Maintaining privacy of data and communication using GPG

Most guides to data protection put out by government institutions, universities and corporations tell you about protecting your data from nefarious types (the mythical "Mallory" eavesdropping on "Alice" and "Bob"...), but in actual fact you should be equally concerned about protecting it from people who have legitimate access to your files (i.e., a sysadmin with "root" privileges on the NEMS machines where GFDLers' mail is stored), or from institutions whose policies may not respect your data privacy.

This is a short introduction to a suite of free software tools for encrypting and signing data. The main tool described here is the GNU Privacy Guard (GPG), which is a free GNU implementation of the dual-key encryption method known as Pretty Good Privacy, or PGP.

Dual-key encryption

Dual-key encryption systems are based on having a key pair. They are anti-symmetric in that if you encrypt with either one, you can decrypt (only) with the other. SSH, PGP and other such cryptographic systems are based on the dual-key method.

The key to these methods is that you make one key of the pair public, visible to all the people you may wish to communicate with privately (essentially anyone in the world...). The counterpart of the public key is your secret key, which you protect as well as you wish to, using passphrases, which you change frequently, and so on. In dual-key systems, you can send a message to one person or a group which is not readable by anyone else; you can sign a message so that your correspondent can be sure it came from you; and you can verify a signed message from someone else to be sure it came from them.

That's the essence of the method, based on the beautifully elegant principle of a key pair, of which one key is private and the other public. The system as a whole is therefore known as public-key cryptography. There is a whole system (the public key infrastructure or PKI) in place for publishing and retrieving public keys from a network of key servers around the world.

Setting up GPG

The first thing you do is to generate your key pair: run gpg --gen-key and follow the instructions. This will also create the directory $HOME/.gnupg.

The $HOME/.gnupg directory also contains your keyrings. pubring.gpg is the list of public keys you need to know: people you might communicate with (including yourself). secring.gpg contains the secret keys, usually yours. These files are binary and you can't read them directly, but here are some useful commands to start with:

The $HOME/.gnupg directory also contains the configuration file gpg.conf.

Some useful things I turned on in my gpg.conf...

no-greeting            # the greeting gets annoying...
default-key D95BAE4B   # key ID you prefer to use
default-recipient-self # if you mostly encrypt your own stuff
use-agent              # the agent will remember your passphrase: see below
armor                  # always ascii-armor
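
As a check on settings like the ones above, here is an added example (not part of the original page) that parses a gpg.conf and flags two entries worth reviewing: a key named by its 8-hex-digit short ID, which does not uniquely identify a key, and use-agent, which GnuPG 2.1 and later accept but ignore. The function names, the KEY_OPTIONS subset and the embedded sample are assumptions of this example.

```python
import re

# Constructed sample: the gpg.conf lines shown above, embedded so this runs offline.
SAMPLE_CONF = """\
no-greeting            # the greeting gets annoying...
default-key D95BAE4B   # key ID you prefer to use
default-recipient-self # if you mostly encrypt your own stuff
use-agent              # the agent will remember your passphrase: see below
armor                  # always ascii-armor
"""

# Options whose argument names a key (a subset chosen for this example).
KEY_OPTIONS = {"default-key", "default-recipient", "encrypt-to", "local-user", "recipient"}
HEX = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)!?$")

def parse_conf(text):
    """Return (lineno, option, argument) for every active line of a gpg.conf."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip '#' comments, trailing ones included, as the sample above uses them.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        option, _, arg = line.partition(" ")
        entries.append((lineno, option.lstrip("-"), arg.strip()))
    return entries

def classify_key(arg):
    """Classify a key specifier by how many hex digits identify the key."""
    m = HEX.match(arg.replace(" ", ""))       # fingerprints are often written in groups
    if not m:
        return "user-id"                      # name or e-mail match, not a hex ID
    sizes = {8: "short-id", 16: "long-id", 40: "fingerprint"}
    return sizes.get(len(m.group(1)), "other-hex")

def audit(text):
    """Return (lineno, option, finding) for each setting worth reviewing."""
    findings = []
    for lineno, option, arg in parse_conf(text):
        if option in KEY_OPTIONS and classify_key(arg) == "short-id":
            findings.append((lineno, option, "32-bit short key ID: other keys with the "
                             "same ID are cheap to generate; use the 40-hex fingerprint"))
        elif option == "use-agent":
            findings.append((lineno, option, "no effect since GnuPG 2.1, which always uses gpg-agent"))
    return findings

if __name__ == "__main__":
    for lineno, option, finding in audit(SAMPLE_CONF):
        print(f"line {lineno}: {option}: {finding}")
```

The full fingerprint to put in place of a short ID is printed by gpg --fingerprint followed by the key ID.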

Created by v. balaji (balaji@princeton.edu) in emacs using the emacs-muse mode.