{"id":2623,"date":"2013-10-29T13:41:40","date_gmt":"2013-10-29T17:41:40","guid":{"rendered":"http:\/\/www.kaspersky.co.in\/blog\/?p=2623"},"modified":"2020-02-26T20:27:17","modified_gmt":"2020-02-26T14:57:17","slug":"gpg-strong-encryption-and-digital-signing-made-easy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/2623\/","title":{"rendered":"GPG, Strong Encryption And Digital Signing Made Easy"},"content":{"rendered":"<p>Recent revelations about government surveillance have once more brought two-decade old <a href=\"https:\/\/www.kaspersky.com\/blog\/pgp-reliable-privacy-security-and-authentication-for-everyone\/\" target=\"_blank\" rel=\"noopener nofollow\">PGP software<\/a> \u00a0into the spotlight, as it remains a quite robust and secure mechanism for communications. \u00a0However, progress in the computing industry requires using longer keys to keep attacks on key pairs less possible. Therefore, my objective is to provide you with the information necessary to create a new RSA key pair with a length of more than 4096 bits. The longer the lifetime of your data the longer your key should be. However, nothing is free, and each time you double your key length the decryption becomes 6 or 7 times slower. Therefore, we\u2019ve chosen a key length of 8192 bits for this article.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05094843\/pgp.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2781\" alt=\"pgp\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102005\/pgp-1.jpeg\" width=\"640\" height=\"420\"><\/a><\/p>\n<p>Not many tools that are currently available support this key size by default, so in order to create our new key we are going to download and modify the latest GnuPG version (currently 1.4.15). 
We\u2019ll use Ubuntu Linux for this example since nowadays it\u2019s a pretty popular distribution and it will allow you to follow these steps in a simple and straightforward manner. As an alternative you could also use <a href=\"http:\/\/www.cygwin.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Cygwin<\/a>, which is a good way to have a basic Linux-like environment in your Windows OS.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084503\/pgp-screenshot-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2784\" alt=\"pgp-screenshot-01\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102010\/pgp-screenshot-01-1.png\" width=\"595\" height=\"328\"><\/a><\/p>\n<p>Once you have created your key with the following guide, you can use one of the many tools available for your chosen OS to manage it. For example, in Mac OSX you have <a href=\"https:\/\/gpgtools.org\/index.html\" target=\"_blank\" rel=\"noopener nofollow\">GPG Suite<\/a> and in Windows you can download <a href=\"http:\/\/www.gpg4win.org\/\" target=\"_blank\" rel=\"noopener nofollow\">Gpg4win<\/a>. Both allow key generation, key management and all the basic operations you will usually perform every day with PGP.<\/p>\n<p>On the one hand you have Gpg4win (GNU Privacy Guard for Windows), which is maintained by the developers of GnuPG and provides encryption and digital signing software for files and emails, protecting your valuable information and communications. It\u2019s free software and highly recommended for all Windows users.<\/p>\n<p>On the other hand, you have GPG Suite for Mac OSX, which integrates nicely with your OS, providing an open source plugin for Apple Mail and enabling you to encrypt and sign your messages easily. 
There is also an application to manage your keychain and a command line version of GPG to further explore all the alternatives this tool has to offer.<\/p>\n<p style=\"text-align: center;\" align=\"center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084502\/pgp-screenshot-02-1024x335.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-2785\" alt=\"pgp-screenshot-02\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102509\/pgp-screenshot-02-1024x335-1.png\" width=\"857\" height=\"280\"><\/a><\/p>\n<p>We\u2019ll start by getting the GnuPG sources and decompressing them into a folder on our hard disk. It\u2019s recommended first that we verify the SHA-1 checksum for this file to check that everything is correct and we\u2019ve downloaded the verified version of the software. For that, we can use the already installed utility \u201csha1sum\u201d and if the calculated hash matches the one available on the GnuPG website, we are good to go.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084501\/pgp-screenshot-03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2786\" alt=\"pgp-screenshot-03\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102026\/pgp-screenshot-03-1.png\" width=\"723\" height=\"459\"><\/a><\/p>\n<p>For this guide we are going to modify a couple of source files, but I promise it\u2019s not too complex and the rewards will be enough to justify this effort.<\/p>\n<p>I\u2019m going to download the gzip compressed GnuPG 1.4.15 source file and with the help of the \u201ctar xvzf [filename]\u201d command, I will obtain a decompressed folder with the original contents of the file. <i>You have to replace the [filename] part of the command with the actual name of the downloaded archive. 
No square brackets are needed in the actual command.<\/i><\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084459\/pgp-screenshot-04.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2787\" alt=\"pgp-screenshot-04\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102030\/pgp-screenshot-04-1.png\" width=\"725\" height=\"465\"><\/a><\/p>\n<p>Next, we need to change into the recently extracted directory with \u201ccd [gnupg-folder]\u201d. There we will find the contents we need for building our GnuPG binary. The first step involves modifying the \u201ckeygen.c\u201d file located in the \u201cg10\u201d directory.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084457\/pgp-screenshot-05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2788\" alt=\"pgp-screenshot-05\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102035\/pgp-screenshot-05-1.png\" width=\"728\" height=\"466\"><\/a><\/p>\n<p>You can edit the \u201ckeygen.c\u201d file using \u201cgedit\u201d, for example, and when shown the contents you can search for the string \u201c4096\u201d, which is the current maximum key size that GnuPG has set up by default. We\u2019ll change that value to \u201c8192\u201d for our purposes in line 1572. Don\u2019t forget to save your changes. 
Make sure you haven\u2019t introduced any other changes!<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084456\/pgp-screenshot-06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2789\" alt=\"pgp-screenshot-06\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102039\/pgp-screenshot-06-1.png\" width=\"650\" height=\"526\"><\/a><\/p>\n<p>After we have made this simple modification we are ready to compile our new version of GnuPG. For that the usual \u201c.\/configure\u201d and \u201cmake\u201d commands should be enough. Moreover, if we want to replace the GPG version that Ubuntu ships with by default we\u2019ll execute a \u201csudo make install\u201d. For the moment we\u2019ll use our newly created binary locally in order to set up our 8192-bit RSA key pair.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084455\/pgp-screenshot-07.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2790\" alt=\"pgp-screenshot-07\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102044\/pgp-screenshot-07-1.png\" width=\"725\" height=\"463\"><\/a><\/p>\n<p>Before executing \u201cgpg\u201d we\u2019ll modify the gpg.conf file located in your home directory, in this case \u201c\/home\/Giuliani\/.gnupg\/gpg.conf\u201d. 
By default it won\u2019t have any content but we\u2019ll add our preferred cipher, digest (hashing) and compression algorithms.<\/p>\n<p>For this particular case I\u2019m going to add at the end of the file the following contents (you can of course change this to your preferences\/needs):<\/p>\n<p>personal-cipher-preferences AES256 TWOFISH AES192 AES<\/p>\n<p>personal-digest-preferences SHA512 SHA384 SHA256<\/p>\n<p>personal-compress-preferences ZLIB ZIP<\/p>\n<p align=\"center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/05084455\/pgp-screenshot-08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2791\" alt=\"pgp-screenshot-08\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102048\/pgp-screenshot-08-1.png\" width=\"720\" height=\"462\"><\/a><\/p>\n<p>After all this hard work we are finally ready to create our key. We\u2019ll execute the \u201c.\/gpg --gen-key\u201d command from the \u201cg10\u201d directory (where we previously modified the \u201ckeygen.c\u201d file) and will follow the instructions on the screen. The process is pretty simple: we choose the first option to create a key pair that will be used for signing and encrypting and we\u2019ll select 8192 bits as the key size.<\/p>\n<p align=\"center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101915\/pgp-screenshot-09.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2792\" alt=\"pgp-screenshot-09\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102052\/pgp-screenshot-09-1.png\" width=\"723\" height=\"463\"><\/a><\/p>\n<p>Just to add a little more realism to the example, I\u2019m going to set the expiration date for this key too. 
We\u2019ll use \u201c5y\u201d to tell \u201cgpg\u201d that this key will expire in 5 years.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101921\/pgp-screenshot-10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2793\" alt=\"pgp-screenshot-10\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102056\/pgp-screenshot-10-1.png\" width=\"724\" height=\"461\"><\/a><\/p>\n<p>Then we add the name, email address and comment (optional) for this identity. We can add more identities later so don\u2019t worry if you have multiple email addresses you want to include in this key pair.<\/p>\n<p align=\"center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101925\/pgp-screenshot-11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2794\" alt=\"pgp-screenshot-11\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102100\/pgp-screenshot-11-1.png\" width=\"720\" height=\"463\"><\/a><\/p>\n<p>You will then be prompted to enter your password or passphrase (depending on your personal preferences you should choose one here). There are some good <a href=\"http:\/\/www.ephesus.com\/Encryption\/Passphrase.html\" target=\"_blank\" rel=\"noopener nofollow\">guidelines on choosing a good passphrase<\/a> that will keep your key secure and also will simplify the task of remembering it. 
If you want more information you can review some <a href=\"http:\/\/www.iusmentis.com\/security\/passphrasefaq\/\" target=\"_blank\" rel=\"noopener nofollow\">FAQs<\/a> available online.<\/p>\n<p>Remember that if you want to change your password\/passphrase later you can do so without the need to recreate your key or distribute the public one to your contacts again.<\/p>\n<p>After all the information is entered the process of creating the key pair will begin. GPG will start collecting random bytes in order to improve the random number generation process. Keep using your PC until this process finishes (it can take a while depending on the computer you are using, in my I5 PC with 8 gigs of RAM it took about 15 minutes to complete).<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101931\/pgp-screenshot-12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2795\" alt=\"pgp-screenshot-12\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102104\/pgp-screenshot-12-1.png\" width=\"723\" height=\"463\"><\/a><\/p>\n<p>Finally, the key creation process is finished. GPG will show the fingerprint for the key, expiration date and all the information you entered previously. Make sure everything is correct before distributing the public key to your contacts.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101936\/pgp-screenshot-13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2796\" alt=\"pgp-screenshot-13\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102110\/pgp-screenshot-13-1.png\" width=\"726\" height=\"466\"><\/a><\/p>\n<p>You can use the GPG \u201clist\u201d command (--list-keys) to check all the available keys in your system and export the ones you need. 
We are going to export the public key for our recently created identity \u201cJoe Doe\u201d. The result will be the key file, which you can later upload manually to one of the available PGP key servers or distribute directly to your contacts. The easiest way to do this is by typing \u201cgpg --export -a [username] &gt; [public-key-filename]\u201d.<\/p>\n<p align=\"center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101944\/pgp-screenshot-14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2797\" alt=\"pgp-screenshot-14\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102601\/pgp-screenshot-14-1.png\" width=\"867\" height=\"460\"><\/a><\/p>\n<p>If you want to upload your public key from the command line you can do so by using the \u201cgpg --keyserver [serverurl] --send-keys [keyID]\u201d command.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23101953\/pgp-screenshot-15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2798\" alt=\"pgp-screenshot-15\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102609\/pgp-screenshot-15-1.png\" width=\"866\" height=\"459\"><\/a><\/p>\n<p>You can also import public keys using the \u201c--recv-keys\u201d switch instead. All within the comfort of your own command line interface.<\/p>\n<p>Finally, we are going to create a backup of our private key. Be very careful with this and remember not to share this file with anyone. 
The process is very similar to what we have seen previously and we can back up our key using \u201cgpg --export-secret-keys -a [username] &gt; [private-key-filename]\u201d.<\/p>\n<p align=\"center\">\u00a0<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102001\/pgp-screenshot-16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2799\" alt=\"pgp-screenshot-16\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2013\/10\/23102617\/pgp-screenshot-16-1.png\" width=\"921\" height=\"463\"><\/a><\/p>\n<p>Now you have your brand new PGP key pair, which you can use to enjoy a whole new world of secure communications and data privacy. Welcome!<\/p>\n<div class=\"pullquote\">\u201cA journey of a thousand miles begins with a single step.\u201d \u2013 Lao Tzu<\/div>\n<p>Having taken our first step with PGP I hope that you will come back to check in on further updates about this topic. In the meantime, you can play around with one of the many <a href=\"http:\/\/stuff.imeos.org\/persistent\/gpg-cheatsheet.pdf\" target=\"_blank\" rel=\"noopener nofollow\">GPG Cheat sheets<\/a> available, which will enable you to adjust the encryption\/decryption functionality, file and message signing and much more.<\/p>\n<div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recent revelations about government surveillance have once more brought two-decade old PGP software \u00a0into the spotlight, as it remains a quite robust and secure mechanism for communications. 
\u00a0However, progress in<\/p>\n","protected":false},"author":313,"featured_media":2622,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[189,475],"class_list":{"0":"post-2623","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-data-security","9":"tag-gpg"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/2623\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/2515\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/2783\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/2619\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/3036\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/gpg-strong-encryption-and-digital-signing-made-easy\/1900\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/3036\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/3036\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/data-security\/","name":"data 
security"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/2623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/313"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=2623"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/2623\/revisions"}],"predecessor-version":[{"id":18921,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/2623\/revisions\/18921"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/2622"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=2623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=2623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=2623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}