tool described here is the GNU Privacy Guard (GPG), which is a free GNU implementation of the dual-key encryption method known as Pretty Good Privacy, or PGP.
Dual-key encryption systems are based on having a key pair. They are anti-symmetric in that if you encrypt with either one, you can decrypt (only) with the other. SSH, PGP and other such cryptographic systems are based on the dual-key method.
The key to these methods is that you make one key of the pair public, visible to all the people with whom you may wish to communicate privately (essentially anyone in the world...). The counterpart to the public key is your secret key, which you protect as well as you wish to, using passphrases, which you change frequently, and so on. In dual-key systems, you can send a message to one person or a group which is not readable by anyone else; you can sign a message so that your correspondent can be sure it came from you; and you can verify a signed message from someone else to be sure it came from them.
root privileges on her system) cannot read it, Alice encrypts it with her own public key. Only her private key can unlock that data.
That's the essence of the method, based on the beautifully elegant principle of dual-key encryption, in which one key is private and the other public. The system as a whole is therefore known as public-key cryptography. There is a whole system (the public key infrastructure or PKI) in place for publishing and retrieving public keys from a network of key servers around the world.
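The dual-key property described above, as an added example in Python that is not part of the original page: textbook RSA over small constructed primes, with the key names and the sample note as assumptions. It shows only that what one key of the pair locks, the other alone unlocks; GPG itself adds padding and a per-message session key on top of this.

```python
# Added illustration, not from the original page: textbook RSA over small,
# constructed primes. It shows the dual-key property only; real GPG adds
# padding and a per-message session key, and uses far larger keys.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, secret); each key is an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # secret exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)

def apply_key(key, value):
    """The single RSA operation, used in both directions."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def to_int(text, key):
    m = int.from_bytes(text.encode(), "big")
    if m >= key[1]:
        raise ValueError("message too long for this toy modulus")
    return m

def to_text(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def digest(text, key):
    h = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(h, "big") % key[1]

def sign(secret, text):
    return apply_key(secret, digest(text, secret))

def verify(public, text, signature):
    return apply_key(public, signature) == digest(text, public)

# Constructed key pairs built from known Mersenne primes (sample values).
ALICE_PUB, ALICE_SEC = make_keypair(2**89 - 1, 2**107 - 1)
MALLORY_PUB, MALLORY_SEC = make_keypair(2**61 - 1, 2**127 - 1)

def demo():
    note = "backup passphrase hint"          # constructed sample, 22 bytes
    m = to_int(note, ALICE_PUB)
    locked = apply_key(ALICE_PUB, m)         # Alice encrypts to herself
    sig = sign(ALICE_SEC, note)              # here the secret key goes first
    return {
        "owner_reads": to_text(apply_key(ALICE_SEC, locked)) == note,
        "public_key_unlocks": apply_key(ALICE_PUB, locked) == m,
        "other_secret_unlocks": apply_key(MALLORY_SEC, locked) == m,
        "signature_ok": verify(ALICE_PUB, note, sig),
        "tampered_ok": verify(ALICE_PUB, note + "!", sig),
        "wrong_signer_ok": verify(MALLORY_PUB, note, sig),
    }
```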
The first thing you do is to generate your key pair, gpg --gen-key and follow the instructions. This will also create the directory $HOME/.gnupg.
The $HOME/.gnupg directory also contains your keyrings. pubring.gpg is the list of public keys you need to know: people you might communicate with (including yourself). secring.gpg contains the secret keys, usually yours. These files are binary and you can't read them directly, but here are some useful commands to start with:
gpg --list-keys lists all the keys in pubring.gpg
gpg --list-secret-keys lists the keys in secring.gpg
gpg --search-keys <string> helps you find the public keys of people on the PKI. When you pick the one you want, you can add it to your public keyring.
The $HOME/.gnupg directory also contains the configuration file gpg.conf.
Some useful things I turned on in my gpg.conf...
no-greeting # the greeting gets annoying...
default-key D95BAE4B # key ID you prefer to use
default-recipient-self # if you mostly encrypt your own stuff
use-agent # the agent will remember your passphrase: see below
armor # always ascii-armor