Episode: 1358
Title: HPR1358: How to set up GnuPG, a PGP-compliant encryption system
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1358/hpr1358.mp3
Transcribed: 2025-10-18 00:11:37

---

Hi everyone, this is Klaatu and this is Hacker Public Radio. This episode is going to cover encrypting email with GPG specifically. GPG is the GNU Privacy Guard. It's based on the PGP specification, which was developed back in the 90s by Phil Zimmermann, who was later actually taken to court by the US government, because they felt that by writing encryption software and letting it outside the borders of the United States, he was, they felt, literally exporting a weapon, so they actually took him to court. He did not end up getting thrown into prison for life; he actually got around it in an interesting way. He published the source code in a book, a paper book, and said, hey, it's free speech. And that kind of, I don't know if that was literally what won the case or whatever, but that's what he did, and it became an issue of freedom of speech rather than weaponry, because apparently the same source code, if printed on paper, becomes something completely different than it is in digital format. Yes, it's a wonderful, wonderful world of laws and details that we live in. So anyway, GPG happens to be a pretty good system for privacy, apparently. And the way that it works is that each person in the equation of sending an email has two different keys, a public key and a private key. And so if I email Ken Fallon, I might type out an email and then I might generate an encryption method using my private key and his public key. Now the email is encrypted, so I send it to him, it's still encrypted, it gets downloaded onto his computer, it's still encrypted, and then he runs a little program and it uses my public key, not my private key, but my public key and his private key to then decrypt the email. If that makes no sense to you, think of it mathematically.
I'm not a mathematician, but this is kind of how I sort of sat down and kind of thought it out. So we all know basic algebra, 1 plus x equals 2, solve for x. If you said 1, you're correct, 1 plus 1 would indeed equal 2, so x must equal 1. So if we make that a little bit more complex, you might have something like 1 plus x equals 2 plus y, and now if I ask you to solve for x, it becomes a lot more difficult, right? Because you don't know what the value of y is. So in, I mean, x could be 1, and y could be 0, right? Because then you'd have 1 plus 1 equals 2 plus 0, and that would be 2 equals 2. But just as easily x could be 3, and y could be 2, and then you'd have 1 plus 3 equals 2 plus 2, both sides equaling 4, so again, it could be right. So it becomes a lot more complex that way. Now with the private key, public key thing, you're not just dealing with simple equations like that. You've actually got a lot more going on. So you've got, for instance, q times a equals q divided by b, where a is, let's say, 2 times x, and b is, let's say, 3 times y. So in this equation, the q would represent the e-mail, and then we're modifying the e-mail by the product of some known factor that would be your public key times some unknown factor that would be my private key. But we would know that that would be equal to the same e-mail in reverse, so let's just say it's divided by some unknown factor that's your private key, and some known factor that would be my public key. So even though in that setup, you've got a lot of knowns and unknowns, and you've got a lot of things that you could look at and analyze, there's always an unknown missing factor. As long as I keep my private key private, and you keep your private key private. 
If our private keys get revealed to the world, it tips the scale a lot, because even if one of our private keys gets revealed, then it tips the scale, because now there's that known missing factor, you can reconstruct, okay, here's how they encrypted it, or here's how they decrypted it. So now we can tell how they got to that point from some unknown place. So hopefully that makes a little bit more sense. Now obviously even in that complex version, you could just cycle through a bunch of numbers, right? You could say, okay, well I know that Q is unknown, but I know that ultimately Q times 2 times x equals Q divided by y times 4, so if I just cycle through a bunch of possible numbers for x and y, eventually I'll hit the right number or the right combination, or at least you might hit the right combination. You might not ever know if you hit the right combination in this scenario. In real life you might, because suddenly the email would make logical sense in some known human language, and that's kind of I guess that's the one possibility that all this encryption stuff always has, right? I mean they could eventually chain enough GPUs and enough computers together and just cycle through every known possible combination within a certain bit range and they might hit upon the solution. So it's kind of good to keep in mind that at some point presumably the encryption is going to be figured out, or it's going to be something that they can crack very easily, and then no longer will your emails be encrypted. So it's the typical little race to keep ahead of the people trying to undo the things that you're doing. So just keep that in mind, the level of numbers being used to generate all of these different algorithms and encryptions and stuff, they're pretty big. But again progress marches on, so you don't know really how big that will seem in ten years or twenty years or five years. 
Okay, so let's look at GPG directly first, although in real life you're probably not going to use GPG directly, necessarily. I sometimes do, to encrypt files, but more often than not, like my daily use of it is in an email program, through an email client, and with that you don't really, you're not going to be aware of all the GPG stuff happening in the background. All you're going to know is that it's happening, which is nice. It makes it really, really easy to do the encrypting and decrypting, and it kind of makes it very natural, and it doesn't slow you down any when all you're trying to do is email someone or read someone's email. It becomes very invisible, and that's good. But I do want to go over briefly what it's doing in the background so that you'll know, you'll understand that it's not just magically happening, and that's always a good thing. So the first thing you need to do is go to gnupg.org; that's the website to download the GnuPG program. If you are on Linux or a Unix-like operating system, there's a good chance that you'll already have it, but not guaranteed, so you may have to go download it. The quick and easy way to find out would be to type in which gpg, and if it tells you that gpg exists, for instance, in /usr/bin/gpg, then yes, you have it. Otherwise, you probably need to get it. So if you're on Linux, you can probably download it from your repository, and if you're on anything else, well, BSD, ports, but anything else, gnupg.org is probably the place that you'll end up going. So assuming that you're on Linux right now, just because that's the only way I've really used GPG directly, or something with a shell that will give you access to the command line version of GPG, you can first, and you should first, generate a GPG key for yourself. If you don't have a key or a pair of keys, it doesn't do you a whole lot of good.
It's not going to do you any good, really, because you kind of need something to decrypt and encrypt off of, and that's your key; those are your, I guess, your seeds. So if you do gpg, space, dash dash gen-key, that's GEN, like generate, dash key, then you'll be taken to a little walkthrough program for generating a key for yourself. So the first question that you'll be asked is: do you want an RSA and RSA key, do you want a DSA and ElGamal key, DSA sign only, or an RSA sign only? You probably don't want it sign only. So RSA and RSA or DSA and ElGamal, whichever you prefer; I'm going to go with DSA. And DSA keys may be between 1024 and 3072 bits long. The default is 2048. To be honest, right now I'm going to go really low, because I want this to be a quick thing. So I'm just going to go to the lowest, 1024, just so that you don't have to wait on me. But in real life, you could certainly go with the default, which is 2048, or you could go with the 3072. There would be some technicalities about time; obviously a key with more bits is going to take longer to encrypt and decrypt information. It's just more numbers for the computer to crunch. But if you're trying to stay ahead of that little curve where people are decrypting things, in theory, then maybe going longer would be better. I don't know. It's really your own paranoia level that should guide you. So either way, whatever you go with, it will ask how long the key should be valid for. I usually just say it's not going to expire, because I have no reason for it to expire. But if you were managing a business or something, and you were doing something with employees, maybe you would have their keys expire after a year to make sure that they don't leave the company and then still use their key or something. I don't know. So I'm going to say zero, meaning it will not expire. And then it asks for confirmation. Is this correct? And I will say yes to that. So then it's going to ask you for your user ID to identify yourself.
So this should be how you identify yourself to the people you know. And there's a little bit of, I guess, there's a bit of a debate going on over what that means, like a real ID. What is that? I mean, is that literally whatever your government has you recorded down as? Or is that what you use on an everyday basis? If you don't use your real name on an everyday basis, should that be what you're using? And if you've got an ID card with some name on it, then you should probably use that ID, blah, blah, blah. I don't really care, because I'm not in the business of making GPG people feel happy. And I feel like, as Klaatu, which naturally is my real name, Klaatu, I mean, that's, people know me as Klaatu. And so if I go to a GPG signing party where we are signing each other's keys saying yes, I trust you, I trust you, I trust you, I trust you, I trust you are who I, you say you are, then that's about as good as you're going to ever get, right? Because I could say that I was Klaatu, but actually I could be secretly someone else, I could be Gort, and you would never know. But certainly, Klaatu to you is this voice that you've heard on Hacker Public Radio, GNU World Order, maybe some other podcasts, who knows. So, so if, as long as you're going to associate, like, this person speaking to you right now with a key that you keep getting from this person, and if you talk to this person and say, hey, did you just send me an email with the word aardvark in it? And I say, why yes, I did, then there's some level of trust there, right? You can now believe that the email that was signed with the GPG key that was labeled with Klaatu's name is certainly the same person as the person who talks on a couple of different oggcasts. And that's about as deep as any of this stuff is really going to work, right? Because as you know from earlier episodes of Hacker Public Radio, people can fake identification, they can fake ID cards.
So if I take an ID card to a GPG signing party and show them that ID card, and then it has a name on there and they sign my key, I mean, does that really mean anything more than what I've just described about you getting an email from me and then talking to me about it? So, that's a big debate. I'm not going to get into it. Well, I just did. I'm not going to get into it any further. So, I'm going to type in my real name, it's Klaatu, my email address, I'm going to put klaatu@member.fsf.org, and then a brief comment, and the comment, I tend, I don't really know what they're intended for, but I tend to just, I tend to use the comment field for some explanation of why that key exists or who, which Klaatu this is, because I know that Klaatu isn't necessarily the most unique handle in a geeky community, since it's also a very popular science fiction name. So, I'm going to put blue hair oggcaster, and that, I feel, just kind of gives them some reference, so that if they're looking around for my public key, they kind of get, you know, they'll know, oh, this is, yeah, this is Klaatu the oggcaster, not Klaatu the guy who maintains, you know, some random program on Unix, although that could be true too, technically. But anyway, so am I going to change anything? No, I'm not going to change anything, so I will say okay to this. And now it's asking me for a passphrase, and entering a passphrase is good. You will want that, because you probably want to authorize your computer to use your key. You don't want just anyone sitting down at your computer to be able to use your key. You tend to want to explicitly tell your computer, yes, I am me and I give myself permission to use this key. So now it's generating the key and it's asking me to do stuff. It says do something with your computer, because we need more entropy. So I just open up a web browser and click around and just kind of do, I don't know, what I think is random stuff, and eventually it finishes creating the key.
Now if you took that longer key, really, really long key, then it might take you a little while to generate enough entropy and randomness for your computer to use in order to generate that key. So it might not happen as quickly as it just happened for me. So just keep that in mind, don't panic, just keep using your computer and eventually you'll get your prompt back and it'll tell you, yes, we've just created a GPG key. It actually tells you a lot more than that; it tells you that it's created a trust database, trustdb, it's created your private key, that is marked ultimately trusted because you trust yourself, presumably, and your public key as well. So now that we've got a key on our system, we can really, we could start using it right away. So if I echo, space, quote, hello world, close quote, pipe into gpg --encrypt, greater than, so I'm redirecting the output of this into test.gpg. Now I'm basically just going to echo the phrase hello world and I'm piping it into gpg, and I'm having gpg encrypt this, these words hello world, and then I'm going to redirect the output of that command into a test file, so test.gpg. So we're just, we're literally just, we're going to create a file, essentially, that is the encrypted phrase hello world. In order for gpg, remember gpg uses a private key and a public key, so in order for gpg to encrypt this, it needs to know who is allowed to unlock it, what public key is permitted to, to unlock this cryptic phrase. So it's using my private key right now; it needs a public key to sort of add to that algorithm and create the encryption. The, the way that you enter the, the, you define who can unlock this is you type in the name or the user ID of the person you want to be able to unlock it. Now you don't have any other keys on your system yet, and on this particular box, neither do I. Why? Because this is a test box, I'm doing it at the same time as you are, so you have no one else to encrypt this for.
I mean, you could type in Bob, but there's no Bob; you don't have anyone on your key ring, essentially. So right now, let's just encrypt it for ourselves. So I'm just going to type in klaatu and hit return, and it, it, it scans my little key, my keychain, and it says, okay, I see a Klaatu, I'll go ahead and assign, I'll use that public key and your private key, so really it's the same, the public and the private are both mine, but that's fine, to encrypt this thing into another user ID. So if you want someone else to be able to open this message, then you could type their name in, but again, you have to have them in your keychain, and you don't have anyone in your keychain yet, and that's fine. So we're just going to end this process by hitting return, and it unceremoniously returns us to a prompt. So now if you do an ls in your current directory, you'll see test.gpg does exist, and if you cat test.gpg, you see gibberish. That's what you want to see. My, my terminal shows, yeah, really ugly gibberish, it's not just nonsense letters, I mean it's nonsense characters that I've really never seen before on my computer. So that's a good thing, that is an encrypted, encrypted message. So now we could also do a gpg, space, dash dash decrypt, and then give it the name of the file, so test.gpg. I hit return and it says, okay, you can unlock this as long as you've got a passphrase. Why is it asking me for a passphrase, and how does it know I am who I am? Well, because my little gpg program running in the background, it knows that my private key and my public key are associated with the user executing these commands. So the fact that it just asks me for a password is simply because it recognizes who I am; it's aware of my private and my public key. So there's a little bit of invisibility already going on. It's not like we have to tell it to use Klaatu's public key to unlock this thing; it already knows that.
And sure enough, when I type in my password and I hit return, it tells me, okay, it's been encrypted with a 1024-bit ELG-E key, the ID number of that key, it was created on this date by Klaatu (blue hair oggcaster) <klaatu@member.fsf.org>, and then it spits out the text of that message, which was the phrase hello world, and that's how you encrypt and decrypt things. So for all of you who have been using, say, TrueCrypt or some such program as that, you can actually do the same thing with gpg. So if I had a whole folder of stuff that I want to encrypt, I'll just make a test folder here, test-dir, mkdir, space, test-dir, makes a test directory, and then I'll go in, well, I'll just pipe some random stuff into some files in test-dir, so I'll ls /usr/bin in there, and I'll ls /usr/sbin into a file, and then I'll copy a JPEG out of my pictures folder, here's some cats, so copy those into the test directory. So now I've got, I've got about three files in this little test directory now. So now if I wanted to encrypt this whole directory, all I would have to do is tar it up, so I'll tar, space, dash cf, create file, test-dir.tar, and then the name of the directory to use as the source, so space, test-dir, so now it's tarred, test-dir.tar, and now I can encrypt it with gpg, space, dash dash encrypt, test-dir.tar, and again, it's going to ask me, well, who do you want to be able to unlock this file? So again, I would just, since I don't have any friends yet, I would type in klaatu, and it asks me for another user, well, I don't have any other users, so I just hit return, and then it's done, because these are really small files, and sure enough, now I've got a test-dir.tar.gpg. So for all the world, that is an encrypted folder, and no one could tell what was in there. And in order to decrypt it and view the files inside, they would need to have access to my private key, and to the public key for which it was intended.
So in this case, again, we're encrypting stuff for ourselves. So if they had the password to our private key, and they were on our computer, they could indeed decrypt that file pretty easily. But presumably, you wouldn't tell people the password to your private key. So even then, people shouldn't be able to just go in and decrypt it without knowing your password to your private key. So lots of levels of protection there; that's kind of nice. Let's talk really quick about backing this key up. That would be gpg, space, dash dash export-secret-key. And that would export your secret key. You would probably want to redirect that to klaatu.secret.gpg.key or something like that. And then you would probably want to put that in a very safe place, because again, the whole equation comes tumbling down if your secret key, if your private key, is known by other parties; that kind of ruins the whole mystery of it. So keep that safe, keep it secret, keep it safe, and back it up. I, generally speaking, I back up my .gnupg folder, because that's got my key ring in it, and all that other good stuff. Now, another thing that you can do, and probably should do, is upload your key to a key server, and not your private key, your public key. And the reason you want to do that is because in order for gpg to work, people need to know your public key. They need to be able to encrypt stuff for you, and decrypt stuff that has come in from you. So that's kind of an important thing. That public key wants to be known. That's why it's called public. And you can do that by send-keys. You do a gpg --send-keys, and then you would need to know your ID. So actually, let's do this first: gpg, space, dash dash list-keys. That'll list all the keys in your keychain, but the first one you'll recognize is your own. That's your actual key. And it tells you the identifier, the identifying number of your key.
And you'll see that under, well, the last line of your key block, it says pub 1024D/FEE, blah blah blah, 2013-09-whatever, uid Klaatu (blue hair oggcaster), and then sub 1024g/2B564D0A. So the 2B564D0A is the identifying number of my key, or more specifically, the number of my key as identified by the username that I have provided. That's typically the one that I use. I don't know that there's a best practice in terms of which one you should refer to, but either one of those will do. The FEE00-whatever, or the 2B564D0A-whatever. So either of those identifying numbers will do. So if you do a gpg, space, dash dash send-keys, and then paste in that identifying number, and then hit return, that should send it to a key server somewhere out on the internet. Which key server it sends that information to will probably simply depend on whatever distribution you're using and what kind of presets they have in place. On my Fedora test box, they already had one kind of assigned, and much to my surprise, it just sent it, which I really did not mean to do. On Slackware, they don't preset that for you, and you have to define one yourself. There are a couple of different servers out there. There's a sort of a new one from Fedora, actually, themselves, which is, I think, keys.fedoraproject.org. So you can use that one. There's one, I think it's pgp.mit.edu or something like that. So yeah, there you go. There are servers out there, and then of course servers typically mirror each other after a while. So you've got sort of, you've got key servers talking to other key servers so that your public key gets propagated fairly quickly all over the place. And again, that is what you want.
That's part of the model of the gpg system, to have that public key out there so that people can grab it, use it along with their private key to send you a message, send you a message, and then you can use your private key and their public key to then decrypt what they've sent you, and vice versa. Okay, I hope that all made sense. I think it did, but now we should take a quick coffee break and then move into actually using this technology in everyday emails. Oh, wait a minute. What am I doing? It's the wrong podcast. We don't take coffee breaks at Hacker Public Radio. We're going to jump right into this email stuff, but you could pause it and go get a cup of coffee if you really wanted to. I'm not encouraging that, necessarily. There are lots of different email applications out there. Clients, I mean, and you can use any number of them. The two that I know, the three that I know work with gpg pretty much transparently are Thunderbird, KMail, and Mutt. And the reason I know that those work transparently is because I use them. I will describe how to do Thunderbird and Mutt. And hopefully the ideas presented here will sort of translate easily into the other programs that you may find. Thunderbird doesn't actually support it out of the box. You have to install an add-on. KMail supports it out of the box, so it's pretty darn easy with KMail. But Thunderbird, you have to add that on. And since Thunderbird is a lot more portable than KMail, I would like to go over that one. And then Mutt, of course, is Mutt. To get an add-on in Thunderbird, you go to the Thunderbird menu, wherever that is. It depends on what version of Thunderbird you're using. They've moved it over to a little hidden menu over on the right lately, but you can find it elsewhere. Maybe in the File menu or something if you're using an older one. Either way, get the add-on. And the thing that you're looking for in add-ons is called Enigmail, E-N-I-G-M-A-I-L, Enigmail.
Now, when I search for it in the Thunderbird add-on search menu, or what is it, search bar, it comes up with results, with the best match. And it only gives me the top five, none of which actually matched the word Enigmail. So if you set your filter to the name, match the name, it still won't work. And then down at the bottom of the results, the first five results, click see all 54 results. Once you do that, it will let you see more results. And it does that by taking you, I think, to the web page, like the add-on web page at, like, getthunderbird.org or mozilla.org, whatever. And the top match at this time is indeed Enigmail. And it's a featured add-on. So featured that it doesn't come up in your standard search. And then if you roll your mouse over it, you can click Add to Thunderbird. And it adds, it warns you, as it will, that it's not a Mozilla project. They can't really vouch for the developer and so on. So click through that and go ahead and just install Enigmail. It would be the correct answer there. This is one of those plugins that requires a restart of the application. So once it is installed, there's a little bar up at the top that says the install will finish once you restart Thunderbird. And then it gives you a button to restart Thunderbird now. And then sure enough, it has installed. So once Thunderbird opens back up, you won't really see a whole lot different. If you look closely, you will find a, that there's a Decrypt button, possibly, somewhere up at the top. Again, it kind of depends, you know, on what version of Thunderbird you're running. This, I don't know, this is again on my test box. So it's whatever Fedora is on right now is what I'm running. So there's a Decrypt button, but it's grayed out. And that's normal. The time that Enigmail will sort of present itself most obviously is when you compose a message, or Write, in Thunderbird terms.
So if you click the Write, that's W-R-I-T-E, button at the top of the Thunderbird window, then you get a new empty message. And you can go up to the, you'll see now a menu at the top of that, of that window or, or, you know, wherever you see your menus. And you will see that there's File, Edit, View, Insert, Format, Options, and OpenPGP. This is the place you're going to want to be. So just to kind of prompt Thunderbird to make us configure the, the keys that we want, we will just go ahead and say that we're going to sign this message, from the OpenPGP menu, Sign Message. It pops up a warning and it says you did not yet configure OpenPGP security for the selected identity. Do you want to do this? So we'll click Configure. This takes us to an OpenPGP options dialogue box, and we will say, okay, so enable OpenPGP support for this identity. And by, quote, identity, it means the person, the person and the, the email account and everything that you are using Thunderbird for. So if you hadn't, you know, if you've got Thunderbird set up for, like, one email address, then that identity is that one email, email address at your username. If you have Thunderbird set up for multiple accounts, maybe you have a work email, you have a personal email, you have an internet email or, like, a web mail account, maybe you've got lots of different identities. So you may want to only use your GPG key for a certain one of those identities. So whoever you are composing this message as, which right now, since I only have Klaatu configured in Thunderbird, that's the identity to which it is referring. So yes, I will enable GPG, or OpenPGP, for this identity. And it says use email address of this identity to identify the OpenPGP key. You could do that, but I'm going to, I would prefer to use a specific OpenPGP key. I just prefer to do it that way. I'll select the key. It pops open a Select a Secret OpenPGP Key to Sign dialog.
It auto-detects my .gnupg folder now, because it's looking for keys on my local system. So I select that key and it fills in the little hex code number thing. I don't know if it's actually hex code, but it's a number anyway with an x in it. It looks really technical. And then it gives me a couple of default options. So the defaults you can do for a GPG email are that you could sign the message, but not encrypt it. So basically you're just saying, you're including your public key along with the message. You're signing it with your GPG key. You're not actually encrypting anything. It will be human-readable by everyone. It's not getting scrambled. You could also sign the encrypted message by default. So you're sending your public key and you're encrypting the message by default, meaning it will come through as a scrambled blob that no one can read unless they have the correct public key and their own private key. Or you can encrypt the message by default. I find that's usually not something that you want to do, because not everyone in your life probably uses GPG. If so, you're a lucky person. I do not have everyone in my life using GPG keys. So encrypting a message by default would be a bad idea. Or I could use PGP/MIME by default. Never use that. Don't really know what it means. So I'm going to sign the non-encrypted messages by default. And I'm going to say okay to that. It tells me that I've just made some settings and do I want to confirm that, and I do. And then I could type out this message to anyone. And you'll see that when you send it to, I mean, if you send it to yourself or something, or to another account that you might own, you will see that at the bottom of your message now, or somewhere in your message, I forget where Thunderbird puts it, but I think it's at the bottom, it puts a big, long, ugly string of random-looking letters. That is the representation of your GPG key.
And people could use that to then import your public key or whatever, or look at it against what they have on file for you, whatever. So that's just signing it. If you want to encrypt it, you could go to the OpenPGP menu or the OpenPGP button at the top of the Thunderbird window and tell Thunderbird, yes, I want to encrypt this message. Now that's going to encrypt the message for the email address that you are sending it to. It's going to cause problems if you don't have that person's key in your keychain. So I'm going to hit Send; it's going to ask me why, it can't find on record a key for this person that I'm sending it to, gort at www.gnuworldorder.info. There is no, I don't have that person's key. Okay, so here's where we're getting into the idea of the public and private key pair. We were able to use GPG earlier in the terminal because we had both our own private and our own public key. That's, that's easy. We can pair those two things together and encrypt something. But if we want to encrypt something for someone else and send it to them, we need to get their public key onto our computer so that we can pair our private and their public key, generate the encryption, do the encryption, and then send it. So that's not so hard. I find the easiest way, for myself, is just to go back to the terminal and do a gpg, space, dash dash search-keys, and then type in the name of whoever you're searching for. So I'm going to do a gpg --search-keys, space, gort, and actually I don't know any of these Gorts, because there's not really a Gort that I know, and they're all from 2000 and 2001. But anyway, if I, there's nine results for Gort, one of mine, one of which is mine, my real key, but that's not what I want. I want some other Gort. So I'm going to do a gpg, or rather I'm going to, it asks me, keys one through nine of 19. Okay, that's why. So I'm only seeing the first nine for Gort; enter a number, or next, or quit. So I'm just going to randomly choose the second result.
I type in 2 and it imports that public key. So now if I look at this person's email, which is a Spanish email, I think, ES, right, that's Spain, and it looks pretty well confusing, but I'll just paste it into my Thunderbird. I'm not going to send this message. I just want to, you know, I just want to see what happens if I actually, that won't be possible. Now I'm offline. It won't work. So I'm going to click send this message. And so sure enough, it goes through. And in fact, if you look at what you're sending in your sent box, if you went offline like I did, then you'll see gibberish. It says begin PGP message, charset is ISO 8859, I'm not using UTF-8 really, version GnuPG, comment: using GnuPG with Thunderbird, and then a bunch of gibberish. I'm going to delete this message because I don't know who this Gort is, and I don't believe that he probably wants to receive email from me in spite of my name relation to him. That looks like it works. So now if Gort was to get my message, then what Gort would need to do, if he didn't already have my public key, he would need to go search for my public key, import it into his keyring, and then his email client would probably decrypt that message for him. And that's how this works. So that doesn't tend to be the way I use it. It tends to be more like, hey, someone just sent me their public key. Now I can start encrypting messages to them and I don't have to go search for their key personally. And that's simply because a lot of people do have keys on servers that are no longer really useful. And so if you send them something encrypted, they'll write you back and say, hi, I have no idea what you just said, because I opened that GPG key, or I created and uploaded that GPG key, 10 years ago and I haven't used it since. So please just tell me what you said.
So I tend to get verbal or email confirmation from people that, yes, I want to use my, you know, let's start communicating with GPG encryption, and then maybe they'll send you their public key, or you can search for it and kind of look for their name and their email pair. And all you do is gpg --search-keys and then their name or their email or whatever, and select the number that is the correct result, and it will import it into your keychain for you. There is a GPG import keys, or import key, and if someone sends you a key then you can do that. That works too. But I think more often than not, I tend to get confirmation from the person that, yes, they want to start using GPG. I search for the key under their name and email and then I import it that way. And that's sort of it. So that's Thunderbird and Enigmail. It's really not that hard. Now the nice thing about this is that if someone sends me an email back that is encrypted with my public key, Thunderbird is smart enough, and GPG is smart enough in the back end, to recognize that this is an encrypted thing that we're dealing with here. And so it just sort of automatically decrypts it for me. And, I might be thinking of KMail, but I'm pretty sure it gives me a little box at the top of my message viewer pane where it says, this was a GPG encrypted message from user whatever. And so you know that you're reading something that really is encrypted, but you're seeing the decrypted version of it. It's either Thunderbird or KMail that does that. Something graphical. So you know it's encrypted, but you don't have to bother with going through any kind of legwork; you don't have to copy the message into a file and run it through GPG manually through a terminal. It just all happens magically on your computer in your email client. And the advantage here, of course, is that it is encrypted.
It's encrypted when it's saved, you know, to your computer. It's an encrypted entity. It's not being decrypted until you launch your email account and tell it that you want to view that message. And then it decrypts it for you. The other good thing about that is that it's obviously encrypted on any server that it exists upon. So if you're using a webmail service, then they have your email, yes, but it is encrypted email that doesn't make any good sense to them at all. And so that's kind of nice. Okay, so that's Thunderbird. KMail is very similar in terms of setting it up. I'm not going to go through that because it's not quite as portable as Thunderbird. And Mutt is a little bit more work to set up correctly. And I want to kind of do an overview, because it is actually a lot of work to get it going. I mean, not a lot of work, but a fair amount. So the first step would be to make sure that your server has GPG installed, which I'm assuming, if it's a Linux server, then it would have GPG installed. And again, which gpg would confirm that for you. And sure enough, I have GPG installed, actually in my bin folder on the server. So it's not system wide. It's just in my home folder. So now if I go back out to my home folder and I do a less on my muttrc file and I scroll way down to the bottom where I have all my GPG stuff, then I have a lot of different options being set for PGP. So for instance one would be set pgp_encrypt_only_command=, and then it invokes something called pgpewrap. That's an email wrapping program, that wrap, pgpewrap, which is in /usr/bin on this computer, space gpg, space a bunch of options, and then encrypt-to and then my key number, and then a bunch of other options to direct it at the text that it should encrypt for me.
I will include a sample muttrc file in the show notes, but when I go into Mutt and I hit m to create a new message, I type out a recipient. I type out a subject. It takes me to Emacs. I type in the body of my message. I save that message. I get out of Emacs. Then it takes me back to my Mutt screen where it's saying, okay, are you ready to send this? So by default I have it set in my muttrc file to sign my message, which is fine normally. I like to sign by default. But in this case let's say that I want to encrypt it. So I hit p for the PGP menu and then it gives me a list of options, and that's encrypt, sign, sign as, both, inline format, or clear. I don't know what inline format and clear mean, but the encrypt and sign obviously, and sign as, but I only use encrypt and sign. So, sign by default, so really I only use encrypt. So if I hit e for encrypt, then it's going to now invoke GPG with a certain set of options as defined in my muttrc file, and it's going to, in other words, encrypt my entire message with my private key and the public key of the person to whom I just made my email out. And then if I sent it, then it would be sent. I'm not going to send it and I'm not going to post the message, but that's how that works. So it's practically the same thing. It's just a little bit more manual, mostly in the sense that you have to enter a bunch of new stuff into your muttrc file. It's not pretty. It's a bunch of code. I stole it from somewhere online. It works really great. It works quite well. I've never had a problem with it. I've gotten messages from other people. It decrypts fluidly, just as fluidly as on Thunderbird. You never really realize it's encrypted, except that you get a bunch of OpenPGP output at the top of the message to sort of show you, hey, this has been signed and it was encrypted and you're viewing it using this public key, and it's as simple as that. And again the same rules apply.
The reason you're able to encrypt something for someone is because you have their public key. The reason they're able to encrypt something for you is because they got your public key, and that's all anyone ever needs: public keys. You don't ever share your private key, and you can use GPG-based encryption on email from the moment you send it over the internet to the moment that it gets to their computer, until they explicitly tell it to decrypt for them. And depending on the software that they're using, it might not actually decrypt it. It might just be showing the decrypted view, which then goes away once they close that menu or that window. So hopefully that helps you see how easy it is to encrypt and decrypt files. It's super easy. I mean, it really is. Set yourself up with a GPG key pair and start encrypting your files if you want, and start encrypting your emails, and make sure that you back up your private key. You really want to back up your private key. Did I say that you should back up your private key? Because that's what you would want to do. If you start encrypting stuff, whether it's sent mail or whether it's files, and then you lose your private key, you will not be able to decrypt those messages anymore. So be aware of that. But other than that caveat, this is a pretty neat and easy way to encrypt stuff. So try it out. My public key is listed on the key servers out there. So if you do a gpg --search-keys and then klaatu, or, to make it more exclusive or whatever, just do a search for notklaatu, because there's only one notklaatu and that's me, and it's pretty obvious, I think. It lists all the different identities that I've got online. Just grab that and start emailing me encrypted emails, and that would be cool, because then we'd be all secret spy like. So do that, have fun. The more you use GPG encryption, the less suspicious it looks.
So use it often, for even little everyday messages, just encrypt it. The more noise there is out there, the better. Thanks for listening. You have been listening to Hacker Public Radio at hackerpublicradio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com. All Binary Revolution projects are proudly sponsored by Lunar Pages. From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
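As an added example of the key exchange Klaatu walks through in the episode (this script is not from the episode or its show notes), two throwaway keyrings play Klaatu and Gort: only public keys are exported and imported, Klaatu signs and encrypts to Gort's public key, the sender's own copy stays unreadable, and Gort's private key opens it. It assumes gpg (GnuPG 2.1 or newer) is on PATH; the names, addresses and message text are constructed.

```shell
#!/bin/sh
# Added example, not code from the episode. Two temporary keyrings stand in for
# Klaatu and Gort. Gort's public key reaches Klaatu via the "gpg --import" route
# (--search-keys would need a keyserver); names and message are constructed.
set -eu

# Generate an unprotected, test-only key pair for user-id $2 in keyring $1.
make_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
}

# Run the whole exchange for message $1 and print what Gort decrypts.
gpg_roundtrip() {
    work=$(mktemp -d)
    klaatu="$work/klaatu"; gort="$work/gort"
    mkdir -m 700 "$klaatu" "$gort"
    make_key "$klaatu" "Klaatu <klaatu@example.invalid>"
    make_key "$gort"   "Gort <gort@example.invalid>"

    # Only public keys travel; each private key never leaves its own keyring.
    gpg --homedir "$gort"   --batch --quiet --armor --export gort@example.invalid   > "$work/gort.pub.asc"
    gpg --homedir "$klaatu" --batch --quiet --armor --export klaatu@example.invalid > "$work/klaatu.pub.asc"
    gpg --homedir "$klaatu" --batch --quiet --import "$work/gort.pub.asc"
    gpg --homedir "$gort"   --batch --quiet --import "$work/klaatu.pub.asc"

    # Klaatu: encrypt to Gort's public key and sign with his own private key.
    printf '%s' "$1" | gpg --homedir "$klaatu" --batch --quiet --trust-model always \
        --local-user klaatu@example.invalid --recipient gort@example.invalid \
        --sign --encrypt --armor > "$work/msg.asc"

    # The copy in the sender's sent box is gibberish even to him: no Gort private key here.
    if gpg --homedir "$klaatu" --batch --quiet --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        echo "sender should not be able to read the ciphertext" >&2
        return 1
    fi

    # Gort: decrypt with his private key; the signature is checked against Klaatu's public key.
    gpg --homedir "$gort" --batch --quiet --decrypt "$work/msg.asc"

    # Stop the agents that gpg started for the throwaway keyrings, then clean up.
    gpgconf --homedir "$klaatu" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$gort"   --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

Call gpg_roundtrip "some text" to see the decrypted message on stdout; gpg's "Good signature" line goes to stderr.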