
GNU Privacy Guard

GnuPG allows you to encrypt and sign your data and communication. It features a versatile key management system as well as access modules for all kinds of public key directories.

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (OpenPGP being the standardised form of PGP, Pretty Good Privacy).

Version 1.4 vs. 2.0

Current Ubuntu versions install GnuPG version 1.4.x, while the newer version 2.0.x is recommended for desktop systems.

Amongst others, version 2.0 adds the following notable features not available in the classic version:

  • GnuPG Agent
  • PIN-entry
  • Store keys on a SmartCard
  • Support for X.509 certificates and keys, besides OpenPGP keys
  • Support for signed and encrypted mails using S/Mime besides OpenPGP mails
  • Directory Manager

The versions co-exist nicely, if installed on the same system.

Enigmail requires GnuPG 2.0.

GnuPG Agent

The “GNU Privacy Guard Agent” is a service which safely manages your private keys in the background. An application (e.g. the mail client signing a message with your key) does not need direct access to your key file or your passphrase. Instead it goes through the agent, which asks the user for the key passphrase in a protected environment when it is needed.

Additionally, gpg-agent can also manage your SSH keys, thus replacing ssh-agent.

PIN Entry

“PIN Entry” is used by “GnuPG Agent” and others to ask the user for a passphrase in a secure manner. It works on various graphical desktop environments, text-only consoles and terminal sessions.

Note

PIN Entry version 0.8.3, currently installed from the Ubuntu Software-Center, disables access to the clipboard for security reasons. Copying or pasting the passphrase is not possible. Later versions allow clipboard access to be enabled as an option, although it is disabled by default.

“GPG Agent” and “PIN Entry” not only make the handling of your keys more secure, but also easier to use. You can set a time during which your keys stay unlocked, so you are not required to enter your passphrase every time the key is needed. Choose that time with care: while a key is unlocked, any process in your session that can reach the agent socket can use it without a prompt.
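To see what the agent is holding on your behalf, and which passphrases are currently cached, you can ask it directly over its Assuan socket. The following is an added example, not code from the original page or from GnuPG; it assumes GnuPG 2.1 or later (where the agent understands the KEYINFO command) and that `gpgconf --list-dirs agent-socket` reports the socket path. The reply at the bottom is constructed so the parser can be exercised without a running agent.

```python
"""Ask a running gpg-agent which private keys it manages and whether their
passphrases are currently cached.

Added example, not part of the original page or of GnuPG.  Assumes GnuPG 2.1
or later (the agent's KEYINFO command over its Assuan socket) and that
"gpgconf --list-dirs agent-socket" reports the socket path.
"""
import os
import socket
import subprocess

# Fields of an "S KEYINFO" status line: keygrip, type, serialno, idstr,
# cached, protection, fingerprint, ttl, flags.
KEY_TYPES = {"D": "on disk", "T": "on token/card", "X": "unknown", "-": "no key"}
PROTECTION = {"P": "passphrase", "C": "clear", "-": "unknown"}


def parse_keyinfo(lines):
    """Turn the status lines of a KEYINFO --list reply into dicts."""
    keys = []
    for line in lines:
        if not line.startswith("S KEYINFO "):
            continue
        fields = line.split()[2:]
        fields += ["-"] * (9 - len(fields))      # tolerate missing trailing fields
        keygrip, ktype, serial, idstr, cached, prot, _fpr, ttl, _flags = fields[:9]
        keys.append({
            "keygrip": keygrip,
            "type": KEY_TYPES.get(ktype, ktype),
            "serialno": None if serial == "-" else serial,
            "idstr": None if idstr == "-" else idstr,
            "cached": cached == "1",             # "1" = passphrase is in the cache
            "protection": PROTECTION.get(prot, prot),
            "ttl": None if ttl == "-" else int(ttl),
        })
    return keys


def assuan_command(sock, cmd):
    """Send one Assuan command; return reply lines up to OK, raise on ERR."""
    sock.sendall(cmd.encode() + b"\n")
    buf, lines = b"", []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            line = raw.decode()
            lines.append(line)
            if line.startswith("OK"):
                return lines
            if line.startswith("ERR"):
                raise RuntimeError(line)


def agent_socket_path():
    """Socket path from gpgconf, falling back to the classic location."""
    try:
        out = subprocess.check_output(["gpgconf", "--list-dirs", "agent-socket"])
        return out.decode().strip()
    except (OSError, subprocess.CalledProcessError):
        return os.path.expanduser("~/.gnupg/S.gpg-agent")


def list_agent_keys(path=None):
    """Connect to the agent, run KEYINFO --list and return the parsed keys."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path or agent_socket_path())
        greeting = sock.recv(4096)               # "OK Pleased to meet you"
        if not greeting.startswith(b"OK"):
            raise RuntimeError(greeting.decode(errors="replace"))
        keys = parse_keyinfo(assuan_command(sock, "KEYINFO --list"))
        assuan_command(sock, "BYE")
        return keys


# Constructed reply for offline use, not captured from a real agent: a
# passphrase-protected key on disk whose passphrase is cached, and a key that
# lives on a smartcard (type T, card serial number, slot OPENPGP.1).
SAMPLE_REPLY = [
    "S KEYINFO 1D0C1B5A8F3E2D7C6B5A49382716051403F2E1D0 D - - 1 P - - -",
    "S KEYINFO 9A8B7C6D5E4F30211F2E3D4C5B6A79808796A5B4 T "
    "D2760001240102010006012345670000 OPENPGP.1 - - - - -",
    "OK",
]

if __name__ == "__main__":
    for key in list_agent_keys():
        state = "cached" if key["cached"] else "locked"
        print(f"{key['keygrip']}  {key['type']:14}  {state}")
```

Run it while a mail client has just signed something and the key shows up as cached; run it again after the TTL configured below has passed and it shows as locked. A card-resident key never shows a cached passphrase from the agent's point of view, because the card does the signing itself.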

Software Installation

“GNU Privacy Guard Version 2”, “GnuPG Agent” and “PIN Entry” can be installed from the Ubuntu Software-Center:

software-center

Or by using apt:

> sudo apt install gnupg2 gnupg-agent pinentry-gtk2 pinentry-curses

Configuration

Default Key for Command-Line

Some scripts read the GPGKEY environment variable to pick the key you normally use; gpg itself does not read it and takes its default key from the default-key option in gpg.conf (set further below). To provide the variable, add the following line to the file $HOME/.bashrc, using your own long key ID:

export GPGKEY=0x0123456789ABCDEF

Key Server Certificate

Whenever GnuPG needs a key to check a signature or to encrypt a message and the public key is not already in your public keyring, that key is retrieved automatically from the key servers. Keys already in the keyring must also be refreshed from the key servers periodically to see whether they have been revoked or new signatures have been added.

This makes it very easy for third parties to watch whom we communicate with, and gives anyone watching our network automatic, periodic updates of all the contacts in our address book.

Therefore all communication with the key servers should be encrypted (HKPS, i.e. HKP over TLS). This hides the queries from the network, not from the key server operator. For this we download the CA certificate of the SKS key server pool, which signs the TLS certificates of the pool members. Note that the sks-keyservers.net pool and its CA have since been shut down (2021); the options below work unchanged with any other HKPS key server, but if that server uses a publicly trusted certificate, leave out the ca-cert-file option, since it replaces the system CA bundle rather than adding to it.

$ wget -O ~/.gnupg/sks-keyservers.netCA.pem \
    https://sks-keyservers.net/sks-keyservers.netCA.pem

GnuPG Options

Open the file .gnupg/gpg.conf in your home directory and change, add or uncomment as follows:

#
# Options for GnuPG
#
# See the 'OPTIONS' section of 'man gpg2'
#

#----------------------------------
# Default Private Key
#----------------------------------

# Default private key to use, if you have more than one in your secret keyring
default-key 0x0123456789ABCDEF

#----------------------------------
# Program Behavior
#----------------------------------

# Don't display copyright notice
no-greeting

# Disable inclusion of the version string in ASCII armored output
no-emit-version

# Disable comment string in clear text signatures and ASCII armored messages
no-comments

# Always display long key IDs. Short key IDs can be spoofed.
# Default: short
keyid-format 0xlong

# Include the fingerprint when listing keys
with-fingerprint

# Display the calculated validity of user IDs during key listings
list-options show-uid-validity
verify-options show-uid-validity

# Add the full fingerprint of the signing key as a notation to the signatures
# we make (%g expands to it), so verifiers can identify the signer beyond the
# 64-bit key ID
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

# Try to find keys automatically
auto-key-locate local keyserver cert pka ldap

# Use the GnuPG-Agent whenever possible
use-agent

#----------------------------------
# Key Servers
#----------------------------------

# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on
keyserver hkps://hkps.pool.sks-keyservers.net

# Provide a certificate to secure key server communications with TLS
# Get this from https://sks-keyservers.net/sks-keyservers.netCA.pem
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem

# Use Tor for connections to the key servers by routing them through the local
# SOCKS proxy (the proxy URL must name the SOCKS scheme; GnuPG 2.1 and later
# move key server access to dirmngr, which has its own use-tor option)
#keyserver-options http-proxy=socks5h://127.0.0.1:9050

# Don't leak DNS queries when using Tor
keyserver-options no-try-dns-srv

# Ignore key server preference from keys. Always use our server of choice.
keyserver-options no-honor-keyserver-url

# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked

# Automatically fetch keys as needed from the keyserver
keyserver-options auto-key-retrieve

#----------------------------------
# Algorithm and Cipher Preferences
#----------------------------------

# List of personal ciphers preferences
personal-cipher-preferences AES256 AES192 AES CAST5

# List of personal digest preferences
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# Message digest algorithm for signing keys
cert-digest-algo SHA512

# Preferences written into newly created keys; others pick from this list
# when encrypting to you
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

#----------------------------------
# Display Options
#----------------------------------

# Assume input commands are UTF-8 encoded
utf8-strings
# Display output UTF-8 encoded
display-charset utf-8

# Use this program to display photo user IDs
photo-viewer "display -comment %f %i"

Available configuration options can be found on the gpg2 man page.

GnuPG Agent Options

Open the file .gnupg/gpg-agent.conf and change, add or uncomment as follows:

#
# Options for the GnuPG Agent
#
# See the 'OPTIONS' section of 'man gpg-agent'
#

# Program to use for entering passphrases
pinentry-program /usr/bin/pinentry-gtk-2

# Enable the OpenSSH Agent protocol.
enable-ssh-support

# Note: only a line whose first non-blank character is '#' is a comment, so
# keep explanations on their own line rather than after the value.

# Time in seconds, since last use of a GPG key, after which you will be asked to
# provide your passphrase again (here: 2 hours).
# Default: 600 (10 minutes)
default-cache-ttl 7200

# Time in seconds after which you will be asked to provide your GPG key
# passphrase again, regardless of the time since that GPG key has been used
# (here: 24 hours).
# Default: 7200 (2 hours)
max-cache-ttl 86400

# Time in seconds, since last use of an SSH key, after which you will be asked
# to provide your passphrase again (here: 6 hours).
# Default: 1800 (30 minutes)
default-cache-ttl-ssh 21600

# Time in seconds after which you will be asked to provide your SSH key
# passphrase again, regardless of the time since that SSH key has been used
# (here: 24 hours).
# Default: 7200 (2 hours)
max-cache-ttl-ssh 86400

Available configuration options can be found on the gpg-agent man page.
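The two configuration files above are easy to get subtly wrong: a trailing comment becomes part of the value, a default TTL above the maximum is silently capped, and a keyserver without hkps:// undoes the whole point of the CA certificate. The following linter is an added example, not code from the original page or from GnuPG; it parses the option-file syntax GnuPG documents (only a line whose first non-blank character is '#' is a comment) and applies the checks behind the gpg.conf and gpg-agent.conf recommendations above. The sample configurations at the bottom are constructed for this example.

```python
"""Lint gpg.conf and gpg-agent.conf against the recommendations above.

Added example, not part of the original page or of GnuPG.  Parses GnuPG's
option-file syntax (only a line whose first non-blank character is '#' is a
comment; everything after an option name is its value) and reports settings
the page warns about.  The sample files at the bottom are constructed.
"""
import re

WEAK_ALGOS = {"MD5", "SHA1", "3DES", "IDEA"}
PREFERENCE_OPTIONS = {"personal-cipher-preferences", "personal-digest-preferences",
                      "default-preference-list", "cert-digest-algo"}
TTL_OPTIONS = ("default-cache-ttl", "max-cache-ttl",
               "default-cache-ttl-ssh", "max-cache-ttl-ssh")


def parse_gnupg_conf(text):
    """Return [(lineno, option, value)] in file order; repeated options are kept."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        entries.append((lineno, parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def lint_gpg_conf(text):
    """Findings for gpg.conf as (lineno, message); lineno 0 means file-wide."""
    findings = []
    entries = parse_gnupg_conf(text)
    for lineno, name, value in entries:
        if "#" in value:
            findings.append((lineno, f"{name}: '#' does not start a comment here, "
                                     f"the value is {value!r}"))
        if name == "keyid-format" and value.lower() not in ("long", "0xlong"):
            findings.append((lineno, "keyid-format: short key IDs can be spoofed, use 0xlong"))
        if name == "keyserver" and not value.lower().startswith("hkps://"):
            findings.append((lineno, f"keyserver: {value} is not hkps://, "
                                     "lookups travel unencrypted"))
        if name in PREFERENCE_OPTIONS:
            weak = [a for a in value.split() if a.upper() in WEAK_ALGOS]
            if weak:
                findings.append((lineno, f"{name}: weak algorithm(s) {' '.join(weak)}"))
    if not any(name == "keyid-format" for _, name, _ in entries):
        findings.append((0, "keyid-format not set: gpg shows short key IDs by default"))
    return findings


def lint_gpg_agent_conf(text):
    """Findings for gpg-agent.conf: unparsable TTLs and a default above the maximum."""
    findings, ttl = [], {}
    for lineno, name, value in parse_gnupg_conf(text):
        if name in TTL_OPTIONS:
            if value.isdigit():
                ttl[name] = int(value)
            else:
                findings.append((lineno, f"{name}: {value!r} is not a plain number "
                                         "(trailing text is part of the value)"))
    for suffix in ("", "-ssh"):
        default = ttl.get("default-cache-ttl" + suffix)
        maximum = ttl.get("max-cache-ttl" + suffix)
        if default is not None and maximum is not None and default > maximum:
            findings.append((0, f"default-cache-ttl{suffix} {default} exceeds "
                                f"max-cache-ttl{suffix} {maximum}; the maximum wins"))
    return findings


# Constructed samples: an unedited-looking setup next to the hardened one.
WEAK_GPG_CONF = """\
keyserver hkp://pool.sks-keyservers.net
keyserver-options auto-key-retrieve
personal-digest-preferences SHA1 SHA256
"""
HARDENED_GPG_CONF = """\
keyid-format 0xlong
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
keyserver-options auto-key-retrieve
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
"""
WEAK_AGENT_CONF = """\
default-cache-ttl 86400
max-cache-ttl 7200
default-cache-ttl-ssh 21600 # 6 hours
"""
HARDENED_AGENT_CONF = """\
# 2 hours
default-cache-ttl 7200
# 24 hours
max-cache-ttl 86400
"""

if __name__ == "__main__":
    for label, text, lint in (("weak gpg.conf", WEAK_GPG_CONF, lint_gpg_conf),
                              ("weak gpg-agent.conf", WEAK_AGENT_CONF, lint_gpg_agent_conf)):
        for lineno, message in lint(text):
            print(f"{label}:{lineno}: {message}")
```

Point the two lint functions at the real files (`open(os.path.expanduser("~/.gnupg/gpg.conf")).read()`) to check your own setup; an empty result for both is the goal.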

Shell Login Options

GPG Agent needs the following lines added to your shell configuration file ~/.bashrc. GPG_TTY tells pinentry which terminal to use, and SSH_AUTH_SOCK points ssh at the agent's SSH socket (the path below is the GnuPG 2.0 location; GnuPG 2.1 and later print it with gpgconf --list-dirs agent-ssh-socket):

#
# GPG Agent
export GPG_TTY=$(tty)

# Tell ssh about our GPG Agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
fi

Backup Your Keys!

Backup is very important. If you lose your private key or the passphrase for it, everything encrypted to it is not recoverable.

Backups of your private keys and keyrings should be stored on an encrypted USB drive along with other important and protected files, like your KeePassX password database, your personal TLS certificates and private keys, and those of your servers.

# Export all public keys from your keyring
$ gpg2 --output /media/user/SafeStorage/pubring.asc \
    --export-options=export-local-sigs,export-sensitive-revkeys \
    --armor --export
# Export your private keys from your keyring
$ gpg2 --output /media/user/SafeStorage/secring.asc \
    --armor --export-secret-key
# Export your personal trust settings towards other people's keys
$ gpg2 --export-ownertrust > /media/user/SafeStorage/gpg-ownertrust-db.txt
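A backup is only worth something if it can be read back. The following is an added example, not code from the original page or from GnuPG, for checking the three exported files offline: it redoes the ASCII-armor checks gpg performs on import (RFC 4880 section 6: base64 body plus the CRC-24 trailer), reads the first packet tag to confirm that pubring.asc starts with a public key packet (tag 6) and secring.asc with a secret key packet (tag 5), and parses the "<fingerprint>:<trust>:" lines that --export-ownertrust writes. The key payloads at the bottom are constructed dummies with valid packet headers, not real key material.

```python
"""Check a GnuPG key backup offline before relying on it.

Added example, not part of the original page or of GnuPG.  Redoes the armor
checks gpg makes on import (RFC 4880 section 6), classifies the first packet
(tag 6 public key, tag 5 secret key) and parses --export-ownertrust output.
Sample payloads are constructed dummies.
"""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
TRUST_LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}


def crc24(data):
    """CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type, data):
    """Build an armored block the way gpg --armor does (used to make samples)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + ["=" + crc, f"-----END PGP {block_type}-----", ""])


def dearmor(text):
    """Return (block_type, payload); raise ValueError on damage or CRC mismatch."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    block_type, lines = m.group(1), m.group(2).split("\n")
    if "" in lines:                       # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    crc_line = next((l[1:] for l in lines if l.startswith("=")), None)
    body = "".join(l.strip() for l in lines if l.strip() and not l.startswith("="))
    payload = base64.b64decode(body, validate=True)
    if crc_line is not None and \
            int.from_bytes(base64.b64decode(crc_line), "big") != crc24(payload):
        raise ValueError("CRC-24 mismatch: armored data is corrupt")
    return block_type, payload


def first_packet_tag(payload):
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2), old or new format."""
    ctb = payload[0]
    if not ctb & 0x80:
        raise ValueError("first octet is not a packet header")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F


def check_key_block(text, expect_secret):
    """Verify the armor and confirm the block starts with the expected key packet."""
    block_type, payload = dearmor(text)
    tag = first_packet_tag(payload)
    if tag != (5 if expect_secret else 6):
        raise ValueError(f"unexpected first packet tag {tag}")
    return block_type, tag


def is_intact(text):
    """True when the armored block decodes and its CRC-24 matches."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def parse_ownertrust(text):
    """Map fingerprint -> trust name from gpg --export-ownertrust output."""
    trust = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fpr, level, _ = line.split(":")    # lines look like "<40 hex>:<level>:"
        if not re.fullmatch(r"[0-9A-F]{40}", fpr):
            raise ValueError(f"bad fingerprint {fpr!r}")
        trust[fpr] = TRUST_LEVELS.get(int(level), f"level {level}")
    return trust


# Constructed dummies: old-format headers 0x99 (tag 6, public key) and
# 0x95 (tag 5, secret key) followed by filler, not real key material.
SAMPLE_PUBLIC = bytes([0x99, 0x00, 0x05, 0x04, 0x00, 0x00, 0x00, 0x01])
SAMPLE_SECRET = bytes([0x95, 0x00, 0x05, 0x04, 0x00, 0x00, 0x00, 0x01])
SAMPLE_OWNERTRUST = """\
# List of assigned trustvalues, created 2014-01-01 (constructed sample)
0123456789ABCDEF0123456789ABCDEF01234567:6:
89ABCDEF0123456789ABCDEF0123456789ABCDEF:5:
"""

if __name__ == "__main__":
    pub = armor("PUBLIC KEY BLOCK", SAMPLE_PUBLIC)
    print(check_key_block(pub, expect_secret=False))
    print("tampered copy intact:", is_intact(pub.replace("mQAF", "AQAF", 1)))
    print(parse_ownertrust(SAMPLE_OWNERTRUST))
```

For a real backup, pass the contents of pubring.asc with expect_secret=False, secring.asc with expect_secret=True, and gpg-ownertrust-db.txt to parse_ownertrust; the ownertrust file is what restores your web-of-trust decisions, since the keyrings alone do not carry them.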